I. Legal Framework
Statutory rules on privacy
The Privacy Act of 1974 protects records held by United States government agencies and requires agencies to apply fair information practices.1 Its effectiveness is significantly weakened by administrative interpretations of a provision allowing for disclosure of personal information for a "routine use" compatible with the purpose for which the information was originally collected. Limits on the use of Social Security numbers have also been undercut in recent years because of widespread use of the identifier among governmental agencies2 and because the private sector employs the identifier for both identification and authentication purposes.3 The act also allows certain agency systems of records to be exempt from accuracy and other requirements.
The United States has no comprehensive privacy protection law for the private sector. A patchwork of federal laws covers some specific categories of personal information.4 These include financial records,5 health information,6 credit reports,7 video rentals,8 cable television,9 children's (under age 13) online activities,10 educational records,11 motor vehicle registrations,12 and telemarketing.13
The Gramm-Leach-Bliley Act, which formally eliminated traditional ownership barriers between different financial institutions such as banks, securities firms, and insurance companies, set weak protections on financial information that is likely to be shared among merged institutions. These privacy provisions became effective in July 2001. The law allows information sharing amongst affiliates but offers individuals a limited opt-out for information sharing among non-affiliates. Consumer privacy was improved under the law when the FTC determined that the Social Security number qualified as non-public personal information, thus it is subject to the notice and opt-out requirements in certain contexts. The data industry has been unsuccessful in challenging this determination.14
The sole federal law governing information use online is the Children's Online Privacy Protection Act (COPPA), which went into effect in April 2000. This law requires parental consent before information is collected from children under the age of 13.15 In April 2005, the FTC requested public comments on the utility of the COPPA Rule, which directs Web site operators that collect information about children to notify parents or obtain parental consent before using or disclosing such information.16 At the conclusion of the review, the Commission determined that the Rule "continues to be valuable to children, their parents, and Web site operators," and decided to retain COPPA in its current form.17
In 2003, Congress passed legislation significantly amending the Fair Credit Reporting Act (FCRA) of 1970 and the nation's first spam regulation.18 Congress amended the FCRA, passing the Fair and Accurate Credit Transactions Act (FACTA),19 because portions of the FCRA statute were expiring that would allow states to pass more stringent privacy protections.20 Congress amended the law to protect financial institutions from state privacy regulation but also created new privacy rights. For instance, under regulations that took effect in 2004, individuals may obtain a free credit report from each of the credit bureaus once a year. Credit reporting agencies are required to disclose credit scores, but they may charge a fee for their provision. Individuals will have a new right to opt-out of marketing solicitations that flow from affiliate sharing of personal information. The act also now allows individuals to file fraud alerts, which require credit reporting agencies to inform others that fraud may be present. Identity theft victims also can request transaction records when businesses have extended credit to an impostor in order to try to ascertain the identity of the impostor.
Privacy case law
The United States Supreme Court has considered many important privacy cases over the last several years. In January 2000, the Supreme Court heard Reno v. Condon, a case addressing the constitutionality of the Drivers Privacy Protection Act (DPPA), a 1994 law that protects drivers' records held by state motor vehicle agencies. In a unanimous decision, the Court found that the information contained in the records was "an article of commerce" and could be regulated by the federal government.21 In June 2001, the Supreme Court ruled in the case of Kyllo v. United States that the use of a thermal imaging device, without a warrant, to detect heat emanating from a person's residence constituted an illegal search under the Fourth Amendment.22 The Fourth Amendment protects individuals from intrusions into areas where there is a "reasonable expectation of privacy."23 In November 2000, the Supreme Court held that suspicionless vehicle checkpoints, used to discover and interdict illegal narcotics, violate the Fourth Amendment.24 Also, in March 2001, the Supreme Court held that a state hospital cannot perform diagnostic tests to obtain evidence of criminal conduct without the patient's consent; such a test is unreasonable and violates the Fourth Amendment.25
In the 2001 term, the Supreme Court addressed anonymity, searches on buses, and student privacy. In Watchtower Bible v. Village of Stratton, the Court invalidated a law that required registration with the government before individuals could engage in door-to-door solicitation. The Court held that a pre-registration requirement violated the First Amendment, which guarantees freedom from government restrictions on free expression, and individuals' right to anonymity.26 Student privacy was diminished in a series of cases involving drug testing, "peer grading" (the practice of allowing a fellow student to score a test), and the right to sue under a federal student privacy law. In Board of Education v. Earls, the Court held that random, suspicionless drug testing of students involved in non-athletic extracurricular activities was justified under the "special needs" exception to the Fourth Amendment.27 In Owasso Independent School District v. Falvo, the Court held that both peer grading and the reporting aloud of peer grades did not violate the Family Educational Rights and Privacy Act of 1974 (FERPA).28 In Gonzaga Univ. v. Doe, the Court held that the FERPA does not give individuals a right to sue for violations of privacy.29
In the 2002 term, the Supreme Court ruled that a "Megan's Law statute," which requires sex offenders to have their pictures and addresses put on the Internet, does not violate the Ex Post Facto clause30 of the Constitution.31 In a related case, Connecticut Dept. of Public Safety v. Doe, the Court unanimously held that inclusion in a public sex offender registry, without a separate hearing on the offender's risk to the community, does not violate the Due Process Clause of the Constitution.32 In a far-reaching opinion in 2003, the Supreme Court ruled in Lawrence v. Texas that a state law that prohibited homosexual sodomy violated the due process rights in the Constitution.33 The Court reversed an earlier opinion in which it had upheld sodomy statutes.34 The court decision states: "The petitioners are entitled to respect for their private lives. The state cannot demean their existence or control their destiny by making their private sexual conduct a crime‚Ä¶"35 The Court also cited with approval the European Court of Human Rights and other foreign courts that have affirmed the "rights of homosexual adults to engage in intimate, consensual conduct." The decisions were brought to the attention of the high court in an amicus brief filed by the former UN High Commissioner for Human Rights.36
In the 2003 term, the Supreme Court considered the Privacy Act, a privacy exemption to the Freedom of Information Act, vehicle searches, and the issue of whether police could compel an individual to identify himself in public. In Doe v. Chao, the Court ruled that a plaintiff in a Privacy Act suit must demonstrate actual damages to qualify for the act's minimum statutory award of USD 1,000.37 In that case, the Department of Labor identified black lung benefits claimants with their Social Security number and exposed the identifier to public view in violation of the Privacy Act. In National Archives & Records Administration v. Favish, the Supreme Court expanded a privacy exemption in the Freedom of Information Act.38 That case involved a request for access to pictures of a suicide victim, who happened to be a senior Executive Administration employee. Noting that five separate investigations had been made into the circumstances of the suicide, the Court denied access to the photographs. Although American law generally does not recognize privacy interests after the death of the data subject, the Court held that surviving family members have a right to personal privacy with respect to their close relatives' death-scene images. This right outweighed the public's interest in disclosure. In United States v. Flores-Montano, the Court upheld a US Customs search of a gasoline tank at the Mexico-California border, ruling that vehicle searches at US border checkpoints do not require suspicion.39 In Thornton v. United States, the Court upheld, as a search incident to custodial arrest, the search of the passenger compartment of a vehicle when the suspect was first accosted after exiting the vehicle.40 The Court had previously ruled that the Fourth Amendment allowed police to search a passenger compartment, in the interests of evidence preservation and police protection, when the suspect was accosted while still inside the vehicle.41 In Hiibel v. Sixth Judicial District Court, the Court upheld a state statute that required individuals to identify themselves when requested by a police officer who has "reasonable suspicion" that the individual is involved in wrongdoing.42 Such statutes exist in more than 20 US states. The decision is limited in scope because identification requirements must occur within the scope of a "Terry Stop," an encounter where a police officer can articulate facts that reasonably indicate that a suspect is involved in criminal activity.43 The Court also pointed out that, while the statute requires an individual to reveal his or her name, he or she need not produce an identity document. However, as one of four dissenting Justices noted, a person's name can "provide the key to a broad array of information about the person," particularly when disclosed to officers with access to law enforcement databases.44
In the 2004 term, the Supreme Court ruled in Illinois v. Caballes that a canine sniff of an automobile did not violate the driver's constitutionally protected privacy right.45 The Court held that because a canine sniff reveals the location of contraband alone and because one has no legitimate expectation of privacy in contraband under the Fourth Amendment, the measure did not violate a constitutionally cognizable privacy interest.46 In Devenpeck v. Alford, the Court held that an arrest is justified if there is a legitimate basis, regardless of whether the stated reason for the arrest is meritorious or closely related. In that case, the suspect, who was driving a car with "wigwag" roof lights, tape recorded a conversation with a police officer who had stopped him for suspected impersonation of an officer. The officer then arrested him for violating the state privacy statute. Although the suspect's tape recording was later found not to have violated any state law, the Supreme Court ruled for the state because suspected impersonation of an officer was a legitimate basis for arrest.47
In June 2007, the Supreme Court ruled that vehicle passengers may challenge the legality of police stops. The Court found that traffic stops curtailed the travel of vehicle passengers as well as drivers, and that "no passenger would feel free to leave" after police detained the vehicle they were traveling in. The Court also noted that all nine Federal Courts of Appeals and 47 states allowed passengers to challenge the legality of vehicle stops on Fourth Amendment grounds.48
There is no independent privacy oversight agency in the United States. The Office of Management and Budget (OMB) plays a limited role in setting policy for federal agencies under the Privacy Act, but it has not been particularly active or effective in this capacity.49
The Consolidated Appropriations Act of 2005, enacted on December 8, 2004, requires every federal agency to appoint its own privacy officer.50 The privacy officers are responsible for ensuring the proper collection, use and disclosure of personal information handled by their respective agencies; ensuring that all systems of records adhere to the requirements of the Privacy Act and the agency‚Äôs own policies; conducting privacy impact assessments for all proposals of their respective agencies; preparing an annual report to Congress including all complaints and privacy violations; and educating agency employees regarding privacy legislation and policies.51
In July 2007, the Government Accountability Office released a report on the progress of the Department of Homeland Security Privacy Office in complying with its statutory mandates. The GAO concluded the Privacy Office has increased the number and quality of Privacy Impact Assessments issued, and it has managed to incorporate privacy considerations into DHS decision-making. However, the Privacy Office‚Äôs tardiness in releasing report has delayed the effectiveness of these reports and eroded the credibility of the Privacy Office.52
Department of Homeland Security
The Department of Homeland Security (DHS), established in 2003 under the Homeland Security Act, combined 22 agencies and was initiated under an estimated USD 38 billion budget.53 President Bush requested a budget of USD 41.1 billion for fiscal year 2006, a seven percent increase over the budget for 2005.54 This cabinet level agency has been granted increased law enforcement and information sharing powers but more limited open government responsibilities. For instance, the legislation allows the department to share intelligence and grand jury information with state and local authorities but broadly exempts "critical infrastructure information" submitted to the agency from the open government laws.
Limited privacy protections were included in the legislation creating DHS. The legislation created a civil rights officer and a separate privacy officer charged with the responsibility of compliance with the Privacy Act, with formulating privacy impact assessments for rules proposed by the department, and with preparing an annual report to Congress. Other portions of the law prohibit the government from creating a citizen snitch program called the "Terrorism Information Prevention System." The department is statutorily barred from developing a national identification system or card.
- 1. http://www.epic.org/privacy/laws/privacy_act.html
- 2. http://www.gao.gov/new.items/d02352.pdf
- 3. http://www.gao.gov/new.items/d04768t.pdf
- 4. http://www.epic.org/privacy/financialresources.html
- 5. http://www.epic.org/privacy/rfpa/
- 6. http://www.epic.org/privacy/medical/
- 7. http://www.ftc.gov/os/statutes/fcra.htm
- 8. http://www.epic.org/privacy/vppa/
- 9. http://www.epic.org/privacy/cable_tv/ctpa.html
- 10. http://www4.law.cornell.edu/uscode/html/uscode15/usc_sec_15_00006501----...
- 11. Family Educational Rights and Privacy Act, Pub. L. No. 93-380 (1974), available at
- 12. http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002721----...
- 13. Telephone Consumer Protection Act, Pub. L. No. 102-243 (1991); EPIC's Telemarketing and the Telephone
- 14. Trans Union v. FTC, No. 01-5202 (D.C. Cir. 2002).
- 15. FTC Privacy Initiatives supra; EPIC's Children's Online Privacy Protection Act (COPPA) Web Page, supra.
- 16. http://www.ftc.gov/opa/2005/04/coppacomments.shtm
- 17. http://www.ftc.gov/os/2006/03/P054505COPPARuleRetention.pdf
- 18. http://www.ftc.gov/os/statutes/fcra.htm
- 19. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_publi...
- 20. http://www.epic.org/privacy/preemption/
- 21. Reno v. Condon, 528 U.S. 141 (2000).
- 22. Kyllo v. United States, 533 U.S. 27 (2001). The Fourth Amendment states: "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
- 23. Kyllo v. United States, supra.
- 24. City of Indianapolis v. Edmond, 531 U.S. 32 (2000).
- 25. Ferguson v. City of Charleston, 532 U.S. 67 (2000).
- 26. Watchtower Bible & Tract Soc'y of N.Y. v. Village of Stratton, 536 U.S. 150 (2002).
- 27. Board of Education v. Earls, 536 U.S. 822 (2002).
- 28. Owasso Independent School District v. Falvo, 534 U.S. 426 (2001).
- 29. Gonzaga Univ. v. Doe, 536 U.S. 273 (2002).
- 30. That clause prohibits the government from applying a revised law that would result in a criminal punishment more severe than that which applied at the time the crime was committed.
- 31. http://www.supremecourtus.gov/opinions/02pdf/01-729.pdf
- 32. http://www.supremecourtus.gov/opinions/02pdf/01-1231.pdf
- 33. http://www.supremecourtus.gov/opinions/02pdf/02-102.pdf
- 34. Bowers v. Hardwick, 478 U.S. 186 (1986).
- 35. "Had those who drew and ratified the Due Process Clauses of the Fifth Amendment or the Fourteenth Amendment known the components of liberty in its manifold possibilities, they might have been more specific. They did not presume to have this insight. They knew times can blind us to certain truths and later generations can see that laws once thought necessary and proper in fact serve only to oppress. As the Constitution endures, persons in every generation can invoke its principles in their own search for greater freedom." Lawrence v. Texas, supra.
- 36. http://www.hrw.org/press/2003/07/amicusbrief.pdf
- 37. http://www.supremecourtus.gov/opinions/03pdf/02-1377.pdf
- 38. http://www.supremecourtus.gov/opinions/03pdf/02-954.pdf
- 39. http://www.supremecourtus.gov/opinions/03pdf/02-1794.pdf
- 40. http://www.supremecourtus.gov/opinions/03pdf/03-5165.pdf
- 41. See NY v. Belton, 453 U.S. 454 (1981).
- 42. 542 U.S. 177 (2004).
- 43. Terry v. Ohio, 392 U.S. 1 (1968).
- 44. http://www.epic.org/privacy/hiibel/
- 45. http://www.supremecourtus.gov/opinions/04pdf/03-923.pdf
- 46. Id.
- 47. http://www.supremecourtus.gov/opinions/04pdf/03-710.pdf
- 48. http://www.supremecourtus.gov/opinions/06pdf/06-8120.pdf
- 49. http://www.whitehouse.gov/omb/memoranda/m01-05.html
- 50. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_publi...
- 51. Id. at s.552.
- 52. http://www.gao.gov/new.items/d071024t.pdf
- 53. http://www.epic.org/privacy/homeland/homeland_security_act.html
- 54. http://www.dhs.gov/xlibrary/assets/Budget_BIB-FY2006.pdf