Sedona Conference Primer on Data Privacy - Part 1
The Sedona Conference's Primer on Data Privacy has just been made available for public comment. Here's a summary of the contents of the primer.
I. INTRODUCTION
The primer focuses on civil law issues.
II. BACKGROUND AND OVERVIEW
A. Common Law of Privacy
1. Brandeis / Warren article The Right to Privacy (1890) in Harvard Law Review in response to instantaneous photography - origin of right to privacy
2. Paresich v. New England Life Ins. Co. (Ga. 1905) recognizes tort for invasion of privacy.
3. Restatement of Torts (2nd)
a. intrusion upon seclusion - most often used for data privacy
i. violate reasonable expectation of privacy
ii. intrusion must be offensive to a reasonable person.
b. appropriation of name or likeness.
c. public disclosure of private facts.
d. false light
B. Fair Information Practice Principles and Similar Privacy-Protecting Frameworks
1. Privacy Act of 1974 (HHS)
2. White House Fair Information Practice Principles (FIPP) 2011
a. Transparency - notify use of PII
b. Individual participation / access - seek individual consent
c. Purpose Specification -
d. Data Minimization
e. Use Limitation
f. Data Quality and Integrity
g. Security
h. Accountability and Auditing - audit the actual use of PII.
C. Personal Information
1. EU definition broader
2. Personal information may become re-identified.
3. PII under federal government requirements for federal agencies is defined broadly to include “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”
D. Industry Standards
1. FTC has brought actions based on failure to implement policies consistent with industry standards.
E. Contract Based Privacy Rights
1. Generally not enforceable through use of contract law principles.
III. FEDERAL AND STATE GOVERNMENTS
A. Federal Government
1. Privacy Act of 1974 (5 U.S.C. 552)
a. Can't disclose PII unless written consent or disclosure under 12 exceptions:
i. need to know. ii. FOIA iii. routine use iv. Census Bureau v. statistical research
vi. NARA vii. law enforcement viii. health/safety circumstances ix. official use by Congress
x. official use by GAO xi. court order xii. report bad debt information.
b. Individuals can request an Accounting
c. Right to Civil Action
d. If SSNs collected must issue disclosure
e. Privacy Act limits computer matching of records between agencies
f. Judicial Redress Act - EU citizens right to legal redress for privacy violations
2. E-Government Act of 2002
a. Title III Federal Information Security Management Act of 2002 (FISMA)
b. Title II privacy protections
i. Privacy Impact Assessment required by fed agencies before implementing information system.
ii. Privacy policy must be posed on agency web site describing what information is being collected.
iii. Confidential Collection of Statistical Information - Title V of the E-Gov Act, enacted as the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), protects individuals and organizations who provide information to federal agencies for statistical purposes under a pledge of confidentiality.
3. Freedom of Information Act
a. Nine 5 U.S.C. 552(b) exemptions. Exemption 6 - personal and medical files; Exemption 7 records compiled for law enforcement purposes - if unwarranted invasion of personal privacy.
4. Fourth Amendment
a. Led to shutdown of NSA telephone metadata bulk collection practices.
b. Unreasonably seized information can lead to 42 U.S.C. 1983 civil rights claim.
5. Federal Criminal Law Enforcement
a. FBI, DHS, and Secret Service have dedicated cyber crime units.
B. State Governments
1. State Constitutional Privacy Protections
a. California Constitution, for example, makes “pursuing and obtaining” privacy an inalienable right, on par with “enjoying and defending life and liberty.”
2. Public Record Statutes
a. All states have public records law that allow individuals to access documents from government agencies.
3. Surveillance and Other Data Collection
a. Motor Vehicle Records
Drivers Privacy Protection Act (DPPA) requires states to provide a minimum baseline of protection to drivers’ motor vehicle records
b. License Plate Readers
Automated License Plate Readers (ALPRs) in California can only be stored for 60 days.
c. Event Data Recorders
17 states have laws preventing collection from EDRs without owner consent.
d. 911 Call Recordings
- may or may not require court order to disclose.
4. Privacy Policies
One-third of states have passed laws requiring government agencies to maintain and publicize a privacy policy. California, for example, requires state agencies to adopt a privacy policy and to appoint an employee to be responsible for the policy.
5. State Criminal Statutes
a. Computer Crimes - unauthorized access is usually a misdemeanor, but aggravating circumstances can make it a felony. Only 12 states make it a crime to introduce a virus into a computer.
b. Identity Theft - e.g. RFID skimming
c. Threats and Harassment
i. Cyber Stalking - all states have laws criminalizing stalking and most have amended them to include cyber stalking.
ii. Revenge Porn - Outlawed in 16 states. Illinois statute is not limited to nude photos.
IV. GENERAL CONSUMER PROTECTION
A. Federal Privacy Statutes of General Applicability
1. Federal Trade Commission Act
Section 5 actions against entities that fail to protect consumer privacy and fail to properly secure personal information. E.g., August 2015, the FTC announced settlements with 13 companies that claimed to be current participants in the now defunct EU-US Safe Harbor Framework but whose certifications had either lapsed or never been submitted.
2. Children’s Online Privacy Protection Act (COPPA)
protects PII of children under 13 - websites can't collect.
3. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
- prohibits deceptive header information in spam.
- requires method to opt out of further messages.
- For email messages containing sexually oriented material, the first 19 characters on the subject line must be, in all caps and as depicted “SEXUALLY-EXPLICIT:” and that same phrase must also appear when the email is opened.
4. Telemarketing Act
a. prohibits abusive or coercive calls.
b. restricts the hours of the day unsolicited calls may be made.
c. promptly disclose the purpose of the call.
d. Telemarketing Sales Rule - FTC can address at its discretion deceptive telemarketing practices. Setup Do Not Call Registry.