You currently do not have JavaScript enabled in your web browser.
The ABA website relies on JavaScript for display purposes.
To fully experience the ABA site, please enable javascript.
ABA Focus Vol. XV, No. 2 -- Privacy: Legislation and Remedies




 

Privacy Legislation and Remedies

EDITOR: What legislation, policies, and/or administrative regulations, if any, should the U.S. enact to better protect individuals from the "invasions of privacy" that you have discussed?

JOHN GILLIOM: I am very skeptical about the possibility or capacity of effective legislative or administrative action in this area. Several factors point to such skepticism. First, we have all noted that the threats to privacy come from many diverse and dispersed locations. The capacity of centralized legislation to meet all these challenges, in all these areas, is doubtful. Second, we have noted that much of the threat comes form the corporate sector -- neither the Republicans nor the New Democrats have shown a burning desire to confront those interests. Third, the existing models, such as the Fair Information Practices and Privacy Act frameworks have, to my eye, provided little help. Finally, there are a number of fundamental dynamics in our lives that push toward the unfettered flow of information. Many democratic values celebrate "transparency"; science demands all the data; bureaucracy needs full information; the law needs "the facts." In so many ways we are a society that worships information and its gathering; as a result, it seems pretty unlikely that an aging, anti-informational value like "privacy" can make much headway.

Surely, there are small skirmishes to be fought and won, and many ways that individuals can erect defenses and evade some intrusions, but does anyone see much more promise than this? In the meantime, I'll be spending cash, rejecting cookies, hiding my Social Security number, and being very good.

HERB STRENTZ: I just reviewed some material from a privacy symposium held in 1995 in Hartford, Connecticut. The material is not a source of optimism. One of the issues covered dealt with subpoenas, search warrants, requests for telephone intercepts, and the difficulties in restraining government. (The same problems are posed in the private sector, because human beings work there, too.)

One example nicely captures the difficulties. Thomas Blanton, executive director of the National Security Archives, reported on the Foreign Intelligence Surveillance Act (FISA), a measure that had the wisdom to require approval from a select group of judges before government could conduct electronic surveillance. The judges annually issued more than 500 interception orders. "In its entire existence, since 1978 [in 1995 that would be 17 years], the FISA has never turned down a government request for electronic surveillance authority" (886 applications were approved in 1999). Ratios are almost as high for approval of subpoena and search warrant requests.

Several years ago the GAO issued a few reports on federal agency compliance with the Privacy Act. The agencies complied about as poorly as they do with FOI Acts. This is true at least in part because legislation

We need broad federal guidelines favoring privacy as the default.

[JUDITH WAGNER DECEW]

to enforce privacy or to provide access is often an unfunded mandate: workloads and duties are increased, but there are no funds to provide staff. All this suggests that guidelines and policies on how we handle privacy are difficult to arrive at, even more difficult to pass, and perhaps futile to try to enforce.

PRISCILLA REGAN: I also agree that there is cause for skepticism about the effectiveness of legislative and administrative solutions, but I would argue that some of the difficulties in enforcing, monitoring, and implementing more effective solutions might be answered by the establishment of a Privacy Commission or Board. The original Privacy Act that passed the Senate in 1974 provided for the establishment of a Federal Privacy Board with authority over both the public and private sectors. The House bill did not provide for such an entity, the Ford administration was opposed, and the resulting conference bill provided for the Privacy Protection Study Commission. At various points over the last 25 years, the proposal to establish some institution has resurfaced. At times, there has even appeared to be some consensus on the powers of such a body -- generally with more advisory, educational, and ombudsman authority rather than regulatory powers. The question of its scope has been more contentious with the private sector, which has not been ready to endorse the establishment of an entity whose powers might be expanded.

Some institutional solution is appropriate and necessary, even in a self-regulatory scheme. One of the main problems in the privacy area is the difficulty individuals have in finding out about organizational information practices and the implications of those practices. Some advisory or educational entity could fill this gap by providing a forum for the discussion and debate about privacy. Our current institutional arrangements are incredibly fragmented -- OMB, FTC, Commerce, HHS, and the State Department all have some responsibility in the area of information privacy. An institutional focus is much needed.

JUDITH WAGNER DECEW: Herb's data on the difficulties of formulating privacy guidelines and policies, getting them passed, and then enforcing them, is very depressing. If enforcement is really "futile," then we certainly have a daunting task. John adds more reasons to be doubtful that we can make progress. I share Priscilla's skepticism that a self-regulation model will work. That is largely what we have in many areas in the U.S. today, and we are left with virtually no control over, or guarantees of, privacy. The profit motive leaves little incentive for most businesses to adopt, endorse, and follow more stringent privacy guidelines. Some studies show that the public has made clear that it is distrustful of the self-regulation model as well.

It is worth emphasizing the extent to which current statutes are ad hoc. For example, records of video rentals are protected thanks to the "Bork" Bill, but medical records containing sensitive information (such as genetic data or test results for the breast cancer genes that can affect one's insurance or employment) are not protected.

DAVID SORKIN: Not only is U.S. legislation ad hoc and a patchwork of different guidelines with different levels of protection, in that it has been developed in response to specific complaints (Bork's) or crises, it also leaves many gaps. In addition, the legislation we have is usually filled with vague language such as claims that records are unavailable to others except those with a "legitimate need to know." Yet there is no specification of what sorts of needs are or should be deemed "legitimate." The malleability of the language makes passage of such legislation easier but makes enforcement more difficult and inconsistent. Almost anyone can claim one's need is legitimate in some sense.

EDITOR: Do other countries have stronger or better privacy protection laws?

DAVID SORKIN: To put at least some of this in context, the United States clearly has more privacy laws than most countries, but this is true because of the manner in which we regulate privacy, on an ad hoc, sectoral basis, where as the European Union and some other countries

Surveillance cameras in public places are much more common elsewhere than in the U.S.

[DAVID SORKIN]

have adopted a much more general approach to privacy. Certainly such a comprehensive, principled approach is preferable from the perspective of giving individuals control over their own personal information. But I think eventually it will dawn upon us that the simplicity, efficiency, and transparency of a comprehensive approach can be better for business as well.

PRISCILLA REGAN:The lack of an institutional authority for privacy is also one of the main differences between the U.S. approach and that of other countries, and one of the key reasons the European Union has had difficulty with American privacy policies. In some countries these institutions are called commissions, in others authorities or boards. In some, the title is "privacy," in others "data protection." The responsibilities also vary.

I think an institutional solution offers some counterweight to the weaknesses David identifies, and with which I agree completely, in the market-based solution. It is clear to me that a market solution will achieve a suboptimal supply of privacy protections and an oversupply of privacy invasions, because of the inherent market failures. Some government involvement is necessary to counter these market forces. An institutional solution would allow for policy development and learning that is necessary in this area.

JUDITH WAGNER DECEW: I agree with David that a more comprehensive and principled approach, such as that taken by the European Union, is preferable from the individual and consumer point of view. I continue to be hopeful that businesses may eventually discover that privacy protections may be preferable from their perspective as well, in that consumers will do business with those corporations offering more privacy, and EU countries will not do business with American corporations unable to promise privacy protection similar to that mandated under the EU directives.

Thus, I endorse broad privacy guidelines (legislation) at the federal level, for consistency and uniformity in protection across states and in different contexts. The federal government need not micromanage the details, but it needs to take a strong stand that protection of privacy for individuals is important and takes priority in many cases. More specifically, I endorse broad guidelines specifying the priority of privacy as the default -- i.e., what is normally to be expected.

As citizens become more fearful and threatened by privacy intrusions, and businesses see the advantages of offering more privacy protection, we may be able to compromise, or get our legislators to compromise. We should seek to break the impasse between those favoring total self-regulation and privacy advocates taking an absolutist stance. My sense is that intermediate positions that find common ground, as Amitai emphasized, will provide the only workable routes. Overarching federal legislation mandating a default favoring the priority of privacy but then allowing the implementation of general guidelines to vary, appears to me to offer such a compromise position.

Spring 2000 Issue Home | The 20th Century | Celebrity and Privacy | Privacy Abuses
Driver's Privacy Protection Act | Legislation | Resources | Contributors
Credits/Disclaimers| John Ryan Leaves ABA

Focus on Law Studies Home | Subscribe to Focus | Questions/Ordering Back Issues