Data Privacy Law: The Basics

By TAP Guest Blogger

Posted on February 1, 2010



Last Thursday was Data Privacy Day. In recognition of this international celebration, which builds awareness of the dignity of the individual as expressed through personal information, TAP invited guest bloggers to present some of the basics of data privacy from the perspectives of policy, law, and, of course, individuals. Today TAP is pleased to provide an overview of data privacy law, by Aaron Burstein.

To mark Data Privacy Day, I'm going to try to provide a brief overview of data privacy law: what it protects, how, and why. This is a fairly vast topic; my aim isn't to be comprehensive but rather to illustrate some of the main themes and structures in U.S. law. (It's a refrain I too often make, but foreign and international law will have to wait for another day.) I tend to think of three main structural features of privacy law: who the law applies to, what information it protects, and how it offers this protection.

Who: Patchworks, Silos, Stovepipes

These are terms that many privacy experts use to convey the fact that the United States doesn't have a single, overarching data privacy law. Instead, data privacy is regulated by many different statutes and rules at the federal and state levels (California, for example, has a number of its own).

Generally speaking, each privacy law applies to a particular context. For example, the Health Insurance Portability and Accountability Act (HIPAA) creates some privacy protections for personal health information. The Electronic Communications Privacy Act makes it a crime to intercept phone calls and emails and prohibits ISPs from turning over your Internet use records to the police without legal process (a warrant or court order, or, for basic subscriber records, a subpoena). The Gramm-Leach-Bliley Act requires banks and other financial institutions to keep your financial records confidential. Yet another federal law, the Family Educational Rights and Privacy Act, makes it illegal for schools that receive federal funding to disclose student records without consent.


All of these laws (and there are more) have different exemptions, different remedies for breaches, and apply to different people and organizations, depending on their roles. The point is that data privacy in the United States is largely a creature of statutes, and those statutes apply to specific types of data and in specific contexts.

What: "Personally Identifiable" Information

In addition to defining the people and organizations that must observe data privacy rules, the law draws a line around the types of information that are protected in a given context. Laws generally protect "personally identifiable" information (PII) and leave everything else unprotected. For example, your name is obviously a personal identifier. To take another famous example, your Social Security number uniquely identifies you; data that is linked to this number is linked to you.

Conversely, the datum "likes vanilla ice cream," on its own, probably isn't PII; this tidbit of information doesn't provide a particularly accurate or reliable way of picking out an individual. The assumption that underlies much of U.S. data privacy law, as legal scholar Paul Ohm points out, is that PII can be easily separated from non-PII, and that non-PII can be left unregulated without threatening anyone's privacy. As Paul's article, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization," recounts, computer scientists have invalidated this assumption: given enough (supposedly) de-identified data (and it might not take that much), someone who's sufficiently determined can link those records back to an individual person. The Electronic Privacy Information Center has a great collection of resources describing and analyzing the implications of data reidentification.
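The mechanism behind those re-identification results is a linkage attack: a dataset with names stripped out but ZIP code, date of birth and sex left in is joined to a public, named dataset (a voter roll, say) on exactly those fields. The following is an added example, not code from the original post or from Ohm's article; all records, names, ZIP codes and dates are constructed, and the column names are assumptions. It also shows the minimal check a data holder can run before calling a release "anonymous": the smallest number of people in a plausible auxiliary dataset who share a quasi-identifier with any released row (k = 1 means someone is uniquely identifiable), and how generalizing to three-digit ZIP and birth year raises it.

```python
from collections import Counter, defaultdict

# Constructed "de-identified" hospital rows: names removed, but the
# quasi-identifiers (5-digit ZIP, date of birth, sex) left intact.
MEDICAL = [
    {"zip": "02138", "dob": "1960-07-31", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1960-07-31", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1975-03-05", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1975-03-05", "sex": "M", "diagnosis": "fracture"},
    {"zip": "02140", "dob": "1988-11-12", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public voter roll: names, but no health data.
VOTERS = [
    {"name": "Alice Example", "zip": "02138", "dob": "1960-07-31", "sex": "F"},
    {"name": "Bob Example",   "zip": "02138", "dob": "1960-07-31", "sex": "M"},
    {"name": "Carl Example",  "zip": "02139", "dob": "1975-03-05", "sex": "M"},
    {"name": "Dan Example",   "zip": "02139", "dob": "1975-03-05", "sex": "M"},
    {"name": "Eve Example",   "zip": "02140", "dob": "1988-11-12", "sex": "F"},
    # Nearby residents with no medical row; they only collide after generalization.
    {"name": "Gina Example",  "zip": "02137", "dob": "1960-02-14", "sex": "F"},
    {"name": "Hal Example",   "zip": "02141", "dob": "1960-09-01", "sex": "M"},
    {"name": "Ivy Example",   "zip": "02142", "dob": "1988-01-01", "sex": "F"},
]


def quasi_key(rec, zip_digits=5, dob_chars=10):
    """Quasi-identifier tuple used for the join.

    Defaults use the full ZIP and full date of birth. zip_digits=3 and
    dob_chars=4 generalize to ZIP3 + birth year, a common anonymization step.
    """
    return (rec["zip"][:zip_digits], rec["dob"][:dob_chars], rec["sex"])


def link(medical, voters, **gen):
    """Linkage attack: attribute a diagnosis to a named person.

    A row is linked only when exactly one voter and exactly one medical row
    share the quasi-identifier; any other case is ambiguous and left out.
    Returns {name: diagnosis}.
    """
    voters_by_key = defaultdict(list)
    for v in voters:
        voters_by_key[quasi_key(v, **gen)].append(v["name"])
    medical_by_key = Counter(quasi_key(m, **gen) for m in medical)

    linked = {}
    for m in medical:
        key = quasi_key(m, **gen)
        names = voters_by_key.get(key, [])
        if len(names) == 1 and medical_by_key[key] == 1:
            linked[names[0]] = m["diagnosis"]
    return linked


def min_k(medical, voters, **gen):
    """Smallest number of roll entries sharing a quasi-identifier with some
    released row. k == 1 means at least one row is uniquely re-identifiable
    against this auxiliary dataset; a release should not go out with k == 1."""
    counts = Counter(quasi_key(v, **gen) for v in voters)
    return min(counts[quasi_key(m, **gen)] for m in medical)


if __name__ == "__main__":
    print("full quasi-identifiers, k =", min_k(MEDICAL, VOTERS))
    print("  linked:", link(MEDICAL, VOTERS))
    gen = dict(zip_digits=3, dob_chars=4)
    print("ZIP3 + birth year, k =", min_k(MEDICAL, VOTERS, **gen))
    print("  linked:", link(MEDICAL, VOTERS, **gen))
```

With full ZIP and birth date, three of the five "anonymous" rows are attributed to a named person, and the two remaining rows are safe only because two voters happen to share the same key. After generalization every key is shared by at least two people and nothing links. The check is only as good as the auxiliary dataset you test against; a determined adversary may hold one you did not anticipate, which is the point Ohm's article makes.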

How: Collection, Use, Disclosure

How are data privacy protections actually put into effect? Statutes typically aren't written to guarantee "privacy." Instead, data privacy statutes limit the flow of private information. More specifically, these statutes address three main points of information flow:
 

  • Collection: U.S. law generally places few limits on the kinds and extent of information that an authorized party may collect about you. For example, Web sites and search engines use browser cookies and Flash cookies (see the UC Berkeley report "Flash Cookies and Privacy") to collect information about users over time; the law doesn't limit this collection, though unfair or deceptive practices (such as acting inconsistently with a posted privacy policy) could get a company into trouble with the Federal Trade Commission. The flip side of the lack of constraints on communications data collection is that U.S. law, unlike EU law, doesn't impose data retention requirements. Given the extent to which companies collect information for their own purposes, this may be cold comfort. The rules for data collection by the federal government are somewhat stricter. Under the Privacy Act, federal agencies have to notify the public about, and assess the privacy impact of, any "system of records" (essentially a database from which records are retrieved by a personal identifier) they put in place. The Privacy Act also limits when and to whom agencies can disclose information from these databases. As privacy experts Dan Solove and Chris Hoofnagle have explained at length (see "A Model Regime of Privacy Protection, Version 2.0"), however, the Privacy Act has many limitations, ranging from the fact that it doesn't apply to state or local governments to its allowing federal agencies to use databases assembled by commercial data brokers without notice.

  • Use: The second way U.S. privacy law operates is by setting limits on how a company (or other party) can use private information it has collected. Here, again, U.S. law is pretty weak, especially where communications records are concerned: the in-house use of phone and Internet records by service providers isn't regulated (though disclosure is). The situation is different where health information is concerned. The HIPAA Privacy and Security Rules, for example, require healthcare providers and insurers to set up technical and procedural safeguards against unauthorized access to patients' health information, which includes a provider's own staff looking at records for reasons outside the scope of patient care. The federal Genetic Information Nondiscrimination Act extends this protection by prohibiting employers from using genetic information to fire (or refuse to hire) workers and health insurers from using it to deny coverage.

  • Disclosure: Finally, U.S. law limits when and how data may be shared, in a couple of significant ways. First, the government can usually get private information from a party that has it (your ISP, a website, your doctor, etc.); the question is how much work the government has to do to justify a demand for information. This can range from obtaining a warrant to conduct a wiretap to simply sending a letter (a national security letter) to a communications provider to request call records as part of a "national security" investigation. (The Department of Justice's Office of the Inspector General has reported on abuses of this informal mechanism.) The second side of disclosure concerns information exchanges between private parties. The rules here vary quite a bit. On one hand, a private party cannot get the equivalent of a search warrant to intercept communications between parties that haven't given consent. On the other hand, the laws permit many types of data sharing among private parties, perhaps subject to customer opt-out requirements. Moreover, consent paves the way for exchanges that aren't categorically permitted by law; the scope of consent may be very broad, and the process for giving consent can be as minimal as using a service or checking a box. And remember that data privacy rules generally apply to a certain type of organization (e.g., your bank) or a person in a certain role (e.g., your doctor). Once data about you is in the hands of a third party outside those roles, the law has very little to say about how it may be used.

A few laws (including HIPAA and Gramm-Leach-Bliley), in addition to restricting disclosures, require companies to take certain precautions to prevent data breaches. Even under more detailed administrative rules (such as the HIPAA Security Rule), these regulations leave a great deal of discretion to companies in deciding how to protect private information, and it's hard to tell how well they actually work. To give the public some information about when data protection has failed, most states (starting with California, whose law took effect in 2003) require companies to notify customers of security breaches that might have exposed their personal information.

Those are the basic outlines of data privacy law. The landscape is complex, but I hope I've been able to illustrate some of the patterns that are repeated in many different data privacy laws. However, I don't want to leave the impression that the law is all that matters when it comes to data privacy. Fundamental issues -- such as how data privacy fits into broader issues of how individuals get to define themselves, and how privacy relates to other social objectives (security, safety, free speech) -- remain under debate. Though the law can contribute to that discussion, it's but one way to define and protect privacy.

Aaron Burstein is a Research Fellow, UC Berkeley School of Information.