Add to collection(s) Add to saved
  1. Social Science
  2. Law
  3. Constitutional Law

AMERICAN EXPECTATIONS OF PRIVACY IN AN INFORMATION AGE *

advertisement 
AMERICAN EXPECTATIONS OF PRIVACY
IN AN INFORMATION AGE *
Jeffrey A. Meldman
January 1981
CISR No. 66
Sloan WP No. 1180-81
* Copyright
.1981 J. A. Meldman. The text of this paper
was originally presented at the Fourteenth Annual Hawaii
International Conference on Systems Science, Honolulu, Hawaii,
January 1981.
- 1 -
Rapidly increasing applications of computer-based
information technology in realms of social activity have
had considerable impact on society itself.
tainly to be expected.
This is cer-
The exchange and use of information
about individual persons lie at the very heart of such
private social institutions as banking, credit, insurance,
and even medical care.
Numerous governmental activities
such as taxation, census taking, licensing of drivers, etc.,
also rely greatly on personal information.
More personal
social relationships such as trust, friendship, and love
depend even more critically on the personal information
that individuals choose to share with one another.
1
As
technology provides faster and cheaper means to collect,
maintain, and exchange personal information, the social
arrangements based upon this information are necessarily
affected.
One social value that is particularly affected
is the expectation of privacy.
- 2 -
There is no universally accepted definition of privacy.
The word usually denotes an individual's expectations of
control over information about himself.
passes expectations of several kinds.
But this encomPerhaps most funda-
mentally, it denotes an individual's expectations to be
free from undue intrusion.
Most individuals expect some
degree of privacy in the sense of being undisturbed and
unobserved within certain boundaries that society recognizes
as their private domains.
The expectations may apply to
physical domains, such as an individual's home, or to less
tangible domains, such as the information contained in a
diary.
There is a second set of expectations concerning
freedom from undue dissemination.
These involve circum-
stances in which an individual reasonably expects his
name or photograph or other personal information not
to be disclosed by someone else to other individuals or to
the public at large.
These expectations may apply to infor-
mation improperly obtained by an intrusion (e.g., from a
stolen diary), as well as to information entrusted to
someone else for a specific purpose
(e.g., census information).
A third set of expectations, one that only recently
has become part of the notion of privacy, concerns the
fairness of decisions made about an individual.
To a more
and more explicit extent individuals are coming to expect,
_________________X____l____l·m__
- 3 -
whenever decisions must be made about them on the basis
of personal information, that the information be accurate,
relevant, and complete.
As a consequence, individuals
will often expect to be able to see the "files"
that
government agencies and private organizations maintain
about them.
There is strong evidence of a substantial and growing
concern among the American public over threats to their
expectations of personal privacy.
A recent study of
public attitudes toward privacy reveals 64 percent of the
public expressing such concern as of December 1978.
A
similar study conducted a year earlier evoked concern from
only 47 percent of the public.
The later study also
found that 50 percent of the computer industry executives
surveyed, and 74 percent of the members of Congress surveyed
shared the public's concern.2
(See Table 1.)
percent of the American public
(and 67 percent of the
Seventy-six
computer industry executives) expressed the opinion that
the right to privacy is as fundamental for the individual
and for a just society as are life, liberty, and the
pursuit of happiness.
In regard to intrusion and dis-
semination, the public ranked finance companies and credit
bureaus first among all organizations both for asking for
more personal information than is necessary and for not
doing enough to keep personal information confidential. 4
(See Table 2.)
_1_____11_1________·ll______
Only 38 percent of the public trust the
_-- _·__
-
4 -
rdp
a),
oN
(.,
Z~rO
N
(N
CO
-i
ul
N
O
r
N
N
O
C)
e'
c-
LA
C)
-4
m
',
co
N ,9
?'
Ur
a
-
-W
' 31
;>.
"C
(( w
Q
r-4Z
U
r-
~-14Ja)
Z
-1
0
1-4
-H U
0
u
-I
dPI
>1
_(03a)ra
0z
V $4
CN
(N
m
(N
r"
-
U8
0
dP
a4
r,j
a)
0
r>
0
%D
-4I
CN
1-4c
LO
CN
U
ai)
dP
y e-
a
-I
(0
k+
) _+
2J.
-
U
r_
LA
cn
(v
v
o
o
LO
r
V
,-4
i"r`
a)
r4
3
0O
1-4
,..
v
?
C,
I-
0
1
CS
C
;v
m
cn
a)
0
>.
'4
U)
-I '
x
co
C-
z
*.
a
r.
0
n
>-
a)
4
U)
a)
-
0
U
__. ___·____________^___
ns
,
_1_11_1__1·1__1_·II
4
r
H
a)
d
a)
o
a)
4-)1
E-
tH
4-)
a)
64
U
4.3
a)
.4
U
4.)
m
Cz
rd
T
U
.O
H
E
U
-
5 -
'ABLI 2
QUESTION:
Which organizations ask for
more personal information than
is really necessary?
-
Organization
-
Responses
QUESTION:
Which organizations should
be doing more to maintain
confidentiality of cersonal
information?
-
(%)
Organization
Responses
Finance companies
45
Credit bureaus
45
Credit bureaus
44
Finance companies
43
Insurance companies
38
Credit card companies
42
Internal Revenue Service
38
Government welfare agencies
41
Credit card companies
37
Internal Revenue Service
37
The CIA
34
Insurance companies
37
The FBI
33
The FBI
35
Government welfare agencies
32
The CIA
34
Newspapers, magazines, and
television
31
Newspapers, magazines, and
television
34
Banks
29
Local police
34
Employers
25
Congressional committees
31
Hospitals
24
Banks
30
The Census Bureau
24
Employers
29
Local police
23
Social Security Administration
27
Congressional committees
22
The Census Bureau
26
Social Security Administration
21
Hospitals
23
The telephone company
17
The telephone company
22
Private doctors
11
Private doctors
17
.- ,, - -- , ...11. - -
~--_, _ ,
_
_---.
(%)
- 6 federal government to use personal information properly,
and only 36 percent trust business organizations to do the
same.5
Fifty-four percent of the public--and 53 percent
of computer industry executives--believe that the present uses of computers are an actual threat to personal privacy.6
The public's concern about privacy and its specific
expectations with respect to intrusion, dissemination, and
fairness in decision making must, of course, be balanced
against other social values.
Among these are the economic
efficiency of commerce, the public's right to know, and
the freedom of speech and press.
As in so many other
situations of conflicting social goals, the law has had
to deal with this balance.
The legal doctrines that have
evolved with respect to privacy have established the
boundaries within which an individual's expectations of
privacy are socially recognized.
It is not surprising
that this evolution often has had to be responsive to
new technologies and practices related to information.
American privacy law has evolved along three distinct
paths:
the right to sue a person or organization for a
tortious invasion of one's privacy, the constitutional
right against governmental invasion of privacy, and the
protection afforded by statutes against privacy invasions
related to the files of personal information maintained
by private and governmental organizations.
The last of
these most directly affects today's computer-based information activities, but it will be helpful first to look
-
7
briefly at the conceptual development of privacy law
along the first two paths.
The earliest path in the evolution of privacy
law was in the area of torts.
Torts are private wrongs
(like battery and defamation) for which one party sues
another for compensatory damages.
Unlike similar suits
based on contractual promises, tort suits are based on a
set of pre-existing rights and duties recognized by the
courts.
Until about 100 years ago, privacy was not among
these recognized rights.
In 1881 a woman was awarded
damages for an intrusion, during her childbirth, of a
man pretending to be a medical assistant.
were then rare.
But such cases
In 1890 the right to privacy was first
explicitly formulated in a now famous law review article
by Louis Brandeis (then an attorney practicing in Boston)
and his law partner Samuel Warren.
Warren and Brandeis
were concerned about a new technology--instantaneous
photography--in conjunction with the sensationalistic
practices of many of the newspapers of the time.
They
viewed the taking of an unauthorized photograph of an
individual as an unacceptable intrustion into the individual's private domain.
The unauthorized circulation of
such a photograph, in their view, was an unacceptable
dissemination of something that only the individual should
After reviewing the
have the right to make public.
-
I I_ ^_
_ _11_ _ ___11_ · XII
__ -------
~I__1_
.~_
1_
- 8-
evolution of American tort law, which they rightly
characterized as recognizing more and more the intangible
aspects of both person and property, they called upon
the courts to recognize explicitly the general concept
of a right to privacy.
The courts were rather slow to follow their suggesIt was not until 1905 that a state supreme court
tion.
(Georgia) decided that privacy was among the recognizable
rights that private citizens enjoyed vis-a-vis each
other. 9
The court awarded damages to a plaintiff whose
name had been used without his permission in a testimonial
advertisement.
Today, through court decisions and legis-
lative actions, similar rights are recognized throughout
the various jurisdictions of the United States.
While
the details differ from state to state, the full complement of these tortious invasions of privacy can be
summarized as follows:l 0
(1)
Appropriation, for the defendant's advantage
of the plaintiff's name or likeness.
(2)
Intrusion upon the plaintiff's seclusion, or
into his private affairs.
(3)
Public disclosure of embarassing private facts
about the plaintiff.
(4)
Publicity which places the plaintiff in a
false light in the public eye.
^---II~III--_---1-1~-1 -^---~-- ------ ·
~ l~l_----X
· ~---I ~--~..l
_ I~1I--.I___I1
-
9 -
These four forms of invasion establish rules that help
to determine boundaries within which intrusion is
legally unacceptable and outside of which dissemination
is legally unacceptable.
The second major path of privacy law has been in the
area of constitutional protection from governmental
invasion.
While the Constitution nowhere mentions pri-
vacy explicitly, several of the rights enumerated in the
first ten amendments
(the "Bill of Rights") embody various
aspects of personal privacy.
For example, the First
Amendment right of assembly ("freedom of association")
was held in 1958 to have been violated by an Alabama
statute that required the N.A.A.C.P.,
as an out-of-state
corporation, to deliver its membership list to the state. 1 1
The Supreme Court held that the N.A.A.C.P.'s claim of
immunity from state scrutiny of membership lists "is
so related to the right of the members to pursue their
lawful private interests privately and to associate freely
with others in so doing as to come within the protection
of the Fourteenth Amendment." 1 2
(The Fourteenth Amendment
brings most of the protections of the Bill of Rights
into operation against state governments much as they
operate themselves against the federal government.)
Recall, however, that another portion of the First
Amendment--the freedom of speech and press--involves
_1_________1________
___l_____l___r____
-
10
-
rights that inherently oppose the right to privacy.
It was not until 1965 that the Supreme Court
explicitly declared a constitutional right to privacy.
In Griswold v. Connecticut the Court struck down a
Connecticut statute prohibiting -the use of contraceptives,
holding that this activity fell within certain constitutionally protected zones of privacy that had to be
protected if full meaning was to be given to the enumerated
rights in the first ten amendments.
Besides the First
Amendment right of assembly just mentioned, the Court
pointed to the Fourth Amendment right against unreasonable
search and seizure, the Fifth Amendment right against selfincrimination and the right to due process, and the
Third Amendment right against the quartering of troops
in one's home.
In the abortion decisions in 1973, the
Court followed the precedent it had established in Griswold,
holding that the right to privacy "is broad enough to
encompass a woman's decision whether or not to terminate
her pregnancy."
The component rights from which the Supreme Court
fashioned the constitutional right to privacy are mainly
concerned with preventing governmental intrusion.
The
one exception is the Fifth Amendment right to due process.
Loosely speaking, this affords to an individual a
guarantee of fairness in the making of decisions by which
___II___
_____(_________
_______________I___
-
i
-
the government might deprive him of his life, liberty
or property.
In many cases this implies a judicial
proceeding, such as a trial or hearing, with certain
traditional
(and presumed)
fairness safeguards--the right
to present and to cross-examine witnesses, the rules of
evidence, etc.
(The Sixth Amendment expands these rights
of fairness in the case of criminal prosecutions, but
this was not included in the privacy-related rights outlined in Griswold.)
Similar expectations of fair treat-
ment in the decision-making process, with respect to
private organizations as well as to government agencies
have become a major component of privacy law as it is
emerging in the third path, the statutory protection of
privacy.
Congressional concern about the protection of privacy
began in earnest in the mid-sixties, chiefly in response
to a proposal to establish a National Data Center, a
central statistical pool of personal information to be
assembled and shared by all federal agencies.l5
The pro-
posal, along with a review conducted by the Bureau of
the Budget, 1 6 neglected any consideration of possible
privacy problems, and to many of its critics, the whole
project raised the spectre of George Orwell's "Big
Brother."
Hearings held before a House Subcommittee
during the summer of 1966 revealed a growing concern that
____I_
____lpll_^__···___(_____·_^---
the principles of privacy that had developed in the tort
law and in constitutional law- would be difficult to
apply directly to the possible abuses posed by computerbased information files.
17
For several reasons, includ-
ing these privacy objections,
carried out.
Nonetheless,
the proposal was never
the proposal pointed out what
appeared to be a growing need for legislative safeguards
aimed directly at large-scale data bases, manual as
well as automated, in the hands of private organizations
as well as in the hands of government.
The first significant piece of federal privacy
legislation was the Fair Credit Reporting Act of 1970.1
Under this statute, a person who is denied consumer credit
as a result of an unfavorable credit report has the
right to be told the name and location of the credit
reporting agency that supplied the report.
The consumer
can then go to the reporting agency, which is obligated
to tell the individual the nature and substance of the
consumer's file.
It should be noted that the consumer
does not have the right to see or to copy the file
itself.
(However, most of the large credit reporting
agencies today will voluntarily provide a copy of the
report for a fee of about five dollars.)
If the consumer
disagrees with the accuracy or completeness of the
information contained in the file, he may, after
LI__I_ II_____^_ILIII111__1_1_.___1111
-
13 -
the agency has had an opportunity to correct or reaffirm
the contents, append a short statement stating the facts
from the consumer's point of view.
The reporting agency
is required thereafter to disseminate the consumer's
statement to whomever it disseminates the file itself.
(In practice, many reporting agencies have been found to
disseminate only a note that a dispute exists about which
information is available upon further request.19).
This is
an early example in which a certain amount of information
fairness is required of a private organization.
In 1974 the Family Educational Rights and Privacy
Act (the "Buckley Amendment") afforded similar rights to
students (or, in the case of minors, to their parents). 20
Under this legislation, students have the right actually
to see and to copy their files
("education records"), the
right to a hearing if they disagree with the accuracy or
completeness of the files, and again the right to append
a statement if the hearing does not resolve the dispute
to their satisfaction.
In addition educational institutions
are now under strict regulation with regard to the dissemination of students' education records, both to persons
outside the institution and to some persons within the
institution.
Each institution is also required to prepare
and to distribute to students a detailed statement of its
privacy policy.
In the same year, Congress passed the Privacy Act
of 1974.21
This
is the most comprehensive federal privacy
legislation enacted
a model for
in the U.S.,
and
it has
several state privacy laws.
nally introduced into the Senate,
served as
As it was origi-
the bill would have
regulated data bases in private organizations as well as
in government agencies. 2
(This was the approach later
to be taken in some of the European privacy laws.
the version that ultimately passed,
23
)
In
only federal agencies
were covered, but a Privacy Protection Study Commission
was established to look into the question of privacy
regulation in the private sector.
The Privacy Act regulates the collection, maintenance,
and disclosure of records about individuals, whether these
records are manual or automated.
Some of the highlights
of the act are illustrated in Figure 1.
In the figure,
the outer box represents a federal agency, and the inner
box represents its system of records.
The act protects against undue intrusion by requiring
an agency,
to the greatest extent practicable, to request
personal information directly from the data subject
(not
from a third party) whenever the information may result
in adverse determinations about the individual's rights,
benefits, and privileges.
Then,
in making the request,
the agency must inform the individual of the legal
authority authorizing the request, whether compliance is
____ ___11_1-111_1__11___._
___
- 15 -
data subject
third parties
~ ~ ~~~~
"~~~~
I
n
I]
l~
I
not when data can result
in adverse determination
!
_
I
-
flu
-
_
_
__
III
Ild I I I fly
I i
I1
I
]._
FIGURE 1
X
L
_
iA_
-7
_
external
disclosure
HIGHLIGHTS OF THE PRIVACY ACT OF 1974
---
·-----~~~~~~----
_
_
- 16 -
mandatory or voluntary, the principal purpose for which
the information will be used, other routine uses that
may be made of it
agency),
(including disclosures outside of the
and the consequences, if any, to the individual
for not supplying the information.
Theoretically, this
permits the individual to make an informed decision about
whether or not to supply the information.
Another pro-
vision of the act prohibits most federal, state and local
government agencies from denying any right, benefit, or
privilege to an individual for refusing to disclose his
social security number, absent statutory authority to the
contrary.
Federal agencies may maintain in their records only
such information as is relevant and necessary to their
legally defined purposes.
They may not maintain information
concerning individuals' exercise of their First Amendment
rights.
Records must be maintained with sufficient
accuracy, relevance, timeliness and completeness to assure
fairness in determinations about the individual.
The act provides explicitly for access by the data
subject not only to his files but also to a log that
must be kept of external disclosures.
If the data subject
wishes to dispute the contents of the file he may request
an amendment and then, if he wishes, an agency review of
the outcome of his request.
If he is still dissatisfied,
he may take the dispute directly into Federal Court.
-
17
-
With respect to dissemination, personal
information
may be disclosed within the agency only to those employees
who have a need for the record in the
erformance of
Outside of the agency it may normally be
their duties.
disclosed pursuant only to written permission of the
data subject or to a previously indicated routine use.
Federal agencies are also prohibited from selling or
renting mailing lists, except where specifically authorized by law.
In addition to these restrictions on collection,
maintenance, and disclosure,
the act requires agencies to
publish annual notices describing the nature of the
and to establish appropriate
personal records they keep,
administrative, technical, and physical safeguards to
insure the security of these records.
As was mentioned above,
the Privacy Act also estabOne of
lished a Privacy Protection Study Commission.
its charges was to investigate information practices in
the private sector and to make recommendations concerning
possible mandatory and voluntary remedies where needed.
The commission held hearings for two years, paying particular attention to credit,
educational,
financial, medical,
insurance,
and employment record-keeping practices.
As a result of these hearings, the commission found an
accelerating trend toward the accumulation in organizations'
records of more and more personal details of
----- --------II---^1------.--·-I
·
individuals.
^---------
-
18 -
It found that organizations tend to make and keep records
about individuals for purposes that go beyond the relationships they have with the individuals, and that more
and more records are collected, maintained, and disclosed
by organizations that have no direct relationship with
the individuals.
Finally, they determined that neither
current law nor current technology gives the individual
the tools he needs to protect his legitimate privacy
interests in these records.
24
The commission made a
sweeping series of recommendations for separate legislative regulation in each of the industries it studied.
In the case of employment records, voluntary reforms were
urged.
Throughout their recommendations three policy goals
were stressed:
(1) to create a proper balance between what an
individual is expected to divulge to a recordkeeping organization and what he seeks in
return (to minimize intrusiveness);
(2) to open up record-keeping operations in ways
that will minimize the extent to which
recorded information about an individual is
itself a source of unfairness in any decision
about him made on the basis of it (to maximize
fairness); and
(3) to create and define obligations with respect
to the uses and disclosures that will be made
of recorded information about an individual
(to create legitimate, enforceable expectations
of confidentiality). 25
These goals can be seen to meet precisely the three
sets of privacy expectations that we have traced from
early American privacy law.
-
19
-
As a consequence of the commission's recommnendations, a considerable amount of privacy legislation has
been introduced in Congress.
Among these are a medical
records bill, a fair financial information practices
bill (encompassing privacy reforms in consumer reporting,
credit granting, credit and check authorization, depository banking, and insurance),
and an electronic-funds-
transfer privacy bill.
Taken together with the Privacy Act of 1974, this
proposed legislation demonstrates how our expectations
of privacy need continually to be reexamined and rearticulated as information technology continues to advance.
-NOTES
See Charles Fried, An Anatomy of Values:
Personal and Social Choice
U.
Press,
1970),
Problems of
(Cambridge, gMass.:
Chapter IX
Harvard
("Privacy and Personal
Relations.")
Louis Harris and Alan F.
Privacy:
A National Opinion Research Survey of Attitudes
Toward Privacy
1979)
pp.
3Ibid.,
Ibid.,
p.
28-29.
p.
22.
6Ibid.,
p.
76.
Roberts 46 Mich. 160,
9 N.W. 146
Samuel Warren and Louis Brandeis,
4 Harvard Law Review
9
Pavesich v.
50 S.E. 68
Sentry Insurance,
15.
pp.
De May v.
(Stevens Point, Wis.:
12-14.
5Ibid.,
7
Westin, The Dimensions of
193
"The Right to Privacy,"
(1890).
New England Life Insurance Co.,
(1905).
(1881).
22 Ga. 190,
10William Prosser,
383,
389
(1960).
1N.A.A.C.P. v.
12
Ibid. at 466.
1 3
Griswold v.
14
Roe v.
1
"Privacy," 48 California Law Review
Alabama, 357 U.S.
449
(1958).
Connecticut, 381 U.S. 479
Wade, 410 U.S. 113, 153
(1965).
(1973).
Library of Congress, Legislative Reference Service,
"Information Concerning the Proposed Federal Data Center,"
(August 1966).
16U.S. Bureau of the Budget,
a National Data Center"
17
"Review of a Proposal for
(The "Dunn Report"),
(December 1965).
See U.S. Congress, House of Representatives, "Hearings
on the Computer and Invasion of Privacy Before a Subcommittee
of the House Committee on Government Operations,
89th Cong. 2d Sess.
See 15 U.S.C.
_II___X_
(July 26-28, 1966).
§ 1687 et. seq.
A9U.S. Privacy Protection Study Commission, Personal
Privacy in an Information Society
(Washington, D.C.:
Government Printing Office Superintendent of Documents,
Stock No. 052-003-00395-3, July 1977),
p.
69.
20See 20 U.S.C. § 1232g.
2 1
P.L. 93-579
5 U.S.C.
24
n.
E.g.,
1974),
in part creating
§ 552a.
22S. 3418,
23
(Dec. 31,
93rd Cong., May 1,
1974.
the German Data Protection Act.
Personal Privacy in an Information Society, supra
19, p.
2 5 Ibid.,
__1_____1________ll_______X
8.
pp. 14-15, italics in the original.
____
Related documents
“Contrasting the early 19th versus early 21st Centuries”
“Contrasting the early 19th versus early 21st Centuries”
Central Missouri Cardiovascular Associates P
Central Missouri Cardiovascular Associates P
Privacy Confidentiality Minor
Privacy Confidentiality Minor
Sample essay questions for Chapters 4 & 8
Sample essay questions for Chapters 4 & 8
IAPP presentation - International Association of Privacy Professionals
IAPP presentation - International Association of Privacy Professionals
Download
advertisement