
Chapter 1: Introduction to Privacy

1. Introduction to Privacy

This chapter introduces the protection of individual information, called privacy law or information privacy law (U.S.) and data protection law (EU). It covers vocabulary, global principles, legal structures (comprehensive, sectoral, self/co-regulatory, technology-based models), and approaches to information privacy.

1.1 Defining Privacy

Privacy is a debated and evolving concept, notably defined in 1890 by Warren and Brandeis as "the right to be let alone." This definition balances individual autonomy and societal interests, influencing global privacy thinking. Privacy protects independence, dignity, and integrity by allowing individuals to control exposure of their attitudes and behavior.

1.2 Classes of Privacy

Privacy can be organized into four classes:

  • Information privacy: Rules for collecting and handling personal information (e.g., financial, medical, online activity).

  • Bodily privacy: Focuses on the physical body (e.g., genetic testing, birth control).

  • Territorial privacy: Limits intrusions into personal environments (e.g., home, workplace surveillance).

  • Communications privacy: Protects means of correspondence (e.g., mail, phone, email).

While interconnected, the text primarily focuses on information privacy.

1.3 The Historical and Social Origins of Privacy

Information privacy has roots in ancient texts (e.g., classical Greece, Bible, Jewish law, Qur’an). Legally, it traces from early English law (e.g., Justices of the Peace Act 1361; Lord Camden's 1765 protection of home privacy). This tradition influenced the U.S. constitutional framework, where privacy is implicitly protected by the Third, Fourth, Fifth, and Fourteenth Amendments (ratified 1789). The California Constitution explicitly adds a right to privacy (1974). Internationally, modern privacy emerged from the human rights framework, notably the Universal Declaration of Human Rights (1948) and the Council of Europe's European Convention on Human Rights (1950) Article 8. Convention 108 (1981) required data protection laws, with a 108+ update in 2018 aligning with GDPR.

1.4 Fair Information Practices (FIPs)

FIPs (or FIPPs) are a foundational framework for individual rights and organizational responsibilities regarding personal information. Key codifications include the 1973 U.S. HEW Principles, 1980 OECD Guidelines, 1981 Convention 108, 2004 APEC Privacy Framework, and 2009 Madrid Resolution. FIPs generally categorize privacy into four areas:

1.4.1 Overview of Fair Information Practices

FIPs guide data handling with privacy, security, and fairness, covering:

1.4.1.1 Rights of Individuals

  • Rights of Individuals: Notice (disclosing privacy policies), Choice and Consent (obtaining agreement for data use), and Data Subject Access (right to review personal data).

1.4.1.2 Controls on the Information

  • Information security: Using safeguards to protect data from unauthorized access.

  • Information quality: Maintaining accurate, complete, and relevant data.

1.4.1.3 Information Life Cycle

  • Collection: Gathering data only for identified purposes.

  • Use and Retention: Limiting use to specified purposes and retaining data only as long as necessary.

  • Disclosure: Sharing data with third parties only for identified purposes and with consent.

1.4.1.4 Management

  • Governance: Defining, documenting, and assigning accountability for privacy policies; establishing monitoring and enforcement.

Other FIPs frameworks (HEW, OECD, Council of Europe, APEC, Madrid Resolution) reiterate similar principles, emphasizing transparency, purpose limitation, data accuracy, security, and accountability.

1.5 Information Privacy, Data Protection, and the Advent of Information Technology

Modern privacy concepts evolved with rapid IT development. By the 1960s, mainframe computers enabled large-scale data processing, raising surveillance concerns and privacy risks (e.g., George Orwell's 1949 novel 1984). This led to early data protection laws in Europe (e.g., Hesse 1970) and the U.S. (Fair Credit Reporting Act 1970).

1.6 Personal and Nonpersonal Information

Personal information identifies an individual (e.g., name, SSN, address). Sensitive personal information requires extra protections (e.g., financial, health data). Nonpersonal information cannot identify an individual once stripped of identifiers. Terms like deidentified, anonymized, and pseudonymized describe data states; pseudonymized data can still be re-identified by whoever holds the key or mapping that produced the pseudonyms. The distinction can vary by jurisdiction (e.g., the EU often treats IP addresses as personal data, while the U.S. federal Privacy Act does not, though the FTC may).
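The difference between the data states named above is easier to see in code. The following is an added example (not from the chapter or its publisher) that pseudonymizes constructed sample records with a keyed HMAC, keeps the re-identification table apart from the dataset, and contrasts that with a simple anonymization step (dropping direct identifiers and generalizing ZIP code and age). The record fields, names and key are all constructed for illustration.

```python
"""
Added example: pseudonymized vs. anonymized data states (section 1.6).

Pseudonymization swaps direct identifiers for a token; the controller keeps
the mapping (or the secret key that derived the token) and can therefore
re-identify a record. Anonymization removes direct identifiers and
generalizes quasi-identifiers so that nothing links back to one person.
Every record, name and key below is constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; the individuals are hypothetical.
RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "zip": "02139", "age": 34, "diagnosis": "flu"},
    {"name": "Bob Sample", "ssn": "987-65-4321", "zip": "02142", "age": 41, "diagnosis": "asthma"},
    {"name": "Alice Example", "ssn": "123-45-6789", "zip": "02139", "age": 34, "diagnosis": "sprain"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "ssn")


def make_token(key: bytes, ssn: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the direct identifier.

    A secret key (rather than a bare hash) means someone who knows the SSN
    format cannot recompute tokens for every possible SSN; the key is the
    asset that must be protected and held separately from the dataset."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Return (pseudonymized records, lookup table).

    The lookup table is the re-identification material: stored apart from
    the dataset and access-controlled, it is what makes the data
    pseudonymized rather than anonymized."""
    out, lookup = [], {}
    for rec in records:
        token = make_token(key, rec["ssn"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        clean["subject_token"] = token
        out.append(clean)
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Controller-side reversal: works only with the lookup table."""
    return lookup[pseudo_record["subject_token"]]


def anonymize(records):
    """Drop direct identifiers and generalize quasi-identifiers.

    No token is emitted, so there is nothing to join back to a person."""
    out = []
    for rec in records:
        out.append({
            "zip3": rec["zip"][:3],                    # 5-digit ZIP -> 3-digit prefix
            "age_band": f"{rec['age'] // 10 * 10}s",   # 34 -> "30s"
            "diagnosis": rec["diagnosis"],
        })
    return out


def has_direct_identifiers(records) -> bool:
    """True if any record still carries a direct identifier field."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # fresh key; would live in a vault
    pseudo, vault = pseudonymize(RECORDS, key)
    print("pseudonymized:", pseudo[0])
    print("re-identified with vault:", reidentify(pseudo[0], vault))
    print("anonymized:", anonymize(RECORDS))
```

Two properties worth noticing: the same person receives the same token across records, so pseudonymized data stays linkable (useful for analysis, but also why it remains personal data under regimes such as the GDPR), and the anonymized output carries no token at all, so the only remaining risk is inference from the generalized fields.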

1.7 Sources of Personal Information

Personal information comes from three primary sources:

  1. Public records: Collected by government entities and publicly accessible.

  2. Publicly available information: Widely accessible (e.g., phone directories, search engines).

  3. Nonpublic information: Not generally accessible due to legal/customary protections (e.g., medical, financial records, company customer databases).

The source influences how data can be used under different privacy regimes.

1.8 Processing Personal Information

Processing is a broad term for almost any action with personal information (collection, storage, use, disclosure, etc.). Key terminology:

  • Data subject: The individual whom the information concerns.

  • Data controller: The entity determining why and how personal information is processed, holding primary obligations.

  • Data processor: A third party processing data on behalf of the data controller (e.g., business associates under HIPAA). Processors must act within the controller’s scope.

1.9 Sources of Privacy Protection

Privacy protection stems from a blend of:

  • Market forces: Consumer concerns drive brand reputation and privacy practices.

  • Technology: Technical protections like encryption and privacy-enhancing technologies.

  • Law: Formal regulatory frameworks.

  • Self-regulation/Co-regulation: Industry codes, standards, or seal programs (e.g., PCI DSS, COPPA-associated seals).

1.10 World Models of Data Protection

Over 160 countries have privacy or data protection regimes, combining law, markets, technology, and self-regulation. Major global models include:

1.10.1 Comprehensive Model

Governs personal information across public and private sectors, typically overseen by a Data Protection Authority (DPA). Adoption is driven by historical injustices, the desire for EU GDPR adequacy, and the promotion of e-commerce. Critics cite high costs and potential hindrance of innovation.

1.10.2 Sectoral Model (United States)

Regulates privacy by specific industry (e.g., video rental, finance, medical records via HIPAA). Proponents highlight tailored protections, while critics note potential gaps, overlaps, and laws lagging technology (e.g., HITECH Act for breach notification).

1.10.3 The Co-Regulatory and Self-Regulatory Models

  • Co-regulation: Mix of government and industry regulation (e.g., Australia).

  • Self-regulation: Industry/independent bodies create codes (e.g., PCI DSS, COPPA compliance codes). Proponents emphasize flexibility and industry expertise; critics question adequacy and enforcement.

1.10.4 Technology-Based Model

Relies on technical measures like encryption and privacy-enhancing technologies to protect data, reducing dependence on formal governance.

1.11 Conclusion

This chapter introduced privacy/data protection terminology, traced historical development alongside IT growth, and outlined global privacy protection models—comprehensive, sectoral, self/co-regulatory, and technology-based—that shape enforcement and governance globally.