Privacy is a core American value. Americans also value the free flow of information. In the United States we analyze and balance these sometimes competing values on a sector-by-sector basis, calibrating the balance point to fit a particular set of circumstances. As a result, protections vary from sector to sector. For example:
Federal law regulates the government's collection, use, and distribution of a significant amount of personal information. These protections are fairly comprehensive, although critics cite inadequate enforcement and note that the scope of protection may not be keeping pace with technology.
It is generally against the law to intercept the content of any communication without consent or specific authority. The 1996 Telecommunications Act extends comprehensive protection to transactional data held by common carriers. Online service providers and Internet access providers are not currently regulated by statute, but many contract with subscribers to provide privacy protections. In this area, the market appears to be providing a range of consumer choice.
Medical records are largely unprotected by federal law, governed traditionally by codes of professional conduct. But doctor-patient confidentiality safeguards may well be inadequate as cost containment pressures force the health care industry to maximize information technology use. Legislation passed in the 104th Congress, however, will produce important recommendations for comprehensive protection of medical records and will lead, at a minimum, to enforceable protection for medical records transmitted for insurance claim administration.
Consumer privacy safeguards are much less predictable in the commercial marketplace. Federal law governs use and disclosure of credit information by credit agencies. The same information is unprotected in other hands. Traditional notions about financial privacy have limited disclosure of banking information in the past, but may not be adequate in the current marketing environment. Some lifestyle information, like video or cable viewing habits, is protected by law, while other lifestyle data is not protected. The direct marketing industry appears to be responding to consumer demand for adoption and enforcement of fair information practices involving notice, choice, access and security. The FTC is monitoring this response.
Critics of U.S. data protection policy tend to identify several structural characteristics of our approach as troublesome:
- The sectoral approach protects privacy on a piecemeal basis. As a result, privacy rules are neither consistent nor predictable from sector to sector. This imposes compliance burdens on industry, and makes it more difficult for consumers to anticipate how their personal information will be used in any particular setting.
- No federal agency currently has privacy as its primary, much less its only, mission. This means that privacy must compete, in terms of budget and staff resources, with the other responsibilities of these agencies. It also means that our international trading partners have a harder time identifying the proper forum to raise concerns about privacy and transborder data flows.
- No federal agency is responsible for articulating privacy values on an ongoing or proactive basis. Legislation is traditionally remedial in the United States, and government tends to intervene only when a specific problem is identified. Legislative solutions in the privacy area, moreover, tend to be narrowly tailored to deal with a specific type of information maintained by a particular sector of the economy.
- No federal agency coordinates government privacy initiatives. Some privacy concerns are not within any particular agency's purview. Other areas of privacy straddle one or more agencies. Also, in the absence of overriding federal legislation, privacy concerns are often addressed by the fifty individual states either through laws or constitutional protections. Some states have been aggressive in this arena,[249] but privacy protection varies widely from one state to another. This creates difficulties for businesses operating in today's networked environment, where transfers of personal data across state lines are commonplace.
- Self-regulatory efforts are laudable, but unenforceable. Some segments of the private sector have taken affirmative steps to address privacy issues arising in the modern networked environment by adopting voluntary codes of conduct. Yet, unsolicited mail and telephone calls continue to be a major source of consumer dissatisfaction. Likewise, while major credit bureaus have adopted voluntary privacy standards, the credit reporting industry continues to be a leading source of complaints to the Federal Trade Commission.[250] In any event, voluntary codes provide very little by way of judicial, or quasi-judicial, redress. Moreover, the codes are almost always voluntary, so non-compliance has little consequence. As with legislative responses, changes in private sector practices often occur only in response to some precipitating event.[251]
But the current approach to data protection in the United States has admirers as well. Supporters of the sectoral approach remind us of several of its virtues:
- The sectoral approach is more effective than an omnibus approach. One-size-fits-all privacy policies will inevitably constrain innovation and reduce competition, at the expense of the consumer.
- Privacy is only one of a number of important policy issues. There is no reason why it should not compete with priorities for its share of budget and human resources. Moreover, the fact that several agencies may have authority or responsibility for privacy protection may result in healthy inter-agency competition to "do the right thing."
- Our approach to privacy may have some inefficiencies, but it does avoid burdensome over-regulation. The reactive, rather than anticipatory, approach to privacy is consistent with our approach to lawmaking in other areas.
- The status quo is anything but static. Awareness of and attention to privacy issues have risen dramatically in recent years, and real progress is being achieved. It's not clear what additional federal coordination would contribute to this process.
- Self-regulatory efforts can work, and industry has demonstrated an admirable commitment to enhanced self-regulation. In recent months industry has also invested in the development of powerful technological tools to make the fair information principles of notice and choice a reality for consumers.
249. California, for example, has a state constitutional right to privacy as well as statutory privacy protection. See Calif. Const. art. I., § 1; Calif. Civ. Code § 1798 (West 1995). In 1994, a California court, relying on these statutory and constitutional protections, ruled against an individual who sought a county's entire municipal court information database because of the privacy implications inherent in the aggregate nature of the personal information contained in that database. Westbrook v. County of Los Angeles, 27 Cal. App.4th 175, 32 Cal. Rptr. 2d 382 (1994).
250. Merrill, supra, note 192.
251. For example, in the early 1990s, mounting consumer dissatisfaction, adverse media coverage and highly publicized lawsuits preceded changes in how the credit reporting industry dealt with consumer access to credit reports and ultimately led to amendments to the Fair Credit Reporting Act. See Rothfeder, supra note 139, at 58-62.