Records, Computers and the Rights of Citizens. Personal Privacy, Record Keeping, and the Law

07/01/1973

Some suggest that the risks presented by automated personal data systems call for a Constitutional amendment, or a general computer-based record-keeping practices. In the latter view, the enactment of an explicit, general right of personal privacy, whether Constitutionally or by statute, would not only provide no greater protection than is already latent in the common law of privacy, but also would create uncertainty and confusion that the courts are ill-suited to resolve.

Although the Constitution of the United States does not mention a right to privacy, and only three State Constitutions (Alaska, California, and South Carolina) make explicit provision for a right of privacy, various aspects of personal privacy have been protected against government action by judicial interpretation of certain provisions of the Bill of Rights. The First Amendment guarantees free speech, a free press, and freedom of assembly and religion; the Third Amendment prohibits quartering soldiers in private homes; the Fourth Amendment prohibits unreasonable searches and seizures; the Fifth Amendment protects against compulsory self-incrimination; and the Ninth Amendment guarantees that rights not enumerated in the Constitution are retained by the people. Courts have construed these protections of the Bill of Rights to uphold the individual's right not to be coerced into revealing political, social, or philosophical beliefs, or private associations, unless national security or public order are at stake. The issues in many cases are clearly rooted in concerns for personal privacy, but the courts have articulated their decisions in terms of Bill of Rights guarantees. The Supreme Court, however, has recognized a right of privacy as the basis for protecting the freedom of individuals to practice contraception, to read or look at pornography at home, and to have an unwanted pregnancy terminated.

Courts have also developed principles in the common law to allow suits for invasion of privacy in various situations involving financial or reputational. injury of one person by another. There is little evidence, however, that court decisions will, either by invoking Constitutional rights or defining common law principles, evolve general rules, framed in terms of a legal concept of personal privacy, that will protect individuals against the potential adverse effects of personal-data record-keeping practices. Indeed, there are many court decisions in which seemingly meritorious claims that could have been sustained by recognizing a right of privacy were denied because the courts would not permit such a right to override other legal considerations.

Although there is a substantial number of statutes and regulations that collectively might be called the "law of personal-data record keeping," they do not add up to a comprehensive and consistent body of law. They reflect no coherent or conceptually unified approach to balancing the interests of society and the organizations that compile and use records against the interests of individuals who are the subjects of records.1

The Federal Reports Act2 and the so-called "Freedom of Information Act,"3 taken together, come as close as any enactments to providing a framework for Federal policy in this area. However, they are limited in application to agencies of the Federal government; they deal in a limited fashion with only two aspects of record-keeping practice-data collection and data dissemination; and they contain scant and potentially inconsistent protections for the interests of individual record subjects.

The Federal Reports Act requires that Federal agencies, with several significant exceptions, obtain concurrence from the Office of Management and Budget before collecting "information upon identical items, from ten or more persons." The Act was designed chiefly to help business enterprises. Its main purposes are to minimize the "burden" upon those required to furnish information to the Federal government; to minimize the government's data collection costs; to avoid unnecessary duplication of Federal data-collection efforts; and to maximize the usefulness to all Federal agencies of the information collected. Although concern for the interests of individuals can be discerned in its administration, the Act itself makes no mention of personal privacy. It neither creates nor recognizes any rights for individuals with respect to the personal-data record-keeping practices of the Federal government.

The Freedom of Information Act mandates disclosure to the public of information held by the Federal government. It barely nods at the interest of the individual record subject by giving Federal agencies the authority to withhold personal data whose disclosure would constitute a clearly unwarranted invasion of privacy. The Act, however, is an instrument for disclosing information rather than for balancing the conflicting interests that surround the public disclosure and use of personal records. The Act permits exemption from mandatory disclosure for personal data whose disclosure would constitute a "clearly unwarranted invasion of personal privacy," but the agency is given total discretion in deciding which disclosures meet this criterion. The Act gives the data subject no way at all to influence agency decisions as to whether and how disclosure will affect his privacy.4

Many of the States, have similarly broad "public records" or "freedom of information" statutes whose objective is to assure public access to records of State government agencies,. Most of them, however, provide no exceptions from their general disclosure requirements in recognition of personal privacy interests. We discovered no State law counterparts to the Federal Reports Act.

By and large, one finds that record-keeping laws and regulations at all levels of government are limited and specific in their application. The requirements and prohibitions they impose apply to particular types of organizations, records, or record-keeping practices. They seldom go further than to stipulate that particular records shall be maintained and made accessible to the public, to particular officials, or for particular purposes, or that particular records shall be subject to confidentiality constraints. No body of statutory or administrative law establishes rights for individual record subjects or other rules of general application governing personal-data record-keeping practices, whether manual or automated.

Nor should we look to court decisions to develop such general rules. Courts can only decide particular cases; their opportunity to establish legal principle is: limited by the nature of litigation arising from controversies between parties. Few cases that raise the broad issues posed by all personal-data record keeping g have been brought before the courts, and fewer that focus those issues on computer based systems. There are several possible explanations for this.

One possibility is that nobody has been hurt enough or has felt sufficiently aggrieved by current record- keeping practices to bring suit. Another is that record-keeping and data-processing practices are not an overt or well understood function of institutions, whether governmental or private. Their adverse effects may not have been recognized. The individual affected may never discover that the root of his difficulties with an institution was some piece of information about him in a record. This is one reason for the section in the Fair Credit Reporting Act5 that requires than an individual be notified when an adverse action, such as denial of credit, insurance, or employment, is taken on the basis of a report from a consumer-reporting agency.

Still another possibility is that unless injury to the individual can be translated into reasonably substantial claims for damages, the individual ordinarily has little incentive to undertake a lawsuit. Few people can afford to bring suit against a well-defended organization solely for moral, satisfaction.

Record-keeping practices have ancient and predominantly honorable traditions, as we have seen. Historically, their social utility has seldom been questioned. Only when record-keeping systems can be shown to have caused actual injury, to have created problems with serious Constitutional implications, or to be in conflict with clear statutory requirements, are courts likely to interfere with their operation. As a consequence, government data systems appear, under existing law, to be virtually immune to constraint through suits by individual data subjects; private-sector systems appear no less so. The personal-data record-keeping, operations of private organizations are unlikely to give rise to Constitutional issues and are typically not subject to statutory requirements.6 The judicial process, in short, seems functionally ill-suited to initiating development of general common law rules relating to record-keeping practices.

The foregoing analysis leads us to conclude that the natural evolution of existing law will not protect personal privacy from the risks of computerized personal data systems. In our view the analysis also disposes of any expectation that enactment of a mere right of personal privacy would afford such protection .7 The creation of such a right without precise and elaborate definition of its intended significance: would not overcome the obstacles in the judicial process that hinder recognition of personal privacy in relation to record keeping. The development of legal principles comprehensive enough to accommodate a range of issues arising out of pervasive social operations, applications of a complex technology, and conflicting interests of individuals, record-keeping organizations, and society, will have to be the work of legislative and administrative rule-making bodies.