Caslon Analytics Privacy guide
privacy in North America

This page looks at legislation and developments in North America.

It covers Canada (including PIPED and the CSA Model Code) and the US (including the major federal enactments).

Canada

As in Australia, the Canadian regime involves a mix of federal legislation, provincial legislation and industry self-regulation.

At the federal level the 1982 Privacy Act (PA) covers all federal government departments and most federal agencies or statutory corporations. It gives Canadians the right to access and correct personal information held by those agencies. It places limits on the collection, use and disclosure by federal agencies of personal information.

The enactment built on earlier legislation such as regulation of wiretapping under the 1974 Protection of Privacy Act and privacy provisions in Part IV of the 1977 Canadian Human Rights Act.

The Canadian federal Personal Information Protection & Electronic Documents Act (often known as C-6 or the PIPED Act) received a strong endorsement from the EU. It is intended to cover collection, use and disclosure by private sector entities of personal information in the course of commercial activity. Individuals have the right to access and ask for corrections to information that an entity may have collected about them.

PIPED is broader than the Australian Bill and was implemented in two stages, commencing in 2001.

It initially applied to those private sector activities that are regulated by the federal government and to personal information that is traded "inter-provincially and internationally." From 1 January 2002 it encompassed personal health information collected, used or disclosed by entities engaged in federally-regulated activities. As of 1 January 2004 it covers personal information collected, used or disclosed in the course of any commercial activity within a province, including provincially-regulated organisations. A Canadian government guide is here.

Organisations or activities within Canada’s provinces will be exempt from the Act if the province has adopted provincial privacy legislation of a substantially similar nature. Quebec for example passed An Act Respecting the Protection of Personal Information in the Private Sector in 1998 - the only broad-brush legislation. Manitoba has established a more restricted Personal Health Information Act, with a similar Health Information Act (HIA) in Alberta.

All but two provinces - Prince Edward Island and Newfoundland - have privacy legislation governing the collection, use and disclosure of personal information held by government agencies.

PIPED and the CSA code

Federal, provincial and territory Ministers have agreed to support the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information as a minimum standard for privacy protection in all jurisdictions.

The Code reflects international frameworks and embodies ten Fair Information Practices, consistent with the Australian National Privacy Principles (NPP).

Key principles are:

1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

2. Identifying Purposes
The purposes for which personal information is collected must be identified by the organization at or before the time the information is collected.

3. Consent
The individual's knowledge and consent are required for the collection, use, or disclosure of personal information, except where inappropriate.

4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purpose identified by the organization. Information shall be collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention
Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

6. Accuracy
Personal information is to be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

7. Safeguards
Personal information must be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness
An organization must make readily available to individuals specific information about its policies and practices relating to the management of personal information.

9. Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of his/her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

PIPED is examined in The Personal Information Protection & Electronic Documents Act: An Annotated Guide (Toronto: Irwin Law 2001) by Stephanie Perrin, Heather Black, David Flaherty & Murray Rankin, in the 2001 Guide to the Personal Information Protection & Electronic Documents Act (Markham: Butterworths 2000) by Colin McNairn & Alexander Scott and in the 2000 Canadian Privacy Law Handbook (ENS eLearning) by Suzanne Morin & Murray Long.

For wider coverage of federal and provincial regimes Privacy Law in Canada (Markham: Butterworths 2001) by McNairn & Scott is of particular value; the former co-authored Government Information: Access & Privacy (Toronto: Carswell 1992).

There is a thoughtful discussion of the Canadian legislation in relation to international developments in a report by Colin Bennett.

The European Commission has published FAQs on its 'adequacy finding' regarding the EU Directives and PIPED.

US

The United States has had a slow and uneven development of privacy policy and law, with most legislation concerning government rather than the private sector. A succinct and intelligent introduction is provided by Ken Gormley's 1992 Wisconsin Law Review paper One Hundred Years of Privacy, Joel Reidenberg's 2004 paper Privacy Wrongs in Search of Remedies and Martin Kuhn's Federal Dataveillance: Implications for Constitutional Privacy Protections (New York: LFB Scholarly Publishing 2007).

The Privacy Act of 1974 resulted from studies by consumer groups and the federal Department of Health, Education & Welfare among others. The legislation - and an associated Privacy Protection Study Commission - centred on data collection and use by government agencies. It was followed by a range of specific federal and state enactments such as the 1970 Fair Credit Reporting Act, 1984 Cable Communications Policy Act, 1974 Family Educational Rights & Privacy Act, and 1986 Electronic Communications Privacy Act.

In the following decade there was increasing interest in medical and online privacy, both because digital technologies 'crystallised' traditional privacy (and intellectual property) concerns and because civil liberties groups sought to grapple with electronic commerce issues.

One critic notes that US privacy policy

remains unsettled, in part because of ambiguity about cost incidence, ambiguity about underlying philosophy (property, free speech, and other theories are debated), and asymmetrical political clashes that chiefly involve data collectors/processors and privacy advocates. It continues to be easier (but not necessarily "easy") to progress when there is a specific objective that can evoke broad agreement, such as the 1999 Children's Online Privacy Protection Act and Gramm-Leach-Bliley Act. The perceived privacy threat has shifted toward the private sector, although concern about the government remains and has evolved. Advocates invoke a constitutional right to privacy, but support through case law and state-level actions remains limited when it comes to informational privacy.

Recent years have seen a move by the US federal government and major state governments (eg California and New York) towards stronger online privacy regulation, despite claims that privacy law is unnecessary, un-American or simply too expensive. Some industry groups, for example, have welcomed stronger legislation and recognised that best practice is good business; others have lamented that it will strangle economic growth.

Robert Hahn's 2001 An Assessment of the Costs of Proposed Online Privacy Legislation (PDF), for example, claimed that the proposed legislation would result in direct costs of US$36 billion.

The Online Privacy Alliance (OPA) - an advocacy group under the aegis of the US Direct Marketing Association - concurrently issued reports such as Customer Benefits from Current Information Sharing by Financial Services Companies (PDF), The Impact of Data Restrictions on Consumer Distance Shopping (PDF) and The Value of Comprehensive Credit Reports: Lessons from the US Experience (PDF), warning that restrictions on corporate sale/sharing of customer information without permission would cost 90 of the largest financial institutions US$17 billion a year in added expenses and involve a US$1 billion 'information tax' on consumers as costs are passed on through snailmail catalogues and websites.

Other advocates have warned that government, not business, is the privacy 'enemy'.

The "free-market, pro-technology" advocacy group Privacilla - characterised by some as a privacy wolf in sheep's clothing - accused Washington agencies of breaking their own rules and sniffed in Privacy & Federal Agencies: Government Exchange & Merger of Personal Information is Systematic & Routine (PDF) that "new government information-sharing programs have been announced more than once every two weeks".

Further to the right, the Citizens Against Government Waste (CAGW) released Keeping Big Brother From Watching You, a study that concludes "the federal government’s vast incompetence to secure data puts it in an unsound position to legislate privacy issues".

Amid the smoke and shouting there has been substantial progress. The EU-US Safe Harbor Agreement, in which major US businesses have committed to meet EU data protection standards (something applauded by US consumers and eminently sensible if IBM, Amazon and others wish to sell goods/services in Europe), is discussed here. Private sector compliance is explored in the detailed October 2004 Safe Harbor Decision Implementation Study for the European Commission by Jan Dhont, María Verónica Pérez Asinari, Yves Poullet, Joel Reidenberg & Lee Bygrave (PDF), which notes "significant levels of non-compliance with the Safe Harbor by self-certified companies".

Developments such as the Financial Services Modernization Act (Gramm-Leach-Bliley Act), which requires financial institutions to send consumers yearly notices on how their personal financial data is used, have resulted in incremental changes and heightened awareness of issues.

A useful overview of recent US developments is provided in the online briefing by the bipartisan Congressional Internet Caucus.

In September 2000 the US House of Representatives moved to create a 17-member bipartisan 'privacy commission' to explore the growing online personal privacy debate and recommend a comprehensive legislative approach. The commission, first proposed in March, was opposed by the Clinton administration as likely to delay privacy legislation. With representatives from business, academia and consumer groups, it would present recommendations to Congress in 18 months' time.

The proposal is similar to the Commission on Online Child Protection (COPA Commission), established in 1998 in conjunction with the Child Online Protection Act (COPA) - recently struck down by a Supreme Court decision - to "identify technological and other methods that will help reduce access by minors to material that is harmful to minors on the Internet".

The Commission presented its final report on 20 October 2000. The report embraced rating systems, filters, age verification systems and a special 'X' domain.

COPA is distinct from the Children's Online Privacy Protection Act (COPPA), described below.

The Advisory Committee on Online Access & Security (ACOAS) of the Federal Trade Commission (FTC) released a 220-page report, Privacy Online: Fair Information Practices in the Electronic Marketplace, on consumer access to information collected by commercial websites and the security of that information. Coming after a spate of privacy breaches by bodies such as CDNow, DoubleClick, Amazon and RealNetworks, it reflects the FTC's 1998 Privacy Online and 1999 Self-Regulation reports to Congress.

Transcripts from the 1999 FTC workshop on online profiling are now available. Peter Swire has a thoughtful paper on Financial Privacy & the Theory of High-Tech Government Surveillance, arguing that individuals' payments will become increasingly traceable, with possible advantages for government (taxation, revenue distribution, crime deterrence) along with disadvantages.


The 1998 US Children's Online Privacy Protection Act (COPPA) requires that US sites obtain parental permission before collecting, disclosing or using personal data from children younger than 13.

Recent studies by the Federal Trade Commission suggest that under 50% of US sites geared to kids are compliant, and reports indicate that industry is in disarray, with some sites ceasing to collect the data, some confusing the Act with the anti-pornography COPA legislation and others experiencing administrative problems as kids pretend to be their parents.

major US federal enactments


The salient federal legislation is:

  • Cable Communications Policy Act (CCPA)
  • Children's Online Privacy Protection Act (COPPA)
  • Customer Proprietary Network Information (CPNI)
  • Electronic Communications Privacy Act (ECPA)
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights & Privacy Act (FERPA)
  • Federal Trade Commission Act (FTCA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability & Accountability Act (HIPAA)
  • Identity Theft & Assumption Deterrence Act (ITADA)
  • Privacy Act (PA)
  • Right to Financial Privacy Act (RFPA)

The 1996 Health Insurance Portability & Accountability Act (HIPAA) covers health care providers, insurers and information clearinghouses. Those entities were to be in full compliance by April 2003. Rules for Patient Privacy (Rules) under that legislation were belatedly published in 2001. Detailed coverage of HIPAA and state medical privacy legislation is provided by the Health Privacy Project (HPP) at Georgetown University.

Federal and state case law is significant. One point of entry is Christopher Slobogin's Privacy At Risk: The New Government Surveillance and the Fourth Amendment (Chicago: University of Chicago Press 2007).

The American Library Association points to state legislation regarding privacy of library records, has resources about 'the FBI In Your Library' and features privacy in the 'Library Bill of Rights'.


version of October 2007
© Bruce Arnold
caslon.com.au | caslon analytics