The concept of privacy is not new. Writers and philosophers have discussed it for many years. It has evolved over time as well as through cultural influences. Privacy has become more related to an individual’s circumstances, and accordingly, is difficult to compare among cultures.
The concept of privacy in modern society involves very individualistic ideas that are influenced by circumstances, culture, and social position.
When we speak of informational privacy in today’s business and political environment, we are referring to the ability of an identifiable individual to control the collection, use and disclosure of any recorded information about themselves.
Recorded information can extend beyond traditional hard copy records to include electronic information as well as audio and videotape.
While these aspects of privacy have evolved, it was not until the latter half of the 20th century that governments started to look at enacting legislation addressing informational privacy and the rights of citizens to protect themselves from undue, unwarranted, or illegal use of their personal information.
The Concept of Personal Information
In addressing informational privacy, the issue of what constitutes personal information arises: “What is it?” “What is personal and what is public?” “How do we define it?”
Personal information may be defined as information about an identifiable individual. In some jurisdictions it does not include the individual’s name, business title, business address or business telephone number. In others, the concept of informational privacy may not include personal information used for artistic, journalistic or domestic purposes.
While there have been many legal cases on the broader issue of privacy such as surveillance and bodily integrity, in many jurisdictions the concept of information privacy has yet to be rigorously tested in court.
Until that time, the legislation and regulations must be applied with care to ensure the rights of the data subject to informational privacy are maintained.
One of the first efforts by an organization to define a code of conduct, and a standard by which personal information should be gathered, stored, used, disseminated and destroyed, came in 1980.
The Organization for Economic Co-Operation and Development (OECD) published a document entitled, “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data,” enunciating eight personal information principles on which almost all legislation and directives on informational privacy are based.
Perhaps the document that accelerated the modern era of informational privacy was the European Union’s Directive 95/46, passed by the European Parliament and the Council in 1995. It established 12 principles that member states had to incorporate into their national legislation and enact by October 1998.
Those principles covered: data quality; special categories of processing; information to be given to the data subject; rights of access; data subject’s right to object; confidentiality and security of processing; notification; contents of notification; publicizing of processing operations; judicial remedies, liability and sanctions; transfer of personal data to third countries; and supervisory authority.
The Extraterritorial Nature of Privacy
In addition to the principles, Article 25 of the Directive creates an exclusion when transferring personal information to a country. Article 25 states:
“The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.”
Article 25 appears to require that if countries outside the EU have not enacted similar legislation, or do not have agreements such as Safe Harbor or Model Contract in place, personal information cannot be transferred to that country for processing.
To address the EU restrictions on transferring personal information, the United States Federal Trade Commission entered into a Safe Harbor agreement with the EU in the summer of 2000, effective November 2000. To date, few American entities have registered.
The EU is also considering, under Directive 29, additional procedures under which member states could exchange personal information with countries that do not have similar legislation in place, provided that such data transfer is in accordance with the terms of the EU Model Contract.
Passage is targeted for the spring of 2001 with compliance required shortly thereafter.
Clearly, this sidesteps the thorny issue of country-by-country privacy legislation and places the responsibility for compliance on European entities that export personal information outside of the EU.
The EU Privacy Commissioner has retained the right to audit compliance with such contracts.
In general, the United States has taken a very sectoral approach to privacy legislation with a number of pieces of legislation directed at, or incorporating, personal privacy considerations.
Legislation like Gramm-Leach-Bliley, HIPAA, and COPPA is focusing the attention of American businesses on the issue of informational privacy.
In April 2000 Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA). This act incorporates many of the OECD and Directive 95/46 concepts into 10 guiding principles.
It became effective for a few organizations on Jan. 1, 2001 and included the personal information of all private sector entities engaged in commercial activities on Jan. 1, 2004.
Part two looks at the meaning of privacy compliance