Markkula Center of Applied Ethics

Privacy and the Law

By Michael McFarland, SJ

Most governments recognize the need to protect the privacy of their citizens, to some degree at least. These protections occur at different levels of government, and have different concerns and styles. In this article we will look at some of the ways in which privacy is protected by the law, particularly in the United States. We will consider common law privacy protection, the Constitutional right to privacy, and privacy legislation in the U.S. Then we will compare the situation in the United States with that in some other countries.

Common Law Protection of Privacy

As noted earlier, the Anglo-American case law tradition, as recognized in most states, 1 offers some protection for privacy of personal information. It is illegal to reveal private facts about someone if the average person would find it objectionable to have that information made public, provided that the subject of the information is not a public figure and there is no legitimate public interest in making the information known. It is also an offense to place a person in a false light. It is not necessary that the false information ruin the person's reputation; only that it be objectionable. Appropriation of someone's name, image, or some other aspect of the person's identity is another offense. Finally intrusions, such as intercepting private communications, are also illegal, unless there is a legitimate reason for doing so or the parties to the communication have given consent. In any of these cases the victim can sue the perpetrator and recover damages. 2

Privacy and the Constitution

There is no explicit mention of privacy in the United States Constitution. But the courts have found a constitutional basis for privacy rights in the broad sense of freedom from interference in certain intimate realms of personal life. This is based on the protection of individual liberty from government interference in the Fourth, Fifth and Fourteenth amendments to the Constitution. 3 The First Amendment protection of the freedoms of speech, assembly, religious practice, and so on, could also be seen as privacy protection in this sense. On the other hand, the right to free speech could be used to defend someone who invaded the privacy of others by publishing or disclosing their personal information.

Informational privacy has not been given the same strong constitutional protection by the courts to date. The Supreme Court, in Whalen v. Roe, found that a New York law requiring physicians and pharmacists to report all prescriptions of certain types of drugs to the state for storage in a comprehensive drug-use database did not violate a constitutional right, in spite of the protests of some patients and doctors involved that it was an invasion of privacy. The Court was willing to give the state interest in tracking drug use more weight against the individuals' interest in privacy because "informational privacy is not a fundamental right." Therefore, though the courts recognize some rights to privacy of information, these must be balanced, case-by-case, against the public interest in disclosure. In one subsequent case, United States v. Westinghouse, the Third Circuit Court worked out a "balancing test" for deciding between these competing interests. Some of the factors to be considered included what kind of information is sought, the harm that could be done by any further disclosure, the care taken to guard the information from any further disclosure, and the degree of public interest in its disclosure. 5

In 1967 in Katz v. United States, the Supreme Court extended Fourth Amendment protections to include some types of electronic communications and therefore informational privacy. Katz was convicted of illegal gambling based on FBI recordings of phone calls he made from a public pay phone. The recordings were made by a listening device placed outside the phone booth without a warrant. The appeals court allowed the conviction on the grounds that the FBI had not invaded a private space or tapped into a private network to obtain the evidence. The Supreme Court reversed the decision, finding that the recording of Katz's conversations was a violation of his Fourth Amendment privacy rights. What was determinative, the majority said, was not whether the space he was in was public or private, but whether his conversation could reasonably be considered a private one. The justices concluded that making a telephone call in a phone booth with the door closed met the criteria. The Katz case gave rise to the "reasonable expectation of privacy" test that is still used today to define the limits of government surveillance. 6 For example in January 2012 the Supreme Court overturned the conviction of an alleged drug dealer because it was based on evidence gathered from a GPS tracking device surreptitiously placed on his car. 7

These cases have limited applicability and do not affect the private sector, where many privacy issues arise. Therefore there is a need for legislation to set clearer guidelines on when and to what extent personal information is to be protected. Over the last few decades the federal government has enacted a number of such laws. As a whole these are spotty: domain-specific, inconsistent and full of loopholes. Still, they provide some protection in certain areas. The four most important laws are the Fair Credit Reporting Act (FCRA), which is concerned with record-keeping in the private sector; the Privacy Act (PA), which regulates record-keeping by the federal government; the Electronic Communications Privacy Act (ECPA), which safeguards the confidentiality of electronic transmissions; and the Health Insurance Portability and Accountability Act (HIPAA), which protects medical records. Other laws cover more specific issues.

The Fair Credit Reporting Act (FCRA)

The FCRA, 8 passed in 1970, was designed to protect consumers from information gathering in the private sector. Specifically it regulates credit reporting agencies, which collect data on consumers and their financial status and offer that data to business subscribers. The bill addresses several concerns about the reporting of credit information:

  1. Knowledge of the subject. Individuals have a right to know what is in their records and who has accessed the information.
  2. Inaccuracies. Credit agencies are required to take "reasonable" steps to guarantee the accuracy of the information they collect, store and report. An individual who is denied credit because of a credit report must be notified of the action and the source of the information. An individual may challenge the information in his or her record and have it changed if it can be proved wrong. If the individual is not satisfied with the agency's response to the challenge, he or she may place a statement in the record stating the reason for the challenge.
  3. Out of date information. Certain damaging events cannot be reported after a set period of time: 10 years for bankruptcies, seven years for civil suits and criminal charges. However, there is an exception when the subject is applying for more than $50,000 worth of credit or insurance or for a job paying more than a certain amount.
  4. Legitimacy of use. The bill defines the purposes for which a credit report can be given. These include the granting of credit, insurance, licensing and hiring. Reports can also be provided in response to a court order or with the consent of the subject. Unfortunately there is, in addition, a big loophole that allows anyone to purchase a report for a "legitimate business need."

Though the FCRA does give consumers some protection, it is widely recognized as inadequate, for a number of reasons. First, its scope is too narrow and its coverage too vague. For example, it is much too permissive about who can receive credit reports. Second, it puts the burden of finding and correcting errors on the consumers, not on the companies collecting and distributing the information. Furthermore consumers cannot actually inspect their files. They can only see a report about what is in them. Third, the consumer has no recourse until there has been an abuse. The bill does very little to prevent the abuse in the first place. Finally the bill only regulates the credit bureaus themselves, not those who purchase the information from them. 9

There is plenty of evidence that, in spite of the FCRA, it is easy to gain access to consumer credit information, with or without a "legitimate business need."

In 2003 Congress revisited the FCRA with the Fair and Accurate Credit Transactions Act (FACTA), adding some additional protections for consumers. For example credit reporting agencies cannot include medical information in their reports, and consumers must upon request be given a free copy of their credit report each year.

Other Laws Affecting the Private Sector

The Right to Financial Privacy Act (RFPA), 10 dating from 1978, limits the government's access to the bank records of individuals. In order to see a customer's financial records, the government must have a warrant or subpoena or the customer's permission. The government may also make a written request for the records, in which case the customer is notified and may challenge the request. However, the government has broad access to identifying information, such as "name, address, account number and type of account." 11 Furthermore the restrictions in the bill only apply to the federal government, not state agencies, corporations and private citizens.

The Fair Debt Collection Practices Act (FDCPA, 2003) curbs abuses by debt collection agencies, including harassing the debtor; calling third parties, such as family members or employers, who are not cosigners of the loan; and making false statements about the debtor. However, the so-called Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 weakened some of these curbs.

The Cable Communications Policy Act 12 (1984) controls a cable system's collection and dissemination of transactional information on its subscribers. This information can include the programs ordered, information services used, items purchased through home shopping channels, and so on. The Act requires cable companies to inform their subscribers of what personal information is being collected and who has access to it. Furthermore it does not allow the companies to collect or disclose personal information on subscribers without their consent, except for what is needed to do business or in response to a court order. One exception is that names and addresses of subscribers can be given out, as long as the subscribers have a chance to withdraw permission to do so. Finally the Act mandates that subscribers have access to their records.

The Video Privacy Protection Act (1988), otherwise known as the Bork Bill, forbids video renters from revealing the rental records of their customers.

The Privacy Act

The Privacy Act (PA) 13 was enacted in 1974, at the time of Watergate, to assert some control over the gathering and dissemination of personal information by the federal government. The law regulates information collection and use in several ways:

  1. Agencies are to gather only the information necessary and relevant for their mission. They are to get it as much as possible from the individual to whom it refers, and they are to inform the individual of the purpose and use for which the information is being collected.
  2. There is to be no disclosure of the information to anyone else without the consent of the individual subject. There is, however, a long list of exceptions to this rule, including employees within the agency that holds the data, Congress, the General Accounting Office, consumer reporting agencies, in response to a court order, for a "compelling" need to protect the health and safety of an individual, for use in census data, statistical studies, the archives, criminal law enforcement, and for "routine use," meaning use compatible with the purpose for which it was given.
  3. Agencies are to keep records of disclosures. If corrections are made to any of the data, previous recipients of the data are to be informed of the corrections.
  4. Agencies are responsible for the accuracy and security of the data they hold.
  5. The existence of any collections of personal data is to be published in the Federal Register.
  6. Individuals are to have access to the information held about them. If they find the information erroneous, they can challenge its accuracy. A procedure is set up for resolving any disputes arising from such challenges.

The CIA, FBI and other law enforcement agencies are completely exempted from these regulations. There are also exemptions for agencies that use the data for law enforcement and security or for evaluating candidates for employment and promotion within the federal government.

The law in its present form also contains some minimal regulations for matching programs. It requires a written agreement and statement of purpose before any federal data can be used in such programs, procedures for the verification of results, and some general oversight of such programs by the federal government.

While the bill is commendable in its intent and some of the principles on which it is based are sound, it has been ineffectual. For one thing, it is leaky. There are many exceptions. Some, such as the provision for "routine use," are so broad and open to interpretation that they can be used to justify almost anything. Furthermore the law never questions the need for data collection programs. 14 Any agency that decides it needs personal data can collect it. Finally the law is difficult to enforce and in practice has rarely been invoked. A great deal of information held by federal agencies is routinely available, not only to other agencies, but to state and local governments, private corporations and individuals. One critic has called the Privacy Act and Fair Credit Reporting Act "toothless vestiges of the precomputer age." 15

Other Laws Affecting Government Record-Keeping

The Family Education Rights and Privacy Act (1974) controls access to student records at educational institutions. This is a very sensitive area, because these records can include not only grades and notations of disciplinary actions, but also psychological reports, family histories, personal data and teachers' observations and comments. The Act gives students, or their parents if the students are minors, the right to inspect the students' records and request corrections if needed. It also limits third party access to students' files. 17

The Privacy Protection Act 18 of 1980 is meant to help reporters for newspapers and magazines protect their sources. It limits the circumstances under which federal, state and local law enforcement agencies can seize records held by the print media. Either the one who holds the records must be suspected of criminal activity, or the information must be needed to prevent great harm, such as death or serious injury, or the destruction of evidence.

The Crime Control Act 19 sets standards for privacy and security of information systems used in criminal justice agencies at the state level. Any state that receives federal aid to upgrade its system must implement these standards.

The Electronic Communications Privacy Act (ECPA)

The ECPA 20 was enacted in 1986 as an addition to the Wiretap Act of 1968. It extended some measure of privacy protection to new communication technologies such as pagers, cellular phones, electronic mail and other forms of computer-to-computer communications.

The significance of the act, from the point of view of computer privacy, is that it forbids the interception, use and disclosure of any "electronic communication," which includes electronic mail and other transfers of electronic data. There are, of course, some exceptions to this. For example system operators are allowed to monitor and store transmissions "in the normal course of ... employment," e.g., as needed to forward the communication to another system, to diagnose problems in the system, or to prevent fraud or misuse of the system. Surveillance by law enforcement officials and their agents is allowed when properly authorized. Anyone who is a party to the communication, whether as sender or addressee, or has the permission of one of the parties, can intercept it. The prohibition also does not apply to systems that are set up so that communications are publicly accessible, such as electronic bulletin boards.

The act also has provisions to protect stored communications. It is unlawful to break into a system that is used for electronic communications; and it is unlawful for the operator of a system to disclose any electronic communications stored on the system except for the reasons listed above. 21

The act does not have any special provisions to cover employer monitoring of employee email and other communications. Before the passage of the act, the courts gave employers broad latitude in employee monitoring, including their communications. The main tests were whether there was a legitimate business purpose for the monitoring and whether employees had a "reasonable expectation of privacy." As long as employers warned employees or employees had other reason to expect monitoring, it was allowed. The ECPA has not changed that significantly. 22 Several employee lawsuits against email monitoring have failed. It appears that the ECPA does not give added privacy protection to employees. 23

As mentioned earlier, the USA PATRIOT Act of 2001 weakened many of the protections against electronic surveillance, including those contained in the ECPA. It both expanded the scope of allowed interceptions of electronic communications and weakened judicial oversight. For example, authorities may now access routing information on packet-switched networks like the Internet, which often contains indications of the content of emails and Web pages. They can, with the permission of the operator, intercept communications carried out on computers that host interstate and foreign communications, which were previously protected. They can also subpoena not only subscriber data, but also details of use, from Internet service providers. The Act also greatly expanded the definition of who could authorize electronic surveillance and how broad the scope could be.

Medical Records and HIPAA

Medical records contain some of the most sensitive material of any personal databases. They can include family backgrounds, psychiatric histories and evaluations, accounts of past breakdowns, suicide attempts, drug and alcohol use, physical and mental disabilities, and medication used. There are many parties that would like to know that information, including insurance companies, researchers, marketers, employers, legal adversaries, law enforcement officials, coworkers, the press and the curious. Not all of these have the patient's best interest at heart, and few have the permission of the patient to view the records.

Until 1996 there was no federal protection of privacy in medical records, and state laws varied widely. That changed with HIPAA. The purpose of HIPAA, as noted earlier, was to encourage and facilitate a transition to electronic medical records. There are a number of advantages to this. The computerized records are more readily accessible to physicians and other health care workers, even at remote locations. When a traveler is brought to the emergency room far from home, doctors can check her records for past medical problems, current medication, possible allergies and so on. This can lead to better, safer care. Better-organized and more easily accessed records can also support more efficient billing, payment and reimbursement. Finally, having a large base of medical data online can support important medical research, which can lead ultimately to better understanding and treatment of disease. However, as with other types of personal data, having the information on computers, easily searchable and available over networks, makes it more likely that it will end up in the hands of those who have no business looking at it.

Another threat to the privacy of medical records is institutional: the move to managed care in the health industry. In their attempts to control costs, payers are demanding more and more detailed information on patient conditions, diagnoses and treatments. Therapists, for example, must now give detailed accounts of their clients' emotional states and the reasons for them, in order to collect for their treatments. 24 This is information that traditionally has been very carefully protected as part of a privileged therapeutic relationship. Now it goes into the insurance company's records, where it can easily leak out. 25

HIPAA attempted to address these problems by mandating good information protection practices for medical records. Its privacy rules, which went into effect in 2003, apply to both health care providers and payers, such as insurance plans, employee benefit plans and managed care plans. It covers any medical records that can be linked to an individual, including billing and payment information.

The law requires that the following measures be taken to protect patient privacy:

  • Individuals must have access to their records.
  • Individuals can require that errors in their records be corrected.
  • Disclosure of medical information is allowed without the patient's permission as needed to facilitate treatment, billing and payment and other related operations; all other disclosures require the written permission of the patient.
  • Providers must track all disclosures of patient information and inform the patient of any use of that information.
  • Providers must make reasonable efforts to keep communications regarding patient information confidential.

Any entity covered by HIPAA must also provide a contact and a mechanism for responding to patient complaints. As noted earlier, HIPAA has not eliminated unauthorized access to sensitive patient data; but it does give patients a remedy if they become aware of it. 26 Another limitation is that, while the law regulates the use and transmission of information in a professional setting, it has not stopped the unauthorized communication of that information in less formal settings, for example over social networks. 27

Differences in Other Countries

Alan Westin has observed that, while every culture values privacy in some way, the need for privacy is experienced in different ways in different cultures. Even among the Western democracies, there are differences in the balance struck between the individual's need for privacy and society's need for disclosure. 28 There are also differences in the mechanisms used to protect privacy, depending on which aspects seem most important.

A study by Milberg, Burke, Smith and Kallman has explored these differences and some of the factors that account for them. 29 The authors identify six different types of regulatory systems, in order of increasing government involvement. The first is no regulation at all. Thailand is offered as an example of this. The second is the so-called "self-help" model. The subjects of data records themselves are responsible for finding inaccuracies and abuses and bringing legal challenges to them. Such a system existed in France, for example, before the EU Directive discussed below. The third type of system uses "voluntary control." The law contains rules on the proper collection and use of data, but the organizations to which they apply are themselves responsible for enforcing them. That is the form of regulation used in Japan and the United States. The fourth system uses a government "data commissioner," who hears complaints, gives advice on proper data handling, and does some monitoring of data use. However, the commissioner has no direct power of enforcement. Some countries that use this system are Australia, New Zealand and Canada. The fifth type of system requires that databases containing personal information be registered with the government. If there are complaints that lead to a finding of improper use or inadequate protection of the data, the organization holding the data can be decertified, thus losing its permission to operate. Denmark and the United Kingdom have such systems. The final, and strictest, type of regulation uses the "licensing model." This is similar to the registration model in the fifth system, except that when a database is registered, the government imposes requirements on how the data is to be collected and used. The authors were not able to identify any country that uses this system.

The study goes on to identify three dimensions of cultural values that could affect countries' privacy concerns and therefore the degree of regulation they institute. The first is the "uncertainty avoidance index," a measure of anxiety and risk aversion. The second is the inequality of power and degree of distrust between different segments of the population. The third is the degree of individualism in a society. A cross-cultural survey showed that different cultures did differ along these dimensions, and that the differences correlated with different degrees of regulation in different countries. Greater "uncertainty avoidance" and greater inequality of power both correlate with a higher degree of government involvement in privacy protection. On the other hand, countries with a higher degree of individualism have less government involvement, presumably because such societies prefer more individualized solutions.

European Directive on Protection of Personal Data

In 1995 the Council of Ministers of the European Union took a step toward unified standards by adopting the Directive on Protection of Personal Data. 30 A consistent set of rules is needed, it was felt, to facilitate the movement of data across national boundaries, an important part of the unified economy toward which the Europeans had been working. Without those rules, a country holding sensitive personal data, with an obligation to safeguard it, could not trust another country to protect it with the same care. This would inhibit the sharing of data that is so important to common economic activity.

The Directive includes the following requirements:

  • Data may be collected only for legitimate purposes, which must be clearly specified.
  • Data held must be kept "relevant, accurate and up-to-date."
  • Subjects should know the purpose for which data is being collected and what organizations will use it, and must be able to decide whether to disclose the information or not.
  • All data processing must have a legitimate legal basis. The possible legal grounds recognized are "consent, contract, legal obligation, vital interest of the data subject or the balance between the legitimate interests of the people controlling the data and the people on whom data is held."
  • Subjects on whom data is held are given certain rights: "the right of access to that data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances," (e.g., direct marketing).
  • Some particularly sensitive information, on health, sexual behavior, ethnic and racial background, political and religious associations, and so on, can only be used with the consent of the subject, except where there is an important public need, such as medical research. In that case safeguards must be instituted to protect the identity of the subject.
  • Adherence to these standards should be monitored by an "independent data supervisory authority" in each jurisdiction.
  • Exceptions should be granted for when the information is used only for "journalistic, artistic or literary purposes," in order to balance freedom of expression with privacy rights.

Each member state of the European Union was responsible for implementing these requirements within three years, and by 1998 all the states in the EU had put into place legislation that conformed to the Directive.

Companies that do business in the EU are subject to the requirements of the Directive; and countries that exchange data with EU members are expected to observe policies that are consistent with the Directive's main principles. There have been tensions between the EU and certain other countries, including the U.S., whose privacy policies are seen as too lax.

For a more detailed account of privacy laws in other countries, see Freedman. 31

Michael McFarland, S.J., a computer scientist with extensive liberal arts teaching experience and a special interest in the intersection of technology and ethics, served as the 31st president of the College of the Holy Cross.

June 2012


1. The exceptions are Nebraska, New York, Oklahoma, Utah, Virginia and Wisconsin, where privacy rights are established by law. See Warren Freedman, The Right of Privacy in the Computer Age, New York: Quorum Books (1987), p. 12.
2. Edward A. Cavazos and Gavino Morin, Cyberspace and the Law: Your Rights and Duties in the on-line World, Cambridge, MA: MIT Press (1994), pp. 26-28.
3. Francis S. Chlapowski, "The Constitutional Protection of Information Privacy," Boston University Law Review, 71 (1991): 133-160, pp. 139-140.
4. ibid, p. 147.
5. ibid, p. 148.
6. Andrews, I Know Who You Are and I Saw What You Do, op. cit., p. 52.
7. Adam Liptak, "Justices Say GPS Tracker Violated Privacy Rights," The New York Times, (January 23, 2012), http://www.nytimes.com/2012/01/24/us/police-use-of-gps-is-ruled-unconstitutional.html.
8. 15 USC 1681-1681t.
9. Richard S. Rosenberg, The Social Impact of Computers, Boston: Academic Press (1992), p. 204.
10. 12 USC 3401-3422.
11. Freedman, The Right of Privacy in the Computer Age, p. 14.
12. 47 USC 551
13. 5 USC 22a
14. Rosenberg, p. 207.
15. Rothfeder, "Invasions of Privacy," p. 152.
16. 20 USC 1221.
17. Rosenberg, p. 207.
18. 52 USC 2000aa-11.
19. 42 USC 3789g.
20. 18 USC 2510.
21. Edward A. Cavazos and Gavino Morin, Cyberspace and the Law: Your Rights and Duties in the On-Line World, Cambridge, MA: MIT Press (1994), pp. 16-20.
22. William S. Galkin, "Electronic Privacy Rights: The Workplace," The Computer Law Report, 15 (December 28, 1995), pp. 2-3.
23. Sipior and Ward, "The Ethical and Legal Quandary of Email Privacy," p. 53.
24. ibid, p. 39.
25. Alison Bass, "HMO Puts Confidential Records On-line," The Boston Globe, (March 7, 1995): p. 1.
26. See, for example, "HHS Imposes a $4.3 Million Civil Money Penalty for HIPAA Privacy Rule Violations," U.S. Department of Health and Human Services, (February 22, 2011), http://www.hhs.gov/news/press/2011pres/02/20110222a.html.
27. Lucas Mearian, "Facebook and physicians: Not good medicine: Doctors warned to stay off social media to avoid patient privacy conflict," Computerworld, (May 23, 2012), http://www.computerworld.com/s/article/9227180/Facebook_and_physicians_Not_good_medicine_
28. Westin, Freedom and Privacy, p. 26.
29. Sandra J. Milberg, Sandra J. Burke, H. Jeff Smith, and Ernest A. Kallman, "Values Personal Information, Privacy, and Regulatory Approaches," Communications of the ACM, 38(12) (December, 1995): 65-74.
30. "Council Definitively Adopts Directive on Protection of Personal Data," European Commission Press Release: IP/95/822 (July 25, 1995).
31. Freedman, The Right of Privacy in the Computer Age, pp. 121-146.

