History of Privacy
Below is an explanation for the stark difference between the origin of privacy rights in the EU and the US and why they don’t always see eye to eye on privacy and data protection. It is also a high-level explanation of the categories of privacy laws and regulations.
In Europe, privacy is a fundamental human right as defined in the Universal Declaration of Human Rights, which was adopted by the General Assembly of the United Nations in 1948. Europeans determined the need for fundamental human rights after the atrocities of World War II. They understood how the government’s use of personal information like ethnicity, political affiliation, and faith could be used for discrimination and hate. The lessons that they learned during this time are entrenched in their data protection laws and in their culture.
Then in 1950, the Council of Europe, which was created in 1949 by ten western and northern European states and now has 47 member states before Brexit, drafted the European Convention on Human Rights, an international treaty to protect human rights and fundamental freedoms. This new Convention has two substantial components: the first is the establishment of enforcement through the Court of Human Rights, and the second is a large and encompassing scope related to the fundamental rights and freedoms it protects.
With the age of computers came another data protection advancement from Europe. In 1981, the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). Convention 108 is unique because it was open to countries outside of Europe to sign. Once signed, these countries must adopt the principles in their local legislation.
Before the 2016 EU General Data Protection Regulation 2016/679 (GDPR) that we know and love today, there was the 1995 Data Protection Directive 95/46/EC (Directive). The Directive set out guidelines to ensure fundamental rights were incorporated into the flow of personal data from one country to another, but these were not regulations (laws). The GDPR changed that and made it law.
As you can see, for the last 70 years, privacy has been linked to human rights in Europe.
However, in the United States, privacy as a specific right is only alluded to in many Amendments to the United States Constitution; it is never actually stated. For example, the Fourth Amendment to the US Constitution states that ‘The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…’ but there is no mention of an actual right to privacy.
Then in 1890, two United States lawyers, Samuel D. Warren and Louis Brandeis, wrote an article for the Harvard Law Review titled “The Right to Privacy,” which defines privacy as the “right to be left alone.” This revolutionary article was mostly targeted at the media for the unauthorized use of private individuals’ portraits in the newspaper and for the use of mechanical devices (cameras) capturing private interactions. Although not a law, this became the basis for the four US privacy torts that we know today: 1) Intruding on seclusion, 2) Private fact made public, 3) Interfering with a person’s right to publicity, and 4) Casting a person in a false light, either libel (written) or slander (oral).
In 1967, the US passed the Freedom of Information Act (FOIA), which gives everyone the right to request access to documents from state agencies. Then in 1970, the Fair Credit Reporting Act (FCRA) was enacted, which some say was the first major national data privacy law in the United States, although it only provided rights over financial data. This was updated in 2003 by the Fair and Accurate Credit Transactions Act (FACTA) to help with identity theft and credit report transparency from the big credit bureaus.
The Fair Information Privacy Principles (FIPPs) were developed in the 1970s. FIPPs defines four categories of principles related specifically to privacy: rights of individuals, controls on information, information lifecycle, and management of data. These principles are used in major data protection laws around the world. One of the most widely adopted uses of FIPPs is in the 1980 Organization for Economic Cooperation and Development (OECD) guidelines. These guidelines are for the protection of personal data that crosses borders when it is being electronically processed.
After 1970, the US began building a patchwork of federal-level, sector-specific laws. Some that you might recognize, organized by category: Education (FERPA), Children (COPPA), Medical (HIPAA/HITECH and GINA), Telco (TCPA, TSR, CAN-SPAM), Employment (COBRA, ERISA, FMLA, OSHA), National Security (FISA, USA PATRIOT ACT, USA FREEDOM ACT), and more Financial (GLBA, Dodd-Frank, SOX). Although the United States has many laws that help with some aspects of data privacy, there are many gaps and no comprehensive set of standards at the Federal level.
Many feel the US Federal Government has not done enough to protect personal data, so some states have passed laws at the local level. The most notable is the California Consumer Privacy Act (CCPA), which was passed in 2018 and goes into effect in 2020. The states have also passed their own data breach notification laws. These data breach laws ensure that consumers are informed when companies lose their personal data.
With the addition of the state laws to the already complicated mix of federal laws, you would assume the citizens of the United States have wonderful and robust data privacy protection but in fact, we don’t. The laws are full of loopholes, exceptions, and exemptions for companies to use our personal data in almost any way they want. To learn more, please contact us.