An Overview of Privacy Law in 2022 - Scholarly Commons
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
GW Law Faculty Publications & Other Works Faculty Scholarship 2022 An Overview of Privacy Law in 2022 Daniel J. Solove Paul M. Schwartz Follow this and additional works at: https://scholarship.law.gwu.edu/faculty_publications Part of the Law Commons
There are no better-qualified authors than Professor Schwartz and Solove to summarize
PRIVACY LAW FUNDAMENTALS, SIXTH EDITION, 2022
the current state of privacy law and, as a result, there is no better compact privacy law
resource than Privacy Law Fundamentals.”
– Christopher Wolf, Hogan Lovells US LLP
“This book is an indispensable guide for privacy and data protection practitioners, students, and
scholars. You will find yourself consulting it regularly, as I do. It is a must for your book shelf.”
– Danielle Citron, University of Virginia
Daniel J. Solove & Paul M. Schwartz
PRIVACY LAW
FUNDAMENTALS
SIXTH EDITION, 2022
ABOUT THE AUTHORS
DANIEL J. SOLOVE PAUL M. SCHWARTZ
Daniel J. Solove & Paul M. Schwartz
is the John Marshall Harlan Research is Jefferson E. Peyser Professor of
Professor of Law at the George Law at Berkeley Law School and
Washington University Law School. a director of the Berkeley Center
He is also President and CEO of for Law & Technology. He is also a
TeachPrivacy, a privacy and security special advisor at Paul Hastings.
training company.
$50.00
ISBN 978-1-948771-59-7
55000>
9 781948 771597
Electronic copy available at: https://ssrn.com/abstract=4072205
Order the Book on the International Association
of Privacy Professionals (IAPP) Website
https://iapp.org/store/books/a191P000004nyr2QAA
Click Here to
Order the Book
20% Student Discount
Use code PLF4STUDENT
Electronic copy available at: https://ssrn.com/abstract=4072205
Privacy Law
Fundamentals
Sixth Edition, 2022
Daniel J. Solove
John Marshall Harlan Research Professor of Law
George Washington University Law School
&
Paul M. Schwartz
Jefferson E. Peyser Professor of Law
U.C. Berkeley School of Law
An IAPP Publication
Electronic copy available at: https://ssrn.com/abstract=4072205©2022, by the International Association of Privacy Professionals (IAPP).
All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted in any form or by any means, mechanical,
photocopying, recording, or otherwise, without the prior, written permission
of the publisher, International Association of Privacy Professionals, Pease
International Tradeport, 75 Rochester Ave., Portsmouth, NH 03801
ISBN 978-1-948771-59-7
Electronic copy available at: https://ssrn.com/abstract=4072205ABOUT PRIVACY LAW FUNDAMENTALS
“This book is an indispensable guide for privacy and data protection practitioners,
students, and scholars. You will find yourself consulting it regularly, as I do. It is a
must for your book shelf.”
—Danielle Citron, University of Virginia
“The go-to privacy law reference that you will keep going to. Professors Schwartz
and Solove manage to distill without distorting and to outline without obscuring.
Part reference, part primer and part pathfinder, Privacy Law Fundamentals is the
ultimate privacy law resource.”
—Tom Counts, Paul Hastings
“Two giants of privacy scholarship succeed in distilling their legal expertise into
an essential guide for a broad range of the legal community. Whether used to learn
the basics or for quick reference, Privacy Law Fundamentals proves to be concise
and authoritative.”
—Jules Polonetsky, Future of Privacy Forum
“Privacy Law Fundamentals is a must-read for privacy practitioners to keep up and
gain a clear and succinct picture of where the law is and where it is heading around
the world and across different industries.”
—Lindsey Tonsager, Covington & Burling
“There are no better-qualified authors than Professors Schwartz and Solove
to summarize the current state of privacy law and, as a result, there is no better
compact privacy law resource than Privacy Law Fundamentals”
—Christopher Wolf, Hogan Lovells
Privacy Law Fundamentals, Sixth Edition iii
Electronic copy available at: https://ssrn.com/abstract=4072205Electronic copy available at: https://ssrn.com/abstract=4072205
ABOUT THE AUTHORS
Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the
George Washington University Law School. He is also the president and CEO of
TeachPrivacy, www.teachprivacy.com, a company that provides privacy and data
security training to organizations in an array of industries. One of the world’s
leading experts in privacy law, Solove is the author of numerous books, including
Breached: Why Data Security Fails and How to Improve It (2022)(with Woodrow
Hartzog); Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale
2011), Understanding Privacy (Harvard 2008), The Future of Reputation: Gossip and
Rumor in the Information Age (Yale 2007; winner of the 2007 McGannon Award),
and The Digital Person: Technology and Privacy in the Information Age (NYU 2004).
Solove is also the co-author (with Paul Schwartz) of a textbook, Information
Privacy Law, with Aspen Publishing Co., now in its seventh edition. Additionally,
he is the author of several other textbooks, including Privacy and the Media (4th
edition, Wolters Kluwer 2021), Privacy, Law Enforcement, and National Security
(3rd edition, Wolters Kluwer 2021), Consumer Privacy and Data Protection (3rd
edition, Wolters Kluwer 2021), and EU Data Protection and the GDPR (1st edition,
Wolters Kluwer 2021), all with Paul Schwartz. He has published more than 50
articles and essays.
Solove has testified before the U.S. Congress and has been involved as an
expert and consultant in a number of high-profile privacy cases. His work has
been cited by many federal and state courts, including the U.S. Supreme Court.
He has been interviewed and featured in several hundred media broadcasts and
articles in publications and on networks, including The New York Times, The Wall
Street Journal, The Washington Post, Chicago Tribune, USA Today, Time, Newsweek,
People, Reader’s Digest, The Associated Press, ABC, CBS, NBC, CNN, NPR, and
C-SPAN’s “Book TV.”
More information about Solove’s work can be found at www.daniel-
solove.com. He can also be followed on Twitter at @DanielSolove. He blogs at
Privacy+Security Blog, www.teachprivacy.com/privacy-security-training-blog/.
As one of a select group of “Influencers,” Solove has more than 1 million LinkedIn
followers.
Privacy Law Fundamentals, Sixth Edition v
Electronic copy available at: https://ssrn.com/abstract=4072205Paul M. Schwartz is the Jefferson E. Peyser Professor of Law at the UC Berkeley
School of Law and a director of the Berkeley Center for Law & Technology. A
leading international expert on informational privacy and information law, he has
published widely on these topics. In the United States, his articles and essays have
appeared in periodicals such as the Harvard Law Review, Yale Law Journal, Stanford
Law Review, Columbia Law Review, California Law Review, N.Y.U. Law Review, and
Chicago Law Review. With Daniel Solove, he has published the leading casebook
Information Privacy Law (Aspen, 7th edition, 2021) and other books.
Schwartz has testified as an expert before congressional committees in the
United States and provided legal reports to the Commission of the European
Community and Department of Justice, Canada. He has assisted numerous
corporations in the United States and abroad with information privacy issues. A
member of the American Law Institute, Schwartz has received scholarships and
grants from the American Academy in Berlin, where he was a Berlin Prize Fellow;
the Alexander von Humboldt Foundation; German Marshall Fund; Fulbright
Foundation; the German Academic Exchange; and the Harry Frank Guggenheim
Foundation. He is a member of the American Law Institute and the organizing
committee of the Privacy Law Salon, as well as special advisor to Paul Hastings
LLP.
Schwartz belongs to the editorial boards of International Data Privacy Law,
the International Journal of Law and Information Technology, and the Zeitschrift für
Datenschutz (Data Protection Journal). His homepage is www.paulschwartz.net.
His Twitter account is @paulmschwartz.
vi Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205DEDICATION
In memory of Joel Reidenberg and Kurt Wimmer,
two great figures in privacy law and two cherished friends.
To Pamela and Griffin —DJS
To Steffie, Clara, and Leo —PMS
Privacy Law Fundamentals, Sixth Edition vii
Electronic copy available at: https://ssrn.com/abstract=4072205Electronic copy available at: https://ssrn.com/abstract=4072205
PREFACE
This book provides a concise guide to privacy law. Privacy Law Fundamentals is
designed to serve as a primer of the essential information one needs to know about
the field. For the student of privacy law or the beginning privacy professional, the
book will provide an overview that can be digested readily. For the more seasoned
and experienced, the book will serve as a handy reference guide, a way to refresh
one’s memory of key components of privacy laws and central cases. It will help close
gaps in knowledge and inform on areas of the field about which one wants to know
more.
In writing this book, we have aimed to avoid the “too much information”
problem by singling out the essential provisions of law, regulations, and judicial
decisions. A frequent risk in law books is that key definitions, provisions, and
concepts will become lost in a litany of long and dense statutes and in a mass of
cases. We have endeavored to distill the field down to its fundamentals and present
this information in as clear and useful a manner as we could. Wherever possible,
we have developed charts and lists to convey the material. The book is organized
in twelve chapters:
• Chapter 1—an overview of privacy law in all its varied types and forms
and a timeline with key points in the development of privacy law.
• Chapter 2—privacy law involving the media, including the privacy torts,
defamation, and the First Amendment.
• Chapter 3—the law of domestic law enforcement, focusing on the Fourth
Amendment and the statutes regulating electronic surveillance.
• Chapter 4—national security law, including the U.S. Foreign Intelligence
Surveillance Act (FISA).
Privacy Law Fundamentals, Sixth Edition ix
Electronic copy available at: https://ssrn.com/abstract=4072205• Chapter 5—the laws and regulations that pertain to health and genetic
data, including the U.S. Health Insurance Portability and Accountability
Act (HIPAA).
• Chapter 6—government records and laws, such as the Privacy Act and
the Freedom of Information Act (FOIA).
• Chapter 7—the laws concerning financial information, including the
U.S. Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act
(GLBA).
• Chapter 8—legal regulation of the privacy of consumer data and business
records, involving statutes, tort protections, and U.S. Federal Trade
Commission (FTC) enforcement actions.
• Chapter 9—data security law, including the varying laws in all the states.
• Chapter 10—school privacy, including the U.S. Family Educational
Rights and Privacy Act (FERPA).
• Chapter 11—the regulation of employment privacy, including the
different rules for government and private sector employees.
• Chapter 12—international privacy law, including the EU General Data
Protection Regulation, the Organisation for Economic Co-operation and
Development (OECD) Guidelines, the Asia-Pacific Economic Cooperation
(APEC) Privacy Framework, and rules of international data transfers.
For his suggestions on our chapter about school privacy, we wish to thank
Steven McDonald. Through its different editions, this book also benefitted greatly
from the research assistance of a dream team of students. These are Lorraine
Abdulahad, Deborah Choi, Luisa Domenichini, Robert Fairbanks, David Fang,
Russell Fink, Natalie Heim, Joey Kingerski, Charlotte Kress, Annie Lee, Brittany
Johnson, Harris Mateen, Meet Mehta, Gregory Merchant, Michelle Park, Sanjana
Parikh, Amelie Raepple, Sarah Suwanda, Sophia Wallach, Kevin Yang, and Andy
Zachrich.
For further references, including books, websites, statutes, and other sources
of news and legal materials, visit our website (www.informationprivacylaw.com),
and for our casebooks, click on the “Resources” tab at the top.
x Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205We look forward to keeping this book up to date and finding additional ways
to make it as useful as possible. Please feel free to contact us with any suggestions
and feedback about the book.
In 2021, Joel Reidenberg and Kurt Wimmer, two leaders of data privacy law,
passed away. Both were cherished friends of the authors of this volume and of so
many in our field. Joel Reidenberg was a distinguished professor at Fordham Law
School and a leader in international privacy law. Kurt Wimmer led the privacy and
cybersecurity practice at Covington and advanced press freedom in his pro bono
work. We wish to dedicate this volume to them.
Daniel J. Solove
Washington, DC
dsolove@law.gwu.edu
Paul M. Schwartz
Berkeley, CA
pschwartz@law.berkeley.edu
Privacy Law Fundamentals, Sixth Edition xi
Electronic copy available at: https://ssrn.com/abstract=4072205Electronic copy available at: https://ssrn.com/abstract=4072205
TABLE OF CONTENTS
CHAPTER 1: AN OVERVIEW OF PRIVACY LAW
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
TYPES OF PRIVACY LAW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Torts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Torts Most Commonly Involved In Privacy Cases . . . . . . . . . . . . . . . . . . . 2
Origins Of The Privacy Torts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Contract/Promissory Estoppel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Criminal Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Evidentiary Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Federal Constitutional Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Ways the U.S. Constitution Protects Privacy . . . . . . . . . . . . . . . . . . . . . . 3
State Constitutional Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
States With Express Constitutional Privacy Protection . . . . . . . . . . . . . . . . 3
Federal Statutory Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
State Statutory Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Areas of State Legislation on Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
International Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
THE CHIEF PRIVACY OFFICER OR DATA PROTECTION OFFICER . . . . 8
THE CHIEF INFORMATION SECURITY OFFICER . . . . . . . . . . . . . . . . . 9
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
General Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
CHAPTER 2: PRIVACY AND THE MEDIA
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
THE PRIVACY TORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Public Disclosure of Private Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Approaches to the Newsworthiness Test . . . . . . . . . . . . . . . . . . . . . . . . 20
Privacy Law Fundamentals, Sixth Edition xiii
Electronic copy available at: https://ssrn.com/abstract=4072205Intrusion upon Seclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
False Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Appropriation of Name or Likeness . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
OTHER TORTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Intentional Infliction of Emotional Distress . . . . . . . . . . . . . . . . . . . . . . 24
Breach of Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
OTHER PRIVACY LAWS OF NOTE . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Video Voyeurism Prevention Act, 18 U.S.C. § 1801 (2004) . . . . . . . . . . . . 24
State Video Voyeurism Statutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
“Peeping Tom” Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Blackmail Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
California Anti-Paparazzi Act, Cal. Civ. Code § 1708.8 . . . . . . . . . . . . . . . 25
Image-Based Sexual Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
DEFAMATION LAW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Libel and Slander . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
First Amendment Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Actual Malice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Public vs. Private Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Communications Decency Act § 230(c), 47 U.S.C. § 230(c) (1996) . . . . . . 28
FIRST AMENDMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
THE FIRST AMENDMENT AND TORTS . . . . . . . . . . . . . . . . . . . . . . . . 30
Public Disclosure of Private Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Intrusion upon Seclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
False Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Appropriation of Name or Likeness . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Intentional Infliction of Emotional Distress . . . . . . . . . . . . . . . . . . . . . . 30
Breach of Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Defamation Torts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Anti-SLAPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
ANONYMOUS SPEECH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Standards for Unmasking Anonymous Speakers . . . . . . . . . . . . . . . . . . . 32
PRIVACY OF READING AND INTELLECTUAL EXPLORATION . . . . . . . 32
Reporter’s Privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
xiv Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205CHAPTER 3: PRIVACY AND LAW ENFORCEMENT
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
FOURTH AMENDMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
The Fourth Amendment to the U.S. Constitution . . . . . . . . . . . . . . . . . . 38
How the Fourth Amendment Works . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Key Fourth Amendment Doctrines . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
ELECTRONIC COMMUNICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Electronic Communications Privacy Act of 1986 . . . . . . . . . . . . . . . . . . . 43
Types of Communications in ECPA . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Wiretap Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Stored Communications Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Pen Register Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Key Facts About ECPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Clarifying Lawful Overseas Use of Data Act Pub. L No. 115-141, 132
Stat. 348 (codified as amended in scattered sections of 18 U.S.C.) (2018) . . 49
Communications Assistance for Law Enforcement Act of 1994 . . . . . . . . . 49
STATE ELECTRONIC SURVEILLANCE LAW . . . . . . . . . . . . . . . . . . . . . 50
Recording Police Encounters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
State Electronic Surveillance Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
GOVERNMENT ACCESS TO PERSONAL DATA . . . . . . . . . . . . . . . . . . . 52
Fourth Amendment: Third-Party Doctrine . . . . . . . . . . . . . . . . . . . . . . . 52
Bank Secrecy Act of 1970 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Right to Financial Privacy Act of 1978 . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Subpoenas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Federal Statutory Provisions for Government Access to Records . . . . . . . . . 54
SEARCHES AND SEIZURES OF MEDIA DOCUMENTS . . . . . . . . . . . . . 55
Privacy Protection Act of 1980 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
CHAPTER 4: NATIONAL SECURITY AND FOREIGN INTELLIGENCE
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
THE FOURTH AMENDMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
FOREIGN INTELLIGENCE GATHERING . . . . . . . . . . . . . . . . . . . . . . . . 60
Foreign Intelligence Surveillance Act of 1978 . . . . . . . . . . . . . . . . . . . . . 60
USA Freedom Act of 2015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Privacy Law Fundamentals, Sixth Edition xv
Electronic copy available at: https://ssrn.com/abstract=4072205GOVERNMENT ACCESS TO PERSONAL DATA FOR
NATIONAL SECURITY PURPOSES . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
National Security Letters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
USA Patriot Act of 2001, § 215 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
STATE SECRETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
THE INTELLIGENCE COMMUNITY . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Intelligence Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Intelligence Reform and Terrorism Prevention Act of 2004 . . . . . . . . . . . . 65
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Government Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
CHAPTER 5: HEALTH PRIVACY
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
PATIENT-PHYSICIAN CONFIDENTIALITY . . . . . . . . . . . . . . . . . . . . . . 72
Ethical Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Evidentiary Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
The Breach of Confidentiality Tort . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Public Disclosure of Private Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Key Points: Common Law Torts and Medical Information . . . . . . . . . . . . 73
Tort Liability for Failing to Disclose Personal Data . . . . . . . . . . . . . . . . . . 73
MEDICAL INFORMATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
State Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Health Insurance Portability and Accountability Act of 1996 . . . . . . . . . . . 76
Deidentifying Data Under HIPAA . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Court Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
HIPAA Myths and Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
OCR HIPAA Enforcement Actions with Monetary Penalties . . . . . . . . . . . 81
State Enforcement Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
The Common Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Federal Drug and Alcohol Confidentiality Statute . . . . . . . . . . . . . . . . . . 85
Subpoenas for Medical Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
CONSTITUTIONAL PROTECTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Constitutional Right to Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Constitutional Right to Information Privacy . . . . . . . . . . . . . . . . . . . . . . 87
Fourth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
GENETIC INFORMATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Genetic Testing and Discrimination . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
xvi Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
CHAPTER 6: GOVERNMENT RECORDS
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
FAIR INFORMATION PRACTICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
COURT RECORDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Common Law Right to Access Court Records . . . . . . . . . . . . . . . . . . . . 92
Protective Orders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Depositions and Interrogatories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Pseudonymous Litigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Juror Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
The First Amendment Right to Access . . . . . . . . . . . . . . . . . . . . . . . . . . 93
PUBLIC RECORDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Freedom of Information Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
State Public Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
The Constitution and Personal Data in Public Records . . . . . . . . . . . . . . . 97
When Does the Constitution Limit the Government from
Disclosing Personal Information? . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Critical Infrastructure Information Act of 2002 . . . . . . . . . . . . . . . . . . . . 98
PRIVACY RIGHTS IN GOVERNMENT RECORDS . . . . . . . . . . . . . . . . . 98
The Privacy Act of 1974 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Establishing a Violation of the Privacy Act . . . . . . . . . . . . . . . . . . . . . 100
State Privacy Acts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
State Statutes Regulating Government Website Privacy Policies . . . . . . . . 103
DNA Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Driver’s Privacy Protection Act of 1994 . . . . . . . . . . . . . . . . . . . . . . . . 104
DPPA: Key Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Identification Records and Requirements . . . . . . . . . . . . . . . . . . . . . . . 106
Social Security Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
GOVERNMENT PRIVACY AND SECURITY MANAGEMENT . . . . . . . . . 107
E-Government Act of 2002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Federal Information Security Management Act of 2002 . . . . . . . . . . . . . 108
Office of Management and Budget . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Federal Acquisitions Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Privacy Law Fundamentals, Sixth Edition xvii
Electronic copy available at: https://ssrn.com/abstract=4072205CHAPTER 7: FINANCIAL DATA
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
The Financial Services Industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Fair Credit Reporting Act of 1970 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
The Consumer Financial Protection Bureau . . . . . . . . . . . . . . . . . . . . . 113
FCRA: Keys to Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Federal Trade Commission Fair Credit Reporting Act
Enforcement Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Consumer Financial Protectoin Bureau Fair Credit Reporting Act
Enforcement Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
THE USE AND DISCLOSURE OF FINANCIAL INFORMATION . . . . . . . 120
Gramm-Leach-Bliley Act of 1999 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Federal Trade Commission Enforcement Actions . . . . . . . . . . . . . . . . . 122
CFPB Enforcement Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Right to Financial Privacy Act of 1978 . . . . . . . . . . . . . . . . . . . . . . . . . 123
Bank Secrecy Act of 1970 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Torts and Financial Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
State Financial Statutes and Regulations . . . . . . . . . . . . . . . . . . . . . . . 126
NY Department of Financial Services Enforcement Actions . . . . . . . . . . . 127
California’s SB1 and FCRA Preemption . . . . . . . . . . . . . . . . . . . . . . . 127
TAX PRIVACY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Internal Revenue Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
IDENTITY THEFT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Identity Theft Assumption and Deterrence Act of 1998 . . . . . . . . . . . . . 128
FTC Red Flags Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
SEC and CFTC Red Flags Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
State Identity Theft Statutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
GOVERNMENT ACCESS TO FINANCIAL INFORMATION . . . . . . . . . . 130
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
CHAPTER 8: CONSUMER DATA
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
PERSONAL DATA OR PERSONALLY IDENTIFIABLE INFORMATION . 134
Approaches to Defining PII . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Injury and Standing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Standing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
TORT LAW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
xviii Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205CONTRACT AND PROMISSORY ESTOPPEL . . . . . . . . . . . . . . . . . . . 138
Breach of Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Promissory Estoppel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Are Privacy Policies Contracts? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Liability for Third-Party Apps? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
FEDERAL TRADE COMMISSION ENFORCEMENT OF SECTION 5
OF THE FEDERAL TRADE COMMISSION ACT . . . . . . . . . . . . . . . . . . 140
Statutes Granting Enforcement Authority to the FTC . . . . . . . . . . . . . . 141
Triggers for FTC Complaints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
FTC Consent Decrees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
CONSUMER FINANCIAL PROTECTION BUREAU ENFORCEMENT . . 148
FEDERAL STATUTES: ENTERTAINMENT RECORDS . . . . . . . . . . . . . 148
Communications Act of 1934 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Cable Communications Policy Act of 1984 . . . . . . . . . . . . . . . . . . . . . 150
Federal Communications Commission Enforcement of the FCA
and Cable Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
FCC, Privacy Guidelines for ISPs (2016) . . . . . . . . . . . . . . . . . . . . . . . 151
Video Privacy Protection Act of 1988 . . . . . . . . . . . . . . . . . . . . . . . . . 152
Video Privacy Protection Act Amendments Act of 2012 . . . . . . . . . . . . . 153
FEDERAL STATUTES: MARKETING . . . . . . . . . . . . . . . . . . . . . . . . . 155
Telephone Consumer Protection Act of 1991 . . . . . . . . . . . . . . . . . . . . 155
Controlling the Assault of Non-Solicited Pornography and Marketing
Act of 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
FEDERAL STATUTES: INTERNET USE AND
ELECTRONIC COMMUNICATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Children’s Online Privacy Protection Act of 1998 . . . . . . . . . . . . . . . . . 158
Federal Trade Commission Children’s Online Privacy Protection Act
Enforcement Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Complying with COPPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
How to Determine if a Website (or a Portion of It)
Is Directed at Children . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Electronic Communications Privacy Act of 1986 . . . . . . . . . . . . . . . . . . 163
Computer Fraud and Abuse Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
FEDERAL STATUTES: OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Federal Statutes and Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Federal Statutes and Opt-In/Opt-Out . . . . . . . . . . . . . . . . . . . . . . . . 179
STATE STATUTES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Data Sale and Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
California Consumer Privacy Act of 2018, AB 375 . . . . . . . . . . . . . . . . . 180
Virginia’s Consumer Data Protection Act, Va. Code Ann.
§ 59.1-571 (2021) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Privacy Law Fundamentals, Sixth Edition xix
Electronic copy available at: https://ssrn.com/abstract=4072205Colorado Privacy Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Unfair and Deceptive Acts and Practices Acts . . . . . . . . . . . . . . . . . . . . 183
Radio-Frequency Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
State Statutes Regulating Private Sector Use of RFID . . . . . . . . . . . . . . . 183
Eraser or Right to Be Forgotten Laws . . . . . . . . . . . . . . . . . . . . . . . . . 185
Biometric Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Website Privacy Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Data Brokers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
State Spyware Statutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Video Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Transparency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
FIRST AMENDMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
CHAPTER 9: DATA SECURITY
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
DATA BREACH NOTIFICATION STATUTES . . . . . . . . . . . . . . . . . . . . 197
Rise of the State Statutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
State Data Security Breach Notification Statutes . . . . . . . . . . . . . . . . . . 198
Federal and State Credit Freeze Statutes . . . . . . . . . . . . . . . . . . . . . . . . 203
FEDERAL TRADE COMMISSION ENFORCEMENT UNDER
SECTION 5 OF THE FTC ACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
CONSUMER FINANCIAL PROTECTION BUREAU ENFORCEMENT . . 207
FEDERAL COMMUNICATIONS COMMISSION ENFORCEMENT . . . . . 208
SECURITIES AND EXCHANGE COMMISSION GUIDANCE AND
ENFORCEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
STATE CYBERSECURITY STATUTES AND REGULATIONS . . . . . . . . . 209
TORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
DATA RETENTION AND DISPOSAL . . . . . . . . . . . . . . . . . . . . . . . . . . 214
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
xx Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205CHAPTER 10: EDUCATION PRIVACY
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
STUDENT RECORDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Family Educational Rights and Privacy Act of 1974 . . . . . . . . . . . . . . . . 221
Protection of Pupil Rights Amendment of 1978 . . . . . . . . . . . . . . . . . . 224
Every Student Succeeds Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Individuals with Disabilities Education Act . . . . . . . . . . . . . . . . . . . . . 224
National School Lunch Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Jeanne Clery Disclosure of Campus Security Policy and Campus
Crime Statistics Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Other Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Gainful Employment Rule (2011) . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Other Statutes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
STATE LAWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Student Data Collection, Use, and Disclosure . . . . . . . . . . . . . . . . . . . . 226
Social Media Account Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
STUDENT SPEECH AND EXPRESSION . . . . . . . . . . . . . . . . . . . . . . . 230
State Anti-Bullying Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
SEARCHES AND SURVEILLANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Fourth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
SELF-REGULATORY MEASURES . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Future of Privacy Forum, Student Data Privacy Pledge (2014) . . . . . . . . . 233
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
CHAPTER 11: EMPLOYMENT PRIVACY
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
SEARCHES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Government Employees: Fourth Amendment . . . . . . . . . . . . . . . . . . . 236
Private Sector Employees: Fourth Amendment . . . . . . . . . . . . . . . . . . . 236
Searches and Surveillance by Private Sector Employers . . . . . . . . . . . . . . 237
QUESTIONING AND TESTING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Fourth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Constitutional Right to Information Privacy . . . . . . . . . . . . . . . . . . . . . 238
Employee Polygraph Protection Act of 1988 . . . . . . . . . . . . . . . . . . . . . 239
Americans with Disabilities Act of 1990 . . . . . . . . . . . . . . . . . . . . . . . . 240
Occupational Safety and Health Act . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Genetic Information Nondiscrimination Act of 2008 . . . . . . . . . . . . . . . 241
Privacy Law Fundamentals, Sixth Edition xxi
Electronic copy available at: https://ssrn.com/abstract=4072205State Employment Testing and Inquiry Laws . . . . . . . . . . . . . . . . . . . . 241
State Criminal Background Check “Ban the Box” Laws . . . . . . . . . . . . . . 241
EMPLOYEE ACCESS TO THE COMPUTER NETWORK . . . . . . . . . . . . 243
Van Buren v. United States, 141 S. Ct. 1648 (2021) . . . . . . . . . . . . . . . . . 243
SURVEILLANCE AND MONITORING . . . . . . . . . . . . . . . . . . . . . . . . . 243
Electronic Communications Privacy Act . . . . . . . . . . . . . . . . . . . . . . . 243
What Every Employer Must Know to Comply with ECPA . . . . . . . . . . . 244
Employment Privacy Law: Public vs. Private Sector . . . . . . . . . . . . . . . . 244
Biometric Data Collection Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
EMPLOYER SOCIAL MEDIA POLICIES AND PRACTICES . . . . . . . . . . 246
National Labor Relations Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
The NLRA and Social Media Policies . . . . . . . . . . . . . . . . . . . . . . . . 246
Employer Access to Employee Social Media Accounts . . . . . . . . . . . . . . 248
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Treatises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
CHAPTER 12: INTERNATIONAL PRIVACY LAW
ESSENTIAL POINTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Data Protection and Information Privacy: A Note on Terminology . . . . . . 252
WORLDWIDE PRIVACY RIGHTS AND GUIDELINES . . . . . . . . . . . . . . 252
Universal Declaration of Human Rights (1948) . . . . . . . . . . . . . . . . . . 252
Organisation for Economic Co-operation and Development
Privacy Guidelines (1980) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
The Influence of the OECD Guidelines . . . . . . . . . . . . . . . . . . . . . . . . 254
UN Guidelines for the Regulation of Computerized Personal Files (1990) . . 254
EUROPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
European Convention on Human Rights
Article 8—The Right to Respect for Private and Family Life (1950) . . . . . 255
Council of Europe Convention on Privacy, Treaty No. 108ETS
No. 108 (1981) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Modernization Convention for the Protection of Individuals with
Regard to the Processing of Personal Data (2018) . . . . . . . . . . . . . . . . 260
EU Data Protection Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
General Data Protection Regulation . . . . . . . . . . . . . . . . . . . . . . . . . . 263
The First Evaluation of the GDPR . . . . . . . . . . . . . . . . . . . . . . . . . . 266
EDPB: Its Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
The European Data Protection Board and the Consistency Mechanism . . . 267
Binding decision 1/2021 on the dispute arisen on the draft decision
of the Irish Supervisory Authority regarding WhatsApp Ireland
( July 28, 2021) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
xxii Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205Decision 01/2020 on the dispute arisen on the draft decision of the
Irish Supervisory Authority regarding Twitter (Nov. 9, 2020) . . . . . . . . . 268
EU Law Enforcement Directive (2018) . . . . . . . . . . . . . . . . . . . . . . . . 268
EU-U.S. Privacy Shield Framework (2016) . . . . . . . . . . . . . . . . . . . . . . 268
Principles of the Privacy Shield . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Positive Adequacy Determinations by the EU Commission . . . . . . . . . . . 271
Passenger Name Record Agreements . . . . . . . . . . . . . . . . . . . . . . . . . 272
Transferring Personal Data to Non-EU Countries: Standard
Contractual Clauses and Binding Corporate Rules . . . . . . . . . . . . . . . . 272
Standard Contractual Clauses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Binding Corporate Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
The EU Cybersecurity Act (2019) . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
EU Network and Information Security Directive (2016) . . . . . . . . . . . . 273
Discovery from EU Member Nations in U.S. Litigation . . . . . . . . . . . . . . 273
Directive on Privacy and Electronic Communications
(ePrivacy Directive) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
The ePrivacy Regulation: A Work-in Progress . . . . . . . . . . . . . . . . . . . . 274
EU Data Retention Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
European Data Protection Supervisor . . . . . . . . . . . . . . . . . . . . . . . . 277
THE UK POST-BREXIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
CANADA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Charter of Rights and Freedoms (1982) . . . . . . . . . . . . . . . . . . . . . . . 278
Privacy Act (1985) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Personal Information Protection and Electronic
Documents Act (2000) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
PIPEDA’s 10 Privacy Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Canada’s Anti-Spam Law (2010) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Provincial Privacy Laws for the Private Sector . . . . . . . . . . . . . . . . . . . 282
LATIN AMERICA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Habeas Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Argentina . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Brazil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Colombia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Mexico . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Uruguay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
AFRICA AND THE MIDDLE EAST . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Bahrain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Dubai . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Ghana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Israel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Morocco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
South Africa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Privacy Law Fundamentals, Sixth Edition xxiii
Electronic copy available at: https://ssrn.com/abstract=4072205ASIA-PACIFIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
APEC Privacy Framework (2004) . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
APEC Privacy Framework’s Nine Principles . . . . . . . . . . . . . . . . . . . . 286
APEC Member Nations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
APEC Cross-Border Privacy Rules System . . . . . . . . . . . . . . . . . . . . . 287
Federal Trade Commission Enforcement of the APEC
Cross-Border Privacy Rules System . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Australia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
China . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Hong Kong . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
India . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Japan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
New Zealand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Philippines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Singapore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
South Korea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
EUROPE, NON–EU COUNTRIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Russia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Turkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
United Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
FOR FURTHER REFERENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Treatises and Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Articles and Other Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
xxiv Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205CHAPTER 1 1
An Overview of Privacy Law
An Overview
of Privacy Law
ESSENTIAL POINTS
• Information privacy law is a relatively youthful area of law. New developments
are still shaping it and changing its form. For example, data breach notification
statutes in the United States date only to 2003.
• The development of privacy law in the United States may also be viewed as a di-
alogue between the courts and legislature about the scope and application of the
legal concept of privacy. In some matters, courts will define new privacy rights. In
others, the courts will leave the job to the legislature.
• Privacy problems occur in particular contexts, and different types of problems
involve different trade-offs and concerns.
• Technology plays an especially important role in shaping the kinds of privacy con-
cerns that society faces and the role of the law.
• In Europe and most of the rest of the world, this area is called data protection
law. International developments have played a highly visible and important part
in shaping the role of privacy professionals and the privacy dialogue within the
United States.
Privacy Law Fundamentals, Sixth Edition 1
Electronic copy available at: https://ssrn.com/abstract=4072205TYPES OF PRIVACY LAW
Torts
In the United States, tort law is primarily state law. As a result, the particular bound-
aries of this area of law will differ from state to state—sometimes dramatically. For
example, some states recognize all four privacy interests, but Minnesota accepts only
three of the four. It does not recognize the false light tort. Lake v. Wal-Mart Stores, Inc.,
582 N.W.2d 231 (Minn. 1998).
TORTS MOST COMMONLY INVOLVED IN PRIVACY CASES
• Invasion of privacy (a collective term for the four privacy torts)
– Public disclosure of private facts
– Intrusion upon seclusion
– False light
– Appropriation of name or likeness
• Breach of confidentiality
• Intentional infliction of emotional distress
• Defamation
– Libel
– Slander
• Negligence
ORIGINS OF THE PRIVACY TORTS
Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L.
Rev. 193 (1890)
This foundational article, which inspired the development of privacy law
in the twentieth century, argued that the common law protected privacy
as “the right to be let alone.”
William L. Prosser, Privacy, 48 Cal. L. Rev. 383 (1960)
Legendary torts scholar William Prosser surveyed all the common law
privacy tort cases and identified the central four interests protected. His
formulations of the privacy torts remain in widespread use today. The
states have widely adopted Prosser’s four privacy torts.
Contract/Promissory Estoppel
Confidentiality or other privacy protections can be express or implied contractual
terms in a relationship. Promises to protect privacy might be enforced through prom-
issory estoppel.
2 Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205Criminal Law
Many privacy laws have criminal penalties. Many states have criminalized blackmail,
“Peeping Tom” activity, or the surreptitious capture of nude images.
1
Evidentiary Privileges
In evidence law, many privileges protect the confidentiality of information shared
An Overview of Privacy Law
within certain relationships, such as attorney-client and patient-physician.
Federal Constitutional Law
WAYS THE U.S. CONSTITUTION PROTECTS PRIVACY
• The First Amendment’s right to speak anonymously
• The First Amendment’s freedom of association, which protects the
privacy of one’s associations
• The Third Amendment’s protection of the home from the quartering
of troops
• The Fourth Amendment’s protection against unreasonable searches
and seizures
• The Fifth Amendment’s privilege against self-incrimination
• The constitutional right to privacy
• The constitutional right to information privacy
State Constitutional Law
A number of states have directly provided for the protection of privacy in their consti-
tutions. For example, Cal. Const. art. I, § 1 stipulates: “All people are by their nature
free and independent and have inalienable rights. Among these are enjoying and de-
fending life and liberty, acquiring, possessing, and protecting property, and pursuing
and obtaining safety, happiness and privacy.”
STATES WITH EXPRESS
CONSTITUTIONAL PRIVACY PROTECTION
AK Alaska Const. art. I, § 22 IL Ill. Const. art. I, § 6
AZ Ariz. Const. art. II, § 8 LA La. Const. art. I, § 5
CA Cal. Const. art. I, § 1 MT Mt. Const. art. II, § 10
FL Fla. Const. art. I, § 23 SC S.C. Const. art. I, § 10
HI Hawai’i Const. art. I, § 23 WA Wash. Const. art. I, § 7
Privacy Law Fundamentals, Sixth Edition 3
Electronic copy available at: https://ssrn.com/abstract=4072205Federal Statutory Law
• Fair Credit Reporting Act (FCRA) of 1970, 15 U.S.C. §§ 1681 et seq.—
provides citizens with rights regarding the use and disclosure of their personal
information by consumer reporting agencies.
• Bank Secrecy Act of 1970, Pub. L. No. 91-508—requires banks to maintain
reports of people’s financial transactions to assist in government white-collar
investigations.
• Privacy Act of 1974, 5 U.S.C. § 552a—provides individuals with a number of
rights concerning their personal information maintained in government record
systems by federal agencies, such as the right to see one’s records and ensure the
information in them is accurate.
• Family Educational Rights and Privacy Act (FERPA) of 1974, 20 U.S.C. §§
1221 note, 1232g—protects the privacy of school records.
• Right to Financial Privacy Act of 1978, 12 U.S.C. §§ 3401–3422—requires
a subpoena or search warrant for law enforcement officials to obtain financial
records.
• Foreign Intelligence Surveillance Act (FISA) of 1978, 15 U.S.C.
§§ 1801–1811—regulates foreign intelligence gathering within the United States.
• Privacy Protection Act (PPA) of 1980, 42 U.S.C. § 2000aa—restricts the gov-
ernment’s ability to search and seize the work product of the press and media.
• Cable Communications Policy Act of 1984, 47 U.S.C. § 551—mandates
privacy protection for records maintained by cable companies.
• Electronic Communications Privacy Act (ECPA) of 1986, 18 U.S.C. §§
2510–2522, 2701–2709—contains three distinct statutes that regulate elec-
tronic surveillance law: the Wiretap Act, Stored Communications Act, and Pen
Register Act. The Wiretap Act was first enacted in 1968 as Title III of the Omni-
bus Crime Control and Safe Streets Act.
• Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a—
regulates automated investigations conducted by federal agencies carrying out
automatic matching on computer files with other federal agencies or non-federal
entities.
• Employee Polygraph Protection Act of 1988, 29 U.S.C. §§ 2001–2009—
governs the use of polygraphs by employers.
4 Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205• Video Privacy Protection Act (VPPA) of 1988, 18 U.S.C. §§ 2710–2711—
protects the privacy of prerecorded videotapes, cassette tapes, or “similar audio
visual materials.
1
• Telephone Consumer Protection Act (TCPA) of 1991, 47 U.S.C. § 227—
provides certain remedies from repeat telephone calls by telemarketers.
An Overview of Privacy Law
• Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721–2725—restricts
the states from disclosing or selling personal information from their motor vehicle
records.
• Communications Assistance for Law Enforcement Act of 1994, Pub. L.
No. 103–414—requires telecommunications providers to help facilitate govern-
ment interceptions of communications and surveillance.
• Personal Responsibility and Work Opportunity Reconciliation Act of 1996,
Pub. L. No. 104–193—requires the collection of personal information (includ-
ing Social Security numbers, addresses, and wages) of all people who obtain a new
job anywhere in the nation. The resulting information is placed into a national
database to help government officials track down parents with outstanding child
support payments.
• Health Insurance Portability and Accountability Act (HIPAA) of 1996,
Pub. L. No. 104–191—gives the Department of Health and Human Services
(HHS) the authority to promulgate regulations governing the privacy of medical
records. These regulations, the HIPAA Privacy Rule, were initially finalized in
2000 with modifications made in subsequent years. 45 C.F.R. 160, 162, and 164.
• Identity Theft and Assumption Deterrence Act (ITADA) of 1998, 18 U.S.C.
§ 1028—criminalizes the transfer or use of fraudulent identification with the
intent to commit unlawful activity.
• Children’s Online Privacy Protection Act (COPPA) of 1998, 15 U.S.C. §§
6501–6506—restricts the use by internet websites of information gathered from
children under age 13.
• Gramm-Leach-Bliley Act (GLBA) of 1999, 15 U.S.C. §§ 6801–6809—
requires privacy notices and provides opt-out rights when financial institutions
seek to disclose personal data to other companies.
• Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act (USA Patriot Act) of
2001, Pub. L. No. 107–56—amends a number of electronic surveillance statutes
and other statutes to facilitate law enforcement investigations and access to infor-
mation.
Privacy Law Fundamentals, Sixth Edition 5
Electronic copy available at: https://ssrn.com/abstract=4072205• Controlling the Assault of Non-Solicited Pornography And Marketing Act
(CAN-SPAM Act) of 2003, Pub. L. No. 180–187—provides penalties for the
transmission of unsolicited email.
• Video Voyeurism Prevention Act of 2004, 18 U.S.C § 1801—criminalizes the
capturing of nude images of people (when on federal property) under circum-
stances where they have a reasonable expectation of privacy.
• FISA Amendments Act of 2008, Pub. L. No. 110–261—amends FISA to add
a new title creating additional procedures concerning the acquisition of informa-
tion about certain persons outside the United States.
State Statutory Law
Much of privacy law is found in state law. Privacy tort law and data breach notifi-
cation statutes are predominately state law. In addition, numerous federal statutes
permit state laws to exceed their specifications. This issue is regulated under the
rubric of “preemption.” In Chapter 9, we provide a chart that lists the federal statutes
that preempt state laws and those that do not. The U.S. regulation of privacy is best
thought of as a dual federal-state system.
Areas of State Legislation on Privacy
Substantial state legislation on privacy exists in the following areas:
Law Enforcement
• Wiretapping and electronic surveillance
Medical and Genetic Information
• Confidentiality of medical information
• Genetic privacy
Government Records
• Public records
• State agency use and disclosure of personal information
Financial Privacy
• Banking privacy
• Consumer reports
• Security freeze
6 Privacy Law Fundamentals, Sixth Edition
Electronic copy available at: https://ssrn.com/abstract=4072205Consumer Data and Business Records
• Biometrics
• Sale of personal data 1
• Spam
An Overview of Privacy Law
• Spyware and phishing
• Telecommunications privacy
• Pretexting
• Use of Social Security numbers
• Data disposal
• Video privacy
• Radio frequency identification (RFID) and tracking devices
• Restrictions on internet service providers (ISPs)
• Unauthorized access to computers and networks
Data Security
• Identity theft
• Data security breach notification
• Substantive security standards
• Data disposal
Employment
• State employee personal information
• Restrictions on employment application questions
International Law
Around the world, numerous countries have endeavored to protect privacy in their
laws. There are two general approaches toward protecting privacy:
1. Omnibus: A comprehensive approach to protecting privacy that covers person-
al data across all industries and most contexts. Sometimes a single omnibus
law will also regulate the public and private sectors.
2. Sectoral: Regulates information on a sector-by-sector basis. Different indus-
tries receive different regulation, and some contexts are not regulated at all.
Different statutes regulate the public and private sectors.
The world’s first comprehensive information privacy statute was a state law; the
Hessian Parliament enacted this statute in Wiesbaden, Germany, on September 30,
1970. Like most European data protection laws, this statute is an omnibus law. Note,
however, that the European Union today relies on a mixture of omnibus and sectoral
laws. The General Data Protection Regulation (GDPR) is an omnibus law and one
that is supplemented by sectoral laws from the European Union, such as the ePrivacy
Directive, and from the member states.
Privacy Law Fundamentals, Sixth Edition 7
Electronic copy available at: https://ssrn.com/abstract=4072205You can also read
