What have been the major US privacy developments – good or bad – of the past generation? This type of question is fun and can draw a wide range of responses. Everyone has a different perspective on a subject as broadly defined as privacy. Here is my top ten list.
The Federal Trade Commission. I find the FTC’s sporadic privacy activities over the years to be mostly a bad development for consumers and for business.
The FTC shows interest in privacy only when it draws headlines, and many past Commission actions and inactions contributed to the problem we face today. The Commission often acts as an apologist for business, as evidenced by its limp enforcement actions.
In contrast, I give a positive honorable mention to state attorneys general, whose functions partly overlap with the FTC. When they act, state attorneys general usually do a better job of protecting consumers than the FTC.
September 11. There is nothing about September 11 that you could call good, unless you work for an information company making gobs of money selling government agencies personal data that isn’t useful. Still, the USA Patriot Act that passed in 2001 was not as bad for privacy as it could have been. We didn’t get a national identity card, and some other oppressive measures were not included.
Federal privacy laws. I single out one statute later for special mention, but we have enacted several privacy laws over the years, including the Privacy Act of 1974, Gramm-Leach-Bliley, Electronic Communications Privacy Act, Children’s Online Privacy Protection Act, and the Health Insurance Portability and Accountability Act. These have been mildly positive developments for privacy.
However, the laws are mostly weak, incomplete, inconsistent, unenforced, and out of date.
California. We often say that the states are the laboratories of democracy, and California’s leadership in privacy legislation is a good illustration. It passed financial privacy laws that increased pressure for better national laws.
The federal Driver’s Privacy Protection Act started with a California law too. The state’s security breach law became a national model. It has a state privacy office. California’s activities have been good for privacy, even though some of its laws have been trumped by weaker federal laws.
Privacy Institutions. We actually have quite a few privacy institutions today, including privacy offices in some federal and state agencies, privacy officers in companies, and a still growing list of privacy advocacy organizations. These institutions have all been positive developments for privacy, even though many have significant limitations and flaws.
We still don’t have the institution we need most: an independent non-regulatory federal privacy agency that looks like the privacy authorities in other countries.
Fair Credit Reporting Act. The original act dates back to 1970, but it has been amended and improved several times over the years.
The FCRA isn’t perfect, but it implements a full set of privacy protections and remains the most successful and important information privacy law.
The Act is a model for what other privacy laws should look like. Even industry insiders have admitted to me in private that the FCRA is the best thing that ever happened to the credit reporting industry. The FCRA has been good for everyone.
Information Technology. You can make a case that the Internet, e-mail, search engines, the increasing speed of data processing, and the decreasing cost of data storage each belongs on this list as a separate item.
Just to pick one example, technology has morphed the old-fashioned flat list business into a dossier business run by data brokers who want to know everything about consumers in order to hawk products, serve ads, and repackage data for other users, including government agencies.
At the same time, technology gives consumers better tools to protect privacy. Overall, information technology is a mixed bag for privacy.
European Union’s Data Protection Directive. The Directive committed all EU states to meet a set of reasonably high-level privacy policies. To keep pace, many other countries adopted their own privacy laws that met or tried to meet EU standards.
The major outlier is, of course, the United States. Nevertheless, the federal government and the American business community have been forced to respond to world pressure and move in a pro-privacy direction.
The Data Protection Directive has flaws, but it has contributed positively to privacy throughout the world.
Fair information practices. FIPs have been the most important policy statement in the privacy arena ever. An American advisory committee came up with the first version and the name back in 1973.
Work done by the Organisation for International Cooperation and Development and others in the early 1980s restated and improved FIPs. FIPs remain important because they provide a comprehensive high-level statement of the practices for addressing information privacy.
Recognition of the value of FIPs came slowly during the 1980s, but reliance on FIPs is now widespread although not entirely universal. FIPs have been a positive development for privacy.
Identity theft. Identity theft has been the single most important privacy development both for good and for evil. How can I say that ID theft has been both good and bad for privacy? In my next column I will explain. Stay tuned.