Document Details

Uploaded by Deleted User

2023

Peter Swire, CIPP/US, DeBrae Kennedy-Mayo, CIPP/US

Tags

privacy law information privacy data protection privacy

Summary

This book, published in 2023, is a comprehensive guide to US private-sector privacy law and practice for information privacy professionals. It covers various aspects of privacy regulation, technological aspects, and specific sectors like healthcare, finance, and education. The book emphasizes the increasing importance of privacy professionals in handling personal information in a responsible way.

Full Transcript

U.S. Private-Sector Privacy Law and Practice for Information Privacy Professionals, Fourth Edition Peter Swire, CIPP/US DeBrae Kennedy-Mayo, CIPP/US An IAPP Publication CIPP®, CIPP/A®, CIPP/C®, CIPP/G®, CIPP/E®, CIPP/US®, CIPM®, and CIPT® are registered trademarks of the International Association...

U.S. Private-Sector Privacy Law and Practice for Information Privacy Professionals, Fourth Edition Peter Swire, CIPP/US DeBrae Kennedy-Mayo, CIPP/US An IAPP Publication CIPP®, CIPP/A®, CIPP/C®, CIPP/G®, CIPP/E®, CIPP/US®, CIPM®, and CIPT® are registered trademarks of the International Association of Privacy Professionals, Inc. © 2024, e International Association of Privacy Professionals, Inc. (IAPP). All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmi ed in any form or by any means, mechanical, photocopying, recording or otherwise, without the prior, wri en permission of the IAPP. For more information contact [email protected]. Copy editor: Libby Sweeney Indexer: Hyde Park Publishing Services ISBN: 978-1-948771-77-1 Contents About the IAPP Preface Acknowledgments Introduction Chapter 1: Introduction to Privacy 1.1 Defining Privacy 1.2 Classes of Privacy 1.3 The Historical and Social Origins of Privacy 1.4 Fair Information Practices 1.5 Information Privacy, Data Protection, and the Advent of Information Technology 1.6 Personal and Nonpersonal Information 1.7 Sources of Personal Information 1.8 Processing Personal Information 1.9 Sources of Privacy Protection 1.10 World Models of Data Protection 1.11 Conclusion Chapter 2: U.S. Legal Framework 2.1 Branches of the U.S. Government 2.2 Sources of Law in the United States 2.3 Key Definitions for Understanding the U.S. Privacy Law Framework 2.4 Regulatory Authorities Focused on Privacy Issues in the Private Sector 2.5 Self-Regulation 2.6 Keys to Understanding Laws 2.7 Conclusion Chapter 3: Introduction to Technological Aspects of Privacy 3.1 Overview 3.2 Basics of the Internet 3.3 Computing Architectures 3.4 Digital Surveillance and Tracking 3.5 Privacy-Enhancing Technologies 3.6 Cybersecurity 3.7 Conclusion Chapter 4: Information Management and Privacy Risk Management 4.1 Information Management 4.2 Privacy Risk Management 4.3 Global Perspective 4.4 Conclusion Chapter 5: Federal and State Regulators and Enforcement of Privacy Law 5.1 Types of Litigation and Enforcement 5.2 Federal Privacy Enforcement and Policy Outside the FTC 5.3 The FTC and the FTC Act 5.4 Additional FTC Authority to Protect Consumer Privacy and Security 5.5 Future of Federal Enforcement by the FTC 5.6 State Enforcement 5.7 Self-Regulation and Enforcement 5.8 Conclusion Chapter 6: State Comprehensive Privacy Laws 6.1 Lack of Federal Comprehensive Privacy Law 6.2 Overview of State Comprehensive Privacy Laws 6.3 Conclusion Chapter 7: State Data Breach Notification Laws, State Data Security Laws, and State Data Destruction Laws 7.1 State Data Breach Notification Laws 7.2 State Data Security Laws 7.3 State Data Destruction Laws 7.4 Conclusion Chapter 8: Medical Privacy 8.1 The Health Insurance Portability and Accountability Act of 1996 8.2 The Health Information Technology for Economic and Clinical Health Act 8.3 Confidentiality of Substance Use Disorder Patient Records Rule 8.4 Genetic Information Nondiscrimination Act of 2008 8.5 The 21st Century Cures Act of 2016 8.6 Medical Technology 8.7 Conclusion Chapter 9: Financial Privacy 9.1 The Fair Credit Reporting Act 9.2 The Fair and Accurate Credit Transactions Act 9.3 Gramm-Leach-Bliley Act 9.4 Dodd-Frank Wall Street Reform and Consumer Protection Act 9.5 Regulation E of the Electronic Fund Transfer Act (1978) 9.6 Required Disclosure Under Anti-Money-Laundering Laws 9.7 Future of Financial Regulation 9.8 Conclusion Chapter 10: Education Privacy 10.1 The Family Educational Rights and Privacy Act 10.2 FERPA and the Protection of Pupil Rights Amendment 10.3 Individuals with Disabilities Education Act 10.4 FERPA and the HIPAA Privacy Rule 10.5 Education Technology 10.6 Cybersecurity Requirements 10.7 Conclusion Chapter 11: Telecommunications and Marketing 11.1 Regulations Governing Telemarketing 11.2 Fax Marketing 11.3 Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 11.4 The Telecommunications Act of 1996 11.5 The Cable Communications Policy Act of 1984 11.6 The Video Privacy Protection Act of 1988 11.7 Digital Advertising 11.8 Conclusion Chapter 12: Workplace Privacy 12.1 Legal Overview 12.2 Privacy Issues in the Employment Life Cycle 12.3 Privacy Issues Before Employment 12.4 Privacy Issues During Employment 12.5 Privacy Issues A er Employment 12.6 Conclusion Chapter 13: Privacy Issues in Civil Litigation and Government Investigations 13.1 Disclosures Required, Permitted, or Forbidden by Law 13.2 Privacy and Civil Litigation 13.3 Law Enforcement and the Role of Privacy Professionals 13.4. National Security and the Role of Privacy Professionals 13.5 Conclusion Chapter 14: The GDPR and International Privacy Issues 14.1 Overview of the General Data Protection Regulation 14.2 Key Terms 14.3 General Principles 14.4 Data Subject Rights 14.5 Breach Notification and Response 14.6 Enforcement 14.7 Overview of EU Requirements for International Data Transfers 14.8 Recent Developments in Global Data Flows 14.9 Conclusion About the Authors Index About the IAPP e International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data. e IAPP is a not-for-pro t association founded in 2000 with a mission to de ne, support and improve the privacy profession globally. In 2023, the IAPP expanded our work with the launch of the AI Governance Center which provides professionals tasked with AI governance, risk and compliance with the content, resources, networking, training, and certi cation needed to respond to the complex risks in the AI eld. We are commi ed to providing a forum for privacy and AI governance professionals to share best practices, track trends, advance privacy, and AI management issues, standardize the designations for professionals and provide education and guidance on opportunities in the elds of information privacy and AI governance. e IAPP is responsible for developing and launching the only globally recognized credentialing programs in information privacy and AI governance: the Certi ed Information Privacy Professional (CIPP®), the Certi ed Information Privacy Manager (CIPM®), the Certi ed Information Privacy Technologist (CIPT®), and the AI Governance Professional Certi cation (AIGP). The CIPP, CIPM and CIPT are the leading privacy certi cations for thousands of professionals around the world who serve the data protection, information auditing, information security, legal compliance and/or risk management needs of their organizations. e AIGP is the rst designation of its kind. AIGP certi cation demonstrates that an individual can ensure safety and trust in the development and deployment of ethical AI and ongoing management of AI systems. In addition, the IAPP o ers a full suite of educational and professional development services and holds annual conferences that are recognized internationally as the leading forums for the discussion and debate of issues related to privacy policy and practice as well as AI governance. Preface I write this preface in July 2023, a li le over three years a er the preface for the previous edition of this textbook. As with previous editions, I o er some re ections on what has happened since. e rst comprehensive state privacy law, the California Consumer Privacy Act, went into e ect in 2020. By the end of 2022, ve states had such laws, and that number has already doubled in 2023. Although Congress has acted more slowly than it ought, organizations across the United States are ramping up to respond to these new laws. Also in 2020, the Court of Justice of the European Union (CJEU) issued its Schrems II decision, calling into question the enormous volume of data ows across the Atlantic. Now, the EU and U.S. have created the Trans-Atlantic Data Privacy Framework, including new redress provisions that were the subject of much of my research with the Cross-Border Data Forum. More generally, data has become so important that countries around the world are considering new laws to regulate or prohibit cross-border data ows. Privacy professionals today o en list cross-border ows as the most challenging part of their job. Privacy professionals must cope with constant technological change. Recently, large learning models such as ChatGPT have exploded onto the scene. One result is that the governance and ethics expertise of privacy professionals is being tapped in many organizations to address new AI challenges. e rst edition of this book, published in 2007, focused on the privacy issues for a limited number of sectors, such as health care and nancial services, as well the online technology companies whose existence is de ned by the processing and transfer of information. By contrast, the importance of privacy professionals has spread into companies and sectors that were historically based in the physical world, as data collection and connectivity spread throughout human activity. For instance, automobiles for decades were physical objects xed by wrenches and similar tools. en, so ware became important to diagnose and repair cars. Today the average new car is approaching 20 antennas, while the average American spends over six percent of their waking time in a car. Imagine the volume, variety, and velocity of data that privacy professionals will need to consider in the future of the auto sector. Across the economy, privacy and cybersecurity governance have become essential components of organizational success. You are holding the h version of this textbook. When Sol Bermann and I wrote the rst iteration of the book, published in 2007, it was the rst o cial International Association of Privacy Professionals textbook and was created to prepare for the rst Certi ed Information Privacy Professional examination. Kenesa Ahmad and I revamped the text for the next version (and rst edition with this name), published in 2012. DeBrae Kennedy-Mayo has been the co-author for the 2018, 2020, and 2023 editions, and her knowledge and insights are apparent in every part of the book. DeBrae’s twice-yearly teaching of the Privacy for Professionals course at Georgia Tech means that our updates are informed by literally hundreds of students who use this text. anks as well to all the others that DeBrae lists by name in her preface. All of us have worked hard to create a book that gives you, a new person in the eld, a readable introduction to our profession. In the IAPP, thanks to Nicole Russell as our lead contact for this edition. Under the direction of Trevor Hughes, the IAPP, which was founded in 2000, has grown into a vibrant, global organization with more than 80,000 members. On a personal level, my special thanks to my wife, Annie Antón, for her wisdom and partnership in privacy and more importantly in life. I believe that we, as privacy professionals, have a profound ethical responsibility to handle personal information in responsible ways. I hope this book fosters the knowledge and awareness to help make that a reality. Peter Swire, CIPP/US Atlanta, Georgia, USA July 2023 is edition of the book has numerous updates, likely more than any previous edition. e need for such updates was triggered both by the amazing speed at which the technological innovations that shape the contours of privacy are happening and by the e orts of regulators to respond to these changes. As authors, we also realize that by the time this book has been published, another round of edits will already be on the horizon. With this realization in mind, we made the decision to remove Chapter 15 – Emerging Issues because in a published book, that chapter cannot keep pace with the changes occurring in the regulation of privacy. We have added relevant discussions of emerging technologies into the chapters on medical privacy, nancial privacy, and education privacy. Each chapter in the book has been refreshed (at a minimum) and several have been entirely rewri en. Chapter 1 – Introduction to Privacy has been updated to include the recent work by the OECD and APEC to enhance cross-border data ows. In Chapter 2 – U.S. Legal Framework, the book now has a discussion of the United States Supreme Court case of Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade. Chapter 3 – Introduction to Technological Aspects of Privacy is an entirely new chapter that replaces the chapter previously known as Online Privacy. Chapter 4 – Information Management and Privacy Risk Management has been overhauled in its treatment of information management and now also explores privacy risk management. Chapter 5 – Federal and State Regulators has been edited to remove certain historical information, refreshed to focus on new cases, and expanded in its treatment of state-level developments. Chapter 6 – State Comprehensive Privacy Laws is an entirely new chapter that replaces the 2020 chapter known as the California Consumer Privacy Act. Realizing that additional state comprehensive privacy laws would almost inevitably be passed (and the number of enacted state laws has doubled since the chapter was wri en in January 2023), this chapter focuses on trends and outliers among these older state laws as well as providing the reader with an approach for examining any such state laws which may be enacted in the future. Chapter 7 – State Data Breach Noti cation Laws has been edited to remove details of the speci c state laws and to instead focus on the trends and outliers among these laws. e chapters focused on sectoral privacy laws, Chapter 8 – Medical Privacy, Chapter 9 – Financial Privacy, Chapter 10 – Education Privacy, Chapter 11 – Telecommunications and Marketing, and Chapter 12 – Workplace Privacy, have been updated to incorporate the long-term e ects of the pandemic, the implications of the Dobbs case, and the e orts to regulate emerging technologies. In Chapter 13 – Civil Litigation and Government Investigations, the implications of the Dobbs case are addressed. In addition, this chapter examines the Second Additional Protocol to the Budapest Convention. e updates to Chapter 14 – e GDPR and International Privacy Issues explore data transfers from Europe to the United States as well as developments in global data ows. Also, we have reordered two chapters in the book. In the 2020 edition, Chapter 3 focused on federal and state regulators while Chapter 5 explored the various aspects of the topic dubbed online privacy. In this edition, we have swapped that order. For this edition, the rst three chapters of the book are introductory material important to the study of privacy and its regulation. ese three chapters are then followed by chapters that focus on di erent aspects of the regulation of privacy. In several chapter updates, we have intentionally linked the updates to the material found in the relevant books associated with additional certi cations o ered by the IAPP CIPT, CIPM, and CIPP/E, respectively. Chapter 3 provides an introduction to technical issues relevant to privacy, which are discussed in more detail in the IAPP’s book entitled An Introduction to Privacy for Technology Professionals. Chapter 4 provides an introduction to information management and privacy risk management, topics discussed in more detail in the IAPP’s book Privacy Program Management. Chapter 14 provides an overview of the EU data protection framework and the legal basis for data ows to the United States. e IAPP’s book entitled European Data Protection: Law and Practice explores these topics in detail. On a personal note, I want to express my appreciation to Peter Swire for the positive working relationship that resulted in our co-authorship of this latest edition of this book. In the IAPP, Nicole Russell was our lead contact for this edition of the book. Her work in ge ing this edition to the publisher was invaluable. A list of thank yous is inevitably incomplete, but the e ort is still worthwhile. ank you to eodore Christakis, Ken Propp, and Dan Felz at the Cross-Border Data Forum for their insights into data ows across national borders. ank you to Nathan Lemay for his insight concerning the technical aspects of privacy, his focus on deidenti cation, and his e orts to further democratization of education in the eld of privacy. ank you to Jan Hankins for her insights into Fourth Amendment protections and her perspective related to criminal defense. ank you to Tino Chikate, Gemma Davies, Jake Gord, Dwight Hakim, Will Hankins, Justin Hemmings, James Jones, Ben Jury, Emily Le, Tamara Lev, Muhammad Nauman, Hal Overman, Emily Powell, and Sepehr Saberian for providing ideas for chapter update, reviewing dra s of chapters, and working on footnotes. To my students at Georgia Tech, thank you for all the insights you have provided to me and, more importantly, for all those that you have imparted to the communities where you live. To everyone who reads this book, thank you for the time you take to increase your knowledge and understanding of the complex concept referred to as privacy and for how you implement these ideas, both in your professional and private lives. Finally, thank you to my remarkable husband Garre for his insights, his unwavering support, and his willingness to watch our dog, Luke, and our cat, Miss Ki y, on those days when I am working long hours researching the intersection of privacy and technology. DeBrae Kennedy-Mayo, CIPP/US Savannah, Georgia, USA July 2023 Acknowledgments e IAPP is pleased to present U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals, Fourth Edition in support of the Certi ed Information Privacy Professional/United States (CIPP/US®) program. We are grateful for the many privacy professionals who provide their time and expertise to support our training programs. is list starts with our Training Advisory Board, a group of highly-respected professionals representing a broad range of jurisdictions and industries. Current members include: Olufunke Babatunde, CIPP/E, CIPM, FIP Shay Babb, CIPP/C, CIPM Robin Anise Benns, CIPP/US James Boyle, CIPP/E Dave Brown, CIPP/US, CIPM, FIP Erin Butler, CIPM Jonathan Cantor, CIPP/G, CIPP/US Smriti Chandrashekar, CIPP/A, CIPP/US, CIPM, FIP Ben Daley-Gage, CIPP/E, CIPM, CIPT Nitin Dhavate, CIPP/E, CIPM, FIP Preeti Dhawan, CIPP/C Kathryn Fox, CIPM Roberto Girardi, CIPP/E Francesco Gualtieri, CIPP/E, CIPM, CIPT, FIP Leyla Gurbanova, CIPP/E Adebola Hamed, CIPP/US, CIPM, FIP Adam Higgins, CIPP/E, CIPM, CIPT, FIP Stacey Keegan, CIPP/C, CIPP/US, CIPM Milla Keller, CIPP/E Kok Kwang Lui, CIPP/E, CIPM, CIPT, FIP Maria-Cristina Macocinschi, CIPP/E, CIPM Fiona Makaka, CIPP/E Nicholas Merker, CIPT Esteban Morin, CIPP/C, CIPP/E, CIPP/US, CIPM, FIP, PLS Michael O’Rourke, CIPP/G Ross Parker, CIPM Jason Peterson, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP Natasha Pe erson, CIPP/E, CIPM Petruta Pirvan, CIPP/E, CIPP/US, CIPM, FIP Tiina Suomela, CIPP/E, CIPM, CIPT, FIP Kalpana Sundaram, CIPP/US Roja Tanamala, CIPM Liisa omas Mary Kay urlkill, CIPP/US, CIPM, FIP Paul Törnblom, CIPP/E Victoria van Roosmalen, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, FIP Sok Woo Yoon, CIPP/US I am enormously grateful to Peter Swire and DeBrae Kennedy-Mayo for their time and dedication to this project. ank you, Peter and DeBrae for sharing your expertise in government and privacy law to clearly and comprehensively explain the changes in and complexity of the U.S. privacy landscape within these pages. We are appreciative of Libby Sweeney’s a ention to detail in her copy edit of the textbook and for Hyde Park Publishing Services who created the book index. As with previous editions, I hope you nd this textbook to be a valuable resource in preparing for your CIPP/US certi cation and a practical reference in your daily professional lives. Marla Berry, CIPT Training Director International Association of Privacy Professionals Introduction It has become cliché in the world of data privacy to remark on the pace of change within our eld. We speak of a landslide of U.S. state consumer privacy laws. We drink from the re hose of international compliance obligations. We swim endlessly in the vast and turbulent waters of regulatory scrutiny. But through it all, privacy professionals can return always to the strong core at the base of our practice. Like a martial artist descending comfortably into a ghting stance, privacy’s principles-based foundation provides us with the exibility we need to adapt to new realities without compromising the lived experience of those we serve. Whether we conceive of new risks in corporate terms or by reference to the privacy rights of individuals, we nd ourselves armed with the tools we need to adapt and maintain consistent outcomes. It is books like the one you hold in your hands that make the exible strength of our profession possible. As this edition goes to print, the newest wave of technologies o en described imprecisely and unsatisfyingly as “arti cial intelligence” are challenging many of the fundamental concepts in data privacy. What is “personal data” when new inference engines can spin powerful and accurate guesses about consumers’ lives from mundane inputs? What is “sensitive data” when the movements of our bodies or even the electrical emanations of our thoughts can be used to infer our health conditions, our emotions, our very identities? How can we rely on individualized controls to respond to the collective privacy risks raised by opaque algorithms deployed at scale? Yet even as AI questions our assumptions, the eld of privacy is reaching a maturity level that could only have been dreamed of a few decades ago. e policy innovations to which privacy pros respond largely require the same time-tested tools of practice that began to be developed in the 1970s. is book helps us to understand and use those tools, whether we do so in service of the Privacy Act of 1974, the Connecticut Data Privacy Act of 2022, or our own values and principles. We could not ask for a be er guide. Peter Swire continues to inspire with the depth and rigor of his privacy credentials. Swire wears many hats. In addition to his work handcra ing each subsequent edition of this textbook, he is a Senior Counsel at Alston & Bird, LLP and serves as Professor of Law and Ethics in the Georgia Technology Scheller College of Business, while holding the J.Z. Liang Chair in the Georgia Technology School of Cybersecurity and Privacy. Professor Swire has served important roles in government, including groundbreaking privacy management and oversight roles in Clinton’s O ce of Management and Budget and the Obama White House. He is a Senior Fellow with the Future of Privacy Forum and has been a member of the National Academies’ Forum on Cyber-Resiliency. He has received awards for his scholarship and leadership in the privacy community from the IAPP and FPF. More importantly, Swire has le his mark on a wide range of long-lasting privacy developments that feature in this book, from the Health Insurance Portability and Accountability Act Privacy Rule to the EU-U.S. Privacy Shield agreement. e impact of DeBrae Kennedy-Mayo to the e ectiveness of this resource can also not be understated. As Kennedy-Mayo makes clear in her preface, this textbook is forged in the res of real-world education. e focus on robust pedagogy is apparent throughout its pages, refreshed in this edition with new angles and examples, always with an eye toward bringing data privacy alive for the student and practitioner alike. Since the time my own privacy career was but a twinkle, this book has served as the de nitive resource for privacy law and regulation in the United States. e fourth edition of U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals continues to bene t from its authors’ careful stewardship. Because of its comprehensive treatment of the principles, practice, and evolving compliance obligations of data privacy, it will continue to serve as an indispensable resource for every privacy professional even in the swi ly moving digital world we now occupy. As you peruse the pages of this rich resources, whether for the rst time or on a repeat journey, I hope you will take to heart the lesson that data privacy remains a powerful tool for centering the lives of individuals within organizational practice, not because of new compliance obligations, but because of the timeless principles it embraces. Laws change, technology changes, but the ideal of data privacy remains the same, challenging us always to continue to improve. Cobun Zweifel-Keegan, CIPP/US, CIPM Managing Director, Washington, D.C. International Association of Privacy Professionals CHAPTER 1 Introduction to Privacy is chapter provides an introduction to the subject of protection of information about individuals. In the United States and other countries, laws in this area are known as privacy law, or sometimes data privacy or information privacy law. In the European Union and other countries, laws in this area are known as data protection law. e discussion introduces the relevant vocabulary and describes the common principles and approaches used throughout the world for information privacy and data protection. is chapter continues by providing an understanding of the legal and policy structures for privacy and data protection around the world. It then outlines key models of privacy protection: the comprehensive, sectoral, self-regulatory or co-regulatory, and technology models. 1.1 Defining Privacy In 1890, Samuel Warren and Louis Brandeis published “ e Right to Privacy” in the Harvard Law Review, se ing forth the essential de nition of privacy as “the right to be let alone.”1 Both fundamental and concise, this de nition underscored the personal and social dimensions of the concept that would linger long a er publication of this landmark essay. Similar to this U.S. experience, most other countries have historical reasons that individuals, organizations, and government bodies have proposed their own privacy de nitions. International organizations have also addressed the issue of privacy. Privacy has been de ned as the desire of people to freely choose the circumstances and the degree to which individuals will expose their a itudes and behavior to others.2 It has been connected to the human personality and used as a means to protect an individual’s independence, dignity, and integrity.3 Establishing an understanding of how privacy is de ned and categorized as well as how it has emerged as a social concern is critical to understanding data protection and privacy laws as they have been established today in the United States, Europe and elsewhere around the world. 1.2 Classes of Privacy As previously discussed, privacy can be de ned in many ways. When examining data protection and privacy laws and practices, it can be helpful to focus on four categories or classes of privacy.4 1. Information privacy is concerned with establishing rules that govern the collection and handling of personal information. Examples include nancial information, medical information, government records, and records of a person’s activities on the internet. 2. Bodily privacy is focused on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing, or body cavity searches. It also encompasses issues such as birth control, abortion, and adoption. 3. Territorial privacy is concerned with placing limits on the ability to intrude into another individual’s environment. “Environment” is not limited to the home; it may be de ned as the workplace or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance, identi cation checks, and use of similar technology and procedures. 4. Communications privacy encompasses protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus. While some of these categories may interrelate, this book will focus primarily on the legal, technological and practical components of information privacy. 1.3 The Historical and Social Origins of Privacy Information privacy as a social concept is rooted in some of the oldest texts and cultures.5 Privacy is referenced numerous times in the laws of classical Greece and in the Bible. e concept of the freedom from being watched has historically been recognized by Jewish law.6 Privacy is similarly recognized in the Qur’an and in the sayings of Mohammed, where there is discussion of the privacy of prayer as well as in the avoidance of spying or talking ill of someone behind their back.7 e legal protection of privacy rights has a similarly far-reaching history. In England, the Justices of the Peace Act, enacted in 1361, included provisions calling for the arrest of “peeping Toms” and eavesdroppers.8 In 1765, British Lord Camden protected the privacy of the home, striking down a warrant to enter the home and seize papers from it. He wrote, “We can safely say there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society; for papers are o en the dearest property any man can have.”9 Parliamentarian William Pi shared this view, declaring that “the poorest man may in his co age bid de ance to all the force of the Crown. It may be frail: its roof may shake; the wind may blow through it; the storms may enter; the rain may enter but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement.”10 is British tradition of privacy protection was built into the U.S. Constitution, rati ed in 1789. Although the word “privacy” does not appear in the Constitution, a number of provisions relate to privacy, including the ird Amendment, banning quartering of soldiers in a person’s home; the Fourth Amendment, generally requiring a search warrant before the police can enter a home or business; the Fi h Amendment, prohibiting persons from being compelled to testify against themselves; and, later, the Fourteenth Amendment, with its requirement of due process under the law, including for intrusions into a person’s bodily autonomy. By contrast, the California Constitution contains an explicit guarantee of the right to privacy, which the people of California added to the California Constitution by a ballot measure in November 1974. Article 1, Section 1 of the California Constitution states: All people are by nature ee and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring , possessing , and protecting property, and pursuing and obtaining safety, happiness, and privacy.11 In many parts of the world, modern privacy has arisen within the context of human rights. In December 1948, the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights.12 is declaration formally announced that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.”13 In 1950, the Council of Europe set forth the European Convention for the Protection of Human Rights and Fundamental Freedoms.14 Article 8 of that Convention, which has been the subject of extensive litigation, provides that “everyone has the right to respect for his private and family life, his home and his correspondence,” with this right conditioned where necessary to protect national security and other goals, as necessary to preserve a democratic society.15 1.4 Fair Information Practices Since the 1970s, fair information practices (FIPs), sometimes called fair information privacy practices or principles (FIPPs), have been a signi cant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information. e precise de nitions of FIPs have varied over time and by geographic location; nonetheless, strong similarities exist for the major themes. In practice, there are various exceptions to the clear statements provided here and the degree to which the FIPs are legally binding. Important codi cations of FIPs include: e 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles e 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”) e 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”) e Asia-Paci c Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework e 2009 Madrid Resolution International Standards on the Protection of Personal Data and Privacy 1.4.1 Overview of Fair Information Practices FIPs are guidelines for handling, storing, and managing data with privacy, security, and fairness in an information society that is rapidly evolving.16 ese principles can be conceived in four categories: rights of individuals, controls on the information, information life cycle, and management. 1.4.1.1 Rights of Individuals With regard to the rights of individuals, organizations should address notice, choice, and consent, as well as data subject access. Notice. Organizations should provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained, and disclosed. Choice and consent. Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information. Consent is o en considered especially important for disclosures of personal information to other data controllers. Data subject access. Organizations should provide individuals with access to their personal information for review and updates. 1.4.1.2 Controls on the Information Regarding controls on the information, organizations should focus on information security and information quality. Information security. Organizations should use reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, use, disclosure, modi cation, and destruction. Information quality. Organizations should maintain accurate, complete, and relevant personal information for the purposes identi ed in the notice. 1.4.1.3 Information Life Cycle Organizations should address the life cycle of information, including collection, use and retention, and disclosure. Collection. Organizations should collect personal information only for the purposes identi ed in the notice. Use and retention. Organizations should limit the use of personal information to the purposes identi ed in the notice and for which the individual has provided implicit or explicit consent. Organizations should also retain personal information for only as long as necessary to ful ll the stated purpose. Disclosure. Organizations should disclose personal information to third parties only for the purposes identi ed in the notice and with the implicit or explicit consent of the individual. 1.4.1.4 Management Regarding management, organizations should ensure that they address both management and administration as well as monitoring and enforcement. Management and administration. Organizations should de ne, document, communicate, and assign accountability for their privacy policies and procedures. Monitoring and enforcement. Organizations should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes. 1.4.2 U.S. Health, Education and Welfare FIPs (1973) e FIPs used widely today date back to a 1973 report by the U.S. Department of Health, Education and Welfare Advisory Commi ee on Automated Systems.17 e original Code of Fair Information Practices provided: ere must be no personal data recordkeeping systems whose very existence is secret ere must be a way for a person to nd out what information about the person is in a record and how it is used ere must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the individual’s consent ere must be a way for a person to correct or amend a record of identi able information about the person Any organization creating, maintaining, using or disseminating records of identi able personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuse of the data 1.4.3 Organisation for Economic Co-operation and Development Guidelines (1980) In 1980, the OECD, an international organization that originally included the United States and European countries but has since expanded, published a set of privacy principles entitled “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.”18 Updated in 2013, the OECD Guidelines are perhaps the most widely recognized framework for FIPs and have been endorsed by the U.S. Federal Trade Commission (FTC) and many other government organizations.19 e guidelines provide the following privacy framework: Collection Limitation Principle. ere should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up to date. Purpose Speci cation Principle. e purposes for which personal data are collected should be speci ed not later than at the time of data collection and the subsequent use limited to the ful llment of those purposes or such others as are not incompatible with those purposes and as are speci ed on each occasion of change of purpose. Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those speci ed in accordance with [the Purpose Speci cation Principle] except: (a) with the consent of the data subject or (b) by the authority of law. Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modi cation or disclosure of data. Openness Principle. ere should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. Individual Participation Principle. An individual should have the right: (a) to obtain om a data controller, or otherwise, con rmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful to have the data erased, recti ed, completed or amended. Accountability Principle. A data controller should be accountable for complying with measures which give e ect to the principles stated above.20 In 2022, the OECD adopted a declaration on common principles for government access, both for law enforcement and national security purposes, to personal data held by private companies.21 1.4.4 Council of Europe Convention (1981) In 1981, the Council of Europe passed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ("Convention 108"). is convention required member states of the Council of Europe that signed the treaty to incorporate certain data protection provisions into their domestic law.22 Convention 108 provided for the following: Quality of data. Data of a personal nature that is automatically processed should be obtained and stored only for speci ed and legitimate purposes. Data should be stored in a form that permits identi cation of the data subject no longer than needed for the required purpose. Special categories of data. Unless domestic law provides appropriate safeguards, personal data revealing the following categories cannot be automatically processed: racial origin, political opinions, religious beliefs, health, sex life, or criminal convictions. Data security. Appropriate security measures should be taken for les containing personal data. ese measures must be adapted for the particular function of the le as well as for risks involved. Transborder data ows. When transferring data from one party of the Convention to another party, privacy concerns shall not prohibit the transborder ow of data. Exceptions to this provision include special regulations concerning certain categories of personal data.23 e Convention was broadly similar to the OECD Guidelines, and its principles were important contributors to national data protection laws in Europe in the 1980s and 1990s.24 In 2018, the Council of Europe adopted an update to the convention, referred to as Convention 108+.25 e changes brought the Convention in line with the EU’s General Data Protection Regulation (GDPR). In particular, the updates focus on necessary and proportionate requirements for data processing; obligations on controllers to provide notice when a data breach occurs; and requirements for transborder data ows.26 As of the writing of this book, the United States is not expected to ratify Convention 108 or Convention 108+.27 1.4.5 APEC Privacy Framework (2004) APEC is a multinational organization with 21 Paci c Coast members in Asia and the Americas. Unlike the European Union, the APEC organization operates under nonbinding agreement. It was established in 1989 to enhance economic growth for the region. In 2003, the APEC Privacy Subgroup was established under the auspices of the Electronic Commerce Steering Group in order to develop a framework for privacy practices. is framework was designed to provide support to APEC-member economic legislation that would both protect individual interests and ensure the continued economic development of all APEC member economies. e APEC Privacy Framework was approved by the APEC ministers in 2004 and updated in 2015.28 It contains nine information privacy principles that generally mirror the OECD Guidelines, but in some areas are more explicit about exceptions. e APEC privacy principles spelled out in the framework are: 1. Preventing Harm. Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information. Further, acknowledging the risk that harm may result om such misuse of personal information, speci c obligations should take account of such risk and remedial measures should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of personal information. 2. Notice. Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include: a. the fact that personal information is being collected; b. the purposes for which personal information is collected; c. the types of persons or organizations to whom personal information might be disclosed; d. the identity and location of the personal information controller, including information on how to contact it about its practices and handling of personal information; e. the choices and means the personal information controller o ers individuals for limiting the use and disclosure of personal information, and for accessing and correcting it. All reasonably practicable steps shall be taken to ensure that such information is provided either before or at the time of collection of personal information. Otherwise, such information should be provided as soon a er as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information. 1. Collection Limitation. e collection of personal information should be limited to information that is relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and, where appropriate, with notice to, or consent of, the individual concerned. 2. Uses of Personal Information. Personal information collected should be used only to ful ll the purposes of collection and other compatible purposes except: a. with the consent of the individual whose personal information is collected; b. when necessary to provide a service or product requested by the individual; or, c. by the authority of law and other legal instruments, proclamations and pronouncements of legal e ect. 3. Choice. Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and a ordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information. 4. Integrity of Personal Information. Personal information should be accurate, complete and kept up-to-date to the extent necessary for the purposes of use. 5. Security Safeguards. Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modi cation or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment. 6. Access and Correction. Individuals should be able to: a. obtain om the personal information controller con rmation of whether or not the personal information controller holds personal information about them b. have communicated to them, a er having provided su cient proof of their identity, personal information about them i. within a reasonable time; ii. at a charge, if any, that is not excessive; iii. in a reasonable manner; iv. in a form that is generally understandable; and, c. challenge the accuracy of information relating to them and, if possible and as appropriate, have the information recti ed, completed, amended or deleted. d. such access and opportunity for correction should be provided except where: i. the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy in the case in question; ii. the information should not be disclosed due to legal or security reasons or to protect con dential commercial information; or iii. the information privacy of persons other than the individual would be violated If a request under (a) or (b) or a challenge under (c) is denied, the individual should be provided with reasons why and be able to challenge such denial. 1. Accountability. A personal information controller should be accountable for complying with measures that give e ect to the principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these principles.29 In 2022, Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States announced that they will establish an international certi cation system based on the existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors (PRP) Systems. e new approach, known as the Global Cross-Border Privacy Rules Forum (Global CBPR Forum), will technically be independent of the existing APEC framework, allowing non-APEC members to participate.30 1.4.6 Madrid Resolution (2009) In 2009, the Madrid Resolution was approved by the independent data protection and privacy commissioners (not the governments themselves) at the annual International Conference of Data Protection and Privacy Commissioners held in Madrid, Spain.31 ere were dual purposes for the Madrid Resolution: to de ne a set of principles and rights guaranteeing (1) the e ective and internationally uniform protection of privacy with regard to the processing of personal data and (2) the facilitation of the international ows of personal data needed in a globalized world. e resolution has several basic principles: Principle of lawfulness and fairness. Personal data must be fairly processed, respecting the applicable national legislation as well as the rights and freedoms of individuals. Any processing that gives rise to unlawful or arbitrary discrimination against the data subject shall be deemed unfair. Purpose speci cation principle. Processing of personal data should be limited to the ful llment of the speci c, explicit, and legitimate purposes of the responsible person; processing that is noncompatible with the purposes for which personal data was collected requires the unambiguous consent of the data subject. Proportionality principle. Processing of personal data should be limited to such processing as is adequate, relevant, and not excessive in relation to the purposes. Reasonable e orts should be made to limit processing to the minimum necessary. Data quality. e responsible person should at all times ensure that personal data is accurate, su cient, and up to date in such a way as to ful ll the purposes for which it is processed. e period of retention of the personal data shall be limited to the minimum necessary. Personal data no longer necessary to ful ll the purposes that legitimized its processing must be deleted or rendered anonymous. Openness principle. e responsible person shall provide to the data subjects, as a minimum, information about the responsible person’s identity, the intended purpose of processing, the recipients to whom their personal data will be disclosed, and how data subjects may exercise their rights. When data is collected directly from the data subject, this information must be provided at the time of collection unless it has already been provided. When data is not collected directly from the data subject, the responsible person must inform them about the source of personal data. is information must be provided in an intelligible form, using clear and plain language, in particular for any processing addressed speci cally to minors. Accountability. e responsible person shall take all the necessary measures to observe the principles and obligations set out in the resolution and in the applicable national legislation and have the necessary internal mechanisms in place for demonstrating such observance both to data subjects and to the supervisory authorities exercising their powers. 1.5 Information Privacy, Data Protection, and the Advent of Information Technology Modern ideas about privacy have been decisively shaped by the rapid development of information technology (IT). Mainframe computers emerged by the 1960s to handle the data processing and storage needs of business, government, educational, and other institutions. As hardware and so ware evolved, there were clear and large bene ts to individuals and society, ranging from increased economic growth to easier communications for individuals. e unprecedented accumulation of personal data, and the resulting potential for increased surveillance, also triggered an acute interest in privacy practices and the privacy rights of individuals. A vivid image of the risk came from George Orwell’s 1949 book 1984, in which the government kept citizens under surveillance at all times, warning them with the slogan “Big Brother is watching you.”32 To prevent the creation of “Big Brother,” by the late 1960s, nearly two decades a er Orwell wrote his masterpiece, there were increasing demands for formal rules to govern the collection and handling of personal information. In response to this sort of concern, in 1970 the German state of Hesse enacted the rst known modern data protection law. is German law was motivated in part by the growing potential of IT systems as well as a desire to prevent a reoccurrence of the personal information abuses that took place under Hitler’s ird Reich before and during World War II. Such concerns were not con ned to Germany, and over the next decade, several European countries enacted national privacy laws of di ering objectives and scope. In 1970, the United States passed its rst national privacy law, the Fair Credit Reporting Act (FC ), which focused solely on information about consumer credit. 1.6 Personal and Nonpersonal Information Because information privacy is concerned with establishing rules that govern the collection and handling of personal information, an understanding of what constitutes personal information is key. A central issue to determine is the extent to which information can be linked to a particular person. is can be contrasted with aggregate or statistical information, which generally does not raise privacy compliance issues. 1.6.1 Personal Information In the United States, the terms “personal information” and “personally identi able information” (PII) are generally used to de ne the information that is covered by privacy laws. ese de nitions include information that makes it possible to identify an individual. Examples include names, Social Security numbers, or passport numbers. e terms also include information about an “identi ed” or “identi able” individual. For instance, street address, telephone number, and email address are generally considered su ciently related to a particular person to count as identi able information within the scope of privacy protections. e de nitions generally apply to both electronic and paper records. Sensitive personal information is an important subset of personal information. e de nition of what is considered sensitive varies depending on jurisdiction and particular regulations. In the United States, Social Security numbers and nancial information are commonly treated as sensitive information, as are driver’s license numbers and health information. In general, sensitive information requires additional privacy and security limitations to safeguard its collection, use and disclosure. 1.6.2 Nonpersonal Information If the data elements used to identify the individual are removed, the remaining data becomes nonpersonal information, and privacy and data protection laws generally do not apply.33 Similar terms used include “deidenti ed” or “anonymized” information. is type of information is frequently used for research, statistical, or aggregate purposes. Pseudonymized data exists where information about individuals is retained under pseudonyms, such as a unique numerical code for each person, that renders data temporarily nonpersonal. Pseudonymized data can be reversed, reidentifying the individuals. is reversibility can be important in certain situations, such as a drug trial where the medicine is discovered to have adverse side e ects.34 1.6.3 The Line between Personal and Nonpersonal Information e di erence between personal and nonpersonal information depends on what is identi able. e line between these two categories is not always clear, and regulators and courts in di erent jurisdictions may disagree on what counts as personal information. Other Information Assets of an Organization As part of their normal activities, organizations also may collect and generate information that, by its nature, would not be considered personal information but is nevertheless a key part of the information assets of the organization. Examples of such information include: Financial data Operational data Intellectual property Information about the organization’s products and services ough not personal information, such information needs to be protected and secured to ensure its con dentiality. As an example of how di erent regimes have de ned the line between personal and nonpersonal information, consider the internet protocol (IP) address: the numbers that identify the location of computers in communications over the internet. e European Union generally considers IP addresses personal data” taking the view that IP addresses are identi able.35 In the United States, federal agencies operating under the Privacy Act do not consider IP addresses to be covered by the statute.36 However, the Federal Trade Commission, an independent agency in the United States, has stated that in connection with breaches of health care information, IP addresses are personal information.37 For the privacy professional, it is important to check the line between personal and nonpersonal information for the appropriate regulatory regime. Assessing an Organization’s Personal Information Responsibilities e line between personal and nonpersonal information illustrates a critical rst step in assessing an organization’s personal information responsibilities determining whether the organization is covered by a law or other obligation. With globalization, information privacy professionals may need to determine when the laws of a particular jurisdiction apply. In addition, some laws apply only to particular sectors or types of information. e Health Insurance Portability and Accountability Act (HIPAA) in the United States, for instance, applies only to certain organizations (“covered entities”) and certain information (“protected health information”). Changes in technology can also shi the line between personal and nonpersonal information. For instance, historically, IP addresses were usually dynamic individuals would generally get a new IP address assigned by their internet service provider each time they logged on to the internet. Over time, more individuals have had static IP addresses, which stay the same for each computer device, linking the device more closely to an identi able person.38 e increasingly used version of the internet protocol (IPv6) employs a new numbering scheme that, by default, uses information about the computer to generate an IPv6 address, making it even easier to link devices (including smartphones) and their users. 1.7 Sources of Personal Information Sometimes the same information about an individual is treated di erently based on the source of the information. To illustrate this point, consider three sources of personal information: public records, publicly available information, and nonpublic information. 1. Public records consist of information collected and maintained by a government entity and available to the public. ese government entities include the national, state, provincial, and local governments. Public records laws vary considerably across jurisdictions.39 2. Publicly available information is information that is generally available to a wide range of persons. Some traditional examples are names and addresses in telephone books and information published in newspapers or other public media. Today, search engines are a major source of publicly available information. 3. Nonpublic information is not generally available or easily accessed due to law or custom. Examples of this type of data are medical records, nancial information, and adoption records. A company’s customer or employee database usually contains nonpublic information. Organizations should be alert to the possibility that the same information may be public record, publicly available, and nonpublic. For example, a name and address may be a ma er of public record on a real estate deed, publicly available in the telephone book, and included in nonpublic databases, such as in a health care patient le. To understand how to handle the name and address, one must understand the source that provided it restrictions may apply to use of the name and address in the patient le, but not to public records or publicly available information. 1.8 Processing Personal Information As previously introduced, almost anything that someone may do with personal information might constitute processing under privacy and data protection laws. e term “processing” refers to the collection, recording, organization, storage, updating or modi cation, retrieval, consultation, and use of personal information. It also includes the disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure, or destruction of personal information. e following common terms, rst widely used in the European Union, apply to data processing: Data subject is the individual about whom information is being processed, such as the patient at a medical facility, the employee of a company, or the customer of a retail store. Data controller is an organization that has the authority to decide how and why personal information is to be processed. is entity is the focus of most obligations under privacy and data protection laws it controls the use of personal information by determining the purposes for its use and the manner in which the information will be processed.40 e data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership. Data processor is an individual or organization, o en a third-party outsourcing service, that processes data on behalf of the data controller. Under the HIPAA Privacy Rule, these data processors are called “business associates.” A data controller might not have the employees or expertise in-house to do some types of activities, or might nd it more e cient to get assistance from other organizations. For instance, a data controller may hire another organization to do accounting and back-o ce operations. e rst data processor, in turn, might hire other organizations to act as data processors on its behalf, for example, if a company providing back-o ce operations hired a subcontractor to manage its website. Each organization in the chain from data controller, to data processor, to any subsequent data processor acting on behalf of the rst data processor is expected to act in a trusted way, doing operations that are consistent with the direction of the data controller. e data processors are not authorized to do additional data processing outside of the scope of what is permi ed for the data controller itself. 1.9 Sources of Privacy Protection ere is no single approach to protecting privacy and security. Rather, privacy protection is derived from several sources: market forces, technology, legal controls, and self-regulation. Markets. e market can be a useful way of approaching privacy protection. When consumers raise concerns about their privacy, companies respond. Businesses that are brand-sensitive are especially likely to adopt strict privacy practices to build up their reputations as trustworthy organizations. In turn, this can create market competition, spurring other companies to also implement privacy practices into their operations. Technology. Technology also can provide robust privacy protection. e rapid advancement of technology such as encryption provides people with new and advanced means of protecting themselves. Even if privacy protection from law or market forces is weak, information privacy and security best practices can remain strong. Law. Law is the traditional approach to privacy regulation. However, simply enacting more laws does not necessarily result in be er privacy and security. Laws may not be well dra ed and may be poorly enforced. Laws should be understood as one very important source of privacy protection, but in practice, actual protection also depends on markets, technology and self-regulation. Self-regulation and co-regulation. Self-regulation (and the closely related concept of co-regulation) is a complement to law that comes from the government. e term “self-regulation” can refer to any or all of three components: legislation, enforcement, and adjudication. Legislation refers to the question of who de nes privacy rules. For self- regulation, this typically occurs through the privacy policy of a company or similar entity, or by an industry association. Enforcement refers to the question of who should initiate enforcement action. Actions may be brought by data protection authorities (DPAs), other government agencies, industry code enforcement, or, in some cases, the a ected individuals. Finally, adjudication refers to the question of who should decide whether an organization has violated a privacy rule. e decision-maker can be an industry association, a government agency, or a judicial o cer. us, the term “self-regulation” covers a broad range of institutional arrangements. For a clear understanding of data privacy responsibilities, privacy professionals should consider who de nes the requirements, which organization brings enforcement action, and who makes the judicial decisions. 1.10 World Models of Data Protection As of the writing of this book, more than 160 countries have privacy or data protection regimes, and more than half of them rst enacted such laws a er the year 2000.41 In varying degrees, the di erent data protection models around the world all draw upon law, markets, technology and self-regulation as sources for privacy protection.42 Comprehensive data protection laws are those in which the government has de ned requirements throughout the economy. On the other hand, sectoral laws, such as those in the United States, exist in selected market segments, o en in response to a particular need or problem. e scope of data protection laws, as described above, varies depending on how much the speci c country relies on government laws versus industry codes and standards. e various data protection models used globally also di er in enforcement and adjudication. However, each regime falls along a continuum, with clearly de ned legislative, enforcement and adjudication mechanisms established by the government at one end and no stated, de ned baseline at the other. In practice, no regime is so comprehensive that all laws are wri en, enforced and adjudicated by the government. Even in the United States, however, which is o en used as an example of a less regulatory-oriented regime, the government has wri en numerous privacy laws. Some of the most common data protection models in use today are comprehensive and sectoral frameworks, co-regulatory or self-regulatory models, and the technology-based model. Following are the basic approaches, along with major arguments for and against each approach. 1.10.1 Comprehensive Model Comprehensive data protection laws govern the collection, use and dissemination of personal information in the public and private sectors.43 Generally speaking, a country that has enacted such laws hosts an o cial or agency responsible for overseeing enforcement.44 is o cial or agency, o en referred to as a DPA in Europe, ensures compliance with the law and investigates alleged breaches of the law’s provisions. In many countries, the o cial also bears responsibility for educating the public on data protection ma ers and acts as an international liaison for data protection issues. Enforcement and funding are two critical issues in a comprehensive data protection scheme. Data protection o cials are granted varying degrees of enforcement power from country to country. Further, countries choose to allocate varying levels of resources to the enforcement of data protection laws, leaving some countries inadequately funded to meet the laws’ stated goals. Over time, countries have adopted comprehensive privacy and data protection laws for a combination of at least three reasons:45 Remedy past injustices. A number of countries, particularly those previously subject to authoritarian regimes, have enacted comprehensive laws as a means to remedy past privacy violations. For instance, Germany is widely regarded as having one of the strictest privacy regimes. At least part of the reason is likely a reaction to its history during the Nazi regime and under the heavy surveillance by the Stasi (Ministry of State Security) in East Germany before the two parts of Germany were reuni ed in 1990. Ensure consistency with European privacy laws. As discussed later in the book, the GDPR in the European Union limits transfer of personal data to countries that lack “adequate” privacy protections.46 Some countries passed privacy laws as part of the process of joining the European Union. Other countries have enacted privacy laws at least in part to prevent any disruption in trade with EU countries. Promote electronic commerce. Countries have developed privacy laws to provide assurance to potentially uneasy consumers engaged in electronic commerce. Critics of the comprehensive approach express concern that the costs of the regulations can outweigh the bene ts. One-size- ts-all rules may not address risk well. If the rules are strict enough to ensure protection for especially sensitive data, such as medical data or information that can lead to identity the , that same level of strictness may not be justi ed for less sensitive data. Along with the strictness of controls, comprehensive approaches can involve costly paperwork, documentation, audits and similar requirements even for se ings where the risks are low. A di erent critique of comprehensive regimes is that they may provide insu cient opportunity for innovation in data processing. With the continued evolution of IT, individuals have access today to many products and services that were unimaginable a decade or two ago, from smartphones to social networks and the full range of services that have developed since the internet emerged in the 1990s. To the extent that comprehensive laws may discourage the emergence of new services involving personal information or require prior approval from regulators, the pace and diversity of technological innovation may slow. 1.10.2 Sectoral Model (United States) is framework protects personal information by enacting laws that address a particular industry sector.47 For example, in the United States, di erent laws delineate conduct and specify the requisite level of data protection for video rental records, consumer nancial transactions, credit records, law enforcement, and medical records. Even in a comprehensive model, laws addressing speci c market segments may be enacted to provide more speci c protection for data particular to that segment, such as the health care sector. Supporters of the sectoral approach emphasize that di erent parts of the economy face di erent privacy and security challenges; it is appropriate, for instance, to have stricter regulation for medical records than for ordinary commerce. Supporters also underscore the cost savings and lack of regulatory burden for organizations outside of the regulated sectors. Critics of the sectoral approach express concern about the lack of a single DPA to oversee personal information issues. ey also point out the problems of gaps and overlaps in coverage. Gaps can occur when legislation lags technological change, and unregulated segments may suddenly face privacy threats with no legislative guidance. Whereas laws under the comprehensive approach apply to new technologies, there are no similar governmental rules under the sectoral approach until the legislature or other responsible body acts. As a recent example, drones are becoming more common in the United States, but there have not been any national privacy rules governing surveillance by drones. Moreover, there can be political obstacles to creating new legislation if industry or other stakeholders oppose such laws. An example of a gap being lled is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which introduced a breach noti cation requirement for vendors of personal health records. ese were not covered entities under HIPAA. e new law addressed a gap, where entities not traditionally involved in health care o ered services involving the collection and use of large volumes of health care information. Similarly, overlaps can exist in a sectoral approach. For instance, HIPAA- covered entities such as medical health care providers are subject to enforcement either by the U.S. Department of Health and Human Services (HHS) under HIPAA or by the FTC under its general authority to take action against unfair and deceptive practices. As the boundaries between industries change over time, previously separate industries can converge, potentially leading to di erent legal treatment of functionally similar activities. 1.10.3 The Co-Regulatory and Self-Regulatory Models Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there are no general laws applying to personal information.48 Under both approaches, a mix of government and nongovernment institutions protects personal information. e co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models. One example is the Children’s Online Privacy Protection Act (COPPA) in the United States, which allows compliance with codes to be su cient for compliance with the statute once the codes have been approved by the FTC. e self-regulatory model emphasizes creation of codes of practice for the protection of personal information by a company, industry or independent body. In contrast to the co-regulatory model, there may be no generally applicable data protection law that creates a legal framework for the self-regulatory code.49 A prominent example that a ects the wide range of businesses that process credit card data is the global Payment Card Industry Data Security Standard (PCI DSS), which enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally. Seal programs are another form of self-regulation. A seal program requires its participants to abide by codes of information practices and submit to some variation of monitoring to ensure compliance.50 Companies that abide by the terms of the seal program are then allowed to display the program’s privacy seal on their website. Seal programs recognized by the FTC for adhering to the COPPA are Children’s Advertising Review Unit (CARU), Entertainment So ware Rating Board (ESRB), iKeepSafe, kidSAFE, PRIVO, and TrustArc (formerly TRUSTe).51 Supporters of a self-regulatory approach tend to emphasize the expertise of the industry to inform its own personal information practices, and thus use the most e cient ways to ensure privacy and security.52 Self-regulatory codes may also be more exible and quicker to adjust to new technology without the need for prior governmental approval. Critics of the self-regulatory approach o en express concerns about adequacy and enforcement. Industry-developed codes can provide limited data protection and may not adequately incorporate the perspectives and interests of consumers and other stakeholders who are not part of the industry. e strength of enforcement can also vary. In some cases, where an organization has signed up for a code, any violation is treated just like a violation of a statute. In others, however, penalties can be weak, and there may be no e ective enforcement authority. An alternative to the protections that arise from an organization’s administrative compliance with laws or self-regulatory codes that is worth considering is a technology-based model. Individuals and organizations in some se ings can use technical measures that reduce the relative importance of administrative measures for overall privacy protection. For example, global web email providers such as Google and Microso have increased their use of encryption between the sender and recipient. Chapters 3 and 4 further discuss the interrelated roles of technical, administrative, and physical safeguards for personal information. 1.11 Conclusion is chapter introduced key terminology about privacy and data protection laws and policies. It traced the history of these topics and the continued growth of legal requirements to accompany the evolution of IT since the 1960s. As legal requirements have increased, the number of data protection and privacy professionals has grown rapidly, and the role has expanded in many organizations. Similar but not identical forms of FIPS have been the basis of privacy and data protection laws in numerous countries around the globe. is chapter introduces the reader to the legal and policy structures for privacy and data protection around the world. e key models of privacy protection have been examined: the comprehensive, sectoral, self-regulatory or co-regulatory, and technology models. Endnotes 1 Samuel Warren and Louis Brandeis, “ e Right to Privacy,” Harvard Law Review 4, no. 5 (December 15, 1890): 193, h p://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html. ere are numerous sources of legal privacy, including tort privacy (Warren and Brandeis’s original conception), Fourth Amendment privacy, First Amendment privacy, fundamental-decision privacy and state constitutional privacy. Ken Gormley, “One Hundred Years of Privacy,” Wisconsin Law Review 1335 (1992), h ps://cyber.law.harvard.edu/privacy/Gormley--100 Years of Privacy-- EXCERPTS.htm. 2 Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1967). 3 Edward J. Bloustein, “Privacy as an Aspect of Human Dignity: An Answer to Dean Prosser,” New York University Law Review 39 (December 1964): 962–971. 4 David Banisar and Simon Davies, “Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments,” John Marshall Journal of Computer & Information Law 18 (Fall 1999), h p://papers.ssrn.com/sol3/papers.cfm?abstract_id=2138799. 5 Gary M. Schober et al., “Colloquium on Privacy & Security,” Bu alo Law Review 50, no. 2 (April 2002): 703–726; Electronic Privacy Information Center & Privacy International, Privacy and Human Rights: An International Survey of Privacy Laws and Developments , 2002. 6 Privacy and Human Rights , 5; see EPIC-Privacy and Human Rights Report, 2006, www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006- e.html. 7 Qur’an, an-Noor 24:27–28 (Yusufali); al-Hujraat 49:11–12 (Yusufali). 8 “Justices of the Peace Act 1361, CHAPTER 1 34 Edw 3,” Legislation.gov.uk, accessed January 2020, www.legislation.gov.uk/aep/Edw3/34/1. 9 Entick v. Carrington EWHC KB J98, www.bailii.org/ew/cases/EWHC/KB/1765/J98.html. 10 William Pi , Speech on the Excise Bill, House of Commons (March 1763). 11 Cal. Const. art. I, § 1. See Lothar Determann, California Privacy Law: Practical Guide and Commentary, (Portsmouth, NH: IAPP, 2016), Chapter 2-2. 12 Universal Declaration of Human Rights, United Nations, accessed January 2020, www.un.org/en/universal-declaration-human-rights/. 13 Universal Declaration of Human Rights at Article 8. 14 Convention for the Protection of Human Rights and Fundamental Freedoms, Council of Europe, April 11, 1950, www.coe.int/en/web/conventions/full-list/-/conventions/treaty/005. 15 Convention for the Protection of Human Rights and Fundamental Freedoms at Article 8. 16 Pam Dixon, “A Brief Introduction to Fair Information Practices,” World Privacy Forum, updated December 19, 2007, h ps://www.worldprivacyforum.org/2008/01/report-a-brief-introduction-to-fair-information- practices/. To view the code itself, see “ e Code for Fair Information Practices,” Electronic Privacy Information Center, accessed January 2020, h ps://www.epic.org/privacy/consumer/code_fair_info.html. 17 U.S. Department of Health, Education and Welfare, Pub. No. (OS) 73-94, “Records, Computers, and the Rights of Citizens,” July 1973, h ps://www.justice.gov/opcl/docs/rec-com-rights.pdf. For a historical overview of this report, view Chris Hoofnagle, “ e Origin of Fair Information Practices,” Archive of Meetings of the Secretary’s Advisory Commi ee on Automated Personal Data Systems, Berkeley Center for Law and Technology, July 15, 2014, h ps://papers.ssrn.com/sol3/papers.cfm?abstract_id=2466418. 18 Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, September 23, 1980. An important distinction between the Organisation for Economic Co-operation and Development and the Council of Europe is the involvement and support of the U.S. government. For more information, see h ps://www.oecd.org/digital/privacy/ (accessed May 2023). 19 e Organisation for Economic Co-operation and Development Privacy Framework, accessed March 2023, h ps://www.oecd.org/digital/privacy/; Jordan M. Blanke, “‘Safe Harbor’ and the European Union’s Directive on Data Protection,” Albany Law Journal of Science & Technology (2000). 20 Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, OECD, adopted September 22, 1980 and amended July 10, 2013, h ps://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188. 21 is recent OECD e ort is discussed in more detail in Chapter 14. Declaration on Government Access to Personal Data Held by the Private Sector, OECD, December 13, 2022, h ps://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0487; see Natasha Lomas, “OECD Adopts Declaration on Trusted Government Access to Private Sector Data,” TechCrunch, December 14, 2022, h ps://techcrunch.com/2022/12/14/oecd-declaration-trusted-government-access/. 22 Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention 108), January 8, 1981, Council of Europe, h ps://www.coe.int/en/web/conventions/full- list/-/conventions/treaty/108; see Council of Europe Privacy Convention, Electronic Privacy Information Center, h ps://epic.org/privacy/intl/coeconvention/ (accessed January 2020); see also 46 Member States, accessed May 2023, h ps://www.coe.int/en/web/portal/46-members-states. 23 See Explanatory Report to the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Council of Europe, European Treaty Series No. 108, January 28, 1981, h ps://rm.coe.int/16800ca434. 24 Banisar and Davies, “Global Trends,” 11. See also Je rey B. Ri er, Benjamin S. Hayes and Henry L. Judy, “Emerging Trends in International Privacy Law,” Emory International Law Review (Spring 2001). 25 Later that year, Convention 108+ was opened for signatures for the members of the Council of Europe. Convention 108+: Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, opened for signature January 28, 1981, Council of Europe, h ps://rm.coe.int/convention- 108-convention-for-the-protection-of-individuals-with-regar/16808b36f1. 26 Jennifer Baker, “What Does the Newly Signed Convention 108+ Mean for UK Adequacy?” IAPP Privacy Advisor, October 30, 2018, h ps://iapp.org/news/a/what-does-the-newly-signed-convention-108-mean- for-u-k-adequacy/; Amelia Williams, “International Origins of Data Protection Day and the Convention 108.” DataGuidance, January 2022, h ps://www.dataguidance.com/opinion/international-origins-data- protection-day-convention. 27 e U.S. is an observer to the Convention. “Chart of Signatures and Rati cations of Treaty 108,” Council of Europe, h ps://www.coe.int/en/web/conventions/full-list?module=signatures-by- treaty&treatynum=108. 28 e framework provides guidance on both domestic and international implementation. APEC Privacy Framework , Asia-Paci c Economic Cooperation, August 2017, h ps://www.apec.org/Publications/2017/08/APEC-Privacy-Framework-(2015). 29 APEC Privacy Framework , Asia-Paci c Economic Cooperation. 30 U.S. Department of Commerce, “Global Cross Border Privacy Rules (CBPR) System.” Commerce.gov, July 22 2020, h ps://www.commerce.gov/global-cross-border-privacy-rules-declaration; see Mark Sco & Vincent Manancourt, “Washington Goes on the Global Privacy O ensive,” Politico, May 6, 2022, h ps://www.politico.eu/article/washington-data-privacy-global-rules-restrictions/; APEC Cross-Border Privacy Rules Go Global,” e National Law Review, April 21, 2022, h ps://www.natlawreview.com/article/apec-cross-border-privacy-rules-go-global. 31 International Standards on the Protection of Personal Data and Privacy: e Madrid Resolution, from the International Conference of Data Protection and Privacy Commissioners, November 5, 2009; see Calli Schroeder, “When the World’s DPAs Get Together: Resolutions of the ICDPPC, IAPP Privacy Advisor, November 28, 2017, h ps://iapp.org/news/a/when-the-worlds-dpas-get-together-resolutions-of-the- icdppc/. 32 Image of “Big Brother is Watching You” book cover, accessed June 2023, h ps://images-na.ssl-images- amazon.com/images/I/51AZNmwwgxL._SY550_.jpg. 33 At the writing of this book, some countries, including the EU and India, are considering regulation of nonpersonal data. Although these protections may ful ll various government objectives, the motivations are not necessarily primarily related to privacy and instead may address concerns such as foreign the of intellectual property or trade secrets. See Ken Propp, “Cultivating Europe’s Digital Garden,” Lawfare, March 4, 2022, (discussing proposed regulation of nonpersonal data in the EU Data Act and Digital Markets Act), h ps://www.lawfareblog.com/cultivating-europes-data-garden; Sourabh Lele, “Governance Policy Will Ensure Fair Access to Non-Personal Data,” Business Standard, June 17, 2022 (discussing India’s National Data Governance Framework), h ps://www.business-standard.com/article/economy-policy/governance- policy-will-ensure-fair-access-to-non-personal-data-meity-122061600954_1.html. 34 See Phil Lee, “Anonymisation is Great, but Don’t Undervalue Pseudonymisation,” Data and Privacy (blog), Field sher, April 26, 2014, h ps://www. eld sher.com/en/services/privacy-security-and- information/privacy-security-and-information-law-blog/anonymisation-is-great-but-dont-undervalue- pseudonymisation. 35 See Daniel Felz, “ECJ Declares IP Addresses Are Personal Data,” Privacy & Cybersecurity (blog), Alston & Bird, October 19, 2016, h ps://www.alstonprivacy.com/ecj-declares-ip-addresses-personal-data/. 36 O ce of Management and Budget Memorandum 07-16, “Safeguarding Against and Responding to the Breach of Personally Identi able Information,” May 22, 2007, h ps://obamawhitehouse.archives.gov/sites/default/ les/omb/memoranda/fy2007/m07-16.pdf. 37 Federal Trade Commission, 16 CFR Part 318, “Health Breach Noti cation Rule,” Federal Register 74, no. 163 (August 25, 2009), h ps://www. c.gov/sites/default/ les/documents/federal_register_notices/health-breach-noti cation- rule-16-cfr-part-318/090825healthbreachrule.pdf. 38 At least one Federal Trade Commission o cial has noted that static IP addresses generally meet the de nition of personally identi able data. Jessica Rich, director of the Federal Trade Commission Bureau of Consumer Protection, “Keeping Up with the Online Advertising Industry,” FTC Business Blog, April 21, 2016, h ps://www. c.gov/news-events/news/public-statements/keeping-online-advertising-industry. 39 e categorization of government records as “public records” can sometimes be less than straightforward. For instance, real estate records in some jurisdictions contain detailed information about ownership, assessed value, amount paid for the parcel, taxes imposed on the parcel, and improvements. Making this information public has certain advantages, such as enabling a person who owns real estate to determine if the taxes assessed are fair relative to other parcels in the area. Other jurisdictions, by contrast, do not release such information, considering it to be private. 40 General Data Protection Regulation, Article 4, accessed March 2020, h ps://gdprm.eu/article-4- de nitions/; see Detlev Gabel and Tim Hickman, “Chapter 10: Obligations of Controllers – Unlocking the EU General Data Protection Regulation,” White & Case, April 5, 2019, h ps://www.whitecase.com/publications/article/chapter-10-obligations-controllers-unlocking-eu-general- data-protection. 41 Graham Greenleaf, “Global Data Privacy Laws: 2023: 162 National Laws and 20 Bills , 181 Privacy Laws and Business International Report 1, 2-4, h ps://papers.ssrn.com/sol3/papers.cfm?abstract_id=4426146. For a searchable database, see “Data Protection Laws of the World,” DLA Piper, accessed October 2023, h ps://www.dlapiperdataprotection.com/#handbook/world-map-section/c1_RU. 42 See Digital Economic Report 2021 - Cross-Border Data Flows and Development: For Whom the Data Flows, United Nations Conference on Trade and Development, 2021, h ps://unctad.org/system/ les/o cial-document/der2021_en.pdf 43 Banisar and Davies, “Global Trends,” 18. 44 Banisar and Davies, “Global Trends,” 14. 45 Banisar and Davies, “Global Trends,” 11. 46 GDPR is discussed in detail in Chapter 14. 47 Banisar and Davies, “Global Trends,” 14. 48 O ce of the Australian Information Commissioner, “Australian Privacy Principles,” accessed January 2020, h ps://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles; see “Australia,” Data Protection Laws of the World, DLA Piper, last modi ed December 31, 2022, h ps://www.dlapiperdataprotection.com/index.html?t=law&c=AU; Sven Burchartz, Karla Brown and Brighid Virtue Kalus Kenny Intelex, “ e Privacy, Data Protection and Cybersecurity Law Review: Australia,” e Law Reviews, October 27, 2022, h ps://thelawreviews.co.uk/title/the-privacy-data-protection-and- cybersecurity-law-review/australia. As of the writing of this book, Australia is considering a signi cant overhaul of its privacy laws. Jake Evans, “Government to Overhaul Privacy Laws, Including Right to Opt Out of Advertising, a Right to Be Forgo en, and New Rules for Small Businesses,” ABC News, September 28, 2023, h ps://www.abc.net.au/news/2023-09-28/government-agrees-to-sweeping-privacy- reforms/102912458; “Overhaul of Australian Privacy Laws Imminent,” Ashurst, February 16, 2023, h ps://www.ashurst.com/en/insights/overhaul-of-australian-privacy-laws-imminent/. 49 Banisar and Davies, “Global Trends,” 13–14. 50 “COPPA Safe Harbor Program,” Federal Trade Commission, accessed January 2020, h ps://www. c.gov/safe-harbor-program. 51 “COPPA Safe Harbor Program,” Federal Trade Commission. 52 For a discussion of the pros and cons of self-regulation, see Peter Swire, “Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information,” in Privacy and Self-Regulation in the Information Age, U.S. Department of Commerce, last revised June 10, 2017, h p://papers.ssrn.com/sol3/papers.cfm?abstract_id=11472. CHAPTER 2 U.S. Legal Framework is chapter introduces basic concepts and terms used by privacy professionals in the United States. Much of the material in this chapter will be familiar to lawyers. Privacy compliance in most organizations today, however, involves substantial participation by nonlawyers, including people whose primary background ranges from marketing, information technology (IT) and human resources to public relations and other areas. For all readers, the goal of this chapter is to provide a helpful introduction to the terminology used by privacy professionals. 2.1 Branches of the U.S. Government e U.S. Constitution establishes the framework of the legal system, creating three branches of government. e three branches legislative, executive, and judicial are designed to provide a separation of powers with a system of checks and balances among the branches. ese three branches are also generally found at the state (and o en the local) levels.1 e legislative branch is made up of elected representatives who write and pass laws. e executive branch’s duties are to enforce and administer the law. e judicial branch interprets the meaning of a law and how it is applied, and may examine such issues as a law’s constitutionality and the intent behind its creation. Table 2-1: Three Branches of U.S. Government Legislative Branch Executive Branch Judicial Branch Purpose Makes laws Enforces laws Interprets laws Who President, vice president, Congress (House and Senate) cabinet, federal agencies Federal courts (such as FTC) Checks Congress confirms President appoints federal Determines whether and presidential appointees, can judges, can veto laws passed by the laws are Balances override vetoes Congress constitutional e U.S. Congress, consisting of the Senate and the House of Representatives, is the legislative branch. Aside from passing laws, Congress can override presidential vetoes; the Senate con rms presidential appointees. When enacting legislation, Congress may also delegate the power to promulgate regulations to federal agencies. For example, Congress has enacted several laws that give the U.S. Federal Trade Commission (FTC) the authority to issue regulations to implement the laws. e executive branch consists of the president, the vice president, the president’s cabinet, and federal agencies that report to the president. e agencies implement the laws through rulemaking and enforce the laws through civil and criminal procedures. In addition, the president has veto power over laws passed by Congress and the power to appoint federal judges. e judicial branch encompasses the federal court system. e lowest courts in the federal system are the district courts, which serve as federal trial courts. Cases decided by a district court can be appealed to a federal appellate court, also referred to as a circuit court. e federal circuit courts are not trial courts but serve as the appeals courts for federal cases. e appeals courts are divided into 12 regional circuits, and each district court is assigned to a circuit; appeals from a district court are considered by the appeals court for that circuit. In addition, there are special courts such as the U.S. Court of Federal Claims and the U.S. Tax Court. At the top of the federal court system is the U.S. Supreme Court, which hears appeals from the circuit courts and decides questions of federal law, including interpreting the U.S. Constitution.

Use Quizgecko on...
Browser
Browser