US Private Sector Privacy Chapter 01 Introductionv2p1 PDF
Georgia Tech
2024
Summary
This chapter introduces the concept of privacy, focusing on information privacy, which concerns the collection and handling of personal data like financial and medical information. It also explores the legal, social, and technological aspects of privacy, tracing its historical roots. Further, this chapter details the different classes of privacy, including information privacy, bodily privacy, territorial privacy, and communication privacy, which interrelate.
MGT 6727 (Spring Semester 2024) at Georgia Tech. Chapter 1 – as of 01/05/2024. © IAPP
NOT FOR DISSEMINATION. The materials in this course are provided only for the personal use of students in this class in association with this class.

CHAPTER 1 Introduction to Privacy

This chapter provides an introduction to the subject of protection of information about individuals. In the United States and other countries, laws in this area are known as privacy law, or sometimes data privacy or information privacy law. In the European Union (EU) and other countries, laws in this area are known as data protection law. The discussion introduces the relevant vocabulary and describes the common principles and approaches used throughout the world for information privacy and data protection. This chapter continues by providing an understanding of the legal and policy structures for privacy and data protection around the world. It then outlines key models of privacy protection: the comprehensive, sectoral, self-regulatory or co-regulatory, and technology models.

1.1 Defining Privacy

In 1890, Samuel Warren and Louis Brandeis published “The Right to Privacy” in the Harvard Law Review, setting forth the essential definition of privacy as “the right to be let alone.” [1] Both fundamental and concise, this definition underscored the personal and social dimensions of the concept that would linger long after publication of this landmark essay. As in the United States, individuals, organizations and government bodies in most other countries have, for their own historical reasons, proposed their own privacy definitions. International organizations have also addressed the issue of privacy. Privacy has been defined as the desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others. [2] It has been connected to the human personality and used as a means to protect an individual’s independence, dignity and integrity. [3]

Establishing an understanding of how privacy is defined and categorized—as well as how it has emerged as a social concern—is critical to understanding data protection and privacy law as they have been established today in the United States, Europe and elsewhere around the world.

1.2 Classes of Privacy

As previously discussed, privacy can be defined in many ways. When examining data protection and privacy laws and practices, it can be helpful to focus on four categories or classes of privacy. [4]

1. Information privacy is concerned with establishing rules that govern the collection and handling of personal information. Examples include financial information, medical information, government records and records of a person’s activities on the internet.
2. Bodily privacy is focused on a person’s physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing, or body cavity searches. It also encompasses issues such as birth control, abortion and adoption.
3. Territorial privacy is concerned with placing limits on the ability to intrude into another individual’s environment. “Environment” is not limited to the home; it may be defined as the workplace or public space. Invasion into an individual’s territorial privacy typically takes the form of monitoring such as video surveillance, ID checks, and use of similar technology and procedures.
4. Communications privacy encompasses protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus.

While some of these categories may interrelate, this book will focus primarily on the legal, technological and practical components of information privacy.

1.3 The Historical and Social Origins of Privacy

The concept of information privacy as a social concept is rooted in some of the oldest texts and cultures. [5] Privacy is referenced numerous times in the laws of classical Greece and in the Bible. The concept of the freedom from being watched has historically been recognized by Jewish law. [6] Privacy is similarly recognized in the Qur’an and in the sayings of Mohammed, where there is discussion of the privacy of prayer as well as of the avoidance of spying or talking ill of someone behind their back. [7]

The legal protection of privacy rights has a similarly far-reaching history. In England, the Justices of the Peace Act, enacted in 1361, included provisions calling for the arrest of “peeping Toms” and eavesdroppers. [8] In 1765, British Lord Camden protected the privacy of the home, striking down a warrant to enter the home and seize papers from it. He wrote, “We can safely say there is no law in this country to justify the defendants in what they have done; if there was, it would destroy all the comforts of society, for papers are often the dearest property any man can have.” [9] Parliamentarian William Pitt shared this view, declaring that “the poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail: its roof may shake; the wind may blow through it; the storms may enter; the rain may enter—but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement.” [10]

This British tradition of privacy protection was built into the U.S. Constitution, ratified in 1789. Although the word privacy does not appear in the Constitution, a number of provisions relate to privacy, including the Third Amendment, banning quartering of soldiers in a person’s home; the Fourth Amendment, generally requiring a search warrant before the police can enter a home or business; the Fifth Amendment, prohibiting persons from being compelled to testify against themselves; and, later, the Fourteenth Amendment, with its requirement of due process under the law, including for intrusions into a person’s bodily autonomy. By contrast, the California Constitution contains an explicit guarantee of the right to privacy, which the people of California added to the California Constitution by a ballot measure in November 1974. Article 1, Section 1 of the California Constitution states:

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. [11]

In many parts of the world, modern privacy has arisen within the context of human rights. In December 1948, the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights. [12] This declaration formally announced that “no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.” [13] In 1950, the Council of Europe set forth the European Convention for the Protection of Human Rights and Fundamental Freedoms. [14] Article 8 of that Convention, which has been the subject of extensive litigation, provides that “everyone has the right to respect for his private and family life, his home and his correspondence,” with this right conditioned where necessary to protect national security and other goals, as necessary to preserve a democratic society. [15]

1.4 Fair Information Practices

Since the 1970s, fair information practices (FIPs), sometimes called fair information privacy practices or principles (FIPPs), have been a significant means for organizing the multiple individual rights and organizational responsibilities that exist with respect to personal information. The precise definitions of FIPs have varied over time and by geographic location; nonetheless, strong similarities exist for the major themes. In practice, there are various exceptions to the clear statements provided here, and the degree to which the FIPs are legally binding varies. Important codifications of FIPs include:

• The 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles
• The 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”)
• The 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”)
• The Asia-Pacific Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework
• The 2009 Madrid Resolution—International Standards on the Protection of Personal Data and Privacy

1.4.1 Overview of Fair Information Practices

FIPs are guidelines for handling, storing and managing data with privacy, security and fairness in an information society that is rapidly evolving. [16] These principles can be conceived in four categories: rights of individuals, controls on the information, information life cycle and management.

1.4.1.1 Rights of Individuals

With regard to the rights of individuals, organizations should address notice, choice and consent, as well as data subject access.

• Notice. Organizations should provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained and disclosed.
• Choice and consent. Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers.
• Data subject access. Organizations should provide individuals with access to their personal information for review and update.

1.4.1.2 Controls on the Information

Regarding controls on the information, organizations should focus on information security and information quality.

• Information security. Organizations should use reasonable administrative, technical and physical safeguards to protect personal information against unauthorized access, use, disclosure, modification and destruction.
• Information quality. Organizations should maintain accurate, complete and relevant personal information for the purposes identified in the notice.

1.4.1.3 Information Life Cycle

Organizations should address the life cycle of information, including collection, use and retention, and disclosure.

• Collection. Organizations should collect personal information only for the purposes identified in the notice.
• Use and retention. Organizations should limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Organizations should also retain personal information for only as long as necessary to fulfill the stated purpose.
• Disclosure. Organizations should disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.

1.4.1.4 Management

Regarding management, organizations should ensure that they address both management and administration as well as monitoring and enforcement.

• Management and administration. Organizations should define, document, communicate and assign accountability for their privacy policies and procedures.
• Monitoring and enforcement. Organizations should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes.

1.4.2 U.S. Health, Education and Welfare FIPs (1973)

The FIPs used widely today date back to a 1973 report by the U.S. Department of Health, Education and Welfare Advisory Committee on Automated Systems. [17] The original Code of Fair Information Practices provided:

• There must be no personal data recordkeeping systems whose very existence is secret.
• There must be a way for a person to find out what information about the person is in a record and how it is used.
• There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the individual’s consent.
• There must be a way for a person to correct or amend a record of identifiable information about the person.
• Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuse of the data.

1.4.3 Organisation for Economic Co-operation and Development Guidelines (1980)

In 1980, the OECD, an international organization that originally included the U.S. and European countries but has since expanded, published a set of privacy principles entitled “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” [18] The OECD Guidelines, updated in 2013, are perhaps the most widely recognized framework for FIPs and have been endorsed by the U.S. Federal Trade Commission (FTC) and many other government organizations. [19] The guidelines provide the following privacy framework:

Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up to date.

Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: (a) with the consent of the data subject or (b) by the authority of law.

Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above. [20]

In 2020, the governments involved with the OECD, including the U.S., embarked on a process to formulate common principles for government access, both for law enforcement and national security purposes, to personal data held by private companies. As of the writing of this book, this OECD work is ongoing. [21]

1.4.4 Council of Europe Convention (1981)

In 1981, the Council of Europe passed the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (“Convention 108”). This convention required member states of the Council of Europe that signed the treaty to incorporate certain data protection provisions into their domestic law. [22] Convention 108 provided for the following:

• Quality of data. Data of a personal nature that is automatically processed should be obtained and stored only for specified and legitimate purposes. Data should be stored in a form that permits identification of the data subject no longer than needed for the required purpose.
• Special categories of data. Unless domestic law provides appropriate safeguards, personal data revealing the following categories cannot be automatically processed: racial origin, political opinions, religious beliefs, health, sex life, or criminal convictions.
• Data security. Appropriate security measures should be taken for files containing personal data. These measures must be adapted for the particular function of the file as well as for the risks involved.
• Transborder data flows. When transferring data from one party of the Convention to another party, privacy concerns shall not prohibit the transborder flow of data. Exceptions to this provision include special regulations concerning certain categories of personal data. [23]

The Convention was broadly similar to the OECD Guidelines, and its principles were important contributors to national data protection laws in Europe in the 1980s and 1990s. [24] In 2018, the Council of Europe adopted an update to the Convention, referred to as Convention 108+. [25] The changes brought the Convention in line with the EU’s General Data Protection Regulation (GDPR). In particular, the updates focus on necessary and proportionate requirements for data processing; obligations on controllers to provide notice when a data breach occurs; and requirements for transborder data flows. [26] As of the writing of this book, the U.S. is not expected to ratify Convention 108 or Convention 108+. [27]

1.4.5 APEC Privacy Framework (2004)

APEC is a multinational organization with 21 Pacific Coast members in Asia and the Americas. Unlike the EU, the APEC organization operates under nonbinding agreements. It was established in 1989 to enhance economic growth for the region. In 2003, the APEC Privacy Subgroup was established under the auspices of the Electronic Commerce Steering Group in order to develop a framework for privacy practices. This framework was designed to support legislation in APEC member economies that would both protect individual interests and ensure the continued economic development of all APEC member economies. The APEC Privacy Framework was approved by the APEC ministers in 2004 and updated in 2015. [28] It contains nine information privacy principles that generally mirror the OECD Guidelines, but in some areas are more explicit about exceptions. The APEC privacy principles spelled out in the framework are:

1. Preventing Harm. Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information. Further, acknowledging the risk that harm may result from such misuse of personal information, specific obligations should take account of such risk and remedial measures should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of personal information.

2. Notice. Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include:
a. the fact that personal information is being collected;
b. the purposes for which personal information is collected;
c. the types of persons or organizations to whom personal information might be disclosed;
d. the identity and location of the personal information controller, including information on how to contact it about its practices and handling of personal information;
e. the choices and means the personal information controller offers individuals for limiting the use and disclosure of personal information, and for accessing and correcting it.
All reasonably practicable steps shall be taken to ensure that such information is provided either before or at the time of collection of personal information. Otherwise, such information should be provided as soon after as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information.

3. Collection Limitation. The collection of personal information should be limited to information that is relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and, where appropriate, with notice to, or consent of, the individual concerned.

4. Uses of Personal Information. Personal information collected should be used only to fulfill the purposes of collection and other compatible purposes except:
a. with the consent of the individual whose personal information is collected;
b. when necessary to provide a service or product requested by the individual; or,
c. by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.

5. Choice. Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information.

6. Integrity of Personal Information. Personal information should be accurate, complete and kept up-to-date to the extent necessary for the purposes of use.

7. Security Safeguards. Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.

8. Access and Correction. Individuals should be able to:
a. obtain from the personal information controller confirmation of whether or not the personal information controller holds personal information about them;
b. have communicated to them, after having provided sufficient proof of their identity, personal information about them
i. within a reasonable time;
ii. at a charge, if any, that is not excessive;
iii. in a reasonable manner;
iv. in a form that is generally understandable; and,
c. challenge the accuracy of information relating to them and, if possible and as appropriate, have the information rectified, completed, amended or deleted.
d. such access and opportunity for correction should be provided except where:
i. the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy in the case in question;
ii. the information should not be disclosed due to legal or security reasons or to protect confidential commercial information; or
iii. the information privacy of persons other than the individual would be violated.
If a request under (a) or (b) or a challenge under (c) is denied, the individual should be provided with reasons why and be able to challenge such denial.

9. Accountability. A personal information controller should be accountable for complying with measures that give effect to the principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these principles. [29]

In 2022, the U.S., Canada, Japan, Singapore, the Philippines, the Republic of Korea, and Chinese Taipei announced that they will establish an international certification system based on the existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors (PRP) Systems. The new approach, known as the Global Cross-Border Privacy Rules Forum (Global CBPR Forum), will technically be independent of the existing APEC framework, allowing non-APEC members to participate. [30]

1.4.6 Madrid Resolution (2009)

In 2009, the Madrid Resolution was approved by the independent data protection and privacy commissioners (not the governments themselves) at the annual International Conference of Data Protection and Privacy Commissioners held in Madrid, Spain. [31] There were dual purposes for the Madrid Resolution: to define a set of principles and rights guaranteeing (1) the effective and internationally uniform protection of privacy with regard to the processing of personal data and (2) the facilitation of the international flows of personal data needed in a globalized world. The resolution has several basic principles:

• Principle of lawfulness and fairness. Personal data must be fairly processed, respecting the applicable national legislation as well as the rights and freedoms of individuals. Any processing that gives rise to unlawful or arbitrary discrimination against the data subject shall be deemed unfair.
• Purpose specification principle. Processing of personal data should be limited to the fulfillment of the specific, explicit and legitimate purposes of the responsible person; processing that is not compatible with the purposes for which personal data was collected requires the unambiguous consent of the data subject.
• Proportionality principle. Processing of personal data should be limited to such processing as is adequate, relevant and not excessive in relation to the purposes. Reasonable efforts should be made to limit processing to the minimum necessary.
• Data quality. The responsible person should at all times ensure that personal data is accurate, sufficient and kept up to date in such a way as to fulfill the purposes for which it is processed. The period of retention of the personal data shall be limited to the minimum necessary. Personal data no longer necessary to fulfill the purposes that legitimized its processing must be deleted or rendered anonymous.
• Openness principle. The responsible person shall provide to the data subjects, as a minimum, information about the responsible person’s identity, the intended purpose of processing, the recipients to whom their personal data will be disclosed, and how data subjects may exercise their rights. When data is collected directly from the data subject, this information must be provided at the time of collection, unless it has already been provided. When data is not collected directly from the data subject, the responsible person must inform them about the source of the personal data. This information must be provided in an intelligible form, using clear and plain language, in particular for any processing addressed specifically to minors.
• Accountability. The responsible person shall take all the necessary measures to observe the principles and obligations set out in the resolution and in the applicable national legislation and have the necessary internal mechanisms in place for demonstrating such observance both to data subjects and to the supervisory authorities in the exercise of their powers.

1.5 Information Privacy, Data Protection, and the Advent of Information Technology

Modern ideas about privacy have been decisively shaped by the rapid development of information technology (IT). Mainframe computers emerged by the 1960s to handle the data processing and storage needs of business, government, educational and other institutions. As hardware and software evolved, there were clear and large benefits to individuals and society, ranging from