Thursday, June 22, 2017
Editors' note: Guest Blogger Prof. Tim Armstrong from the University of Cincinnati College of Law sends this post discussing Special Rapporteur Cannataci's US visit.
Earlier this week, United Nations Special Rapporteur Joseph Cannataci arrived in the United States for an eight-day visit, slated to focus on “issues related to security and surveillance, big data and open data, health data, and personal data processed by private corporations.” Cannataci, a European academic, has written on privacy and technology issues, internet regulation, and intellectual property law, and has served as the U.N. Special Rapporteur on the right to privacy since 2015. His visit is certain to raise new, and enduringly controversial, political questions about the proper scope of legal protections for privacy in the United States.
Article 12 of the Universal Declaration of Human Rights (1948) declares that “Everyone has the right to the protection of the law against … arbitrary interference with his privacy, family, home or correspondence, [or] attacks upon his honour and reputation.” The particular form such protections take, however, lies largely within the discretion of state actors, who have responded in widely diverging ways.
For example, in the European Union, the Data Protection Directive (1995), soon to be supplemented by a new General Data Protection Regulation, defines quite broad individual privacy protections aimed principally against misuse of private data by large companies. Data about an individual may be processed only with that individual’s informed consent, subject to fairly narrow exceptions. Processing data that would reveal an individual’s “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, … health or sex life” is barred entirely. Furthermore, individuals retain ongoing rights to object to the use of information about themselves even after it has been collected.
No comparable comprehensive regulatory framework exists in the United States. Privacy law in the United States rests upon a patchwork of constitutional protections (such as the Fourth Amendment’s protection against unreasonable searches), common-law rules (such as tort and employment law doctrines protecting against some intrusions on privacy), and both state and federal statutory rules (most of which are relatively narrow and apply only in certain fairly technical circumstances). For example, the federal Privacy Act, despite its somewhat sweeping title, regulates only the disclosure of specified records by the government (subject to a host of exceptions), not the collection of information, and does not regulate private parties at all. The Electronic Communications Privacy Act, another federal statute, rests upon a distinction between “intercepted” and “stored” communications that technological developments have at least partly erased. Furthermore, the European recognition of ongoing privacy interests in data following collection is largely missing from United States law: individual complaints about invasion of informational privacy in the United States often fail because the court finds that the individual consented at some point in the past to the collection and use of her data, and thereby waived any right to complain about how that information is subsequently used.
Two further issues will necessarily cloud any review of the state of privacy protections in the United States. First, the collection and processing of private individuals’ data represents a profitable sector of the national economy. Concern with the state of the information processing industry manifests in many ways in public policy, including the recent resolution allowing Internet Service Providers to continue marketing user data, or the 2016 “privacy shield” agreement between the European Union and the United States to allow U.S. companies to process EU citizens’ data. Advocates for more expansive protections for informational privacy in the United States unavoidably encounter the objection that their proposals would yield a drag on commerce.
Second, issues of public safety (itself a protected interest under Article 3 of the Universal Declaration of Human Rights) and national security frequently are invoked to justify legal restrictions on individual privacy interests. Following the terror attacks of September 11, 2001, Congress passed (and subsequently reauthorized) the USA PATRIOT Act, giving federal law enforcement and intelligence agencies new surveillance powers. The pervasive extent of the surveillance system that had grown up, largely unobserved, in the United States was revealed in 2013 by fugitive NSA contractor Edward Snowden; public outcry following the Snowden revelations led Congress to (at least nominally) rein in certain of the government’s surveillance activities in the 2015 USA FREEDOM statute. Although Congress may regard the matter as settled, disagreement over the proper balance to be struck between individuals’ demands for privacy and government intelligence agencies’ need to detect and disrupt possible attacks remains an enduring feature of the public debate in this area.
Against this complex backdrop, it would surely be too optimistic to expect the visit of the Special Rapporteur to uncover a hidden consensus on the proper direction of public policy on the subject of privacy. Nevertheless, raising public awareness of this frequently overlooked issue, and illuminating the extent to which both public policy and private economic activity implicitly depend upon comparatively weak privacy protections in this country, would itself represent an accomplishment that should not be minimized.