ANALYSIS OF THE U.S. APPROACH TO DATA PRIVACY

1
ANALYSIS OF THE U.S. APPROACH TO DATA PRIVACY
European Commission Audiovisual Library
2
PRINCIPLES OF PRIVACY PROTECTION

• PRINCIPLE 1 RECOGNITION OF A GENERAL
  RIGHT TO PRIVACY
• PRINCIPLE 2 QUALITY OF INFORMATION
• PRINCIPLE 3 SPECIAL CATEGORIES
• PRINCIPLE 4 SECURITY OF INFORMATION
• PRINCIPLE 5 ADDITIONAL SAFEGUARDS
• PRINCIPLE 6 OVERSIGHT MECHANISMS

3
PRINCIPLE 1 RECOGNITION OF A GENERAL RIGHT TO
PRIVACY

• EU
• European data protection regimes have arisen from
  a desire to balance individual and societal
  interests, including by minimizing unnecessary
  intrusion by government into personal privacy.
  Corresponding principles of personal privacy have
  been incorporated in the Charter of Fundamental
  Rights of the European Union.

• U.S.
• The U.S. Constitutions Bill of Rights explicitly
  guarantees certain privacy rights and the U.S.
  Supreme Court has inferred from them a general
  right to privacy.
• The U.S. Congress has enacted the Privacy Act of
  1974 and the e-Government Act of 2002, which make
  affirmative demands on federal agencies to
  protect privacy.
• The U.S. President has issued memoranda
  establishing executive branch policies concerning
  the privacy of personal information in federal
  records.
• U.S. jurisprudence has in particular
  circumstances provided remedies for violations of
  these privacy interests.

4
PRINCIPLE 2 QUALITY OF INFORMATION

• EU
• Personal data generally should be
• Obtained and processed fairly and lawfully

• U.S.
• By law, federal law enforcement agencies may
  obtain such information as may be required to
  carry out their law enforcement functions.
  Regulations of the particular law enforcement
  agencies concerned or agency guidelines provide
  supplemental authority.
• State and local governments operate analogously.
• The Privacy Act establishes a code of fair
  information practices which regulates the
  collection, maintenance, use and disclosure of
  personally identifiable information.
• E-Government Act of 2002 mandates that agencies
  conduct Privacy Impact Assessments (PIAs) of
  certain information technology systems that
  collect identifying information about
  individuals. Each agency must certify that it
  has completed a PIA for such a system in order to
  receive funding for it.

5

• EU
• Stored for specified and legitimate purposes
• Adequate, relevant and not excessive in relation
  to the purposes for which they are stored

• U.S.
• The Federal Records Act (44 U.S.C. 2901-2909,
  3101-07) establishes rules for the creation,
  management, preservation and disposal of federal
  records.
• The Act is designed to assure an accurate and
  complete documentation of the policies and
  transactions of the Federal Government,
  control of the quantity and quality of records
  produced by the Federal Government, and
  judicious preservation and disposal of
  records.
• The system is for the purpose of protecting both
  government interests, and those of persons
  directly affected by government agency actions.
• The Privacy Act establishes a code of fair
  information practices which regulates the
  collection, maintenance, use and disclosure of
  personally identifiable information.
• Special regulations protecting personal privacy
  have been promulgated to address such important
  law enforcement functions as operation of
  criminal intelligence, or background check
  systems.
• The relevance standard for admitting evidence in
  criminal or related proceeding under adjudication
  acts as an additional check. The court
  adjudicating a matter may also reject the
  presentation of evidence which, although
  relevant, is excessive.
• The Privacy Act establishes a code of fair
  information practices which regulates the
  collection, maintenance, use and disclosure of
  personally identifiable information.

6

• EU
• Removed when the purpose for which the data was
  stored no longer exists

• U.S.
• The Records Disposal Act (44 U.S.C. 3303 et
  seq.) authorizes the National Archivist to
  establish schedules for the destruction of
  records, and requires approval from the U.S.
  Archivist before an agency can discard a record.
  
• Specific disposal requirements are set forth in
  regulations, which specify the period for which
  law enforcement records may be retained.

7
PRINCIPLE 3 SPECIAL CATEGORIES

• EU
• Personal data must be subjected to appropriate
  special safeguards if it pertains to
• Health or sexual life

• U.S.
• Generally, federal law enforcement may not take
  into account factors such as race, sex, religion,
  or personal feelings about an individual under
  investigation, and federal investigations must be
  conducted with as little intrusion into the
  privacy of individuals as the needs of the
  situation permit.
• Medical records may be critical to issues such as
  establishing physical injury and identification
  of individuals. Their use is accordingly
  permissible for a range of law enforcement
  purposes.
• At the same time, law enforcement may not use
  protected health information concerning an
  individual, discovered during the course of
  health oversight activities for unrelated civil,
  administrative, or criminal investigations of a
  non-health oversight matter, against that
  individual except when the balance of relevant
  factors weighs clearly in favor of its use. Such
  use must be authorized at the highest levels of
  the appropriate agency.
• Regulations set forth in detail the circumstances
  under which patient information in general may be
  gathered and special procedures that must be
  followed in order to ensure the confidentiality
  of patient identifying information.

8

• EU
• Personal beliefs
• Racial origin

• U.S.
• U.S. law and practice recognizes that this type
  of information provides a potential for abuse.
• Accordingly, for example, agency guidelines
  prohibit the FBI from initiating investigations
  based on activities protected by the First
  Amendment to the Constitution, which encompasses
  the free expression of ideas, freedom of
  religion, and freedom of association.
• The U.S. Constitution prohibits singling out
  suspects for prosecution on the basis of race,
  religion or other arbitrary classification.
• U.S. jurisprudence also, inter alia, clearly
  prohibits law enforcement officials from relying
  on racial origin alone to justify investigative
  stops of suspects.

9
PRINCIPLE 4 SECURITY OF INFORMATION

• EU
• Personal data obtained by the government must be
  subjected to appropriate measures to
• Safeguard its physical integrity

• U.S.
• Pursuant to the Federal Records Act (44 U.S.C.
  3105) and supplemental regulations (Title 36
  C.F.R. 1228.150, et seq., 1228.228, and
  Appendix A), information held by federal agencies
  must be stored in accordance with safeguards to
  ensure that the physical integrity of the
  information is maintained, as well as to protect
  against unauthorized access.

10

• EU
• Protect against improper disclosure

• U.S.
• Concerning disclosure to another government
  agency
• The United States adheres to a general principle
  that information collected for law enforcement
  purposes should be used only to prevent or
  prosecute criminal offenses.
• Personal information obtained by one U.S. law
  enforcement agency that appears useful for
  another may generally be used for any matter
  within the receiving agencys jurisdiction.
• This is important under our federal system so as
  not to unnecessarily hamper federal and state law
  enforcement authorities from cooperating on how
  best to exercise the complementary or concurrent
  law enforcement competencies.
• The disclosure of certain types of information to
  another agency may in some cases require
  imposition of special conditions (e.g., to ensure
  that the investigation or a witness is not
  endangered).
• All 50 states have further restrictions based on
  their own privacy laws.

11

• U.S.
• Concerning the disclosure of personal information
  to private third parties
• This issue is generally regulated by the Freedom
  of Information Act (FOIA), which applies to both
  citizens and-non citizens.
• Specifically exempt from disclosure is
  information collected for law enforcement
  purposes that could reasonably be expected to
  constitute an unwarranted invasion of personal
  privacy.
• Also exempt is a broad category of medical,
  personnel, and similar information the
  disclosure of which could reasonably be expected
  to constitute an unwarranted invasion of personal
  privacy.
• FOIA exemptions do not create a blanket
  prohibition on the disclosure of all personal
  information held by an agency. Instead, the
  statute and interpretive jurisprudence establish
  a test for withholding disclosure that balances
  the publics interest in government transparency
  against the privacy interests of the individual
  concerned.

12
PRINCIPLE 5 ADDITIONAL SAFEGUARDS

• EU
• In general, under EU principles, a person should
  be entitled to
• Determine whether the government possesses
  personal data pertaining to him or her

• U.S.
• For both citizens and non-citizens, it is the
  FOIA, not the Privacy Act, that governs access to
  information about themselves held by federal law
  enforcement agencies. Indeed, while the Privacy
  Act may appear to give a U.S. citizen or resident
  the right to request access to information about
  him or herself, in fact U.S. law enforcement
  agencies are permitted to exempt and have
  exempted themselves from this provision.
• The FOIA generally limits the extent to which
  access to records or information compiled for
  law enforcement purposes may be obtained,
  regardless of whether the information pertains to
  oneself or another. Such access is necessarily
  limited for both citizens and non-citizens
  because of the potential for interference with
  legitimate law enforcement investigative
  activities.

13

• EU
• Obtain the correction or deletion of incorrect
  personal data
• Have a remedy for the governments failure to do
  so

• U.S.
• U.S. law and practice provides mechanisms to
  correct inaccurate information gathered by law
  enforcement agencies, e.g.
• With respect to reports to be used by a court in
  determining the proper sentence to impose on a
  convicted person
• With regard to criminal history information
• Access (and therefore a right of subsequent
  correction) may be inconsistent with effective
  law enforcement operations e.g., where an
  investigation is ongoing and therefore not
  available.
• Where the individual has sought but not obtained
  correction of his records in the circumstances
  described above, remedies under U.S. law include
  fine or administrative action, depending on the
  nature and consequences of the inaccuracy.

14
PRINCIPLE 6 OVERSIGHT

• EU
• In the EU, data protection authorities have been
  established to ensure compliance with applicable
  data protection instruments.

• U.S.
• The precise type of data protection authorities
  existing in the EU have not been established, but
  analogous mechanisms exist.
• On July 7, 2004 Congress legislated the creation
  of Chief Privacy Officers in all executive
  departments and the creation of a Civil Liberties
  Protection Officer in the Directorate of National
  Intelligence.
• A presidential memorandum of 1998 requires each
  federal agency to designate a senior official to
  assume responsibility for policy under the
  Privacy Act, including the institution of a
  thorough review of the agencies record systems
  and practices regarding collection or disclosure
  of personal information.
• Presidents Privacy and Civil Liberties Oversight
  Board was created in February, 2007 The Board
  advises the President and other senior executive
  branch officials to ensure that concerns with
  respect to privacy and civil liberties are
  appropriately considered in the implementation of
  all laws, regulations, and executive branch
  policies related to efforts to protect the Nation
  against terrorism. This includes advising on
  whether adequate guidelines, supervision, and
  oversight exist to protect these important legal
  rights.
• Inspectors General within each federal agency.
  The Office of the Inspector General (OIG) at the
  Department of Justice conducts independent
  investigations, audits, inspections, and special
  reviews of United States Department of Justice
  personnel and programs to detect and deter waste,
  fraud, abuse, and misconduct, and to promote
  integrity, economy, efficiency, and effectiveness
  in Department of Justice operations.
• Internal Affairs Divisions take appropriate
  action against employees who wrongly disclose
  private information.
• With regard to the oversight of records
  management systems, U.S. law authorizes the
  administrator of general services or the
  archivist to inspect the records or the records
  management practices and programs of any Federal
  agency for the purpose of making recommendations
  for improving records management practices and
  programs (See 44 U.S.C. 2906(a)(1)).
• U.S. law provides for a variety of criminal and
  civil sanctions for violations of laws and
  regulations on personal privacy.
• States have various oversight and control
  mechanisms as well.

15
CONCLUSION

• In sum, while the means may differ, the EU and
  U.S. both protect the same principles of personal
  privacy.