Perspectives on privacy and terrorism: all is not lost—yet


Pergamon Government Information Quarterly 19 (2002) 255–264

Robert Gellman*
Privacy and Information Policy Consultant, 419 Fifth Street SE, Washington, DC 20003, USA

Abstract

Antiterrorism legislation passed at the end of 2001—the U.S.A. Patriot Act—has serious implications for privacy. Many of the law’s provisions expand the government’s existing ability to intercept wire, oral, and electronic communications relating to terrorism and other crimes, to share criminal investigative information, and to conduct electronic surveillance. While the changes are controversial, and some are of questionable constitutionality, the surveillance provisions of the new law mostly make changes in degree and not kind. Other aspects of privacy and privacy law remained unchanged. Laws affecting how the private sector gathers, stores, and uses personal information for private purposes were not modified. After passage of the antiterrorism law, other legislation expanded privacy protections in other areas. Further events and legislation will affect privacy rights and interests, and some protections may be eroded while others are improved. © 2002 Elsevier Science Inc. All rights reserved.

* Corresponding author. 0740-624X/02/$ – see front matter © 2002 Elsevier Science Inc. All rights reserved. PII: S0740-624X(02)00105-3

R. Gellman / Government Information Quarterly 19 (2002) 255–264

1. Introduction

Too often, casual observers treat privacy as a singular trait. We either have privacy or we do not. Personal information is either within the control of the data subject or privacy does not exist. One of the most famous recent quotes about privacy is from Scott McNealy, the president of Sun Microsystems. In 1999, McNealy said: “You have zero privacy. Get over it.”1

Analyzing privacy is considerably more complex than examining a light switch to see if it is on or off. McNealy’s observation about privacy is clearly wrong. In 1999, we had the same basic constitutional protections for privacy that we had in previous years. Supreme Court decisions may have added a bit here and subtracted some there, but the core of constitutional privacy interests found in the Bill of Rights remains.2 Looking beyond constitutional rights, many other privacy protections remain. Bathroom doors still have locks, and confidential communications with physicians have the same privilege as before.3 Privacy rights have actually increased in recent years with the passage of new federal laws4 such as the Children’s Online Privacy Protection Act5 and the financial privacy provisions of the Financial Services Management Act, popularly known as the Gramm-Leach-Bliley Act.6 Without question, other developments have been less favorable to privacy.

One of those less favorable developments is a major piece of antiterrorism legislation—the U.S.A. Patriot Act—passed during the first session of the 107th Congress in December 2001.7 In this essay, I propose to take a casual look at some of the privacy implications of that legislation for the purpose of offering alternate ways of cutting up the privacy pie. No point-by-point review of the antiterrorism law will be provided. What follows is a broad evaluation of the law’s consequences for privacy that will leave out many of the details and will allow considerable room for other points of view. The goal here is to consider perspectives on privacy that go beyond the zero privacy approach.

2. What is privacy anyway?

Privacy is a difficult term to define, mostly because it represents a context-specific value and not a fixed concept. Privacy interests recognized in the U.S. Constitution include such diverse matters as freedom of religion, freedom of speech, freedom from unreasonable government searches and surveillance, the right against self-incrimination, and the right of association.

Privacy rights and interests with respect to nongovernmental activities, while not constitutionally based, are even more diverse. The earlier point about bathroom door locks is not silly. It reflects one aspect of privacy. The ability to review a credit record protects a privacy interest. Many also believe that telemarketing telephone calls during dinner or even basic junk mail is an invasion of privacy.

A list of privacy rights and interests could continue for pages. For most people, the personal details of their lives can be found scattered in the files of dozens or perhaps even hundreds of record keepers, and a privacy interest can be connected to nearly all of those files. The list of privacy rights would be considerably shorter, but the privacy list would have considerable substance nevertheless.

Like other complex value-laden objectives, such as justice, security, and ethics, the level and quality of privacy change over time. We continue to have a core of significant privacy protections even though those protections may increase or decrease in response to public opinions, current events, legislation, judicial decisions, new technologies, and other factors. Privacy will not and cannot disappear entirely as a concern for individuals or as a public policy issue. Antiterrorism legislation diminished some privacy protections, but many privacy laws and principles remain unchanged.

In 1976, the Supreme Court offered a summary of its own decisions affecting privacy in a way that offers a constitutionally-based perspective. In Whalen v. Roe, the Court found that there are two categories of privacy interests. One is the interest in independence in making certain kinds of important decisions (e.g., matters relating to marriage, procreation, contraception, family relationships, child rearing, and education), and the other is the individual
interest in avoiding disclosure of personal matters.8 Privacy can be categorized in other ways, but the Supreme Court’s analysis is useful. The first of the Supreme Court’s categories, relating to individual autonomy, seems wholly unaffected by the events of September 11 and their aftermath. The right of individuals to make fundamental decisions about their personal lives is the same as it was. The second category is sometimes referred to as information privacy or data protection.9 This is the aspect of privacy that may be most threatened by responses to terrorism. However, before we can assess the effect of terrorism on information privacy, we still need to know the elements of information privacy. In most places around the world, the substance of information privacy law and policy can be described using the principles of fair information practices (FIPs). A federal advisory committee at the Department of Health, Education, and Welfare first proposed a FIPs code in a 1973 report.10 The work of the committee had a great impact worldwide,11 and, by 1980, FIPs had become the core of nearly all international privacy policy documents. A 1980 restatement of FIPs by the Organization for Economic Cooperation and Development12 (OECD) is now generally recognized as a prime statement of FIPs.13 We can use the eight principles of FIPs to begin to break down the concept of information privacy into digestible parts. The OECD FIPs principles are: (1) collection limitation; (2) data quality; (3) purpose specification; (4) use limitation; (5) security safeguards; (6) openness; (7) individual participation (access and correction); and (8) accountability. Much more can be said about these principles than can fit in the available space. However, even a cursory review of the FIPs checklist shows that many core principles of privacy are not affected at all or in any major way by the antiterrorism measures enacted by Congress. 
Thus, personal records that are more secure have some better privacy protections even if the records can be used in antiterrorism investigations. Regardless of specific authorized uses, privacy protections remain when record keepers are held accountable for complying with privacy rules, if other use limitations remain in force, or if record keeping practices must be disclosed publicly.

The Privacy Act of 1974, a law that principally applies to personal information maintained by federal agencies, was the first statute anywhere in the world to implement FIPs.14 The same committee that developed the idea of FIPs recommended passage of the act, and Congress followed the committee’s recommendations closely. Most other privacy (or data protection) laws around the world today are implementations of FIPs.

What did the antiterrorism legislation do to the Privacy Act and to FIPs? Nothing. The act and the principles on which it was based were unchanged.

Well before September 11, information privacy laws everywhere around the world already included significant exemptions for law enforcement and national security activities.15 The Privacy Act has always applied to the Central Intelligence Agency (CIA), to the Federal Bureau of Investigation (FBI), and to every other federal agency. At the same time, the Privacy Act has always allowed personal records of the CIA16 and of law enforcement agencies17 to be exempted from some of its requirements. The exemptions are broad, but they are not complete. No personal records covered by the Privacy Act are completely exempt from the act’s basic requirements concerning openness, purpose specification, use limitation, security safeguards, and data quality. Nothing in the antiterrorism legislation changed the way that the Privacy Act applies to intelligence and law enforcement agencies.18 The Privacy Act’s implementation of FIPs for federal agencies was unchanged, including the scope of the act, its protections, and its exemptions.

3. Privacy and Government

Many of the antiterrorism law’s provisions with privacy implications increased the surveillance powers of government.19 Legislation authorizing and regulating government surveillance activities for criminal law enforcement and national security matters can be found in several previous statutes, including the Foreign Intelligence Surveillance Act of 1978,20 the Electronic Communications Privacy Act,21 and the Omnibus Crime Control and Safe Streets Act.22

Allowing reasonable government surveillance under defined conditions balances the public interest in fighting crime and protecting national security against privacy in a traditional manner. At higher levels of abstraction, balancing is often noncontroversial. No one asserts that privacy is an interest that outweighs other societal values and objectives. The controversies arise over the details of the balancing.

The antiterrorism law enhances the government’s ability to intercept wire, oral, and electronic communications relating to terrorism and other crimes, to share criminal investigative information, to conduct electronic surveillance, and for other purposes. These changes were among the most hotly contested and most controversial parts of the law, and the constitutionality of some of the provisions has been called into question.23

For the most part, however, the surveillance provisions of the new law only make changes in degree and not kind. Most of the changes relating to surveillance found in Title II of the legislation were accomplished by revisions to existing statutes and not through the enactment of new sections of law. The distinction between a cut-and-paste amendment of an existing section of law and the enactment of a new section of law is not always a reliable indicator of the significance or scope of the change.
In this instance, however, it shows that existing laws already granted surveillance powers to federal agencies, and that the new law expanded those powers by changing procedures and burdens of proof. Without question, the changes represent a significant loss for some aspects of privacy protection, but the changes were relatively narrow when measured broadly against privacy rights and interests.24 The antiterrorism law enhanced government surveillance powers, but limitations, controls, and procedures continue to exist. Government surveillance is not unlimited or unrestricted. The privacy barriers were moved, perhaps too far, but they were not eliminated. Another set of statutory changes affected privacy matters that relate to financial institutions. The antiterrorism law changes rules governing maintenance, disclosure, and sharing of information about international money laundering and the financing of terrorism.25 The law also requires financial institutions to meet minimum standards to verify the identity of customers opening accounts.26 Other provisions encourage financial institutions to report suspicious activities.27 The law also makes credit reporting available for counterterrorism purposes.28


The provisions of the antiterrorism law affecting financial institutions are much more extensive than can be discussed here. Here, too, many of the new requirements are extensions of existing rules, laws, or practices. Antimoney laundering provisions have been in place for years. The new law enhances them. Many banks already undertake investigations of new customers,29 and the law’s new requirements may not greatly change existing practices. The Fair Credit Reporting Act already allows for the disclosure of credit reports to the FBI for counterintelligence purposes.30 The expansion of the law to cover disclosures for counterterrorism investigations is not significantly different.

In general, the antiterrorism law will directly affect the way that personal information is collected, maintained, and disclosed by banks, and the effects on privacy will be viewed by most as negative. The growing interrelationship between private sector record keepers and the government is clearly troubling from a privacy perspective, and further developments that enhance the flow of personal data from the private sector to the government will be even more unwelcome to privacy advocates. However, the antiterrorism law did not modify the financial privacy provisions of the Gramm-Leach-Bliley Act or change the principal consumer protections in the Fair Credit Reporting Act. One conclusion is that the antiterrorism law eroded some privacy protections, but other protections remain unaffected.

Not everything in the antiterrorism law can be casually swept into the incremental change category. One provision of the antiterrorism law changes the rules for use of statistical records by the National Center for Educational Statistics (NCES).31 This relatively obscure provision may be one of the most radical antiprivacy parts of the entire law. NCES is one of a number of existing statistical agencies operating under laws making the information that they collect unavailable for all administrative uses.
The Census Bureau is perhaps the best known example of a statistical agency whose records cannot be disclosed for administrative uses.32 The antiterrorism law makes NCES records available for the investigation and prosecution of terrorism. A court order is required, but the court is obliged to issue the order if the government certifies that there are specific and articulable facts giving reason to believe that the information is relevant to a terrorism investigation or prosecution.33 The standard is much weaker than probable cause or reasonable cause.

The NCES amendment is a significant change because it allows a new use for an entire category of hitherto protected statistical records. The justification for strict privacy laws for statistical and research records is the recognition that guaranteeing protection of the records from administrative or law enforcement uses is essential to the ability to collect the records from voluntary providers.34 By requiring that NCES records be available for law enforcement purposes, the antiterrorism law, for the first time, takes a class of statutorily protected statistical records and turns them into administrative records available for law enforcement purposes. All NCES records collected in the past under a statutory guarantee of confidentiality may now be used in a way that is directly inconsistent with the terms of collection and the assurances provided to data providers and data subjects.

A particularly unfortunate aspect of the change in status for NCES records is that NCES management reportedly instigated the amendment. Congressional willingness to allow statistical records collected under strict confidentiality rules to be used in other ways is a major blow to the privacy of all statistical records. It establishes a precedent that could be used to change the protections for records of other statistical agencies. The change to the NCES law represents a major breach of a long-standing statutory privacy protection. The amendment may also undermine the availability of data for educational research and the mission of NCES.

4. Privacy and the private sector

For all of the negative consequences for privacy wrought by the antiterrorism legislation—and it is worth repeating, again, that, although many of the changes were incremental, the consequences are still significant—it is important to take note of what was not changed. Most existing information privacy laws were not changed at all by the antiterrorism legislation,35 although several were amended to enhance government access for terrorism investigations.36 However, laws affecting how the private sector gathers, stores, and uses personal information for private purposes were not changed.

Basic policies of fair information practices reflected (albeit inconsistently) in existing privacy laws remain unchanged by the antiterrorism law. The balance between privacy and law enforcement that was always a part of public policy was adjusted to reflect new concerns. However, the framework in which that balancing has traditionally been conducted was largely untouched.

Events of September 11 changed public views in many ways. The passage of the legislation strongly suggests that the public is more willing to accept diminished privacy protections to permit government surveillance in terrorism investigations and prosecutions. How public attitudes will adjust over time is uncertain. Public opinion polls indicate that the public was much more willing to support adoption of a national identification card shortly after the terrorist attack, but public support began to wane as time passed.37

No matter how recent events may have modified public views about some privacy issues, it seems likely that some types of privacy concerns are likely to remain unaffected. People still expect that bathroom doors will have locks, that medical records will receive confidential treatment, and that their tax returns will not be freely shared throughout government.
Public concerns about private sector collection, use, and disclosure of personal information have probably not changed either. There is no reason to believe that people are any more willing than they were before September 11 to share personal information with companies over the Internet, to disclose Social Security numbers, or to receive telemarketing calls during dinner.

Strong evidence of continuing public concern about privacy can be found in legislation passed several months after the passage of the antiterrorism law. The No Child Left Behind Act of 2001 is a major education law passed after September 11, 2001, that includes new privacy protections for the collection of marketing information through schools.38 The law requires local educational agencies to adopt and notify parents about privacy policies for surveys that collect some personal information from students and for activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes.39 Parents also have the right to review marketing collection instruments in advance and to refuse to allow their children to participate in marketing surveys.

The passage of this law indicates that privacy has not disappeared from the congressional agenda. Indeed, the school privacy provisions were passed in the face of strong opposition from marketers and school boards. The opposition was able to weaken the privacy provisions, but it was not strong enough to remove them entirely. Privacy continues to be seen by Congress as a value of importance to the public. Even the antiterrorism law itself includes some provisions designed to make sure that privacy interests are reflected in rulemaking and data sharing activities.40

5. Conclusion

Perhaps the most insidious aspect of any legislation that reduces privacy protections is that it moves the privacy baseline.41 The incremental change analysis presented here should not be too reassuring even if it were an entirely fair characterization of the antiterrorism law. A series of incremental changes can, and will, completely erode a statutory protection enacted in good faith. The privacy provisions of the tax code42 and the limited protections in the Right to Financial Privacy Act of 197843 have both been substantially undermined by a torrent of incremental amendments over the years. However, incremental change can work in both directions. The privacy protections of the Driver’s Privacy Protection Act were enhanced through later amendments.44

It is safe to predict that future events and legislation will affect privacy rights and interests. Some privacy rights and interests are likely to be diminished, and serious losses in privacy protection are possible. Improvements are also a possibility. It is not unusual to find public policy moving in different and, sometimes, contradictory directions at the same time.

In considering the effects of any of these possible changes, it is useful to break down the analysis into smaller components. By using the elements of privacy (e.g., fair information practices), the domains of privacy (individual autonomy and information privacy), and the types of record keepers (public sector and private sector), the consequences of change can be more clearly evaluated, and the result will be a better understanding of what has been gained or lost.

Notes

1. Quoted in James Freeman, “You Have Zero Privacy . . . Get Over It,” U.S.A. Today, Aug. 9, 1999, <http://www.usatoday.com/news/comment/columnists/freeman/ncjf30.htm>.
2. See, e.g., the famous statement of Associate Justice William O. Douglas from a 1965 decision of the Supreme Court: “The foregoing cases suggest that specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance . . . . Various guarantees create zones of privacy. The right of association contained in the penumbra of the First Amendment is one, as we have seen. The Third Amendment in its prohibition against the quartering of soldiers ‘in any house’ in time of peace without the consent of the owner is another facet of that privacy. The Fourth Amendment explicitly affirms the ‘right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.’ The Fifth Amendment in its Self-Incrimination Clause enables the citizen to create a zone of privacy which government may not force him to surrender to his detriment. The Ninth Amendment provides: ‘The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.’ ” Griswold v. Connecticut, 381 U.S. 479, 484 (1965) (citation omitted).
3. The value of the privilege has been questioned, but it continues to exist much the same as it has in the past. See, for example, Robert Gellman, “Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy,” North Carolina Law Review, 62 (January 1984): 255.
4. The value of the legislation is a matter of considerable controversy, but there can be no question that some improvements in privacy protections were achieved.
5. 15 U.S.C. 6501 et seq.
6. 5 U.S.C. 6801 et seq.
7. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (U.S.A. PATRIOT ACT) Act of 2001, P.L. 107–056, 115 Stat. 272. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.
8. 429 U.S. 589, 599–600 (1976).
9. Data protection is a term widely used in Europe and around the world to refer to information privacy. The word privacy does not exist in every language.
10. Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (Washington: Department of Health, Education & Welfare, 1973), at http://aspe.os.dhhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
11. David Flaherty, Protecting Privacy in Surveillance Societies (Chapel Hill, NC: University of North Carolina, 1989), p. 310.
12. Organization for Economic Cooperation and Development, Council Recommendations Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 20 I.L.M. 422 (1981), O.E.C.D. Doc. C (80) 58 (Final) (Oct. 1, 1980), at http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM.
13. Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca, NY: Cornell University Press, 1992), pp. 130–139.
14. 5 U.S.C. 552a.
15. For example, the European Union’s core data protection rules also allow national government to provide for some exemptions for national security, defense, public security, and law enforcement matters. Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, Council Directive 95/46/EC, 1995 O.J. (L 281) 31, Article 13 <http://europa.eu.int/comm/internal_market/en/dataprot/law/index.htm>.
16. 5 U.S.C. 552a(j)(1).
17. Id. at 552a(j)(2).
18. Indeed, a provision in section 310 of the antiterrorism law regarding the Financial Crimes Enforcement Network expressly provided that rules on information use and disclosure must comply with the Privacy Act of 1974.
19. U.S.A. Patriot Act at Title II (Enhanced Surveillance Procedures).
20. 50 U.S.C. 1801 et seq.
21. See 18 U.S.C. chapter 119.
22. See 18 U.S.C. chapters 119 and 121.
23. See, for example, American Civil Liberties Union, U.S.A. Patriot Act Boosts Government Powers While Cutting Back on Traditional Checks and Balances (New York, NY: November 2001) <http://www.aclu.org/congress/L110101a.html>.
24. The long-term effects of some of the act’s provisions may not be clear before the end of 2005. A number of amendments relating to government surveillance expire at that time and will disappear if not renewed by a subsequent statute. U.S.A. Patriot Act at section 224.
25. U.S.A. Patriot Act at Title III (International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001).
26. Id. at section 326.
27. Id. at section 351.
28. Id. at section 626.
29. See, for example, Paul Beckett, “Banks Are Using a National Database to Blacklist Customers For Slip-Ups,” Wall Street Journal, Aug. 1, 2000: A1 (Eastern edition).
30. 15 U.S.C. 1681u.
31. 20 U.S.C. 9007.
32. 13 U.S.C. 9.
33. U.S.A. Patriot Act at section 508 (amending 20 U.S.C. 9007).
34. See, for example, U.S. Privacy Protection Study Commission, Protecting Privacy in an Information Society (Washington: GPO, 1977) at chapter 15.
35. These privacy laws were not changed by the antiterrorism law: Privacy Act of 1974, 5 U.S.C. 552a; Video Privacy Protection Act, 18 U.S.C. 2710; Driver’s Privacy Protection Act, 18 U.S.C. 2721 et seq.; Telecommunications Act, 47 U.S.C. 222; Children’s Online Privacy Protection Act, 15 U.S.C. 6501 et seq.; Gramm-Leach-Bliley, 15 U.S.C. 6801 et seq.; Health Insurance Portability and Accountability Act, 42 U.S.C. 1320d-2 note; 45 CFR Parts 160 & 164.
36. The Fair Credit Reporting Act was changed slightly as described above and in some other minor ways. The Right to Financial Privacy Act, 12 U.S.C. 3414, was also modified slightly. See U.S.A. Patriot Act at section 505. The Family Educational Rights and Privacy Act, 20 U.S.C. 1232g, was modified to allow disclosure of school records for terrorism investigations pursuant to court order. See U.S.A. Patriot Act at section 507. The Cable Communications Policy Act, 47 U.S.C. 551, was amended to permit limited disclosure of subscriber records to government entities. Even here, the law prohibited disclosure of records revealing cable subscriber selection of video programming from a cable operator. See U.S.A. Patriot Act at section 211. Of course, the surveillance amendments in the antiterrorism law significantly amended the Electronic Communications Privacy Act, which prescribes the rules for government access to electronic communications. See U.S.A. Patriot Act at Title II passim.
37. Donna Leinwand, “National ID in Development,” U.S.A. Today, Jan. 22, 2002, http://www.usatoday.com/life/cyber/tech/2002/01/22/id-cards.htm.
38. P.L. 107–110, January 8, 2002.
39. Section 1061 of the act amending 20 U.S.C. 1232h.
40. See U.S.A. Patriot Act at section 403 (amending 8 U.S.C. 1105(d)(2) to require that sharing of National Crime Information Center information will “ensure the security, confidentiality, and destruction of such information” and will protect privacy rights).
41. Professor Paul Schwartz makes a similar point about technology, arguing that ever-increasing technological capabilities can erode expectations of privacy because the technology is often in place, accepted, and profitable before anyone can argue that it is unreasonable. Paul Schwartz, “Privacy and Participation: Personal Information and Public Sector Regulation in the United States,” Iowa Law Review, 80 (March 1995): 553, 573.
42. 26 U.S.C. 6103.
43. 12 U.S.C. 3401 et seq.
44. 18 U.S.C. 2721 et seq.