Who Owns Data 5: Privacy - by John Sumser - HRExaminer

Privacy is very fragile as rights go.

This is the last part of the mini law school on ownership. Then we’ll start looking at who owns data. The last concept to understand is privacy.

Privacy is very fragile as rights go. (Especially in the US. Privacy rights are much stronger in Europe.)

The most common types of information that are considered private are medical information, personal financial information and information about our sex lives. But even that information is commonly revealed.

Legal Basis for Privacy

In the US, privacy laws are a mishmash of Constitutional principals, cases, and statutes. The United States Constitution does not contain a specific right to privacy. Yet, several amendments give rise to concepts of privacy. The 4th Amendment prevents the government from searching you and your property without a warrant.The 5th Amendment prevents the government from requiring you to disclose information that would be self-incriminating. And the 9th Amendment says you have rights beyond those specifically listed in the Constitution.

Based on these provisions, the Supreme Court has recognized “penumbra” rights of privacy in our personal lives. I would say that the individual rights and liberties granted in the first ten amendments create a right to privacy.

Many states, such as California, have an express right of privacy in the State Constitution that provides broader privacy protections.

The specific kinds of privacy recognized by law are:

1. The right to be left alone. This is the essence of the right to privacy. But it really just applies to your home and property. When you are in your home, you have a right to seclusion that others can’t intrude on without your permission or invitation.

2. The right to your name and likeness. This is both a privacy right and a property right. People can’t use your name or your image for their own benefit without your permission. Yet, many people have the same names. So there is no exclusive right to be the only person in the world with that name. And you can be photographed and recorded when you are in public for noncommercial purposes. So it’s really just that other people can’t make money using your name and image without your permission and giving you a share. But if you are a public figure, you give up that right since people are going to recognize you and talk about you as a matter of course.

3. The right not to have your private life made public if it would be highly offensive or if there is no legitimate public concern. This is the fundamental basis of informational privacy. Both statutes and cases generally acknowledge that certain information is private: images of our naked body, our sex lives, our finances, and our medical information.

Most other things are a balance between what we reasonably expect is private against whether there is a good reason to disclose it.

An example of this balance is the current dispute about the TSA body scanners at airports. The scanners reveal your naked image. The alternative is they frisk your genitals. Both are invasions of privacy. But the invasion is then balanced against the public safety concern of not getting blown up in an airplane. So far, not getting blown up has prevailed. But how you feel about the issue depends partly on how invasive it is for you to be scanned this way, and whether you believe the body scanners actually work better than the old metal detectors.

4. The right not to have people saying offensive and untrue things about you.

This privacy right is the basis for claims of defamation and its various flavors of libel and slander. For a comprehensive education in defamation law, do some searches about whether Sandra Fluke had the right to sue Rush Limbaugh for calling her a slut.  There are good legal arguments for yes and no.

Privacy is Not Absolute

It’s important to understand that no privacy right is absolute. For example, we don’t have a right to be left alone all the time–even in our home. People can come to your door to talk to you or sell you things; and FedEx can deliver packages–but not at 2 am.

In addition, almost every privacy law permits the companies or people who have the information to disclose it when the government demands it with a search warrant or a subpeona. Some information is allowed to be used anonymously for research or analysis.  And with medical information, health care providers can get information in emergency situations to save your life.

But when information is private, you generally need to agree to reveal it, or there has to be a really good reason for the disclosure.

If You Tell, It’s Not Private

Private information does not mean that people can’t ever find out. Like any secret, the minute you tell it to someone who doesn’t have any requirement to keep it confidential, it’s not secret anymore. So even though the law recognizes general categories of “private information,” if you disclose it, it’s not private anymore.

Privacy Statutes

There are specific statutes that protect how information is collected and used that are based on the concepts of informational privacy. The UK, Europe and Canada have much more comprehensive and restrictive laws on how information can be collected, stored and used.

Here are some of the privacy laws in the US.

HIPAA protects how your personal health information is used and shared.

The Right to Financial Privacy Act of 1978 (Gramm-Leach-Bliley) protects how financial institutions can share or disclose your personal and financial information.

COPPA , COPA and CIPA, all laws aimed at protecting children from seeing inappropriate content online, and protecting the use and disclosure of information about children. The provisions relating to controlling content or forbidding the transmission of certain content have generally been struck down as illegal restrictions of free speech.  But the restrictions on how information about users under 13 is handled and disclosed, notice requirements and required privacy policies are in effect.

The Computer Fraud and Abuse Act protects you from unauthorized access or use of your computers, and from people obtaining information from your computers without authorization. The main problem with this law is that you have to show at least $5000 in damages to sue. The courts are not permitting people to claim that an invasion of their privacy is the same thing as economic losses. In a case against Facebook, internet users tried to show that Facebook’s use of their information deprived them of the use and value of their data. But the court held they did not show how Facebook’s use caused them actual monetary losses. In a case against Amazon, users claimed they could be harmed if Amazon sold their personal data to credit card companies or employment background agencies who could then use that information to deny a loan or refuse to hire them. The court found that the damages were speculative–you are not damaged until it actually happens.

And this is exactly the trouble with asking courts to handle these issues, you can only bring a court case after it’s too late.

The Stored Communication Act, and The Wiretap Act each prevents electronic communications service companies from revealing the content of your communications. Basically, they can send the communication to the people it’s addressed to. Then both the sender and the recipient can consent to further disclosure. In another case against Facebook, a user claimed that Facebook revealed information about users through its targeted advertising when users clicked on a banner ad. Not surprisingly, the court found that clicking on the ad was effectively consent to contact the advertiser and be directed to its website.

For more details on some of these laws, and citations to the statutes and cases, see Gerry Silver’s excellent article “Do Not Track”: The Outlook for Online Privacy Litigation at Law Technology News, March 14, 2012.

Unfair Trade Practices

Where Facebook did get tripped up, was under the California unfair trade practices statute. Many states have laws against deceptive or unfair business practices that basically require companies to do what they say they are doing. That usually also means not changing the deal without telling you and getting your agreement.

Unfair Trade Practice statutes often do not require a showing of monetary damages–just that the company’s words and actions did not match. So Facebook’s privacy policies said one thing, but they were rolling out new technology and changes so fast that they way the site worked no longer matched the policies. As a result Facebook has agreed to a privacy review by the FTC every two years to make sure that when users set their privacy settings, they actually work.


The US is still grappling with what data is private, who owns it, who gets to use it and for what purposes. It depends on what information is or should remain private and to what extent people have knowingly consented to its use. More troubling, is whether online data should be sold or transferred to third parties or the government, and what they can use it for.

Further Reading

In March 2012, we did a series on information privacy where we looked at:

(This piece is substantially a reprint of What Laws Protect Privacy.)

We also looked at Employee Privacy at Work:

Here’s the rest of the series on data ownership