“Privacy” is widely recognized as a legal right, but with a range of different meanings. These include restraints on intrusion into the home, confidentiality of correspondence, freedom to make certain fundamental decisions, control of personal data, anonymity, and many others. Countries differ as to the specific understandings of privacy their laws protect and whether those understandings apply equally against the government and private sector entities.
Since the end of World War II, international legal agreements have recognized privacy as a human right because “laws protecting privacy are the means through which the collective acknowledges rules of civility that are designed to affirm human autonomy and dignity” (Smolla 1992, 119). The Universal Declaration of Human Rights provides that “no one shall be subject to arbitrary interference with his privacy, family, home, or correspondence.” The International Covenant on Civil and Political Rights and the European Convention on Human Rights contain identical provisions. The “Right to Privacy” clause of the American Convention on Human Rights likewise provides that “no one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence.”
Comparative Law: Constitutions, Statutes, And Common Law
A number of countries recognize privacy in their constitutions. For example, the South Korean Constitution states: “The privacy of no citizen shall be infringed.” Similarly, the Basic Law of Germany protects privacy as part of “human dignity,” “inviolability of the home,” and the “privacy of correspondence, posts and telecommunications.” Other countries in which privacy emanates from constitutions include Brazil, Ireland, India, Japan, the Netherlands, Russia, and the United States.
In addition to the constitutional guarantee of privacy, many nations regulate privacy as a civil or criminal offense through statutes. This is true in the 27 member countries of the European Union, which are required by the 1995 EU Data Protection Directive to adopt omnibus data protection laws applicable to both the government and the private sector. Although many European nations had adopted privacy laws prior to the Directive taking effect in 1998, the Directive significantly increased the scope and burden of privacy law throughout Europe. Argentina, Australia, Canada, Hong Kong, Japan, Singapore, South Korea, Switzerland, Taiwan, and other nations have also adopted broad data protection statutes. Common law has also played a significant role in evolving privacy requirements, especially in the United States and New Zealand.
US Constitutional Provisions
“Privacy,” as a distinct set of legal rights, originated in the United States with the 1890 publication of Samuel Warren and Louis Brandeis’s Harvard Law Review article, “The right to privacy.” Warren and Brandeis proposed the creation of a tort action for invasion of privacy by the news media. In the century since, privacy law has expanded to exist in all of the forms discussed above, with the exception so far of an omnibus data protection law. This exception is increasingly bringing the United States into conflict with other nations.
The US Supreme Court has found three privacy rights implicit in the US Constitution. The first is based in the Fourth Amendment “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” The Court has held that the protected zone of Fourth Amendment privacy is defined by the individual’s “actual,” subjective expectation of privacy and the extent to which that expectation is “one that society was prepared to recognize as ‘reasonable.’” The protection afforded by the Fourth Amendment is subject to many exceptions. For example, there can be no reasonable expectation of privacy in information held by a third party. Hence, the US government can collect even the most sensitive information from a third party without a warrant and without risk that the search may be found unreasonable under the Fourth Amendment.
The second of the constitutional privacy protections is a more general constitutional right against government-compelled “disclosure of personal matters.” This right has proved quite weak, and in fact has never been used by the Supreme Court to block any government demand for personal data. The third constitutional privacy provision is an amorphous but controversial right of individuals to make certain fundamental decisions concerning themselves or their families. This right has been the source of considerable controversy in debates over abortion, reproduction, education, and childrearing, and seems unlikely to survive the appointment of more conservative Supreme Court justices.
The contours of the Fourth Amendment and of the right against nondisclosure of personal matters are of great importance to journalists, because they define the constitutional protection against the government seizing or searching journalists’ papers, files, photographs, and outtakes. As many journalists have learned to their consternation, there are today few, if any, limits, and those that there are can always be overcome by the government applying to a court for a warrant.
US Tort Privacy Law
US common law, and later statutes, have also provided for four types of privacy torts over the years. First, the tort of unreasonable intrusion requires that it involve one’s invasion of the solitude of another or his private affairs and that it be “highly offensive to a reasonable person.” Second, the tort of disclosure of embarrassing facts applies to publication of private information that would be “highly offensive to a reasonable person” and is not of “legitimate public concern.”
The third privacy tort is publicity that places a person in a false light before the public. To be actionable under the false light tort, the publication must be both false and highly offensive to a reasonable person. The final privacy tort is for commercial appropriation of an individual’s name, likeness, or other personal characteristic without permission. Most state laws require that the appropriation be for “direct commercial gain”; the activities of the press rarely are found to satisfy this requirement. Because the torts restrict expression and therefore must withstand First Amendment review, they are rarely successful. To date, only a few awards to privacy tort plaintiffs have ever survived the Supreme Court’s First Amendment scrutiny.
Data Protection as Right of Privacy
Euro-American Experience
Privacy concerns almost always respond to new technologies. The latter third of the twentieth century witnessed the creation of a new and different form of privacy protection – data protection – in response to the development of computers since the 1960s. These data protection laws have evolved over the past three decades, and they have taken widely varying forms in different countries.
Data protection laws generally focus on investing individuals with control over the collection and use of information about themselves. Earlier data protection laws tended to lay less stress on individual control. Later data protection laws have become almost wholly preoccupied with this goal. The first data protection laws emerged in the United States and applied primarily to industry sectors (such as credit reporting and higher education) far removed from the activities of most journalists.
Perhaps the high point of data protection law focused on individual control is the European Union Data Protection Directive. The Directive reflects the European experience with personal data being misused by the Gestapo and by the East German Stazi and other national police and intelligence organizations during and after World War II. Thus, European nations have pursued a broader approach to privacy and one that regards it as a basic human right.
Europe was the site of the first national omnibus privacy legislation (Sweden, 1973). Today, all 27 members of the EU have broad-based laws, adopted in compliance with the EU Data Protection Directive of 1995. The Directive requires each member state to enact laws governing the processing of personal data. Personal data are defined as “any information relating to an identified or identifiable natural person.” This would include not only textual information, but also photographs, audiovisual images, and sound recordings of an identified or identifiable person, whether dead or alive. As a practical matter, the Directive does not apply in only two contexts: activities outside of the scope of Community law, such as national security and criminal law, and the processing of personal data that is performed by a “natural person in the course of a purely private and personal activity.”
The EU Data Protection Directive is noteworthy for its broad scope, its sweeping requirements, and its singular focus on privacy, often to the exclusion of other values. The national laws adopted under the EU Directive vary widely, thus largely undermining the value of the Directive in facilitating pan-European data flows. Even though member states are permitted, but not required, to carve out exceptions to most of the Directive’s provisions for journalistic purposes, because national governments and individuals have broad rights to block the collection, use, and transfer of personal data, national data protection laws reduce the store of personal data on which journalists may draw.
Other National Data Protection Laws
Article 25 of the EU Data Protection Directive restricts the flow of data to countries found by European officials to lack “adequate” data protection, and this has added considerable pressure to the existing incentives for other nations to adopt new data protection laws and to model those on the Directive. To date, Switzerland, Canada, Argentina, Guernsey, and the Isle of Man have all adopted restrictive data protection laws that have been found “adequate” under the Directive. Many other nations (including Australia, Hong Kong, Japan, South Korea, and Taiwan) have adopted such laws but have not applied for adequacy determinations or have been turned down because the provisions were not considered adequate under the Directive. The United States negotiated a “safe harbor” agreement that allows US companies in many industries, on a case-by-case basis, to agree to be bound by the Directive’s “principles” and to be subject to enforcement by the US Federal Trade Commission (or other federal authorities) if they fail to. In exchange for a publicly acknowledged agreement to do so, the companies may then import personal data from the EU.
Later US Data Protection Laws
The US Congress and many state legislatures have adopted more restrictive data protection laws. These laws reflect considerable movement toward investing individuals with control over information about them, irrespective of whether the information is, or could be, used to cause harm.
The Children’s Online Privacy Protection Act of 1998 requires operators of websites directed to children under 13, or who knowingly collect personal information from children under 13 on the Internet, to provide parents with notice of their information practices, and obtain prior, verifiable opt-in parental consent for the collection, use, and/ or disclosure of personal information from children (with certain limited exceptions). The Driver’s Privacy Protection Act of 1994 bars states and their employees from releasing information from motor vehicle records, including names, addresses, photographs, and telephone and social security numbers. The law has many exemptions, but none for the news media.
These laws apply to the press directly. The result has been quite pronounced in terms of restricting press access to traditionally accessible sources of information. A study by Brooke Barnett (2001) found that journalists routinely use public records not merely to check facts or find specific information, but to actually generate stories in the first place. Other laws do not directly regulate the activities of journalists, but have limited their ability to obtain important information. For example, the privacy rules under the Health Insurance Portability and Accountability Act address the privacy of personal health information and thus severely restrict the ability of hospitals and other health-care providers to comment on the medical condition of their patients. Thus, journalists are often unable to discover even the most basic information concerning public officials and victims of crimes and natural disasters.
While more recently adopted data protection laws increasingly restrict journalists’ access to personal data, in the United States they continue to impose few restraints on the use of data once obtained because of the powerful role of the First Amendment. The US Supreme Court held in Bartnicki v. Vopper (2001) that the broadcast of an illegally intercepted cellular telephone conversation concerning labor negotiations over public school teacher salaries was protected by the First Amendment.
References:
- Barnett, B. (2001). Use of public record databases in newspaper and television newsrooms. Federal Communications Law Journal, 53, 557–572.
- Bartnicki v. Vopper, 532 US 514 (2001).
- Cantrell v. Forest City Publishing Co., 419 US 245 (1974).
- Cate, F. (1997). Privacy in the information age. Washington, DC: Brookings Institution Press.
- Edelman, P. B. (1990). Free press v. privacy: Haunted by the ghost of Justice Black. Texas Law Review, 68, 1195–1198.
- European Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8, Nov. 4, 1950, 213 UNTS 221.
- Glasser, C., Jr (ed.) (2006). International libel and privacy handbook. New York: Bloomberg.
- Katz v. United States, 389 US 347 (1967).
- McCarthy, J. (2007). The rights of publicity and privacy, 2nd edn. Eagan, MN: Thomson/West.
- Olmstead v. United States, 277 US 438 (1928).
- Paraschos, E. (1998). Media law and regulation in the European Union. Ames, IA: Iowa State University Press.
- Rosen, J. (2000). The unwanted gaze: The destruction of privacy in America. New York: Random House.
- Rotenberg, M. (ed.) (2006). Privacy law sourcebook: United States law, international law, and recent developments. Washington, DC: Electronic Privacy Information Center.
- Smolla, R. (1992). Free speech in an open society. New York: Alfred A. Knopf.
- Tugendhat, M., & Christie, I. (2002). The law of privacy and the media. Oxford: Oxford University Press.
- United States v. Miller, 425 US 435 (1976).