Privacy policies are required by law in most of the world for any party that collects data that can be used to identify an individual, because that data is protected by privacy laws that make such a policy mandatory. While the United States does not have a specific federal regulation mandating universal implementation of privacy policies, several federal and state laws have provisions on data privacy. The Federal Trade Commission (FTC) regulates data protection for all consumers in the USA. The Children's Online Privacy Protection Act (COPPA) is a federal law that requires websites to post a privacy policy if they collect information about or target children under the age of 13. The Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) also include provisions related to privacy policies.
| Characteristics | Values |
|---|---|
| First privacy laws enacted | Swedish Data Act (1973), West German Data Protection Act (1977), French Law on Informatics, Data Banks and Freedoms (1978) |
| First privacy law in the US | Fair Credit Reporting Act (1970) |
| US Federal Trade Commission Act established | 1914 |
| US Federal Trade Commission privacy role | 1970s |
| US Privacy Act | 1974 |
| US Family Educational Rights and Privacy Act | 1974 |
| US Telephone Consumer Protection Act | N/A |
| EU Data Protection Directive | 1995 |
| US Health Insurance Portability and Accountability Act | 1996 |
| US Children's Online Privacy Protection Act | 1998 |
| US Gramm-Leach-Bliley Act | 1999 |
| US California Consumer Privacy Act | 2018 |
| US Virginia Consumer Data Protection Act | 2021 |
| US Colorado Privacy Act | 2021 |
The right to privacy
In the United States, the right to privacy is not explicitly mentioned in the Constitution or the Bill of Rights. However, the Supreme Court first recognised the "right to privacy" in Griswold v. Connecticut (1965), which established a right to privacy for married couples regarding the purchase of contraceptives. This decision was based on the "penumbras" of other explicitly stated constitutional protections, such as the First, Third, Fourth, Fifth, and Ninth Amendments.
While the United States has made strides in recognising the right to privacy, it lags behind the European Union in terms of data protection and privacy laws. The EU's General Data Protection Regulation (GDPR), which came into effect in 2018, provides more extensive data protection laws and harmonises privacy rules across all member states.
Privacy laws in the US
The United States does not have a comprehensive federal law governing data collection, protection, and privacy. Instead, there is a system of federal and state laws that govern particular sectors and types of personal information.
The US Constitution does not explicitly mention "privacy", but the Fourth Amendment ensures "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures". This has been interpreted as protecting citizens from unwarranted government intrusion.
The Supreme Court has also interpreted the Fourteenth Amendment as providing a substantive due process right to privacy, which was first affirmed in Griswold v. Connecticut (1965). This decision protected a married couple's right to contraception. The Court found that there is a right to privacy within the penumbra of rights provided by the Constitution, even if it is not specifically mentioned in the Amendments.
The early years of privacy rights in the US began with English common law, which initially protected "only the physical interference of life and property". The "Castle doctrine" analogises a person's home to their castle—a private site that should not be accessed without the owner's permission. Over time, these rights expanded to include a "right to be let alone", and the definition of "property" broadened to include "every form of possession – intangible, as well as tangible".
In the late 19th century, interest in privacy grew due to the rapid growth of print media, especially newspapers. Between 1850 and 1890, US newspaper circulation grew by 1000%, and journalism became more sensationalised, termed "yellow journalism". The development of handheld cameras also allowed people and journalists to take candid snapshots in public for the first time.
In 1890, Samuel Warren and Louis Brandeis wrote a "pathbreaking" Harvard Law Review article, "The Right to Privacy", which has been described as "adding a chapter to our law". They defined "privacy" as the right to be left alone, and their article largely spurred the development of the "invasion of privacy" doctrine.
In the 20th century, technological and governmental changes continued to shape the nature of privacy issues and laws. The Watergate incident played a significant role in shaping the scope and text of privacy laws in the 1970s and 1980s.
Some key federal privacy laws in the US include:
- The Fair Credit Reporting Act of 1970, which requires credit-reporting services to ensure the accuracy of personal information in credit reports, and places restrictions on the use of information in credit records.
- The Federal Privacy Act of 1974, which prohibits federal agencies from disclosing information about individuals without their consent.
- The Cable Communications Policy Act of 1984, which addresses concerns about the ability of cable companies to track consumer viewing and buying habits.
- The Video Privacy Protection Act of 1988, which prohibits the disclosure of video rental records, with some exceptions.
- The Health Insurance Portability and Accountability Act (HIPAA), which limits the amount and types of information that can be collected and stored by healthcare providers, and includes data confidentiality requirements in "The Privacy Rule".
- The Gramm-Leach-Bliley Act, which places limits and requirements on data collection by financial institutions, and restricts how information can be collected, used, and stored.
- The Children's Online Privacy Protection Act, which imposes restrictions on websites that collect information about children under the age of 13, and requires these websites to post a privacy policy and adhere to information-sharing restrictions.
In addition to federal laws, many states have implemented their own privacy laws and regulations. For example, the California Online Privacy Protection Act of 2003 was the first state law requiring a privacy policy on commercial websites and online services. The California Electronic Communications Privacy Act of 2015 requires state law enforcement to obtain a warrant before accessing electronic data, and the Delaware Online Privacy and Protection Act of 2016 regulates advertising directed at children and enhances privacy protections for digital book readers.
Privacy laws in the UK
Privacy law in the UK is a rapidly developing area of law that considers situations where individuals have a legal right to informational privacy, i.e., the protection of personal or private information from misuse or unauthorised disclosure.
The Data Protection Act 1998 (DPA) is the UK law on privacy that makes a privacy policy mandatory. Companies that must comply with the UK's DPA must follow eight principles, including:
- Any kind of personal data from users must be collected for a specified and lawful purpose. The data also cannot be processed in any way that is incompatible with that purpose.
- The personal data collected should be adequate, relevant, and not excessive in relation to the purpose for which it is being collected.
- The personal data should be kept up to date and accurate.
- Any kind of personal data collected from users should not be kept longer than is necessary for the purpose for which it was collected.
The Human Rights Act 1998 also incorporated the European Convention on Human Rights into English law. Article 8.1 of the ECHR provided an explicit right to respect for a private life.
The UK's DPA was updated in 2018 to include the General Data Protection Regulation (GDPR). Under the Data Protection Act 2018, individuals have the right to find out what information the government and other organisations store about them. This includes the right to:
- Be informed about how their data is being used.
- Access personal data.
- Have incorrect data updated.
- Stop or restrict the processing of their data.
- Object to how their data is processed in certain circumstances.
Privacy laws in the EU
Privacy is a fundamental right in the EU, enshrined in Article 8 of the EU Charter of Fundamental Rights. The right to privacy is also part of the 1950 European Convention on Human Rights, which states that "everyone has the right to respect for his private and family life, his home and his correspondence".
The EU's approach to privacy laws is notably more developed than in other parts of the world, such as the US. The EU's privacy laws apply to both the public and private sectors, covering not only government operations but also private enterprises and commercial transactions.
In 1968, the Council of Europe began to study the effects of technology on human rights, recognising the new threats posed by emerging computer technology. This led to the introduction of Convention 108, or the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, in 1981.
In 1995, the EU adopted the Data Protection Directive, which set minimum data privacy and security standards for member states. However, the directive was superseded by the General Data Protection Regulation (GDPR) in 2018. The GDPR is the world's toughest privacy and security law, imposing obligations on organisations worldwide as long as they target or collect data related to people in the EU. The regulation includes hundreds of pages of new requirements, covering areas such as data protection principles, rights of the data subject, duties of data controllers and processors, and remedies, liability, or penalties for breach of rights.
The GDPR provides individuals with greater control over their personal information and simplifies the regulations for international businesses. It applies to any organisation based in the EU that collects information about living people, as well as organisations outside the EU if they collect or process personal data of individuals located inside the EU. Under the GDPR, individuals have the right to access their personal data, rectify or erase their data, restrict its processing, and transfer their data from one electronic processing system to another. Data controllers must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long the data is being retained and whether it is being shared with third parties.
The GDPR imposes harsh fines for violations of its privacy and security standards, with penalties reaching tens of millions of euros. As of 2021, over one billion euros in GDPR fines had been imposed.
Privacy laws in China
In recent years, China has introduced several major data protection laws, including the Personal Information Protection Law (PIPL) and the Data Security Law (DSL). The PIPL, which came into effect on November 1, 2021, is China's first comprehensive privacy law. It establishes a new regulatory framework for personal information protection, requiring consent as its principal basis for data collection and handling, and imposing significant fines for non-compliant conduct. The DSL, which came into force on September 1, 2021, focuses on data security across a broad category of data.
The PIPL and DSL are the two main pillars of China's personal information protection framework, along with the Cybersecurity Law (CSL), which came into effect on June 1, 2017, and was the first national-level law to address cybersecurity and data privacy protection. While the CSL was a significant step forward, the PIPL is the first comprehensive, national-level personal information protection law in China. It enhances and clarifies earlier personal information laws and regulations.
The PIPL requires express and informed consent for the processing of personal information. Separate and explicit consent is required for sensitive information, such as biometric recognition, religious belief, specific identity, medical health data, financial account information, and personal location tracking. The law also restricts cross-border data transfers, allowing personal information to be transferred outside of China only after completing certain requisite steps and obtaining regulatory approval.
In addition to the three main laws, China's personal information protection framework includes several other regulations and guidelines. These include the Decision on Strengthening Online Information Protection, the Measures for the Security Assessment of Outbound Data Transfers, and the National Standard of Information Security Technology — Personal Information Security Specification (PIS Specification). The PIS Specification, while not legally binding, has been highly persuasive in providing technical guidance on key issues such as data transfers and sensitive personal information.
China's privacy laws are meant to preserve a broad "exceptional zone" for state surveillance in areas like intelligence collection, law enforcement, and domestic stability maintenance. At the same time, they aim to discipline firms and lower-level bureaucratic entities that are abusing or misusing citizens' data. For example, the PIPL applies to state organs, and there have been cases where state organs have been disciplined for privacy violations, such as inadvertently publishing private information.
The application of privacy law to state entities stems from a recognition that some of the most egregious instances of data abuses in recent years, especially during the COVID-19 pandemic, emanated from state or quasi-state entities. For instance, local officials in Henan assigned red COVID health codes to citizens to prevent them from traveling to protest the freezing of their bank deposits. As a result, the Cyberspace Administration of China (CAC) issued a notice in 2020 urging governments to follow personal information protection guidelines in their pandemic control work.
China's privacy laws have been enacted, in part, to highlight its responsive governance in the face of new vulnerabilities and dependencies that have arisen out of its data-driven society. By enacting these laws, the Chinese government seeks to position itself as a champion of individual privacy rights against incursions from various digital bad actors, including individuals, firms, and local governments. However, the central Party-state itself, despite its leading role as a surveillant, is notably missing from this list. In this regard, privacy law may also serve to distract the population from the state's own privacy incursions.
China's privacy laws pose significant challenges for companies conducting or responding to investigations in the country. The requirements for notification and consent when collecting and processing data from company employees can create logistical and practical difficulties during an investigation. Additionally, it is common for company employees in China to use personal devices for handling and communicating business data, and they may be reluctant to hand over these devices during an investigation.
Another challenge arises from restrictions on cross-border data transfers. Multinational companies conducting investigations in China are advised to process and review all China-related data within the country using local teams or outside counsel with China-based teams, thereby avoiding the need to transfer data out of China.
Frequently asked questions
A privacy policy is a statement or legal document that discloses how a party collects, uses, discloses, and manages a customer or client's data.
Privacy policies became mandatory by law in the early 1970s with the passage of the Fair Credit Reporting Act in the United States and the Swedish Data Act, which was one of the first privacy laws enacted.
The key components of a privacy policy include: the types of personal information collected, the purpose of the collection, how the information is stored and secured, how it will be used, and whether it will be shared with third parties.
The consequences for non-compliance with privacy laws can vary depending on the jurisdiction, but they may include civil and criminal penalties, lawsuits, and damages.
Privacy laws can differ significantly between countries and regions, such as the United States, the European Union, Canada, Australia, and China. These differences relate to the specific requirements for privacy policies, the regulatory bodies enforcing them, and the rights granted to individuals.