AFFIRMATIVE-CONSUMER/INTERNET-INHERENCY 363

CURRENT PRIVACY LAWS ARE INADEQUATE

CURRENT PRIVACY LAW IS INSUFFICIENT IN THE INTERNET AGE

Bryan S. Schultz, Associate Member, 1997-98, University of Cincinnati Law Review, "ELECTRONIC MONEY, INTERNET COMMERCE, AND THE RIGHT TO FINANCIAL PRIVACY: A CALL FOR NEW FEDERAL GUIDELINES," University of Cincinnati Law Review, Spring, 1999, 67 U. Cin. L. Rev. 779, EE2001-JGM, P 799-800

Despite widespread recognition of the need to ensure that proper security measures effectively protect electronic money transactions conducted over the Internet, applicable statutory and common law fail to guard against potential information abuses. Current federal legislation does not directly address the privacy concerns inherent in electronic money systems. n165 Indeed, the Privacy Act, the Right to Financial Privacy Act, and the Electronic Communications Privacy Act all appeal to the privacy concerns of the past. As such, these statutes, limited in scope and flexible in operation, fail to provide adequate safeguards against the prevailing privacy threats of today's electronic marketplace.

THE LEGAL APPROACH TO COMMERCIAL DATA PROCESSING MUST BE RECONSTRUCTED

Suzanne M. Thompson, "The Digital Explosion Comes With a Cost: The Loss of Privacy," Journal of Technology Law and Policy, Spring 1999, 4 J. Tech. L. & Pol'y 3, EE2001-JGM, P.49

As has been shown, even when there has been an attempt to codify fair information practices through statute, regulations, or industry guidelines, it has generally fallen short of the desired goal of privacy advocates -- to have individuals control the collection, use and disclosure of personal information. n136 There is no statute that gives an individual simple, meaningful, up-front control over personal information. n137 The sector by sector approach of existing law has slowed progress toward comprehensive informational privacy rights, and many gaps remain. Without consistent rights for privacy protection, it is difficult for individuals to assess their informational privacy rights and enforce fair information practices for the treatment of personal information. This suggests that the legal approach to commercial data processing activities needs to be reconstructed.

THE CURRENT PIECEMEAL APPROACH OF PROTECTING PERSONAL INFORMATION IS COMPLETELY INADAQUATE

Suzanne M. Thompson, "The Digital Explosion Comes With a Cost: The Loss of Privacy," Journal of Technology Law and Policy, Spring 1999, 4 J. Tech. L. & Pol'y 3, EE2001-JGM, P.31

The current protection of personal information is approached by an ad-hoc process -- targeting personal information on a case-by-case basis in either the public or private sector, either at the state or federal level, and in differing contextual and jurisdictional conditions. n71 This targeted approach results in uneven, inconsistent, and often less than adequate protection for personal data. n72 There are no universal fair information guidelines or practices that can be applied to ensure the protection and privacy of personal information. n73 Under the U.S. scheme, no single standard cuts across boundaries of law or industry practice. Furthermore, with the technological advances of the Internet, targeted standards are problematic. The use of computers allows personal information to be disseminated across sectors thus defying the aim of context-specific regulations and practices. "Information technology renders data multifunctional and fluid. Once in digital form and available on electronic networks, personal information may be combined and shared across sectoral lines." n74 Current information practices challenge the U.S. piecemeal approach to informational privacy protection because there is widespread, cross-sectoral use of personal information. n75

THERE IS CURRENTLY NO GUARANTEE THAT DATA WILL NOT BE SOLD

THE BALTIMORE SUN, August 21, 1999, TITLE: Congress bogs down over privacy laws for medical records; Abortion, right to sue are primary hurdles to passage of safeguards // acs-EE2001

So, for the moment, more privacy safeguards are in place for Americans' video rentals than for their medical records. There are no guarantees that private information won't be sold to pharmaceutical companies, passed to employers or whispered about in insurance company offices. A hospital clerk could sell your records to a malpractice attorney or leak them to a newspaper, and it's not against the law -- at least, not federal law.

THE GOVERNMENTS AD HOC DATA PRIVACY LAWS LEAVE PROTECTION SOLELY IN THE HANDS OF PRIVATE INDUSTRY COMPANIES WHO OFTEN IGNORE THEM

Gregory Shaffer, Assistant Professor of Law, University of Wisconsin Law School, Winter, 2000; Journal of International Law, 25 Yale J. Int'l L. 1, "Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards," EE2001-hxm lxnx

Because of the government's ad hoc approach to data privacy, U.S. regulation of the private sector largely depends on industry norms and individual company policies that are developed in reaction to market pressures. Yet until recently, industry norms and policies were rare. While they have suddenly proliferated in the context of U.S.-EU negotiations over the adequacy of U.S. data privacy protections, n106 these "selfregulatory" schemes remain voluntary, unenforceable, and, it appears, often ignored by the very companies advocating their use. n107 Privacy labeling programs are being created for companies to market their data privacy practices to attract customers, but there is presently little to no external monitoring of labeling practices. n108 While privacy advocates assert that these "self -regulatory" measures are smoke-screens to impede government regulation, n109 they nonetheless hope to use the EU Directive's regulatory mechanisms (and U.S.- [*28] EU negotiations over their application) to change regulatory policies and market practices in the United States.

STATUS QUO PRIVACY LAW FAILS TO PROVIDE INDIVIDUALS WITH PRIVACY PROTECTION IN UNREGULATED SECTORS

[*26] While U.S. data privacy protection may be adequate under EU standards in some sectors, it was thought inadequate in most. n99 Individuals have little or no privacy protection in unregulated sectors. From an ex ante perspective, the United States does not require an individual's consent to the processing, marketing, and sale to third parties of personal information. From an ex post perspective, individuals have no access to processed information and cannot challenge its accuracy or use before a court or administrative body. Congress has, in particular, kept its hands off the powerful direct marketing industry. As a result, enterprises can freely compile, mix, match, buy, sell, and trade profiles and dossiers covering an individual's purchasing proclivities; physical, emotional, and mental conditions; ethnic identity; political opinions; and moral views. n100 As one direct marketer boasts, its profiles "make it easy to keep up with the Joneses, as well as the Johnsons, the Francos, the Garcias, the Wongs and all the others." n101 The attitude of many U.S. businesses is encapsulated in the remarks of the chairman and chief executive of Sun Microsystems: "You already have zero privacy - get over it." n102

STATUS QUO PRIVACY LAW DOES NOT PROTECT THE PRIVACY OF PERSONAL INFORMATION FROM THE PRIVATE SECTOR

Gregory Shaffer, Assistant Professor of Law, University of Wisconsin Law School, Winter, 2000; Journal of International Law, 25 Yale J. Int'l L. 1 , "Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of U.S. Privacy Standards," EE2001-hxm lxnx

Unlike the European Union, the United States provides no generalized protection to individuals from the processing of personal information by the private sector. Congress has limited federal privacy protection to discrete sectors and concerns, as depicted in the following statutory titles: the Driver's [*25] Privacy Protection Act of 1994, n90 the Videotape Privacy Protection Act of 1988, n9l the Electronic Communications Privacy Act of 1986, n92 the Cable Communications Policy Act of 1984, n93 and the Fair Credit Reporting Act of 1971. n94 Rather than engage in a concerted effort to protect individual privacy, in most cases, Congress has simply reacted to public scandals. In passing the Fair Credit Reporting Act, Congress responded "to consumer horror stories of dealings with credit reporting agencies." n95 The Driver's Privacy Protection Act "was inspired by the murder of an actress ... who was tailed by a stalker who obtained her address ... from state driver's license records." n96 Congress enacted the Video Privacy Protection Act after the video rental records of Judge Robert Bork were obtained and published by a news reporter in the course of a campaign against his Supreme Court nomination. n97 As a result, in the United States, "video rentals are afforded more federal protection than are medical records." n98

MARKETING COMPANIES CAN BUY PERSONAL INFORMATION UNDER STATUS QUO PRIVACY LAW

n100. Direct marketing companies may compile profiles of an individual's ethnicity, political perspectives, sexual preferences, sexual potency, purchasing habits of undergarments, views on abortion, and health problems. To do this, they gather information from diverse sources, including registration records, business files, credit card purchases, warranty applications, and other places. See Reidenberg, supra note 97, at 518-23.

PRIVACY LAWS PROTECT DISCLOSURE OF PERSONAL INFORMATION BUT NOT COLLECTION AND STORAGE

Fred H. Cate, Brookings Institution, 1997; PRIVACY IN THE INFORMATION AGE, EE2001 -mfp p. 99

Outside of the constitutional arena, protection for information privacy relies on hundreds of federal and state laws and regulations, each of which applies only to a specific category of information user (such as the government or retailers of videotapes), context (applying for credit or subscribing to cable television), type of information (criminal records or financial information), or use for that information (computer matching or impermissible discrimination). Privacy laws in the United States most often prohibit certain disclosures, rather than collection, use, or storage, of personal information. When those protections extend to the use of personal information, it is often as a byproduct of legislative commitment to another goal, such as eliminating discrimination. And the role provided for the government in most U.S. privacy laws is often limited to providing a judicial form for resolving disputes.