Privacy: Issues, Policies, Statements - U.s. Online Privacy-protection Legislation

U.S. ONLINE PRIVACY-PROTECTION LEGISLATION

A series of existing laws addresses the privacy dilemmas spawned by the Internet, with dozens of new bills proposed in each Congressional session.

Title III of the 1968 Omnibus Crime Control and Safe Streets Act, also called the Federal Wiretap Statute, represents one of the first legislative attempts to protect the privacy of individuals' communications. It levies criminal and civil penalties for the intentional and unauthorized interception or disclosure of private communications, but it extended only to aural, not electronic, communications. In 1986, the Electronic Communication Privacy Act (ECPA) added electronic communications to those already protected by the Wiretap Statute. The Stored Communications Act, which safeguards electronic data stored after transmission, followed in the same year.

However, the ECPA allows governmental officials with a valid court order to trace private communications. Judges must approve requests for such court orders if prosecutors can verify that the data is relevant to ongoing criminal investigations. Furthermore, the statute doesn't protect users' identifications, only the content of their communications.

Congress asked the FTC to assess the privacy risks associated with computer databases in 1995. Partly as a result of FTC findings, a series of subsequent laws were passed, each addressing a separate facet of online privacy.

The 1996 Health Insurance Portability and Accountability Act (HIPAA) requires that safeguards be instituted to protect patients' medical records, which health-care organizations are increasingly storing and transmitting online. The Health and Human Services (HHS) Department drafted attendant regulatory protections in 1999. They grant patients the right to review and obtain copies of their medical records; require patients' consent before health information is released; and allow patients to restrict the use of their medical information.

Individuals' online financial information is protected under the Fair Credit Reporting Act (FCRA) of 1997. It gives consumers control over their credit histories, requires employers to notify employees in advance if they are to be subject to workplace misconduct investigations, and obligates them to inform employees of the results of such investigations. Proposed changes to FCRA would require online companies to notify individuals about data-sharing arrangements with third parties and to permit them to opt out of such arrangements.

The Gramm-Leach-Bliley Act of 1999 further targeted the security of personal financial data. It mandated that financial institutions reveal to consumers what personal information they share with third parties and that they notify their customers annually about how personal data is gathered and protected.

By 2000, there was growing bipartisan support in Congress for Internet privacy. Many relevant bills were submitted to congressional sessions in the late 1990s and in 2000. The 107th Congress introduced nearly 50 bills in its first four months alone. Among them were bills proposing the establishment of a federal privacy commission, the protection of social security numbers online, and the prohibition of any future governmental attempts to establish a uniform national identification standard.

Proponents of stronger privacy-protection legislation cite a 2000 FTC report to Congress, which revealed that only 20 percent of the most heavily visited Web sites had implemented comprehensive "fair information practices" regarding online data-gathering. The report concluded that industry self-regulation alone had failed to guarantee sufficient protection for user privacy and personal data, and that more comprehensive legislation would be needed, in tandem with self-regulation, to accomplish that goal.