Privacy in Mobile and Pervasive Computing. Florian Schaub


Privacy in Mobile and Pervasive Computing - Florian Schaub Synthesis Lectures on Mobile and Pervasive Computing


and issued “The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” [OECD, 1980], which expanded them into eight practical measures aimed at harmonizing the processing of personal data in its member countries. By setting out core principles, the organization hoped to “obviate unnecessary restrictions to transborder data flows, both on and off line.” The eight principles are as follows [OECD, 2013].

      1. Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

      2. Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

      3. Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

      4. Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification principle except:

      (a) with the consent of the data subject; or

      (b) by the authority of law.

      5. Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

      6. Openness Principle. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

      7. Individual Participation Principle. Individuals should have the right:

      (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them;

      (b) to have communicated to them, data relating to them

      i. within a reasonable time;

      ii. at a charge, if any, that is not excessive;

      iii. in a reasonable manner; and

      iv. in a form that is readily intelligible to them;

      (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

      (d) to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed or amended.

      8. Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

      Even though the OECD principles, just as the HEW guidelines before them, carried no legal obligation, they nevertheless constituted an important international consensus that substantially influenced national privacy legislation in many countries in the years to come [Solove and Rotenberg, 2003]. In what Michael Kirby, former Justice of the High Court in Australia, has called the “decade of privacy” [Clarke, 2006], many European countries (and the U.S.) followed the German state Hesse in passing comprehensive data protection laws—the first national privacy law was passed in Sweden in 1973, followed by the U.S. (Privacy Act of 1974, regulating processing of personal information by federal agencies), Germany (1977), and France (1978).

      The FIPs, while an important landmark in privacy protection, are, however, not without their flaws. Clarke [2000] calls them a “movement that has been used by corporations and governments since the late 1960s to avoid meaningful regulation.” Instead of taking a holistic view on privacy, Clarke finds the FIPs too narrowly focused on “data protection,” only targeting the “facilitation of the business of government and private enterprise” rather than the human rights needs that should be the real goal of privacy protection: “the principles are oriented toward the protection of data about people, rather than the protection of people themselves” [Clarke, 2006]. More concrete omissions of the FIPs are the complete lack of data deletion or anonymization requirements (i.e., after the data has served its purpose), and the absence of clear limits on what may be collected and in what quantities (the FIPs only require that the data collected is “necessary”). Similarly, Cate [2006] notes that, in their translation into national laws, the broad and aspirational fair information practice principles have often been reduced to narrow legalistic concepts, such as notice, choice, access, security, and enforcement. These narrow interpretations of the FIPs focus on procedural aspects of data protection rather than the larger goal of protecting privacy for the benefit of individuals and society.

      Many countries have regulated privacy protections through national laws—often with reference to or based on the fair information practice principles. We provide an overview of those laws with a specific emphasis on the U.S. and Europe, due to their prominent roles in developing and shaping privacy law and their differing approaches for regulating privacy.

       Privacy Law and Regulations in the United States

      The U.S. Constitution does not lay out an explicit constitutional right to privacy. However, in a landmark case, Griswold vs. Connecticut (1965), the U.S. Supreme Court recognized a constitutional right to privacy, emanating from the First, Third, Fourth, Fifth, and Ninth Amendments of the U.S. Constitution. The First Amendment guarantees freedom of worship, speech, press, assembly and petition. Privacy under First Amendment protection usually refers to being unencumbered by the government with respect to one’s views (e.g., being able to speak anonymously or keeping one’s associations private). The Third Amendment provides that troops may not be quartered (i.e., allowed to reside) in private homes without the owner’s consent (an obvious relationship to the privacy of the home). The Ninth Amendment declares that the listing of individual rights is not meant to be comprehensive, i.e., that the people have other rights not specifically mentioned in the Constitution [National Archives]. The right to privacy is primarily anchored in the Fourth and Fifth Amendments [Solove and Rotenberg, 2003].

      • Fourth Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      • Fifth Amendment: No person shall be […] compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

      In addition, the Fourteenth Amendment’s due process clause has been interpreted to provide a substantive due process right to privacy.

      • Fourteenth Amendment: No state shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any state deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.

      While
