Principles for Protecting Privacy

The past five years have witnessed an explosion in legislation, regulation, and litigation designed to protect the privacy of personal information. Congress alone has adopted comprehensive federal financial privacy legislation, online privacy protection for children, and the first federal prohibition on access to historically open public records without individual "opt-in" consent, among other privacy laws. Rather than preventing harmful uses of personal information or invasions of privacy by the government, these laws grant individuals broad rights to control innocuous and even beneficial uses of information about them by the private sector. At the state level, legislators have considered hundreds of their own privacy bills in the past two years alone. State attorneys general have initiated aggressive privacy investigations and litigation. State insurance commissioners have been busy trying to implement the insurance provisions of the Gramm-Leach-Bliley Financial Services Modernization Act of 1999. On the judicial side, the Supreme Court has decided two cases upholding privacy laws from constitutional attack, (1) while at the same time holding that the First Amendment protected the broadcast of an illegally intercepted cellular telephone conversation. (2) Federal appellate courts, meanwhile, have been busy alternately upholding and striking down privacy laws. (3) Outside of the United States, Europe has brought its sweeping data protection directive into force, while other industrialized countries have either adopted or are in the process of considering new privacy laws. In sum, there is no shortage of sources to which we might look for experience in enacting and enforcing privacy laws.

The most recent federal privacy enactment involves the rules adopted by the Department of Health and Human Services in December 2000, and amended in March 2002, to implement the health privacy provisions of the 1996 Health Insurance Portability and Accountability Act. While weakening protection for privacy against government intrusion, they impose substantial new restrictions on the use of personal health information by the private sector. Under the amended rules, such information can generally be used for health care treatment, payment, or operations only after an individual is provided with a detailed disclosure of privacy practices by covered health care providers. Providers with a direct treatment relationship also must make a good faith effort to receive a written acknowledgement of receipt of that notice. Information may be used for other health-related purposes only with the explicit, opt-in "authorization" of the individual concerned. These rules ignore much of the evidence about the cost and burden to consumers of providing notices and securing consent, and the undesirability (and likely unconstitutionality) of conditioning medical service on compliance with bureaucratic notice and acknowledgement or consent requirements, especially when that service cannot be provided without the information or when access to the information yields broad societal benefits. The rules demonstrate how little we have learned from our past experience with privacy laws and regulations. This article, therefore, addresses health privacy in the broader context of other areas of recent privacy activity, in an effort to discover what we should have learned, and to identify those principles that should undergird regulatory efforts to protect privacy.

The Privacy Debate

The recent debate over privacy, and the role of law in protecting it, is unlike many other political debates for a variety of reasons.
Privacy is an unusually broad term, encompassing both fundamental constitutional rights (such as freedom from government intrusions into our homes and other forms of search and seizure, as well as the right of citizens to make decisions about marriage, contraception, and abortion) and less well-defined and arguably less critical issues (such as the desire to be free from annoying direct marketing calls and mailings). …