In my first post in this series, I posited that there is an implicit assumption that every individual has the right to data privacy and that privacy has on the whole been codified into law in may first-world countries, with the exception of the United States.
In this second post in this series, I will begin to look at the position of a US citizen from the perspective of personal data, starting with personally identifiable data relating to financial transactions and moving on to medical data and then the ability to be forgotten if you have done something wrong and completed your punishment for that issue.
As stated in my earlier post, the only protections a US citizen has regarding privacy are the rather limited 1974 Privacy Act and the legal common-law tort of invasion of privacy, neither of which are powerful enough deterrents against privacy infringements. Both were written at a time when the drafters could not envision the sprawl of modern-day data and the myriad of methods of holding it. It is true that the US Supreme Court has, on occasion, tried to mold the aging law to take account of changes in data privacy, but the fact remains that the 1974 Privacy Act is over forty years old. The US Supreme Court takes, on the whole, a very conservative approach to the law, with no major attempts to move it into the twenty-first century.
One case in point is the fact that deceased individuals do not have any privacy rights; more importantly, neither do the executors or the next of kin. This effectively means that once a person is dead, their personal information is game, and there is nothing anybody in the US can do to stop that information from becoming public. In the case of Flores v. Fox, a plaintiff’s claim for injunctive relief to correct his prison records was mooted by his death. In other words, because the plaintiff died, his records could not be changed, leaving the incorrect records in place. Compare this to the European right to be forgotten.
The US has attempted to close some gaps, but on the whole, its position regarding personal and data privacy is very loose. The US does have HIPAA, which relates to personal health records; COPPA, which relates to the privacy of children online; FACTA, which regulates the credit reporting industry [Equifax, Experian, et al]; and the FTCA, the overarching federal law that safeguards US citizens.
The CAN-SPAM Act provides regulation for hate porn (the leaking of private acts between consenting adults). This act also covers regulations regarding electronic mailings and telephones.
The Electronic Communications Privacy Act and the computer Fraud and Abuse Act regulate the interception of electronic communications and tampering.
Finally, in 2016, Congress enacted the Judicial Redress Act, giving some non-citizens or permanent residents the right to seek redress in US courts for privacy violations; however, this is restricted to information shared with law enforcement agencies and does not cover private interactions.
That said, the fact remains that there is no single legal method for removing false information about yourself or stale information—i.e., information regarding spent convictions. This is coupled with the fact that on April 3, 2017, POTUS 45 signed into law a bill that repealed a broad set of privacy and data security regulations for broadband Internet service providers that were adopted by the FCC toward the end of POTUS 44’s presidency (October 2016). At the time, the FTC and the administration acknowledged that “the current federal privacy regime, including the important leadership of the Federal Trade Commission (FTC) and the Administration efforts to protect consumer privacy, does not now comprehensively apply the traditional principles of privacy protection to…21st Century telecommunications services [as] provided by broadband networks.” The FCC Privacy Rule (which would have taken effect later in 2017) established a framework of customer consent required for ISPs to use and share their customers’ personal information that was calibrated to the sensitivity of the information. The rules would have allowed the inclusion of browsing history and apps usage as sensitive information, requiring opt-in consent. It also would have included data security and breach notification requirements. This is one of the first rollbacks of privacy enhancements brought in by the Obama administration. The effect of this rollback is that your browsing information can now be sold to the highest bidder. It seems that the US is alone in rolling back citizen privacy rights.