The Failure of Fair Information Practice Principles
costs of the current approach. Instead, I propose that lawmakers reclaim the original broader concept of FIPPS by adhering to Consumer Privacy Protection Principles (CPPPS) that include substantive restrictions on data processing designed to prevent specific harms.
The CPPPS framework is only a first step. It is neither complete nor perfect, but it is an effort to return to a more meaningful dialogue about the legal regulation of privacy and the value of information flows in the face of explosive growth in technological capabilities in an increasingly interconnected, global society.
The Evolution of Fair Information Practice Principles
According to Professor Paul Schwartz, a leading scholar of data protection law in the United States and Europe, “[f]air information practices are the building blocks of modern information privacy law.” Marc Rotenberg, president of the Electronic Privacy Information Center, has written that “Fair Information Practices” have “played a significant role” not only in framing privacy laws in the United States, but in the development of privacy laws “around the world” and in the development of “important international guidelines for privacy protection.” In fact, so important are these principles that Rotenberg writes of them only in capital letters, like one might refer to the Bible or the Koran. What are FIPPS and from where did they originate?
The HEW Code of Fair Information Practices
In the early 1970s, mounting concerns about computerized databases prompted the U.S. government to examine the issues they raised—technological and legal—by appointing an Advisory Committee on Automated Personal Data Systems in the Department of Health, Education and Welfare. The Advisory Committee issued its report, Records, Computers and the Rights of Citizens, in 1973. In that report, the Advisory Committee called on Congress to adopt a “Code of Fair Information Practices,” based on five principles:
1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.