Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1


Ratings: (0)|Views: 11 |Likes:
Published by api-14716032

More info:

Published by: api-14716032 on Jul 10, 2009
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Electronic copy available at: http://ssrn.com/abstract=1156972
Chapter 13
The Failure of Fair Information Practice Principles
Consumer Protection in the Age of the Information Economy
Fred H. Cate
Indiana University
Modern data protection law is built on “fair information practice principles”(FIPPS). At their inception in the 1970s and early 1980s, FIPPS were broad,aspirational, and included a blend of substantive (e.g., data quality, use limitation)and procedural (e.g., consent, access) principles. They reflected a wide consensusabout the need for broad standards to facilitate both individual privacy and the promise of information flows in an increasingly technology-dependent, globalsociety.As translated into national law in the United States, Europe, and elsewhereduring the 1990s and 2000s, however, FIPPS have increasingly been reduced tonarrow, legalistic principles (e.g., notice, choice, access, security, andenforcement). These principles reflect a procedural approach to maximizingindividual control over data rather than individual or societal welfare.As theoretically appealing as this approach may be, it has proven unsuccessfulin practice. Businesses and other data users are burdened with legal obligationswhile individuals endure an onslaught of notices and opportunities for oftenlimited choice. Notices are frequently meaningless because individuals do not seethem or choose to ignore them, they are written in either vague or overly technicallanguage, or they present no meaningful opportunity for individual choice. Tryingto enforce notices no one reads has led in the United States to the Federal TradeCommission’s tortured legal logic that such notices create enforceable legalobligations, even if they were not read or relied upon as part of the deal.Moreover, choice is often an annoyance or even a disservice to individuals.For example, the average credit report is updated four times a day in the UnitedStates. How many people want to be asked to consent each time? Yet howmeaningful is consent if it must be given or withheld for all updates as a group?How meaningful is a credit reporting system if individuals can selectively choose
Electronic copy available at: http://ssrn.com/abstract=1156972
Consumer Protection in the Age of the Information Economy
what to include and exclude? Most people appear to go out of their way to avoidmaking choices about information collection and use; if forced to, they are oftenill-equipped to appreciate the risks either to our privacy or the benefits that may belost if information is not available.In addition, many services cannot be offered subject to individual choice.Requiring choice may be contrary to other activities important to society, such asnational security or law enforcement, or to other values, such as freedom of communication. This explains why so many laws that purport to invest individualswith control over information about them exempt so many activities: it simply isnot feasible or desirable to provide for individual control (or, in many cases, noticeor access either).Enforcement of notice, choice, and the other FIPPS is uneven at best.Individuals are rarely in a position to know if personal information about them has been used in violation of some prior notice that they received or consent that theygave. Situations likely to threaten greatest harm are often subject to the leastoversight, while innocuous or technical violations of FIPPS may be prosecutedvigorously if they are the subject of a specific law or obligation and they can beused to generate popular or political pressure. This was documented by thedisclosure during 2005 that tens of millions of business records containing personal information in the United States, Japan, and other countries had beenhacked, stolen, or lost. Experts observed that this has been going on for years.Until these disclosures, however, regulators had addressed information security, part of all sets of FIPPS, only when privacy notices made representations aboutsecurity that were later demonstrated to be untrue.
 In short, the control-based system of data protection, with its reliance onnarrow, procedural FIPPS, is not working. The available evidence suggests that privacy is not better protected. The flurry of notices may give individuals someillusion of enhanced privacy, but the reality is far different. The result is the worstof all worlds: privacy protection is not enhanced, individuals and businesses paythe cost of bureaucratic laws, and we have become so enamored with notice andchoice that we have failed to develop better alternatives. The situation only growsworse as more states and nations develop inconsistent data protection laws withwhich they attempt to regulate increasingly global information flows.This chapter reflects a modest first step at articulating an approach to privacylaws that does not reject notice and choice, but does not seek to rely on it for all purposes. Drawing on other forms of consumer protection, in which standards of  protection are not negotiable between providers and consumers, I propose thatnational governments stop subjecting vast flows of personal data to restraints based on individual preferences or otherwise imposing the considerable transaction
The Failure of Fair Information Practice Principles
costs of the current approach. Instead, I propose that lawmakers reclaim theoriginal broader concept of FIPPS by adhering to Consumer Privacy ProtectionPrinciples (CPPPS) that include substantive restrictions on data processingdesigned to prevent specific harms.The CPPPS framework is only a first step. It is neither complete nor perfect, but it is an effort to return to a more meaningful dialogue about the legal regulationof privacy and the value of information flows in the face of explosive growth intechnological capabilities in an increasingly interconnected, global society.
The Evolution of Fair Information Practice Principles
According to Professor Paul Schwartz, a leading scholar of data protection law inthe United States and Europe, “[f]air information practices are the building blocksof modern information privacy law.”
Marc Rotenberg, president of the ElectronicPrivacy Information Center, has written that “Fair Information Practices” have“played a significant role” not only in framing privacy laws in the United States, but in the development of privacy laws “around the world” and in the developmentof “important international guidelines for privacy protection.”
In fact, soimportant are these principles that Rotenberg writes of them only in capital letters,like one might refer to the Bible or the Koran. What are FIPPS and from where didthey originate?
The HEW Code of Fair Information Practices
In the early 1970s, mounting concerns about computerized databases prompted theU.S. government to examine the issues they raised—technological and legal—byappointing an Advisory Committee on Automated Personal Data Systems in theDepartment of Health, Education and Welfare. The Advisory Committee issued itsreport,
 Records, Computers and the Rights of Citizens
, in 1973
In that report, theAdvisory Committee called on Congress to adopt a “Code of Fair InformationPractices,” based on five principles:1.
There must be no personal data record-keeping systems whose very existenceis secret.2.
There must be a way for a person to find out what information about the person is in a record and how it is used.3.
There must be a way for a person to prevent information about the person thatwas obtained for one purpose from being used or made available for other  purposes without the person’s consent.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->