In the United States, privacy legislation is commonly thought of as a hot-button, distinctly 21st-century topic. However, its roots can be traced back in history to well before the founding of the United States, to the Magna Carta (1215), which is often credited with first laying out a right to the privacy of one’s home.
In the last few decades, the exponential increase in the accessibility and availability of personal data has led to a proliferation of privacy laws in the US and the rest of the world.
It is vital to understand this evolution, both to make sense of current trends and to be properly prepared for future legislation, as roughly 100 of the world’s 196 countries currently have some form of privacy legislation.
This post will cover the evolution of privacy law in the United States, the recent wave of privacy laws, and why organizations should care immensely about being compliant.
Privacy law in the United States began at the same time as the country itself, right in its founding documents: The United States Constitution and the Bill of Rights (1791). While the ideas contained within are now considered well-established, nearly universal legal concepts, it was far from the case at the time.
While the U.S. Constitution contains no express right to privacy, the Bill of Rights reflects the framers’ concern for protecting specific aspects of individual freedom and privacy. These include the privacy of beliefs (1st Amendment), the home (3rd Amendment), person and possessions (4th Amendment), and the 5th Amendment’s privilege against self-incrimination, which protects the privacy of personal information.
In addition, the Ninth Amendment states that the “enumeration of certain rights” in the Bill of Rights “shall not be construed to deny or disparage other rights retained by the people.” In Griswold v. Connecticut (1965), the United States Supreme Court held that the 9th Amendment joins the 1st, 3rd, 4th, and 5th Amendments in protecting a person’s right to privacy, including rights not explicitly enumerated in the Constitution.
Outside the constitutional amendments, privacy was appearing before the courts long before the 20th century, showing up as a statutory matter as early as 1864.
An enterprising stockbroker named D.C. Williams eavesdropped on corporate telegraph lines and then sold what he overheard to other stock traders. He was convicted of wiretapping, and his prosecution is often described as the first case of insider trading.
A few decades later, Samuel Warren and Louis Brandeis (the latter a future United States Supreme Court justice) published “The Right to Privacy” in the Harvard Law Review (1890). The article is considered the seminal statement of the modern notion of privacy and became the genesis of privacy law over the following century.
Why are people concerned about privacy laws now?
If privacy law goes back more than two centuries, why does there seem to be such a fervor surrounding it now?
The reason is multi-faceted.
For one thing, the ability to create, store, and analyze colossal troves of data makes it far easier for personal privacy to be infringed upon from anywhere in the world without one even knowing.
Second, there has been a rise in the misuse of that data, whether intentionally or through a data breach. There is a broad spectrum of unethical, improper, and outright illegal uses of data to which we are now vulnerable.
Third, there is increased public awareness of the issues surrounding privacy. Data breaches seem to be in the news nearly every day, or an organization is sending out a press release disclosing one. Our dependence on technology has made such incidents both more frequent and more visible.
Finally, the GDPR is being enforced, and organizations that violate it, including through data breaches, are receiving serious fines.
The European authorities have shown that they mean business with the GDPR. They are enforcing it aggressively and supplementing it with rules and guidance that apply it at a granular level. An organization subject to the GDPR has no real choice but to be compliant or pay the price: the authorities will audit, fine, and do everything in their power to ensure compliance.
Privacy laws are clearly here to stay and there are two possible paths to take, either comply or don’t.
Non-compliance with laws, regulations, standards, and your own published privacy and security notices is a road to disaster. The end of that road is punishing fines, a damaged reputation, or both.
Compliance, meanwhile, is not inexpensive. The investment in a privacy program adds up over time, but so do the consequences of a violation: GDPR fines can reach the greater of €20 million or 4% of annual global turnover.
But there’s an additional dimension of privacy compliance to consider: ethics and peer pressure.
Privacy standards are increasingly written into law and are now explicitly called out in contract terms. What’s more, either explicitly or by implication, the standards and contractual terms that apply to you also apply to the business partners with whom you share data, especially in the United States.
Europe’s GDPR distinguishes between data controllers and data processors, each with its own obligations; US law generally has no such split and places responsibility on the party that collects and controls the data. That party’s promises that data is managed and protected in accordance with the law therefore extend beyond the contract signers to everyone acting on its behalf, including its employees and the vendors that handle the data.
At the end of the day, the result is an interlocking series of contracts and obligations: everybody is liable to everybody else. When you choose your vendors, choose ones whose ethical principles are close to your own organization’s. This includes anybody that touches your customers’ data, such as your cloud provider or any other relevant entity in your supply chain.
The basic principle applies: you are only as good as the weakest link in your chain. If a vendor in that chain fails to protect data privacy, the failure can implicate your organization even though the lapse was not your own.
This means you are wise to select vendors you can trust as partners. From a legal perspective, in the case of privacy and ethics, a partnership goes beyond a simple corporate relationship; some partners should be considered records and information managers in their own right.
Ethics, which are tied directly to the quality of your reputation, should be baked into your policies and decisions around privacy compliance.
With changes happening nearly every day, building a privacy compliance program today can feel like hitting a moving target.
When taking on a sizeable, wide-reaching project like a privacy compliance program, the most important thing is to start from an established framework rather than reinventing the wheel.
The first step should be to look at how other organizations like yours have managed their privacy programs, which can save you time, staff, and other resources. You can then customize that approach as needed to fit your specific use cases.
For more guidance on building a privacy compliance program that’s compliant today and scalable tomorrow, check out our digital guides: Data Privacy for the Information Professional and Developing a Privacy Program That Works