What we try to do in our organization is to trace what information should be collected, what are some of the problems with collection and what should be done, what kind of notice should people have when that information is collected, what kind of transparency should the organizations have when they use that information. Then ultimately what can and can’t they do with that information, what kind of decisions can they make about people and how do we put all this together. –Dan Solove, Project Reporter

The Principles of the Law, Data Privacy (Data Privacy Principles) are designed to guide the protection of data privacy in various areas and types of law. This area of law is generally referred to as information privacy law or data privacy law in the United States and data protection law in most other countries.

Data privacy law developed in the 1960s as a response to computer processing of personal data. Today, data privacy law is an interrelated amalgam of different areas of law, including federal and state constitutional law, federal and state statutory law, tort law, evidentiary privileges, property law, contract law, and criminal law.

This project is directed towards a variety of parties at the federal and state levels, including legislators, attorneys general, administrators at governmental agencies, and other regulators and policymakers. These Principles are also directed towards private actors, who can draw on them for guidance about best practices. Finally, the Data Privacy Principles present guiding concepts in this area of law in a fashion intended to be helpful to international policymakers to assess available U.S. privacy safeguards.

This Principles project is organized around key Fair Information Practice Principles (FIPPs) that establish duties and responsibilities for entities that process personal information. They also describe the rights that people should have regarding their data.

These Principles draw on statutory expressions of FIPPs as found in federal laws such as the Fair Credit Reporting Act (1970), the Privacy Act (1974), the Video Privacy Protection Act (1988), the Health Insurance Portability and Accountability Act (1996), the Children’s Online Privacy Protection Act (1998), and the Gramm-Leach-Bliley Act (1999). States have also incorporated important statutory expressions set out in FIPPs.

Despite the fact that the law has relied so heavily on the FIPPs model, key differences remain in the various formulations of FIPPs and in the way that laws interpret particular principles. Although FIPPs have served as a common starting point for data privacy laws, they have thus far not achieved a sense of uniformity and specificity that might reduce the significant differences in various data privacy laws. Moreover, changes in technology, law, and business organization challenge existing FIPPs.

The Data Privacy Principles seek to clarify and improve existing privacy principles and law in light of new concerns and changes in the scale, use, complexity, and social and economic importance of the use of personal data.

Current Table of Contents:

CHAPTER 1. PURPOSE, SCOPE, AND DEFINITIONS

  1. Purpose and Scope of the Data Privacy Principles
  2. Definitions

CHAPTER 2. DATA PRIVACY PRINCIPLES

  1. Transparency
  2. Individual Notice
  3. Consent
  4. Confidentiality
  5. Use Limitation
  6. Data Quality
  7. Access and Correction
  8. Data Portability
  9. Data Destruction
  10. Data Security

CHAPTER 3. ACCOUNTABILITY AND REDRESS

  1. Accountability
  2. Remedies and Redress

Reporters

Paul M. Schwartz

Reporter, Data Privacy Principles

Paul M. Schwartz, Professor of Law at UC Berkeley School of Law, is a leading international expert on information privacy, copyright, telecommunications and information law. He has published widely on these topics. His co-authored books include Data Privacy Law (1996, supp. 1998) and Data Protection Law and On-line Services: Regulatory Responses (1998), a study carried out for the Commission of the European Union that examines emerging issues in Internet privacy in four European countries. See his full list of publications.

Daniel J. Solove

Reporter, Data Privacy Principles

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. He is also the founder of TeachPrivacy, a privacy and cybersecurity training company. One of the world’s leading experts in privacy law, Professor Solove has lectured at universities, companies, and government agencies around the world. He is the author of numerous books, including Nothing to Hide: The False Tradeoff Between Privacy and Security, Understanding Privacy, and The Future of Reputation: Gossip and Rumor in the Information Age. Read more about his publications online.
