Privacy is the right of a person or person’s property to be free from unwarranted public scrutiny or exposure. In other words, it is the right to personal autonomy and to express oneself selectively. Privacy includes both bodily integrity and the protection of confidential information, including medical and financial records.
Implied Constitutional Right
Privacy is an implied Constitutional right, meaning it is a right based on the “zones of privacy” created by the US Constitution. However, the word “privacy” is not in the Constitution itself.
The right to privacy was first mentioned in a Harvard Law Review article in 1890 by Samuel Warren and Louis Brandeis, who later served on the US Supreme Court from 1916 until 1939. Warren and Brandeis argued the right to privacy is an important civil liberty which should not be violated by sensational journalists and developments in technology. The technology in the late 1890s they were the most concerned with was photography and telephones. In particular, they were concerned about people losing their right to privacy when others take photographs of them or listen to their conversations.
Privacy was discussed in the legal community for 75 years before the US Supreme Court expressly held individuals have a Constitutional right to privacy in the 1965 Griswold v. Connecticut decision.
Privacy cases involve different circumstances, such as the right to choose whether to marry and to whom, the right to choose whether to have children, and the right to protect confidential information such as medical and financial records.
The Framers of the Constitution did not include the word “privacy” in the Constitution but it is a fundamental right underlying the core tenets of the document. The Bill of Rights begins by recognizing fundamental rights that are essential to an individual’s identity: speech, religion, press, assembly, and petition for redress from the government. From there, the Bill of Rights expands protection of individuals to include their homes and possessions. For example, the Fourth Amendment prohibits unreasonable searches and seizures by the government. As reflected in the Bill of Rights, privacy is an essential right the Constitution intends to protect.
When analyzing privacy cases, courts ask whether an individual has a reasonable expectation of privacy. To establish a “reasonable expectation of privacy,” a person must meet two requirements:
- The individual has an actual, subjective expectation of privacy. In other words, did that particular person think he or she was doing something in private that others could not observe?
- Society accepts the individual’s expectation of privacy as reasonable. In other words, as a community do we expect those circumstances to be private?
This legal test has both a subjective and objective standard. If an individual does not expect their actions to be private, then no right to privacy exists under the circumstances. Similarly, if society as a whole does not expect to have privacy under the circumstances, it does not matter what the individual may personally believe, no right of privacy exists.
For example, if a person calls her doctor to discuss medical test results, then she has a subjective expectation of privacy. If she calls her doctor from her home, then she has an objective expectation of privacy because society recognizes the right of people to have private conversations in their own homes. However, if she has the conversation on her cell phone while riding the bus, then she does not have a right to privacy because it is not objectively reasonable to expect privacy on public transportation.
Privacy cases also focus on whether a person has given either express or implied consent to disclose or use personal information. Express consent is often given in the form of contracts, including end user agreements. Implied consent is usually based on the person’s actions, such as a history of business transactions. In essence, implied consent means that a business has reason to believe that a person would give consent if the business asked for it. For example, customers who sign up for a loyalty program may give implied consent to receive marketing emails from that particular business.
While consent and the expectation of privacy are interrelated concepts, they are legally different concepts.
Congress and state legislatures have also passed various laws to protect the privacy of individuals and their property. Some of the most important federal laws related to workplace privacy are discussed below.
There is a growing trend among states to require internet service providers to obtain consent from consumers before sharing any of their personal information, including websites visited and consumer habits.
The right to privacy is contained in Article 12 of the Universal Declaration of Human Rights, which was adopted in 1948 in response to the horrors of World War II. The Universal Declaration of Human Rights states:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.
The Universal Declaration of Human Rights has been adopted by the majority of nations, including the United States.
Many other bilateral treaties and conventions recognize the right to privacy in various circumstances. Currently, about 150 nations recognize privacy as part of their international legal obligations. However, enforcement of the right to privacy is inconsistent across nations.
It is important for US businesses operating in Europe or conducting business transactions with Europeans to understand that the European Union (EU) has a comprehensive set of laws to protect the privacy of European individuals and businesses. The EU General Data Protection Regulation (GDPR) applies to all businesses, even located outside of Europe, that collect, store, or process data about any European. Under GDPR, individuals have the right to know how their personal data is being collected and used, to remove information from the internet, and to stop companies from processing their data. GDPR has significant penalties. For example, businesses mishandling customer information may be fined up to four percent of their annual worldwide revenue.
Under GDPR, businesses must comply with six data processing principles. Personal information must be:
- Processed lawfully, fairly and transparently;
- Collected only for specific legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Stored only as long as is necessary; and
- Processed in a manner that ensures appropriate security.