Professor Jane Winn recently published a chapter in the book, Challenges of Privacy and Data Protection Law – Perspectives of European and North American Law [Défis du droit à la protection de la vie privée] (Cahiers du Centre de Recherches Informatique et Droit, Bruylant, 2008).
Professor Winn’s chapter, entitled “Can a Duty of Information Security Become Special Protection for Sensitive Data Under U.S. Law?” discusses the United State’s approach to information privacy law. According to Winn, U.S. information privacy law is made up of a number of individual and very specific information security laws. Winn discusses the information privacy protections of the Fair Credit Reporting Act, the Video Privacy Protection Act, the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach Bliley Act, and the Federal Information Security Management Act, in particular.
Winn asserts that the United States' piecemeal approach to creating information privacy laws has created a “de facto” category of sensitive data. European countries, on the other hand, have opted instead for a “de jure” category of sensitive data, created in part by Article 8 of the EU Data Protection Directive, which establishes a special category of sensitive data that is subject to higher levels of protection.
Winn argues that emerging U.S. information security law “is not intended to prevent the collection and use of personal financial information, but rather to prevent clearly unauthorized uses. The commodification of personal financial information plays an essential role in the sociology of consumption in the US today, and few US consumers would support an information privacy law reform that would threaten to radically curtail their current consumption behavior” (p. 257).
To learn more about U.S. and European information privacy laws, check out Challenges of Privacy and Data Protection Law, available at Gallagher.
-- Rachel Turpin