Privacy Lawls with Donata
Ep. 3 | The History of Privacy — Part 2 (Guest: Kimberly Pack)
From the novel 1984, to U.S. amendments, how was privacy viewed during the pre-internet days?
We chat with Kimberly Pack, privacy counsel at United Airlines, to get a better idea of how businesses, governments, and society thought about privacy before the internet.
Show Transcript
Privacy Lawls Episode 3
Hello, and welcome to the third episode of Privacy Laws, where we’ll be discussing the history of privacy. This is part two of our discussion on the history of privacy, where we’ll be talking about privacy pre-internet. As we learned in the last episode, people have been thinking about privacy for a very long time, and privacy has evolved over the years as well.
So I’m very excited to talk to you all today about how privacy evolved after the novel 1984 to right before the internet. So today I’ll be interviewing Kimberly Pack, who’s the Privacy Counsel at United Airlines. Kimberly also worked as the Associate General Counsel of Privacy, Ethics, and Compliance at Anheuser Busch and the Director of Compliance at Prudential Financial.
Kimberly attended Spelman College, holds a JD from the Harvard Law School, and holds a CIPP and CIPM certifications. So Kimberly, thank you so much for agreeing to be on the podcast today. It’s great to have you here. Can you please tell us a bit more about your career and how you got interested in privacy?
Yeah, so I think I started my career actually in compliance and every aspect of my career had some touches of privacy, but I was more of a compliance professional or, or legal generalist. And ultimately I really. Saw how interesting privacy was from, like, the personal aspect of I care about how my own personal data is used.
I, you know, I’m reading other privacy policies. I’m seeing, you know, announcements of different data breaches and my personal information’s a part of it. That really made me be interested in privacy. And so I started transitioning my career. To have that privacy focus because privacy programs are really a compliance program.
And so I thought my existing skills would really be an asset. And then that privacy as it continues to evolve in like a meaningful way that it would be like a cool job to have.
It is a really cool job to have. It’s a really fun job, I think, because there’s so many things that are constantly changing. So you have to be. You know, always at the top of your game, always staying up to date with things, and all of that. You know, my first introduction to privacy was the target data breach. So I had a target card, and then I got a letter saying that my data was breached, and I was really, really confused about what that meant.
And really surprised that something like that could happen. I think I was really naïve at that point in time. So it’s interesting that you mentioned data breaches and all of that. It’s a fun job for sure. I definitely agree with that. So now that you work as privacy counsel at United Airlines, what is that like? Can you tell us a little bit more about what you do?
Sure. I think, you know, as a privacy attorney, particularly one that’s supporting A global program is that, you know, you’re, you’re trying to help the organization stay compliant with all the applicable privacy laws which, as we know, that landscape is evolving on an almost weekly basis.
So, on a day to day, there are tons of questions that arise from many different stakeholders, you know, the marketing colleague, loyalty, HR. Security other attorneys, and then you add like your international colleagues to the mix and then you, you also have the general administration of the maintenance of the program itself.
So you’re doing your PIAs and you’re doing your data subject access request, and you, you’re trying to make sure that that program is actually doing the things that it’s supposed to do. So, it’s, it’s varied and it’s very interesting. And so it’s, it’s a really enjoyable job.
That sounds very interesting because United Airlines is everywhere, right? You guys fly everywhere. So you probably have quite a few privacy laws to have to comply with.
Yes. United flies everywhere in a lot of different places. And sometimes it’s, you know, the only American airline in the jurisdiction, which is always interesting as well. And I think the other thing that’s unique about an airline is that.
We always would have to share information. You know, when we, when airlines are going into different jurisdictions, it’s a national security issue. And so countries want to know who’s coming and going. And so it’s, it’s as a part of national security. So we, we would. Airlines would never have options of not sharing that kind of information and that makes sense.
And I also think from the customer side, customers want to have a seamless experience, right? And so, as you fly with cold shares or other partners or other airlines, there’s this real importance that this information is kind of shared and people have like this seamless experience so they could, you know, enjoy their benefits of status or going into a lounge.
And so, It requires it means that a lot of data privacy laws are applicable to the, to, you know, to airlines. And so again, making the job really necessary for, you know, to continue to operate and to operate compliantly and to continue to build trust. Absolutely. [00:05:00] Yeah, those, those lounges are primo.
They’re very, very nice. So I totally get that. So can you tell us about, The most challenging aspect of your job. I think that’s I think we already hit it right this idea of Understanding what’s going on and being in the know, and certainly no one expects 1 person to know every single thing that’s going on.
But as a global privacy attorney, you are expecting to know a lot and to be able to issue spots as know when things are, you know, happening or. You know, identify with other colleagues what process might need to be happening or clarifying what we’re actually doing in a space and also when to bring an outside counsel, right?
So, you know, provide some more support or guidance or information, because again, 1 person can’t know 1 thing, but I think that ability to issue spot and to know a little bit about at least all the major places where you go, where there’s huge implications. So, like, Europe, China. So there’s some places where you [00:06:00] can prioritize, but yeah, that’s the hardest part is knowing all the things that are happening because there’s also laws.
That aren’t just comprehensive privacy laws that impact privacy. Right? And so there’s, we’ve always had some privacy requirements before we started getting all these other, you know, louder laws, like GDPR and all that we’ve always had requirements. And so some of them are innocuous and they could be small, you know, whatever they might be.
And so that’s the hardest part is keeping the note. But again, it keeps you on your toes. It really makes me reach out to the privacy community on a regular basis. And I really rely on folks like you who post religiously on LinkedIn every update that’s happening because I certainly couldn’t do it myself.
Well, I’m happy to do that. I’m happy to provide that service. I think for a lot of people and law students and attorneys working as privacy counsel at a company like United Airlines, it seemed like, you know, like a dream job to a lot of people. Do you have any tips for attorneys or even law students who want to work as privacy counsels in [00:07:00] large companies?
Yes, I think for law students, or even attorneys that might be switching careers. I really think that certifications are helpful. I know some people don’t like certifications, or they think they’re too basic, but I do think as a law student, or someone’s transitioning, it signals a few things, getting a certification, a privacy certification, it signals interest.
It signals that, you know, the basics of privacy principles. I think being connected to organizations like IAPP, the International Association of Privacy Professionals, gives you network, it gives you educational opportunities and I think that network piece is really important because those are the people who may be able to, you know, mentor you on some aspects or, you know, put a good word in for a job or identify things for you.
So I think, you know, starting to just be a part of the privacy community, Goes a long way, but I also think just the certification part really sends a lot of good messages. And you’ll see in a lot of job descriptions, even for very senior privacy [00:08:00] terms, they still say, you know, CIP preferred or, you know, CIP preferred.
So organizations like to see their privacy leaders have the certifications. So it’s definitely something worth looking into. Absolutely. I have the CIPP certification as well, and I gotta say it’s extremely helpful just from the information that you learn from getting that certification. It’s super helpful, and yeah, it looks like a lot of job placements do look for those certifications, so I totally agree with you on that.
So, let’s get into the history of privacy. So in 1948, the UN Declaration of Human Rights was drafted. So Article 12 says that no one shall be subject to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks on his honor or reputation. So how did Article 12 come about, why was it drafted, and how does it reflect the attitudes towards privacy at the time?
So I think what’s most interesting about [00:09:00] looking into this a little bit further is that It’s really not clear where this came from, which, which is the most interesting part of it all. It’s like, this idea that it made it in you know, from a recommendation of a U. S. person that really was limited to privacy.
You know, as a, in a private home and like, unreasonable search and things like that. But then, as you look through different revisions, you know, privacy In this declaration became like an umbrella term, like, this idea that you that people should have a right to privacy, which at the time to be in such a document, particularly international document was like a big deal because none of the other states countries, right?
Country states had privacy in their constitutions at the time. And so this is an international document an agreement that is. Offering privacy as a fundamental right, which was, you know, again, which is very interesting. And when you ask the question, what does it mean about the privacy at [00:10:00] the time? I’m not 100% sure.
I think when we look at the revisions of article 12. It was narrow at some points, it was an umbrella at some points at 1 point, it was completely taken out and there wasn’t a lot of discussion around it. So I don’t know if people were really even. Aware at the time, how fundamental and like a big deal, these changes and revisions were, but ultimately ended with this idea that people have a right to privacy as an umbrella, you know, and I think it’s interesting because in the US and other jurisdictions.
Up to this point, privacy was really limited to like your private home. And in some instances, correspondence like mail and things like that. And maybe your body maybe. Right? And so this idea, though, that you had some bigger, you know, unencumbered rights of privacy is like a really interesting novel idea in that article 12, it still was relied on by a lot of different declarations and articles that came out later [00:11:00] on.
And so it was just like a start of something really big. Yeah, it’s really a foundational document, right? And if we go from the idea that our mail is protected to everything around us is protected, you know, that’s a huge, huge expansion for sure. And in the U. S. in 1965, we had the Griswold versus Connecticut decision, which was issued by the U.
S. Supreme Court, and it said that couples have a right to marital privacy when it comes to contraception. And can you tell us a little bit more about that case and what it means? Yeah, so for this case, like the facts of it, you know, Connecticut had passed a law that banned the use of any drug, medical device or other instrument in furthering contraception.
And we have this guy in the colleges at the Yale School of Medicine, Lee Buxton, and open up a birth control clinic in New Haven in conjunction with Estelle Griswold, who was the head of Planned Parenthood in Connecticut, and they were arrested and convicted of violating the [00:12:00] law. And their convictions were affirmed.
By higher state courts, and it’s interesting because they actually plan. This is 1 of these early places where they’re planning to test the laws. So, the whole time there was a plan to use the clinic to challenge the constitutionality of the statute under the 14th Amendment before the Supreme Court. And what’s interesting here is that the court.
Acknowledged and affirm this idea of infirming privacy rights that are not explicitly enumerated in the Bill of Rights.
And so in this case, and this grid while Griswold case is determined that the marital relationship is this zone of privacy that this Connecticut law had unconstitutionally infringed upon. It’s interesting when you look at it today, it seems like we’re back to debating the same exact issues, which is.
It’s kind of sad, right? Like we’ve had this come out in 1965 and now it’s 2023 and we’re still kind of talking about this and still unsure whether or not [00:13:00] we will be afforded these protections in the future. So we’re kind of moving backwards almost it seems. Yeah, I think so. And I, I think it’s a really interesting idea in some of the more recent cases like Dobbs v.
Jackson Women’s Health Organization, which You know, got a lot of noise because it, you know, overruled Roe v. Wade and this idea of what the courts basically said was they didn’t this was too far to infer privacy in this way, but outside of just. Contraception or abortion, you know, these inferences of privacy have taken place in other things to legalize gay marriage, interracial marriage you know, the right to associate the right available of making freedom of.
Access to available information, so there’s these other places where the courts over time have inferred this privacy, right? And so if it’s going to be chipped away now, and it’s very interesting and it puts the, puts us all as [00:14:00] American citizens in a place to question what is the source of our real foundational privacy rights?
Because even as we look at, and I know we’re doing history, but even if we looked at some of the state laws that’s coming in place around privacy, it’s really about privacy collection. How we use is not about, it’s not granting anyone. A foundational privacy, right? And so this is a really interesting time to be looking at the history and seeing how it’s playing out today.
Yeah, so let’s talk about freedom of access to information. And in 1966, the Freedom of Information Act FOIA was enacted. So that provides that any person has a right to obtain access to federal agency records. So the act was proposed by Congressman John Moss after the cold war. And he believed that that led to a steep rise in government secrecy and the act was amended a number of times.
But what does the enactment of FOIA tell us about attitudes towards privacy and attitudes towards government at that time? Yeah, so I think, I think FOIA is a good place [00:15:00] where we see. From hearings and what’s going on that there’s this need to have some accountability with government. I don’t really see it as a big space for necessarily this enlargement for privacy more.
So, this idea that, you know, government might overstep and that there’s this. Need for federal agencies, because a 4 year again, only applies to records created by federal agencies that they need to be accountable. And so that people should be able to request certain records to again, hold these government agencies to be, you know, to account.
And to make sure that the citizen street is we’re informed, right? And that, you know, we, and having this in place would perhaps encourage, you know, these agencies from corruption, right? Because this will be a new way. For you know, of accountability and that these records, if you request them, you know, have to be disclosed, except that there’s some exclusion.
There’s like a bunch of weird exclusion. I think I talked to you about this [00:16:00] before that 1 of those exclusions is dealing with whales, which is completely random and I will not bore anyone with that. But 1 of the exemptions relates to wells. It’s, it’s crazy. I think it really kind of says that at that point in time, people were really concerned about their privacy when it comes to the government, right?
Is the government spying on me? Is the government doing something they’re not supposed to be doing? You know, things like that versus now, it seems like there’s a bigger shift towards being concerned about what companies are doing with data. Do you kind of agree with that? Do you see that? I do agree with that.
And I do think, and I do think that some of the limitations and some, you know, and some of the things that we’ve looked to for privacy, like the 4th Amendment, things like that. It’s really about government actions. And so, you know, having the ability to see what’s out there and to again, hold government to account.
Is important and this [00:17:00] was like novel in some ways, right? To have to be able to get access, though. It’s still limited, right? So you still can’t request these from other judicial branches or courts or things like that. But it’s a start, right? It’s an important start to getting access to, you know, what information is being held by the government.
It’s interesting as well, at least from what I’ve noticed, I’m a huge fan of like, true crime podcast, right? So I’ll do puzzles and I’ll listen to true crime podcast because I’m 100. But, you know, in those true crime podcasts, they say we filed a FOIA request to gain information about this case, but we couldn’t get the information because it’s an open investigation and they refuse to share it.
So there do seem to be limits to FOIA as to what you can and cannot get. For sure. But let’s go back to the U. S. Supreme Court. So 1967, Katz v. United States. So there, the Supreme Court extended the 4th Amendment protections against the lawful searches and seizures beyond the individual’s home and property.
So they expanded it [00:18:00] to anywhere a person has a reasonable expectation of privacy. So what do they mean by reasonable expectation of privacy? I think what they’re meaning here is any place where you wouldn’t expect some interference from the government, or, you know, extending that to companies and things like that at some point.
Right? But I think it’s important to remind what the facts were of this case, because here we have, you know, Charles Katz, who is, you know, in California, and he’s being suspected of being part of this wagering, this illegal wagering crime ring and he. This case is brought to, like, the District Court for the Southern District of California, and he has this 8 count indictment, charging him with transmitting wagering information by telephone from Los Angeles to Miami and Boston in violation of a federal statute.
And then at the trial, the government was permitted to introduce this evidence of, of cats and of telephone conversations overheard by [00:19:00] FBI agents. Who had attached an electronic listening and recording device to the outside of the public telephone booth that in which he had placed calls, and he had objected to that.
And ultimately, he was convicted and here we go. Right? Where that’s, you know, that there was no violation. He was convicted with this no violation of the 4th Amendment because there was no physical interest into an area occupied. By, you know, by cats. And I think to your point, this expansion here is where privacy kind of first originated originally was really just your house.
It’s like this real separation between your public life. In your private life and what you should be able to do in your home and so to have cats on the phone and a public phone booth outside and the FBI being able to tap that and the court, the Supreme Court coming back and said, no, no, no, there was an expectation of privacy.
There is. It’s not. It’s unreasonable for him to have thought right that this would not be private conversation. It’s truly a really big deal of [00:20:00] expanding what. What was covered before what was what types of things were thought to be covered before again, usually limited to your own house or your body and stuff like that.
And so this was a really good case and a really interesting 1 again, and expanding how over time, a court might. Look at our bill of rights and what what privacy might mean for us. It seems like really during this time, the, the Supreme Court really said, Hey, this is what we were thinking privacy was, but now as times have changed, we need to expand that definition to afford people additional rights and additional protections, which I think is really interesting that that’s what was happening at that time.
It seems like people are getting more privacy rights, more information about what the government was doing. Things like that, which I think is really cool. And I think that brings us to 1972, and the Griswold protections being expanded. So Eisenzart versus Bard, [00:21:00] guaranteeing the right of unmarried couples to possess contraception.
So Griswold and Connecticut covered married couples, but now we’re covering unmarried couples as well. What are your thoughts on this?
So, yeah, I think you’re absolutely right that this court, even though it’s not resting its decision on this expanded privacy, right? Because it really holds it based on the 14th amendment. It still took the time in. In this opinion to really affirm that there are these.
Inferred privacy rights. It really affirms that Griswold still stands and that people have fundamental privacy rights. And I do think that was important to have. So I think there was this desire to continue to solidify this idea that we all have fundamental privacy rights in the Constitution. Yeah, absolutely.
And I think it’s still, it’s interesting to know, you know, at this time. Families were a little bit more traditional, [00:22:00] right? You had the, a male and a female getting married and having children. But I think it’s, it’s really interesting how this court kind of recognized the fact that unmarried couples may be engaging in relations as well.
Even though maybe it wasn’t talked about as much as like a proper thing to do at the time, but it was still happening. So I think it’s interesting that they’ve kind of, you know, tried to keep up a little bit with it at times, acknowledging that. Yeah, and I think you just made me remember something that was in it because Griswold created this like zone of privacy and marital relationship.
And this case does expand on that. Say no, as individuals, right? We would want to have this privacy right to contraception and that’s notable as well. Yeah. So trying to expand from just the married people in this zone of privacy to expanding into individuals is a, is an important development with this case.
Absolutely. So let’s talk about FIPS. That’s a very common term heard in the privacy world still, even after all these years. [00:23:00] But in 1973, the Department of Health, Education, and Welfare came out with a report listing the Fair Information Practices Principles, otherwise called FIPS. So can you tell us a bit more about FIPS and how it impacted privacy and whether or not they’re still used today?
Yes, I wanted to go back to the report, right? Itself. So there’s this report, which he was the Department of Health, education, welfare, and they did a report based on, you know, changing times. The fact that computers are being used and all of this record keeping is happening. And so they had this report entitled the records, computers and the rights of citizens.
And the, the object of this report was to assess. Any harmful consequences that may result from this automatic personal data systems, this record keeping safeguards that might protect against those harmful consequences, what the redress might look like, and particularly policies and practices on the issuance and the use of the [00:24:00] social security number.
And so part of the recommendation in this report was that there should be. These fair information practice principles and these principles, there were 5 basic principles, which. You know, they did a miss sentences, but to keep them kind of like 1 word or 2 words, there’s just transparency and there’s notice.
There’s purpose limitation, this ability to correct and amend your record. And then that the owner, the organization that’s creating or maintaining these records have data quality and security. And so these. This is really setting a foundation for how government agencies should treat, well, even beyond that though, how information should be treated, personal information should be treated, and what information and access and rights individuals should have.
And I, and I think this was really helpful because. Actually, this is coming from the U. S. And I think [00:25:00] sometimes the U. S. doesn’t get sometimes credit for some of the developments in privacy. We’re often U. S. seems to be often compared negatively to the Europe, but these principles ended up being, you know, used to back, you know, international standards.
And this was, these were pretty, Transformative at the time to create kind of this framework that ends up being the framework for, you know, other US laws and privacy laws and other ways that federal agencies use this type of information. But again, even internationally, the, they are borrowed as they try to set laws and standards and other jurisdictions.
I can’t help, but say that I wonder if a lot of the legislation that’s being written today is. It’s based somewhat on FIPS as part of like our collective conscience, not necessarily as, you know, they looked at FIPS and said, Hey, these are the principles we want to borrow. But just hearing about the principles like [00:26:00] transparency, right?
Every privacy law has a requirement for a privacy policy or privacy notice or privacy rights. You know, a lot of them have the right to access or the right to delete. So maybe this is just part of our collective consciousness now and isn’t the new laws aren’t necessarily based exactly on FIPS, but that information is being used to guide what should be in those laws.
Yeah, I think so. And I think, I think the idea of, you know, as privacy continues to get refined that even if we look at this time, it was literally like, hey, we’re using computers like technology, even in 19, You know, in this year, right? We’re like, they’re like, oh, technology is pushing us in different ways.
We’re having new access to information. It’s not paper anymore. And and what does that look like in grappling with that? And I think as technology continued advances, it’s the. The thing that will continue to have us ask lots of questions, and even about identifiers, I think the fact that this report focused on.
The uses of social security numbers also goes to how purpose of information changes and how that could have [00:27:00] negative effects like the social security number. Originally, it’s 1 purpose was to be able to track how much money you put into your social security account. And then a few years later, you know, there was an executive order by Roosevelt to use it.
Just as an identifier, generally speaking, across all these agencies, so this expansion of how we use data and how, you know, how identifiable information is used. And so now we have these, this, this identifier for all of us that we didn’t opt into. It just happened to us and then it’s used all kind of different ways.
I mean, there’s a period in time where we had our social security numbers on our driver’s licenses on. School university IDs, and it was just using this very important number, you know, haphazardly. So it’s I think that conversation around that report and what kind of drove it is some of the same conversations we’re having today around new technologies or new ways of trying to identify a person or simplify or make a process efficient by having some kind of unique identifier.
Yeah, maybe now we’re moving from social security [00:28:00] numbers, which can be changed, used as an identifier to biometrics, you know, things that cannot be changed. But I do remember some years back, there was a CEO of some company that provided like credit reporting and protection against identity theft.
And I think he rented a billboard that he would drive around with a social security number on it. touting how great his company was and how secure the information was that even if it was on a billboard it couldn’t be stolen and I think within a couple days it was stolen and he was the victim of identity theft.
So yeah. Yes, I mean, if there’s no other points, please don’t put your social security number on the billboard. I think that is a fantastic point. Yeah. Lesson number 1. So let’s talk about some a little bit more specific laws at this time. So, 1974, FERPA was passed. So that was safeguarding the privacy of student education records.
Can you tell us a little bit more about FERPA? Yeah, [00:29:00] so one of the things that’s interesting Again, I always go back to, like, why something happened. And so with Ferber in particular, there’s this junior senator at the time from New York, James Buckley. And he has these concerns that’s risen from the abuse of powers from Watergate.
And also, interestingly enough, an article in the Parade magazine titled, How Secret School Records Can Hurt Your Child. And in this article, it details the story of a junior high student who wasn’t allowed to attend graduation ceremonies because the student had been deemed quote, unquote, a bad citizen.
And when the parents asked the school, you know, well, what has, you know, our child done? The principal basically said, yes, she has a record, you know, that’s a whole file that shows her being this quote, unquote, poor citizen, but you guys can’t get access to it. And it was this kind of particular matter actually got a legal hearing, like the parents went up to the New York state commission on education and and that commissioner disagree with the school and concluded that, you [00:30:00] know.
If nothing else, it’s really apparent that no 1 had a greater right to such information than parents. And so this is a backdrop where the Senator Senator Buckley here introduces this family and educational rights and privacy act. And funny enough, it was added as an Amendment to an already. Standing general education provisions, so there’s not a lot of discourse on, like, what people thought about, but it basically has, like, 2 parts.
1st, it gives students the right to inspect and review their own education records, request corrections, things that, you know, we’ve talked about before, like, be able to hold the release of certain personally identifiable information and obtain a copy of the records and their institutional policies concerning access to the educational records.
And then, secondly. It prohibits these educational institutions from disclosing personally identifiable information and educational records without the written consent of the student, or the student is a minor, the student’s parents and then if a school failed to do so, they could, [00:31:00] they would risk losing federal funding.
And so I think this one is really interesting. One, there’s lots of exceptions, you know, as a lot of laws tend to have, right? So there, there are exceptions to this, including like, you know, sharing with other schools. The school wants to attend and for financial aid and to comply with a judicial order.
But this was still really very interesting that. Here, it’s not necessarily like a government agency, but this is like educational opportunities where people feel like. The schools are creating lots of records on students, and some of it could be superfluous, some of it could be, you know, inappropriate, or they’re making decisions about stuff, but it’s a secret, and this shouldn’t be.
And so to make this stand and say, no, no, in this space, you know, they need to disclose it, I think was a very interesting development in privacy as well. I think that could be, you know, it’s such a subjective space in school, right? Like the grades that you get are the grades that you get. But let’s say you ask a teacher a question they didn’t like, and all of a [00:32:00] sudden now you’re a troublesome student when all you were trying to do was learn.
I think it’s so important to have access to those records because those records could follow you into your further career, right? Like, you’re trying to get into a college that you want to get into but your file says that you’re a troublesome teen because you asked a question that somebody didn’t like.
You know, that can really affect your opportunities further in life, like the job that you get and, and all of those things. So, I think that’s very, very important. Especially for, for young students who are learning how to behave in life, right? They’re not going to act as adults because they’re not adults.
They’re learning how to be adults, you know what I mean? So, having that ability to view those and correct those and have that right to be heard. Yeah, very important for young people, for sure. And I think it’s also interesting that before this schools didn’t have obligation to share. Like, that just seems weird today to be like, hey, I’m creating a whole record on your child and you, but you have no access to parents or the child.
This is just for us. It’s just a very interesting position that schools [00:33:00] really did take. And so this was actually very needed because people were having these types of issues and getting access to this information and schools are so important to. Our society and that they were kind of being off their authoritarian around this information and making decisions and, you know, really having a real impact on folks like you already noted.
Yeah, absolutely. So then after for we have the privacy act of 1974. So that governs the collection, maintenance use and disclosure of personal information, but us federal agencies. So how does that reflect attitudes towards privacy at the time? Yeah, so I think this one is really similar to FOIA, right?
In the sense that here. Again, this is coming off the Watergate scandal still rising growth of use of computers to store public information. This act is really the purpose is to give individuals a right of access to records about themselves. And it also [00:34:00] allows individuals the right to amend these records about themselves versus FOIA, which was really about making sure that.
You were able to get access to information from these federal agencies. And so when people would file something now, you should file on the both for you and the privacy, right? Act to make sure you get access to the largest aspect of it. But I think, I think this is also another point in time where, you know, legislators are reacting and responding to abuse of power.
And I do think that. Yeah. Well, we have these things and points of time where people say, wait, wait, wait, this is not how we want things to be. And so to be able to get this information about yourself and importantly, to be able to correct, especially since again, the government agencies get to make a lot of decisions about us in times.
And so the information is not correct. There could be real harm to an individual. And so I think this was a very important and notable step to again, giving access and being more transparent and. Yeah. [00:35:00] And provisioning more rights to access between people in the government. Do you get the sense that at this time, a lot of the privacy actions that we had in the United States were based on correcting very specific harms?
Or do you think that the US looked at privacy more broadly, and we’ve kind of talked about, you know, access to contraception, educational records, information maintained by the government. Those seem like very specific harms. Yeah, and I, I think that’s, I think that’s been the approach and I think that’s what we see because we still in the U.
S. particularly don’t have a federal comprehensive privacy law. I think it’s, it’s, you know, at best at the federal level sectoral where, you know, we have HIPAA and we have, you know, Grammys by Lee and then we have this hodgepodge of constitutional rights that we’ve gotten through the court system.
And then the legislative laws that have come out have been quite reactionary, right? They something that’s happened and people said, no, we don’t want this. This is against [00:36:00] our conscience. This is not who we want to be. And so they take to pen and paper and, you know, pass some law, which. You know, where we are today, politically, it’s a really hard thing to get done.
So, as we consider, you know, us not having this, you know, as a fundamental right spelled out somewhere. And if we would have to look, if the courts are become unwilling to infer, you know, privacy rights where there aren’t explicit, then we would be looking to rely on, you know, our legislators to actually draft laws that really convey and without question, give us these fundamental rights.
And. Thank you. And I’m not sure our current legislative body is up for that challenge. So that’s a little concerning for me as an individual and U. S. citizen. Absolutely, I mean, they presented the, which is supposed to be a comprehensive federal privacy law. It didn’t pass. It didn’t even come close to passing.
And I think they’re thinking about re, introducing it with some senators want to add provisions in there at the last minute. It’s not a [00:37:00] great system and that’s why we have the state patchwork of privacy laws that keeps us privacy professionals super busy and always scratching our heads about what’s coming next from, from what state, but getting back to the 1980s the OECD issued guidance on data protection so they issued the guidelines Guidelines on the protection of privacy and transporter flows of personal data.
What were the purposes of those guidelines? I think just what we just talked about too, is that this reactionary parts. So I think what’s happened at this time are different countries are restricting. You know, personal information from transferring outside their borders, and it’s having an impact on business.
So let’s be clear that some of this is originating from trying to get some consensus and agreement on being able to allow trans border flows of personal data, but. The is the organization of economic cooperation and development, and it has 30 member countries to [00:38:00] address economic, social and environmental challenges of globalization.
And these guidelines had 2 main purposes is the main purpose was 1 to reflect privacy standards and 2 to advance the free flow of information between member countries. And so these guidelines really are building off. The fits that we talked about before, so they kind of revise them, but there’s, it’s clear that that you report and that in the code of fair information practices, it’s really built on here.
And so they end up having 8 principles, the collection limitation, data, quality, purpose, specification, use limitation, security, safeguards, openness, individual participation, accountability, all things that. You know, you could have inferred from the report and things that we even confer, we can see in other legislation or other declarations or privacy laws that come past 1980.
And so. You know, that’s that on the prints on the privacy side, and then on [00:39:00] the trans border flows of personal data side, they basically are trying to get member countries to think about one another when it comes to the process in a real exporting personal data and to, you know, take reasonable steps and reason, you know, appropriate steps that the data flows are secure and reframe from even creating laws against, you know, that in which unduly, you know, hinders such transfers again in the In their purpose of, you know, advancing this cross border data flows, data flows.
And, you know, the only other thing I want to note is that in this, they do refer to data controller as a term and then defines it. And so because the U. S. is a part of this, I just thought it was interesting that we totally could have went in the other direction and always used the term data controller.
And I’m looking at California for intentionally not using that term. Yeah, we’ll talk about data transfers in a little bit in our privacy news segment, but the United States has struggled with that the last couple of years for transferring data [00:40:00] from the EU to the US. And I think a lot of people don’t think about the economic impact of that, which is absolutely huge.
If you’re a US company and the entire European market is completely, you know, shut off for you because you can’t transfer data and process it back in the United States. To provide even, you know, products or services that you provide, not even doing anything crazy with it. That has a huge economic impact potentially, which is why I think they were so quick to try to come up with a solution to that.
But we’ll talk about that in the privacy segment. Let’s finish this part off. Overall, how do you think that attitude source privacy differed pre internet and post internet? Are the things that people worried about different? Are the threat actors different? You know, how do people feel about privacy pre internet versus post?
You know, I think there’s a common thread, regardless of the time. I think, I think [00:41:00] that as more and more technological advances happen. And so technological advances included like a telephone booth, right? So that’s pre internet, but it was a new technology. It created a new. Experience for us within society.
And as as I think what technology does is continue to have us converge what’s a private life and what’s a public life, particularly with the Internet, because now. Because of social media and the way we engage with each other, like, what, what is actually private if you’re putting something on LinkedIn or what’s actually private if you’re putting it on Facebook, even if it’s just what your quote, unquote, friends and family is not on a public setting.
And so I do think that I think the core is always going to be that people want. To be able to keep close and secure and personal and private those things that matter most to them, and that could be. Questions about, you know, their affiliations, you know, their sex life, who they choose to marry, love those kind of things, but also [00:42:00] particularly around their personal information and how people use that information.
I think, I think even pre Internet, people would have cared about that, which is why we had some things around social security numbers and things like that. And so I think. The thing driving it will continue to be. Technology, as we continue to use new technology, see new technology, but I do think the thoughts.
Are the same, I do think that’s why. You know, article 12, having an umbrella privacy, right? Is important and I think it’s the right way to go because I do think inherently we all feel like we, we should and we want to have this, this fundamental right to privacy. And so. I think, like I said, I think the thread throughout is the same, and just the way it looks is going to be different as technology impacts what our access to, what our access to things are.
I totally agree with that. And I think, you know, everyone wants a fundamental right to [00:43:00] privacy, whether or not they realize it, and whether or not they actually use that right. Because, you know, when you do need to use that right, that’s when it really becomes important. And a lot of times that’s when it becomes too late.
Right is once that information is breached or abused or used against you or any of that at that point It’s already out there. You can’t take it back You know, unless you have a right to to be forgotten. Maybe sometimes years later. You could take it back from those Google search results But you know those things affect you and I think now a lot more people know that information Right like back in the day if you did something stupid, maybe only your parents know But now, it could be millions of people now, right away, even without you intending that.
So, I think it’s, the landscape has changed in the sense that it involves more people. You know, you can’t really run away from, from certain things anymore. So, thank you so much for sharing your thoughts into the [00:44:00] history of privacy. In our next episode, we’ll be talking about the history of privacy from 1980 into our modern era, taking a specific look at how the proliferation of the internet affects privacy.
But let’s talk about our last portion here, which is our privacy news segment. So the latest news in privacy is that the Department of Justice and the Office of the U. S. National Intelligence Director announced the completion of the commitments. And so EU US data privacy framework, and the framework has since gone into effect.
So can you tell us a little bit about why that’s important and what it means for businesses? Yeah, so now that a final adequacy decision has been adopted in the form of this EU-US framework. That is able to flow freely and safely between the EU and the US companies certified, of course, by the U.S. Department of Commerce.
And so. U. S. companies will be able to join this framework by committing. To comply with the detailed set of privacy obligations. Now, [00:45:00] the thing is eligible organizations include those regulated by the Department of Transportation, but this really helps because I think. A lot of companies in the U.S. has been in this limbo process where again, we talked about the economic impact, you know, being able to. You know, process data and even to transfer data. It’s really key to a lot of our business. Europe is a very big market for a lot of multinational, you know, U.S. corporations. And so to feel like you can’t.
Do that securely, you can’t do it based on, you know, things outside your control, which a lot of that is around, you know, us government surveillance and us government practices. So this is a really, I’m assuming for most people really welcomed development and I’m sure most people are trying to get over to that D.F. That program and self-certified, particularly those who might have already certified under the previous transfer mechanisms, privacy shield, you know, have a little less lab work to do. But this is a really big [00:46:00] deal. And then I’m sure you have something to add, but, you know, and what does it mean in practice, given that this mechanism is the 3rd attempt.
At a data transfer mechanism that’s still left to, you know, be seen since state power and private shield were both, you know, invalidated in the past. But for today, this is a very good welcomed development. I think a lot of us are excited, but we’re also very cautious and kind of holding our breasts to see if max rams and N.O. I. B. Decide to challenge this, this new framework and what that’s going to look like and whether or not it’s going to be invalidated. So I’m wondering, you know, whether companies are really going to put their full effort into that certification until it has been challenged and it has been decided that it is sufficient to hold up.
Because if you do invest, you know, hundreds of thousands of dollars and then the next day it’s invalidated, you know, I’m sure some of that work could be reused for your existing privacy program. But some of it may also just go out the window. [00:47:00] So people have to be cautious about it. Right. And I agree. And I wouldn’t even advise, you know, it’s, it’s a strong consideration for some companies who might want to stop using, you know, the standard contractual clauses, if that’s something you might.
Some companies may decide they want to continue to have for that very reason to have just like some another transfer mechanism that they’re trying to hold fast to again, even companies who are really in earnest trying to comply. It’s a really great area because if history repeats itself, we might be revisiting this and.
Maybe there’ll be a fourth and final attempt, or maybe this will be what it is every few years. We’ll get some mechanism that works. We’ll all rejoice. And then we will regroup when it’s invalidated and and come up with something else. But I do think I think the hard thing is, I think the true thing is that business will continue.
I think people want business to continue and it’s just about trying not to be, I guess, the organization that’s the face of all this. And, and to try to, you know, do the best you can to [00:48:00] comply with what’s, what’s legal and lawful today. Yeah. Well, Kimberly, thank you so, so much for talking to me today.
This was absolutely wonderful. For those of us listening, please make sure to subscribe. We’ll come out with our next episode talking about privacy in the modern age meaning post-internet, but yeah, Kimberly, thank you. Thank you. This was super fun.