Chapter 6:Privacy and Freedom of Information

6

Privacy and Freedom of Information

---

6.1 INTRODUCTION

Chapter 5 discussed how the United States and Germany differed in their approaches to resolving the tensions between formal and substantive values.¹ Both countries subordinated the formal value of free speech to certain substantive values, but in the case of the United States, the trumping substantive value was an aversion to pornography, while for Germany it was an aversion to hate speech and its Nazi overtones.

This chapter examines potential tensions between another substantive value (privacy) and a formal value (transparency in government, as exemplified by notions of "freedom of information," or FOI). The situation is not quite the same as that in the earlier chapter, however. Free speech is more or less understood in the same way in both nations and it enjoys explicit constitutional protection, which can be abridged only in very limited circumstances. Privacy, on the other hand, is not interpreted in the same way in the two countries and, at least in the United States, arguments continue as to whether it enjoys constitutional protection.

Freedom of information is also interpreted in different ways in the United States and Germany, and is not explicitly protected in either constitution. How privacy and freedom of information are actually interpreted in the two countries determines when and how they are in tension as values. What kinds of information are explicitly designated as public in the pertinent statutes, and, at least in the United States, what protection of privacy is provided for in statute, determine when and how they are in tension as a legal matter.

Although neither nation protects privacy or freedom of information as strongly as it does free speech, to the extent that they do provide protection Germany puts greater emphasis on privacy and the United States favors transparency. Germany, and Europe more generally, have comprehensive systems of law and regulation in place to protect privacy. The United States, by contrast, has a patchwork of incomplete protections. With respect to freedom of information, the situation is reversed. The United States has a comprehensive system that provides the public with access to an enormous range of information and data, while Germany has a patchwork system.

With respect to freedom of information, both countries rely on ordinary legislation rather than constitutional law to specify which documents should be accessible to the public and under what terms. The situation with respect to privacy is somewhat different, in that German constitutional jurisprudence does recognize the right explicitly and many American scholars argue that privacy protection is implicit in a number of constitutional provisions. Nevertheless, here too legislation plays the more important role in defining the meaning of the right.

A further distinction between the tensions described in this chapter and the one addressed in the preceding chapter is that the threat to privacy does not necessarily come about because of information made available by the government; it often derives from information collected by and/or shared between private parties.²

Privacy and freedom of information are not always in tension; in some instances, society's commitment to freedom of information is the key to maintaining a person's privacy. That is, if an individual can invoke FOI rights to learn what personal information the government holds about him or her and how it has used the information, the government can be held accountable for any misuse. Thus, the person can effectively exercise some control over abuse of the information, which is one of the important dimensions of privacy.

In many other cases, rights to privacy and FOI rights do not intersect at all--for instance, data on the performance of the economy, on land use, or on a host of other issues of importance to governments are not obviously relevant to privacy.³ In other words, to the extent that privacy refers to keeping personal information private and under the control of the individual with whom it is associated, privacy rights need not conflict with the free disclosure of information relevant to the workings of government. Even in these cases, however, the formal value of transparency of state activities is not necessarily viewed by governments as an unalloyed good. That is, a question arises concerning the extent to which governments need to be able to deliberate in private or to control the release of raw data to prevent public panic (one end of the spectrum) or provide a desired spin (perhaps the other end).

But despite these caveats, privacy rights and FOI rights do, in many instances, come into conflict. In these cases, privacy is in conflict not only with the formal value of transparency of state activities, but also with the public interest (e.g., in the prevention and prosecution of criminal offenses) or commercial interests (e.g., in the collection and exploitation of data).

Global networks such as the Internet have raised the stakes significantly for both privacy and freedom of information. Clearly, they facilitate dissemination of information held by both public and private institutions. But perhaps even more significantly, the capabilities of computers and software to mine, sort, and reorganize data have increased the ability of many institutions to exploit that information. They can more readily put it into useful formats and tease out of disparate databases comprehensive and accessible profiles on private individuals and the actions of governmental bodies.

6.2 PRIVACY

6.2.1 The Values Involved

Privacy is the epitome of a substantive value. It encompasses ideas of autonomy, dignity, and personal freedom and control, and it provides protection for the individual. Box 6.1 describes examples of what might be regarded as violations of privacy.

Privacy is different from secrecy and confidentiality. Secrecy is a functional concept, requiring an agreement on the part of those who are party to some information to not share it with others. It generally does not require (or seek) the sanction of society, merely the commitment of those who share the information. Confidentiality is a more formal and social concept, a set of rules that govern the use of information held by institutions about individuals and the conditions under which that information can be shared. Privacy is quite distinct from both of these concepts; it refers to the right of individuals to control information about themselves--to keep it secret or to share it with others only as they see fit.

Although privacy in essence serves individuals by protecting and empowering them, it also serves society and government. When a person believes that his or her privacy is threatened, that individual may become defensive, minimizing personal exposure by being cautious about expressing views and disengaging from society as much as possible. But because democratic societies rely on full participation and free expression by its citizens, the threat that gives rise to the individual's defensiveness becomes a threat to society as well.

Obviously, privacy is not an absolute right. For example, commitments to maintain privacy may conflict with free expression (if, for example, that free expression might divulge private information). Societies have asserted a need (and therefore a right) to gather and use information about individuals for such purposes as taxation, census, and health; to hold people to their obligations as citizens; to serve them in accordance with their entitlements; and to support law enforcement efforts. Such societal assertions must be balanced against the desirability of the personal right of individuals to know what information about them is being gathered and used; in that way, they can monitor the conformity of such use to law, and control any uses beyond those sanctioned purposes.

Private institutions or other individuals do not have a constitutional right to violate an individual's privacy, although they may gain the privilege of using someone's personal information in certain ways under a contractual arrangement with that person. (On the Web, personal information is often collected under a theory of "implied consent," in which use of a Web site grants the site operator the right to collect certain personal information automatically through "cookies" and the like (Box 6.2).

To illustrate the conflicting pressures, it is instructive to compare disclosure policies for health records with policies for pizza-delivery records. There are many users who can legitimately argue for access to patient health records without the specific authorization of the patient. In order to meet a number of social, economic, and health needs, a society may allow access to some parts of health records by public health authorities, health researchers, fraud and abuse investigators, accreditation firms, and even law-enforcement agencies under some circumstances. Actually, electronic databases may provide for greater privacy protection in these instances than traditional paper records because it is easier to limit access to only certain parts of the patient record. For pizza-delivery records, on the other hand, it may never be appropriate to allow for any nonconsensual disclosures because there are no overriding societal needs that justify it.

The privacy interests of individuals are likely to be greater in their medical records, however, than in their pizza-delivery records. And, the public uproar over unauthorized release of medical records is inevitably much larger than in the case for pizza delivery records. Confidentiality of medical information has also been regarded as a prerequisite for free and candid discussions between health-care professionals and their patients. For these reasons, a culture of resistance to unauthorized disclosure of medical records is common in the health profession.

6.2.2 German and American Perspectives

In 1983 the German Constitutional Court summarized the underlying value balance as follows:

The individual . . . has the right to know and to decide on the information being processed about him. At the same time, as a social being the individual cannot avoid becoming the object of information processing. However, limitations to his basic right have only to be accepted when there is an overriding general interest and if that interest is molded into a law that follows the basic requirements of clarity and proportionality. To protect these principles a number of safeguards are required; these safeguards consist of data processing principles (correctness, timeliness, purpose limitation, fairly and lawfully obtained), derived rights (access, correction), and organizational safeguards (independent institutions).⁴

In the United States, the development of privacy policy has been slow and uneven, with the privacy of information collected and held by government receiving much more attention than information collected and held by private companies and organizations. For example, the Privacy Act of 1974 (P.L. 93-579) and the subsequent Privacy Protection Study Commission both focused on information collected and held by the government as the potential misuser of personal information. The Privacy Act in particular provides a broad policy framework for privacy relevant to such information.

Some specialized privacy protections applicable to nongovernmental entities emerged in the 1970s and 1980s, including the Fair Credit Reporting Act of 1970, the Family Educational Rights and Privacy Act of 1974, the Cable Communications Policy Act of 1984, the Electronic Communications Privacy Act of 1986, and the Video Privacy Protection Act of 1988. The privacy of health information was addressed in the Health Insurance Portability and Accountability Act of 1998 and the Children's Online Privacy Protection Act of 1999. However, U.S. privacy policy remains unsettled, in part because of concerns about the costs (and other burdens) of compliance, ambiguity about the appropriate application of underlying philosophical principles (property and free speech, for example), and unresolved political clashes between those who collect and process data and those who advocate for broad privacy protection.

As the above paragraphs illustrate, the United States and Germany (which is much like the rest of Europe in this respect) approach privacy from very different political and legal traditions. The German approach is rooted in its experience with totalitarian regimes and military occupation, which has given rise in Europe to a strong antipathy toward, even an anxiety about, invasions of privacy or illegal surveillance. On the other hand, Europeans, and Germans in particular, tend to trust their government more than Americans do and turn to it to protect their interests. Thus the first data-protection law in the world, the Hesse Data Protection Act, was passed in Germany in 1970, and it established an enforcement structure that became the model for data protection all over Europe. The act created a governmental structure to preserve each individual's privacy rights, and it stipulated that the data-protection officer established under this act, though formally a public official, would be independent from all other branches of government.⁵

As importantly, the willingness to trust government has made it acceptable for German privacy law to take a comprehensive approach. All record keepers, public and private, have to comply with fair information practices (Box 6.3). Although earlier laws imposed different rules on public and private record keepers, more recent legislation dealing with the Internet largely removes that distinction. The 1997 Teleservices Data Protection Act⁶ implementing the European Union directive on the protection of privacy in the telecommunications sector,⁷ and the 2001 amendments to the German Federal Data Privacy Act⁸ implementing the 1998 European Union's directive on data protection,⁹ apply to private companies and individuals as well as to public authorities. German law does distinguish between privacy ("Schutz personenbezogener Daten") and business secrets, providing less protection for business secrets on the argument that the individual rights at stake are not of the same order.

By contrast, the United States has a populist mistrust of governmental institutions and a strong tradition of relying on market forces not only to regulate the economy but to serve many social needs as well. Thus while the U.S. Congress has adopted legislation to protect personal privacy from encroachment by federal agencies,¹⁰ the regulation of private industry has moved more slowly and in a piecemeal manner. In practice, the U.S. norm is a patchwork of legislation and court decisions arising from episodic scandals and political pressures from both industry and privacy advocates. Thus, highly specialized solutions have been crafted for different technologies (e.g., statutory regimes specific to the protection of postal mail, telephone communications, e-mail, and other Internet communications) and for different subject areas (Box 6.4).

Finally, in U.S. law, privacy--that is, the control of one's personal data--is basically understood as a property right. Individuals can transfer or sell their property rights to a firm interested in its use or even to government, provided that the transfer is voluntary and the terms and conditions are fair. But the traditional European approach treats individuals' interests in data about themselves as an inalienable liberty right--that is, a right that cannot be given up, even voluntarily.

Yet despite the differences in legal traditions, both Germany and the United States over the last 25 years have developed what have become known as "fair information principles" that reflect substantial agreement on basic issues. This common ground is summarized in Box 6.3. The question is whether these commonalties--coupled with the strong linking forces introduced by global networks in general as well as the more specific desire to exploit them for commercial uses--will ultimately lead to harmonization, in which the United States moves toward the more comprehensive and integrated approach to privacy that is prevalent in Europe.

If privacy is to be protected by direct legal enforcement, then there are two possible approaches (regardless of whether privacy rights are characterized as property or liberty interests). The first approach is to establish independent governmental data-protection authorities responsible for monitoring and enforcing fair information principles, as is done in the German system. This approach avoids the high transaction costs, and the difficulty of proving cause and establishing injury, that may make individual enforcement illusory. However, as a practical matter, it is difficult for publicly funded enforcement authorities to handle all individual complaints.

The second approach is to allow individuals to bring lawsuits to protect their privacy rights and to recover damages for injuries resulting from violation of those rights. This approach decentralizes enforcement of privacy rights, but it may not be efficacious because it is difficult to prove cause, and the stakes involved in any particular invasion of personal privacy may be so small that individuals are unwilling to pay the costs of litigation (though efficiency can be increased when numerous injury cases are grouped into class actions).

6.2.3 Technology and Privacy

Individuals have many good reasons to want information about themselves to be stored electronically and to be made available over communications networks. The rapid and accurate transfer of electronically stored medical records can improve a person's medical care and might even save a life; stored credit card and address information makes Internet shopping convenient; and user-friendly online banking transactions have attracted millions of customers.

Yet advances in information technology can also threaten privacy. A visitor to a Web site may involuntarily leave behind personal information that the Web site owner can later use for commercial purposes. Seemingly harmless fragments of information left at different sites can be combined into a potentially harmful aggregate. Even easier, cookies can be set in a user's hard drive, creating a built-in history of sites visited, material browsed, and purchases made. Such data can be used for marketing purposes--targeting an individual with ads that are customized to his or her tastes--which may represent a convenience to some and little more than an annoyance to others. However, it is the absence of control over the collection or the use of the information that is the quintessential violation of privacy, and it is not difficult to construct scenarios in which that violation can be harmful to individuals.

Of course, personal information can be collected by Internet service providers as well as by Web site hosts. ISPs can and do record information on user actions for internal purposes or to comply with court orders, and this might include sites visited, the amount of information downloaded, and when such visits occurred.

Databases containing "public" information are another source of privacy concern. Much of such information--e.g., records pertaining to property tax, motor vehicles, drivers' licenses, convictions--was heretofore not public because it was hard to access or extract from voluminous databases.¹¹ Making such information easily available to the general public through the Internet may well be viewed as a violation of an individual's privacy rights because this allows it to be used for purposes other than those for which it was originally collected (together with the individual's implied or explicit consent). In the United States, for example, these databases have been a valuable source of information for telephone-solicitation operations.

Other methods of data collection are possible as well, including records of cellular-telephone location, records of building ingress and egress (created when magnetic cards are used to gain access), and records of credit-card and telephone usage. And the World Wide Web itself is a source of information about individuals. Commercial transactions and political dialogues posted in forums create opportunities to collect information about personal interests and activities.

Today, different structures exist for regulating personal data collection and use in each of these areas of activity from local exchange to long distance telephone companies to cable television companies and Internet service providers. That is certainly a source of confusion and chaos. Technological convergence, however, is leading companies to strive to become sole-source information providers and handlers, and the differing regulatory traditions and customs that characterize each domain may well come to overlap, leading, at least initially, to greater turmoil even within national borders. The technical convergence can also create the opportunity for a kind of regulatory arbitrage that can work to the detriment of privacy rights. On the other hand, the turmoil and the obvious regulatory inequities may serve as a stimulus to rationalize the present cacophony of regulatory regimes. In so doing, it could reinforce the fundamental concepts of privacy sometimes lost or distorted in the past as individual sectors developed rules that weighed particular political, commercial, and even technical factors more heavily than privacy per se.

Information technology is not only a threat to privacy; it can also provide the technical means for increasing one's privacy. For example:

• Encryption (Box 6.5) is widely used to ensure privacy and to enable secure commerce. Encryption (at the sending end) and decryption (at the receiving end) provide end-to-end confidentiality when the intermediate communications channels are either public or, if private, subject to malicious intrusion.
• Anonymization enables a user to send (and sometimes to receive) messages anonymously (Box 6.6). Anonymizing services make it very difficult and sometimes impossible to trace the identity of a user.
• Automated privacy-negotiation protocols, such as the Platform for Privacy Preferences Project (P3P), enable Web site operators to express their privacy policies in a standardized machine-readable format that can be interpreted by clients linking to the Web site. Clients "remember" their users' own privacy preferences, which are automatically compared with the policies of the visited Web site. If the two match, the connection is allowed; otherwise, discrepancies are called to the user's attention. Thus, the human user need not read the privacy policies at every site he or she visits, but rather can rely on his client for this task.

Reliance on technical approaches has two major drawbacks. First, technical approaches generally require explicit user action--an individual wanting to protect privacy must take an action to do so (this may change in the future if defaults for encryption are widely built into e-mail or other communications software). Because many individuals do not know that the tools exist or do not have the skills to use them effectively, the privacy interests of those individuals may be compromised.

Second, if privacy protection relies on software that both client and provider must install, such as P3P, then it is viable as a privacy-protection mechanism only if a large number of Web site operators adopt the same software and a critical mass of users install it in some relatively brief initial period. The issue of timing is important because the value of the system grows with numbers of users (an illustration of positive network externalities discussed further in Chapter 7), so that the willingness of operators to invest in such a system depends strongly on how rapidly users can be recruited and a financial return generated.

In any case, although technical tools can offer some degree of data protection, few in the United States or Europe advocate relying on them exclusively. Technical tools per se do not provide a framework for balancing competing values where privacy is involved--or, for that matter, in any other case. The appropriate balance cannot and should not depend on the ever-changing state of technology and the relative power it may confer at any particular moment on those who seek to protect their privacy or on those who seek to invade it. It is the role of communities to come to agreement about the appropriate framework and to use institutional structures to regulate, guide, or stimulate the use of technical and other tools to achieve the desired value balance.

6.2.4 Privacy Protection as a Challenge to Governance

Although, or perhaps because, European and American approaches to privacy differ, together they provide a rich array of tools to help an individual maintain control over personal information. These include not only mandatory legal regulations introduced through laws and enforced by courts and government agencies, but also a variety of self-regulatory procedures and practices.

The Limited Power of Traditional National Regulation

The globalization of information flows makes it much more difficult for a single nation-state to unilaterally protect the privacy of its citizens. Routine consumer transactions can involve players in five or even more countries, given that consumers, merchants, manufacturers, Web site operators, credit-card issuers, and other parties to a single transaction can all be located in different political jurisdictions.

In effect, a nation's data-protection laws are subject to a kind of competitive pressure. In many instances, strict privacy legislation in one nation-state can be circumvented by shifting the collection and use of the data to another nation-state that has less restrictive laws. However, data protection differs from content regulation in the global-networked environment. The businesses collecting personal data during commercial transactions often require a local presence in order to make money. If so, this feature makes an out-of-nation vendor vulnerable to the extraterritorial application of national rules. Even if the actual storing or processing takes place abroad, local data-protection authorities can argue that the local entity representing the operator is subject to local law and, moreover, responsible for the parent company's actions. Thus, the local authorities can take action against the local representative.

Neither the argument nor the threat is merely theoretical. In the well-publicized conflict between the European Union and the United States concerning e-commerce transactions, the European position embodied in the European Privacy Directive--which stated that personal data cannot, in most instances, be transferred out of the European Union to countries that do not provide an "adequate" level of privacy protection¹² --was effectively an extraterritorial applicability argument.¹³ The fact that U.S. corporations were vulnerable to prosecution through their local offices gave significant negotiating power to the European position, resulting in the "safe harbor" compromise whereby American corporations undertook a contractually enforceable commitment to privacy protection (see discussion below).

International Legal Harmonization

A straightforward solution to harmonizing data protection would be the conclusion of an international treaty on the issue. Within Europe, this is precisely what happened. The Council of Europe prepared its Convention for the Protection of Individuals with Regard to Automated Processing of Personal Data, and the European Union used its power to legislate the Directive on Data Protection. These two legal instruments effectively harmonize the standards and, more to the point, spread and reinforce the substantive value.

Similar approaches have been tried in the broader international arena as well. In September 1980 the Organization for Economic Cooperation and Develoment (OECD) adopted Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,¹⁴ and in December 1990 the General Assembly of the United Nations adopted Guidelines Concerning Computerized Personal Data Files.¹⁵ But neither instrument has the enforceability associated with domestic law. Indeed, as noted elsewhere, substantive international treaties work only when there is such complete agreement on the values involved that domestic law is, or can easily be made, consistent with the treaty's provisions.

There are in fact sufficient differences between the United States and Europe on defining what privacy does and does not mean with respect to government and commercial institutions that such agreement has proven difficult to obtain. Moreover, both jurisdictions fundamentally differ in their approach to structuring institutions of enforcement. While the Europeans are willing--indeed, prefer--to rely on command-and-control regulation and governmental enforcement authorities, the United States prefers industrial self-regulation and litigation.¹⁶

Finally, it should be noted that the traditional international treaty process is slow and cumbersome, certainly more so than the process of reaching agreement within the European Union. Few who are familiar with the International Telecommunications Union or the World Trade Organization would view a similar approach to privacy protection as practical, particularly within the context of the rapidly evolving technical environment of the Internet.

Internationally Coordinated Private Law

A second technique for resolving the U.S.–European conflict over data protection involves coordinating legislation with the help of each nation's rules on the application of foreign commercial law to international cases. This technique, called the conflict-of-laws approach, is available because the protection of data among private parties is generally covered by private rather than public law,¹⁷ and privacy issues on the Internet often involve the use of data by private businesses rather than by government.

One obstacle to this approach, however, arises from the distinct difference between the U.S. view of privacy (analogous to a property right) and the traditional European view (which deems individuals' interests in data about themselves as an inalienable liberty right). In a case in which this difference was significant, it is quite possible that Europeans might not regard the U.S. legal provisions as being functionally equivalent to their European counterparts. Under those circumstances, the national conflict rules might require that the European, rather than the U.S. rules, apply.

There are other complications as well. If a private lawsuit is brought by a foreign customer in the country of origin of the supplier, will the courts be convinced that an Internet transaction between these two parties is properly viewed as having occurred in the home country of the customer (so that the customer's national laws apply)? Furthermore, even though the private-law rules can generally be applied where only private entities are concerned, nation-states have generally been unwilling to apply foreign rules if they are perceived as a hidden regulatory tool. This is likely to be the case with data-protection rules, given the conceptual differences between nations about what should be protected and how.¹⁸ Indeed, the fact that independent public officials have jurisdiction to intervene would signal the inherent public-law character of data protection laws. Finally, from a pragmatic point of view, it seems doubtful that Europeans would accept, for example, a data-protection arrangement under which European nationals would have to sue U.S. firms before U.S. tribunals; nor would Americans be comfortable with the opposite arrangement.

Self-regulation Without Direct State Intervention

Many data users in the United States have expressed a strong preference for self-regulation, and American industry has begun to move in that direction. Whether motivated by the need to respond to consumer pressure or the desire to avoid legislation, American companies acknowledge the pressures that lead to calls for regulation but assert that they can police their own actions. When the Federal Trade Commission (FTC) undertook a series of investigations of online privacy in the mid-1990s and began to develop guidelines for possible regulation, the Direct Marketing Association responded by adopting a code of Fair Information Practices. Since 1998, industry representatives have worked with the Federal Trade Commission to develop credible and effective self-regulatory approaches and accompanying audit and enforcement mechanisms. There are limits to how far the FTC can go. For example, the Children's Online Privacy Protection Act, which was passed in 1999, makes the Commission responsible for rulemaking and requires any Web site or online service that is directed to children to obtain parental consent before collecting personal information from children under the age of 13.

Self-regulatory approaches can be more decentralized and flexible than governmental regulation, and thus more responsive to particular circumstances. On the other hand, they are unlikely to have much credibility if they comprise no more than broad guidelines. Effective self-regulation needs substantive rules, as well as mechanisms to ensure that consumers know the rules--e.g., a requirement that companies publish privacy policies. Furthermore, there must be some sanction for failure to comply with these rules. Among the suggested approaches are the creation of certifying seals or logos, which can be withdrawn for noncompliance; publishing the names of noncompliant companies on a "bad actor" list; or making a company liable under fraud laws. Other possibilities are audits of compliance with established fair information practices or independent authorities with power to resolve complaints.

None of these self-regulatory approaches, including the publication of codes of good practice, are acceptable to most privacy advocates, who view them as toothless and therefore not truly protective of individual interests. However, some of these advocates are willing to agree to a system with "opt-in" provisions, which requires individuals to agree explicitly to the collection or use of personal information. (Industry usually argues for "opt-out" provisions that permit collection or use of personal information unless individuals explicitly object.)

Self-regulation has been strongly opposed on the European side for many of the same reasons advanced by the privacy advocates. Many, perhaps even most, Europeans do not trust the mechanism, suspecting that self-regulation is merely a cover for lowering the standards of data protection, or ignoring them entirely.

Hybrid Regulation

Thus there is a growing interest in new forms of governance, which might be characterized as "hybrid" in character, that feature flexible international public-law frameworks within which private self-regulation is used to work out the details. Private self-regulation within a public international law framework may not only provide solutions to the inherently international character of traffic in personal data; they also may avoid some of the problems of the fragmented regulatory structures currently in place. Some precedent for such an approach can be found in a German-U.S. contract between the Berlin Data Protection Commissioner and Citibank (Box 6.7).

A more contemporary example, and one that has received a great deal of attention, is the hybrid regulatory scheme developed by the European Commission and the United States government to avoid privacy-related disruptions of transborder data flows and international trade. In 2000, they exchanged letters that articulated a "safe harbor" for U.S. companies and other organizations receiving personal data from the European Union.¹⁹ Organizations receiving personal data transfers from the EU and complying with certain principles (Box 6.8) would be regarded as meeting the "adequacy" requirements for data protection in accordance with the European Union's Directive on Data Protection.

In this instance, hybridization allowed the United States and Europe to organize the coexistence of their diverging regulatory traditions and styles. The Europeans came to the negotiation table with their trust in government, and with an existing framework of independent data-protection officers. The United States, for its part, had neither a strong regulatory framework nor the inclination to impose one. The compromise was self-regulation with public oversight via the Federal Trade Commission--i.e., a hybrid solution.²⁰

The actual implementation mechanism is complex, with roles established for both government and nongovernment organizations, the issuance of a "seal of compliance," and the creation of a dispute-resolution body. Noncompliance is penalized by a range of sanctions, including publicity for findings of noncompliance, the requirement to delete data in certain circumstances, suspension and removal of a seal, compensation for individuals for losses incurred, and injunctive orders. In addition, the U.S. Federal Trade Commission has committed itself to reviewing allegations of noncompliance with safe-harbor principles made by privacy self-regulatory organizations; the Commission will be looking to see whether the alleged actions amount to violations of the FTC Act prohibiting unfair or deceptive acts or practices in commerce. In this context, all of the usual tools available to the FTC can be applied, including administrative cease-and-desist orders prohibiting the challenged practices, as well as pursuing complaints in U.S. federal courts to obtain judicial remedies. Persistent failure to comply can be punished by denying the violator the benefits of the safe harbor.

The success of these safe-harbor negotiations between the European Union and the United States does not mean that the agreement is without controversy. For example, the Trans Atlantic Consumer Dialogue (TACD), representing a group of consumer and privacy groups, argued that the safe-harbor agreement ". . . fails to provide adequate privacy protection for consumers in the United States and Europe. It lacks an effective means of enforcement and redress for privacy violations. It places unreasonable burdens on consumers and unfairly requires European citizens to sacrifice their legal right to pursue privacy complaints through their national authorities. The proposal also fails to ensure that individual consumers will be able to access personal information obtained by businesses."²¹

The controversy illustrates what is bound to be a continuing debate between those who see hybrid regulation as the answer to the conflicting approaches and inconsistent regulations between one country and another, and those who see it as a threat to the existing protections that national regulation provides in at least some countries. Experience gained in these next years with the Safe Harbor agreement may well provide important evidence for future decisions on whether or not to use this approach.

6.3 FREEDOM OF INFORMATION

The term "freedom of information," as used in this report, is not only a legal concept but also a social and political one. In the former sense, it refers to the legally enforceable right of access to information--an individual right. But in the social and political sense, it is a measure of the openness of the society, as discussed below. It is in this context that we may define what kinds of information ought to be accessible and, additionally, begin to understand the associated conflicts in public and private interests.

6.3.1 The Value Involved

As pointed out in the introduction to this chapter, freedom of information is a formal value. Adherence to this value safeguards transparency and accountability of governmental action, and it is closely related to the Western concept of democracy. Access to information gives citizens a sense of ownership of their society, and it creates confidence in the legitimacy and appropriateness of government administration. Freedom of information is a tool for engaging citizens in the work of government, alerting them to any excesses of government, and providing them with the basis to exercise their rights and obligations more knowledgeably. In Thomas Jefferson's words, "The best protection of a democratic society is an informed public."

Technological developments have affected the availability of information in at least two ways. First, the Internet and the World Wide Web have made it increasingly practical for enormous amounts of information to be made available--quickly, easily, and inexpensively--to the public. The complete texts of laws, court records, judicial findings, administrative rules and records, statements of public officials, transcripts or minutes of public meetings, and the like can all be put online for the public to access, copy, or search. This is an extraordinary new tool for implementing freedom of information in societies unambiguously committed to that value. However, it is also a challenge to those who are less than enthusiastic about such total disclosure (and who, in the past, could be shielded from the need to justify restrictions on the distribution of information by simply citing its impracticality).

Second, new computer tools allow the manipulation and reorganization of data and records into much more useful and transparent forms. Tools for searching, filtering, organizing, and analyzing data can produce intermediate products that, in a very practical sense, make the raw data significantly more accessible and, in so doing, make freedom of information as much a practical reality as a formal commitment or value. However, these new technical tools create two problems. First, the very capacity to manipulate and mine public data may expose private information embedded within it; thus a formal balancing of interests is involved in the collection and publication of data for public purposes. Again, this is a problem that did not need to be urgently confronted in the past because of the practical limitations on teasing the private information out of the public database.

Furthermore, because many intermediate data products serve a public purpose, it is in the public interest for government to encourage the growth of markets for these products. That means creating incentives for the private sector to invest in their development. Generally, these incentives have taken the form of intellectual-property protection. Conflict then arises in determining what balance between the public nature of information and the private protection of intellectual property will maximize freedom of information as a practical reality.

In the following sections, such conflicts and tensions are examined in the context of specific kinds of public information and specific legal approaches.

6.3.2 Types of Information Subject to Freedom of Information

Primary Legal Information

"Primary legal information"--information having the force of law, such as parliamentary enactments, judicial decisions,²² and comparable instruments from administrative agencies such as rules and orders--is the raw material of democracy. Most observers committed to freedom of information would agree that making primary legal information widely accessible to the public is not only consistent with individual rights but also important for effective governance. Indeed, if the public doesn't know the law, it can't follow it. In addition, if it doesn't have complete access to information about the operations of government, it can't exercise democratic oversight. Thus there is an overriding public interest in easy and inexpensive access to primary legal information.

An important and ongoing controversy related to the public's right to legal information is the issue of who may hold a copyright on information subject to disclosure under freedom-of-information laws. If private entities obtain information from public entities under such laws and then reorganize it, may they copyright the product thus created? If so, what does the copyright cover?

In the United States, these controversial questions have been raised in connection with the U.S. Congress's consideration of two database-protection bills²³ modeled in part on the European database-protection directive.²⁴ Specifically, both of these proposed bills would have granted certain property-like rights to database owners entirely apart from whatever copyright interest they did or did not hold; in general, these rights would have forbidden other parties from extracting large quantities of information from these databases in a way that caused financial harm to the database owner.

On the other hand, federal entities in the United States are precluded from copyrighting public information. In Germany, the situation is slightly more complicated. According to Article 5 of the Copyright Act, "Laws, ordinances, official decrees and notices [and] also decisions and official grounds [for] decisions" cannot be copyrighted. The same applies to other official works published to satisfy the official goal of informing the public. But information collected and maintained by public agencies can be granted a private copyright when it is material actually written by private individuals.

In the United States, some courts have held that certain state and local laws can sometimes be copyrighted, and have forced third parties to refrain from reproducing or distributing primary legal information contained in such statutes and court decisions. For example, Peter Veeck posted on a private Web site the municipal building code for Denison, Texas. The text of this building code is actually owned by the Southern Building Code Congress International (SBCCI), a private, not-for-profit organization whose primary mission is to develop and maintain a set of model building codes. The SBCCI has developed the building code and gives it free to municipalities as an incentive for adopting it. However, sales of the code to engineers and architects is a revenue-generating enterprise for SBCCI, and thus it sued Veeck for copyright infringement. The case is working its way through the U.S. court system; in February 2001, a panel of the Fifth Circuit Court of Appeals upheld by a vote of 2-1 that SBCCI had the right to force Veeck to refrain from publishing these materials on the Web.²⁵

It has been argued in the past that the private publication of government information is the only practical way to ensure its broad distribution, and that the incentive of copyright protection is necessary to encourage the involvement of the private sector. However, Internet and PC technologies have sharply reduced the costs and increased the ability of government agencies to publish their own material. As noted earlier, these same technologies have also created incentives for the private sector to create value-added products from the raw data produced by government agencies. The challenge is to develop appropriate criteria to protect private-sector innovations that enhance the usability of original government data without depriving the public of its access to that data.²⁶

Public Records Containing Personal Information

Public records that contain personal information create an obvious conflict between freedom of information and privacy rights. In principle, this is not a new concern, but advances in information technology have made it a practical concern. In the past, the cost and effort of extracting personal data from public records was so great that few attempted it. However, as such records are computerized and become available under freedom-of-information law, the threat to privacy becomes quite real.

Whether privacy or freedom of information takes precedence depends on the particular situation. If the invasion of an individual's privacy is limited and noninjurious, one might argue that the cost is worth the benefit of retaining the public's access to government information. On the other hand, if the interest in access to public records is purely commercial and unrelated to the democratic and integrative functions of freedom of information, then one might argue that protection of individual privacy should be given greater weight.

In addition to facilitating the mining of databases for personal information, technological advances affect the balance of rights in two other ways. First, information technology enables "profiling"--the linking of data from a number of different sources to create much more serious invasions of individual privacy than would be possible with any single record. The possibilities for such profiling are thus an element in judging the harm to individuals that results from granting access to public records, though the number of actual instances in which an individual has been harmed by profiling is apparently small. Second, and on the other hand, information technology also facilitates the anonymization of data, a practice that can help to protect privacy without compromising the public's access to the aggregated database.²⁷

Some have argued that anonymizing data can reduce its worth because the process essentially blocks certain information that might, in fact, be useful. But that raises the question of whether the competing principles of privacy and public interest have, in the past, been thoroughly weighed in deciding what information on individuals it is appropriate for governments to collect. In the past, the government may have had no alternative but to gather more information than it had a right to gather, in order to glean the information that it needed and to which it was entitled. The practice may not have been challenged because, as a practical matter, there were limitations on the misuse of the private data. However, the mere fact that the government has collected or is in possession of the aggregated database does not mean that it is actually entitled to use all of the data or to use it for any purpose. Because technology increases the ability to link information, the potential for such misuse by government--and others--increases, and government agencies will have to revise their past approaches to collecting data and weigh the competing claims of privacy and public need more rigorously.

Notes, Drafts, and Intermediate Documents of Public Officials and Bodies

Documents that shed light on the administrative aspects of government's decision-making process (e.g., preliminary or internal drafts) present thorny problems, and how far a society should go in providing access to such documents is a matter requiring much further discussion.²⁸ On the one hand, transparency in the political and administrative decision-making process is of major importance in a democracy and one of the strongest arguments for a freedom-of-information principle. On the other hand, disclosure of every conversation and recorded thought between administrators or judges and their advisors would have a chilling effect on candid deliberation that would, in fact, reduce the quality of decisions. Government needs space and time in which to assess arguments and conduct internal debates with a certain degree of privacy of its own.

Technology (though not necessarily as part of global networks) again complicates matters. In the past, a good deal of highly informal conversation might have taken place on the telephone or in face-to-face meetings. It was possible to record these kinds of conversations, but not required.²⁹ When they were recorded, they might well have been subject to freedom-of-information requests (or subpoena, as Richard Nixon learned). The applicability of freedom-of-information regulations in these instances was often debated, even litigated. But the participants had an option that allowed them to control the balance between privacy privilege and the public's right to information; except where public meetings were involved (itself a question of definition), they could decide whether or not to record the conversation.

Now, many of these same interactions are conducted through vehicles such as e-mail or bulletin board postings. Electronic records of these exchanges exist and are frequently the subject of freedom-of-information requests. In effect, technology has shifted the balance and the control without any change in the substantive social and political facts. In this, as in other instances, each society must determine if the shift is consistent with its balance of the values involved. The technology itself should not be the determining factor.

Records Associated with Publicly Funded Research

A relatively new area of contention, particularly in the United States, is the public accessibility of research data produced with government grants. Although the principle of openness in research is, in and of itself, an important value in the scientific community, freedom-of-information requests for scientific data in recent years seem to have been motivated by political agendas outside that community. As scientists have become more engaged in issues with strong political overtones--such as the health effects of tobacco, the environmental effects of industrial wastes, or the relative contributions of nature and nurture to I.Q., lawyers, lobbyists, and other advocates have sought access to scientists' raw data. The reasons for such requests vary, and how they are viewed depends on the eye of the beholder. What is seen by one party as a legitimate attempt to understand the basis of a scientist's conclusions can be seen by another as an effort to discredit or harass.

The matter has been further complicated by the heightened concern about scientific fraud. Public bodies, including congressional committees, have sought access to the notebooks of scientists in order to assess the veracity of their published works. They have used forensic approaches to determine the time sequence of notebook entries, the actual (expected) randomness in raw data, the inclusion or exclusion of data in final reports, and the laboratory instruments actually used in measurements. In so doing, they have tried to assess not only the integrity of scientists, but their competence as well.

In some respects, this is a rather new facet of the issue of privacy. That is, to what extent is the practice of one's profession--the way one thinks, how one creates, what one's personal style is like--a public activity for which the researcher must be accountable? Where should we draw the line between legitimate access and inappropriate revelation of one's personal information and idiosyncrasies? The balance to be struck must ensure accountability while respecting the intellectual process and avoiding the chilling effects of harassment or intimidation.

The U.S. Congress attempted to balance these considerations in a law recently enacted³⁰ that requires all recipients of federal research grants to disclose research data in accordance with the provisions of the Freedom of Information Act. However, the law defines the term "research data" as "the recorded factual material commonly accepted in the scientific community as necessary to validate research findings, but not" such things as trade secrets, commercial information, personnel and medical information, and any "similar information which is protected under law." In addition, it limits the application of the new provision to "research data relating to published research findings," which it defines as either "[r]esearch findings [that] are published in a peer-reviewed scientific or technical journal" or those that are "publicly and officially cite[d] . . . in support of an agency action that has the force and effect of law." It is too early to assess the effects of the law, because it is still being shaped as administrators develop rules for its enforcement and requests for information lead to court cases that will provide further interpretation. Certainly, the issue remains one of great concern to the scientific community.

6.3.3 Global Networks Affecting Freedom of Information

As with privacy, global networks exert direct and indirect pressure on national disclosure policies. Global networks are multiplying the options through which citizens can gain access to information and are making it more difficult for nations to maintain restrictive policies.

New Technical Options

In the past, even if the public was legally entitled to access governmental files, in practical terms it was not easy to exercise this right. In the earliest times, the citizen had to go to the appropriate office and transcribe excerpts by hand. Photocopiers significantly reduced the logistical burden on these efforts. But the digital representation of public documents means that they can be searched, stored, and combined at will. Moreover, if these files are available online, access becomes so comfortable that it can become a routine operation for citizens.

There has been considerable progress in this direction. Congressional legislation is available online; all of the opinions of the U.S. federal appellate courts are available in full-text form and in popular word-processing formats on the Web, and a growing number of state courts and agencies also publish information on the Web. German authorities are moving into the same direction, albeit at a somewhat slower pace. All decisions of the Bundesverfassungsgericht are already available online free of charge. Other federal courts in Germany are planning to follow, and the European Commission has launched a similar initiative.

The Modest Effect of Globalization

Although the Internet has had a strong impact on national policies concerning free speech and privacy, its effect on FOI policies is much weaker because it is the disclosure of information held by local governments that is often at issue. Global networks do not change the local character of the source. Thus, even under changed technological conditions, each country can in principle pursue its own policy. However, for a number of reasons, this may be an unwise choice for nations where present policy appears to limit freedom of information, or at least to not promote it vigorously.

First, global networks expose people to new ideas from other places. Thus citizens in a more restrictive nation who see examples of governmental openness in other nations may demand more openness and access at home.³¹ Given the pronounced differences in regulatory traditions, there is a great potential for such policy diffusion. Of course, it took hundreds of years for the legal structure providing for freedom of information to spread beyond the borders of Sweden (where the first law on the subject was enacted in 1766). But with the present high degree of connectedness between nations it is inconceivable that a concept such as freedom of information could long remain contained within the borders of one or a few nations. Other hastening factors include the concept's inherently democracy-promoting character, the United States' broad commitment to it, and its manifestation on the Web.

In the United States, freedom-of-information norms are expressed in a collection of federal and state statutes: the Freedom of Information Act of 1966;³² the Paperwork Reduction Act of 1980 (revised subsequently in 1995);³³ the Federal Register Act of 1935;³⁴ and the Electronic Freedom of Information Act of 1996.³⁵ Most American states also have freedom-of-information laws. These typically adopt the same norms as those of the federal laws. There are, however, some differences. Many states provide no deadlines for agency responses to private requests for information. Others are vague about the availability of judicial review. Still others require the identification of a legitimate private interest in the information requested. And some distinguish between requests that are made for personal reasons, which are favored, and those made by commercial entities for a profit-making purpose, which are not favored.³⁶

Germany, on the other hand, has not yet established a Freedom of Information Act at the federal level. The only applicable provisions are those of the German Basic Law art. 5, subsec. 1³⁷ and the Federal Law on Administrative Procedure §§ 29, 30.³⁸ These legal instruments, however, actually express a principle of secrecy rather than openness, restricting provision of information on administrative procedures to persons who take part in the procedures or who might be affected by their outcomes. This tradition obviously does not give rise to a general public right to government information, and no other specific law addresses such access.

Still, there is currently some movement away from government secrecy and toward greater transparency, both in Germany and throughout Europe. The general approach is to build on the foundation of individual rights, beginning with the existing rights of participants in particular proceedings to obtain information pertinent to those proceedings. This is rather different from the American approach, which links freedom of information to democratic oversight of governmental operations and thus grants rights of access to all citizens. Nonetheless, the strategy has already been successful in several cases. For example, in 1994, the German Federal Freedom of Access to Environmental Information Act was adopted,³⁹ implementing a European Union directive granting access to environmental information held by public authorities.⁴⁰

On the state level, the East German States of Brandenburg and Mecklenburg-Vorpommern provide a general right of access to information in their constitutions. General freedom-of-information acts were also enacted in Brandenburg⁴¹ and Berlin⁴² in 1998 and 1999, respectively. However, comprehensive nationwide or EU-wide legislation on freedom of information is not yet a reality, although it is becoming a goal. Indeed, the present coalition government in Germany has expressed its intention to enact a general freedom-of-information law on the federal level. In addition, Directorate General 13 of the European Commission has been working for more than 5 years on the development of a legal regime for freedom of information, seeking to implement the transparency guarantee of the Maastricht treaty. However, recently published drafts have been criticized for being too tentative (Box 6.9).

Second, the impact of global networks is not limited to disseminating a normative yardstick. A restrictive national policy with respect to freedom-of-information principles can be undermined to a certain extent by use of the Internet. Ironically, this became obvious recently as drafts of the European Community's freedom-of-information regulation were leaked and published on the Internet.

Third, and perhaps most important, economic considerations in a globalized world may provide an even stronger motivation for adopting freedom-of-information principles in Germany. As the European Com-mission's "Green Paper on Access to Public Information"⁴³ states, "Without user-friendly and readily available administrative, legislative, financial, or other public information, economic actors cannot make fully informed decisions." Therefore, the Commission notes, "the ready availability of public information is an absolute prerequisite for the competitiveness of European industry. In this respect, EU companies are at a serious competitive disadvantage compared to their American counterparts, which benefit from a highly developed, efficient public-information system at all levels of the administration." In addition, public-sector information may itself be a vehicle for economic growth, as the public sector is the biggest single producer of information in areas such as legislation, statistics, culture, finance, geography, transport, and research. Box 6.10 provides more discussion.

Because nations can determine their own FOI policies that are, in their essence, nonoverlapping, there is no particular need for international harmonization of freedom-of-information laws. It is important, however, to ensure that international treaties do not hamper national freedom-of-information policies. A case in point is internationally harmonized copyright law. So far, the pertinent international rules are silent with respect to copyrighting governmental information; neither the TRIPs agreements under the WTO treaty,⁴⁴ the Berne treaty,⁴⁵ nor the World Intellectual Property Organization (WIPO) conventions⁴⁶ deal with the issue. If they were extended to such information, the potential for conflict between treaty obligation and FOI for government data would be obvious.

NOTE ADDED IN PROOF

In the wake of the horrific events in New York City and Washington, D.C., on September 11, 2001, the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism" (USA PATRIOT) Act was enacted into law (P.L. 107-56). Reflecting congressional concern that the legislative tools available to law enforcement were inadequate in an advanced-technology environment in which terrorists can freely travel and operate relatively free of the constraints imposed by national borders, the act expanded government authority to monitor Internet traffic, to compel disclosure of information contained in public and private records if approved by the judicial branch, and to share information collected in grand jury investigations with "any Federal law enforcement, intelligence, protective, immigration, national defense, or national security official in order to assist the official receiving that information in the performance of his official duties."⁴⁷ This legislation has implications for privacy interests of individuals vis à vis government, and a number of public interest groups have strongly criticized this legislation for weakening protection for these interests.⁴⁸

In addition, in the freedom of information domain, the Bush administration has promulgated a policy that "discretionary decision by [a federal] agency to disclose information protected under the FOIA should be made only after full and deliberate consideration of the institutional, commercial, and personal privacy interests that could be implicated by disclosure of the information. . . . When [an agency] carefully consider[s] FOIA requests and decide[s] to withhold records, in whole or in part, [it] can be assured that the Department of Justice will defend [its] decisions unless they lack a sound legal basis or present an unwarranted risk of adverse impact on the ability of other agencies to protect other important records."⁴⁹

Notes

¹ Recall (Chapter 3) that formal values can be regarded as general principles by which individuals choose to live, while substantive values relate to specific aspects of one's environment and behavior.

² The distinction is not always clear-cut. For example, personal data in a company's possession may enter government records (e.g., through a bankruptcy or other court proceeding). In such a case, information may be subject to FOI disclosure.

³ The development of new technologies make statements of this kind always subject to caveats. For example, the increasing capacity to mine nominally "anonymous" data to back out information about individuals is often acknowledged. Further, even when data are gathered remotely, low-orbit photoreconnaissance satellites with high resolution (or even photoreconnaissance aircraft) might yield data on the behavior of individuals.

⁴ BVerfGE 65,1 (41 ff).

⁵ The Federal Data Protection Commissioner's independence is laid down in sect. 22 par. 4 sent. 2 and 3 of the Federal Data Protection Act. He is independent in the performance of his duties and subject to the law only. According to Art. 28 par. 1 subpar. 2 of the European Directive the data protection authorities act with complete independence in exercising the functions entrusted in them.

⁶ BGBl. I 1997 S. 1871-1872

⁷ Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector: Official Journal L 024 , 30/01/1998, p. 0001-0008. Available online at <http://europa.eu.int/eur-lex/en/lif/dat/1997/en_397L0066.html>.

⁸ Federal Data Protection Act of December 20, 1990 (BGBl.I 1990 S.2954) as amended by law of May 23, 2001 (BGBl I S. 904).

⁹ Council Directive 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 32, 1995 O.J. (L 281) 31, 49 (requiring member states to adopt legislation conforming to terms of directive) [hereafter European Privacy Directive]. Available online at <http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html>.

¹⁰ Federal Privacy Act, 5 U.S.C. § 552a.

¹¹ In Germany, third-party access to all these kinds of information is severely controlled by law, so that the term "public" in this discussion is even more properly put in quotation marks.

¹² Article 26 of the European Privacy Directive provided several exceptions to this general prohibition. In particular, transfers of personal data to third countries that do not ensure an adequate level of protection can take place anyway if (1) the data subject has given his or her consent unambiguously to the proposed transfer, or (2) the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken in response to the data subject's request, or (3) the transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party, or (4) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims, or (5) the transfer is necessary in order to protect the vital interests of the data subject, or (6) the transfer is made from a register that according to laws or regulations is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

¹³ Although prohibiting data transfers out of Europe does not, in a formal sense, contravene international-law principles of prescriptive, adjudicative, and enforcement jurisdiction, the practical effect of such a prohibition is to disrupt international commerce. See Henry H. Perritt, Jr. and Margaret G. Stewart, 1999, "False Alarm," Fed. Commun. L.J. 51:811.

¹⁴ OECD Document C(80)58 (Final). Available online at <http://www.oecd.org/dsti/sti/it/secur/prod/PRIV-EN.HTM>.

¹⁵ Resolution Number A/RES/45/95. Available online at <http://www.un.org/documents/ga/res/45/a45r095.htm>.

¹⁶ Henry H. Perritt, Jr. 1997. "Regulatory Models for Protecting Privacy in the Internet," in William M. Daley, ed., Privacy and Self-Regulation in the Information Age, U.S. Department of Commerce, Washington, D.C., Chapter 3. Available online at <http://www.ntia.doc.gov/reports/privacy/selfreg3.htm>.

¹⁷ Reinhard Ellger. 1990. Der Datenschutz im grenzüberschreitenden Datenverkehr. Eine rechtsvergleichende und kollisionsrechtliche Untersuchung. Baden-Baden, 582 s.

¹⁸ For greater detail, see Ellger (supra note 17) 597-604.

¹⁹ The U.S. letter can be found online at <http://www.export.gov/safeharbor/larussacovernote717.htm>. The European Commission letter can be found at <http://www.export.gov/safeharbor/EUletter27JulyHeader.htm>. Other related documents can be found at <http://www.export.gov/safeharbor/sh_documents.html>.

²⁰ Henry Farrell. 2000. "Negotiating Privacy Across Arenas--The EU-US 'Safe Harbor' Discussions," in Adrienne Heritier, ed., The Provision of Common Goods: Governance Across Multiple Arenas, Boulder, CO: Rowman and Littlefield.

²¹ Available online at <http://www.epic.org/privacy/intl/TACD_SH_1299.html>.

²² Germany is a civil-law country. Court decisions thus do not, in and of themselves, have legal force erga omnes, though the decisions of the upper courts have high persuasive authority. This does not, however, change the desirability of having easy and inexpensive access to their texts.

²³ H.R. 354 in the 106th Congress, the Collections of Information Antipiracy Act, and H.R. 1858 IH, the Consumer and Investor Access to Information Act of 1999.

²⁴ Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (O.J. 27/3/96 no L 77 p. 20).

²⁵ The opinion of the panel can be found at <http://www.ca5.uscourts.gov/opinions/pub/99/99-40632-cv0.htm>. A press article on this controversy is in Daniel Fisher, 2001, "We Own That Law," Forbes, April 30, p. 60.

²⁶ This is a topic of ongoing debate in the United States. The Computer Science and Telecommunications Board is participating in a National Research Council project that addresses these issues for weather-related information.

²⁷ Such an outcome depends on the particulars of the data in question, because sometimes even anonymized data can be assembled in such a way as to uniquely identify an individual.

²⁸ It was discussed in the United Kingdom. See "Your Right to Know. The Government's Proposals for a Freedom of Information Act," presented to Parliament by the Chancellor of the Duchy of Lancaster by Command of Her Majesty, December 1997. Available online at <http://www.official-documents.co.uk/document/caboff/foi/foi.htm> (03.03.2000).

²⁹ Indeed, in many jurisdictions, it would be illegal to record such conversations--for example, if the recording were carried out by third parties or without appropriate notice.

³⁰ Office of Management and Budget's Appropriations Act for Fiscal Year 1999, Public Law No. 105-227. See FOIA Update, Vol. XIX. No. 4, available online at <http://www.usdoj.gov/oip/foia_updates/Vol_XIX_4/page2.htm> (03.03.2000).

³¹ Of course, such change is possible only when the government of the more restrictive nation is responsive to the popular will. Indeed, some government--in general, those of the more authoritarian nations--may impose restrictions on access to certain Internet content precisely in order to prevent their citizens from seeing the openness of other nations.

³² 5 U.S.C. § 552.

³³ Paperwork Reduction Act of 1980 (94 Stat. 2825; 44 U.S.C. § 3503 note) [set out as a note under § 3503 of Title 44, Public Printing and Documents].

³⁴ 44 U.S.C. § 1505.

³⁵ Electronic FOIA Amendments Act of 1996, P.L. 104-231, 110 Stat. 3048 (Oct. 2, 1996), amending 5 U.S.C. § 552.

³⁶ Media requests, which obviously serve commercial, profit-making purposes, have always been given exceptional status in the United States under the protection of the First Amendment of the Constitution (see Chapter 8).

³⁷ Grundgesetz für die Bundesrepublik Deutschland of May 23, 1949 (BGBl. I S. 1) as amended up to and including Gesetz zur Änderung des Grundgesetzes of July 16, 1998 (BGBl. I S. 1822).

³⁸ Verwaltungsverfahrensgesetz vom 25 Mai 1976 (BGBl. I S. 1253), as amended up to and including Gesetz of August 6, 1998 (BGBl I 1998, 2022).

³⁹ BGBl. I, 1490.

⁴⁰ Council Directive 90/313/EEC of 7 June 1990 on the freedom of access to information on the environment, Official Journal L 158, 23/06/1990, p. 0056-0058. See <http://europa.eu.int/eur-lex/en/lif/dat/1990/en_390L0313.html>. Note that the directive allows a number of exemptions that specify environmental information that can be withheld from the public. Specifically, it may be withheld if the release of the information affects the "confidentiality of the proceedings of public authorities, international relations and national defence; public security; matters which are, or have been, sub judice, or under inquiry (including disciplinary inquiries), or which are the subject of preliminary investigation proceedings; commercial and industrial confidentiality, including intellectual property; the confidentiality of personal data and/or files; material supplied by a third party without that party being under a legal obligation to do so; material the disclosure of which would make it more likely that the environment to which such material related would be damaged." In addition, requests for information may be refused "where it would involve the supply of unfinished documents or data or internal communications, or where the request is manifestly unreasonable or formulated in too general a manner."

⁴¹ Akteneinsichts- und Informationszugangsgesetz (AIG) vom 10. März 1998 (GVBl. I S. 46).

⁴² Berliner Informationsfreiheitsgesetz vom 15. Oktober 1999 (GVBl. I, S.561).

⁴³ COM (1998) 585 final.

⁴⁴ The TRIPS Agreement (Agreement on Trade-Related Aspects of Intellectual Property Rights) is Annex 1C of the Marrakesh Agreement Establishing the World Trade Organization signed in Morocco on 15 April 1994. It is available online at <http://www.wto.org/english/tratop_e/trips_e/t_agm0_e.htm>.

⁴⁵ Berne Convention for the Protection of Literary and Artistic Works of September 9, 1886, as amended on September 28, 1979, UNTS No. 11850, available online at <http://www.wipo.int/treaties/ip/index.html>.

⁴⁶ WIPO Copyright Treaty adopted by the Diplomatic Conference on certain copyright and neighboring rights questions, Geneva, on December 20, 1996 and WIPO Performances and Phonograms Treaty adopted by the Diplomatic Conference on December 20, 1996. Available online at <http://www.wipo.int/treaties/ip/index.html>.

⁴⁷ See <http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162:>.

⁴⁸ See, for example <http://www.cdt.org/press/011025press.shtml> and <http://www.epic.org/>.

⁴⁹ See <http://www.usdoj.gov/oip/foiapost/2001foiapost19.htm>.