Published 06/14/2008, last edited 07/10/2008
An overview of access and privacy in US (2001)
DESCRIPTION: Global Journalism Conference
Copenhagen – April 25-27, 2001
HANDOUT - Public Access and Privacy
Prepared by:
David B. Smallman, Esq.
First Amendment Counsel
Investigative Reporters and Editors, Inc.
The National Institute for Computer-Assisted Reporting
DBSLaw@att.net
Tel. 212.713.5858
Fax. 212.504.3283
ACCESS
Access to U.S. Federal Agency Records (e.g., State Department, FBI, CIA, Treasury Department, etc.) is available under the Freedom of Information Act (“FOIA”).
Background: FOIA AND 1996 E-FOIA AMENDMENTS
The Freedom of Information Act (FOIA) is a federal statute. FOIA generally provides that any person has a right to request access to federal agency records, except to the extent the records are protected from disclosure by any of nine exemptions contained in the law or by one of three special law enforcement record exclusions.
• Enacted in 1966, and amended in 1974, 1976, 1986, 1996
• FOIA was the first US Federal Law to establish a legal right of access to government information, subject to certain statutory exemptions
• Through e-FOIA, Congress recognized problems with federal agency responsiveness in providing access to electronic records, and tried to encourage improvements by
-providing requesters with an opportunity to limit the scope of their requests to obtain faster processing
-authorizing agencies to implement multi-track processing of requests, giving them flexibility to respond to relatively simple requests more rapidly
-requiring agencies to implement expedited processing for requests determined to meet criteria for “compelling need”
The FOIA was recently amended by the Electronic Freedom of Information Act Amendments of 1996 (E-FOIA). Among other things, E-FOIA grants the public access to government documents via computer telecommunications. The provisions of the FOIA, as amended by E-FOIA, can be found at 5 U.S.C. 552.
Exemptions:
The enumerated FOI exemptions contain two express provisions that restrict access based upon privacy (Nos. 6 and 7). Be proactive. Formulate requests for documents that anticipate privacy concerns (e.g., ask for records with personal data fields redacted). FOI specialists and media lawyers can assist you in formulating requests that have a greater probability of success based upon precedent. Here’s a list of the FOIA exemptions:
(a) The following categories of records maintained by the Department of State [or other federal agency] may be exempted from disclosure:
(1) Records specifically authorized under criteria established by an executive order to be kept secret in the interest of national defense or foreign policy and in fact properly classified pursuant to such executive order.
(2) Records related solely to the internal personnel rules and practices of an agency.
(3) Records specifically exempted from disclosure by statute. Included in this category are records relating to the officers and employees of the Foreign Service, including efficiency records (sec. 612 of the Foreign Service Act of 1946, as amended, 22 U.S.C. 986), the records of the Department of State or of diplomatic and consular officers of the United States pertaining to the issuance or refusal of visas or permits to enter the United States (sec. 222(f), of the Immigration and Nationality Act of 1952, as amended, 8 U.S.C. 1202(f)), "Restricted Data" under section 224 of the Atomic Energy Act (42 U.S.C. 2274), records of expenditures certified under 22 U.S.C. 2671 and 31 U.S.C. 107, records subject to section 102(d) of the National Security Act of 1947 (61 Stat. 498) and records subject to section 501 of the U.S. Information and Educational Exchange Act of 1948 (22 U.S.C. 1461, as amended).
(4) Records of trade secrets and commercial or financial information obtained from a person and privileged or confidential.
(5) Records which are inter-agency or intra-agency memorandums, letters, telegrams, or airgrams which would not be available by law to a party other than an agency in litigation with the agency.
(6) Records such as personnel and medical files and similar files the public disclosure of which would constitute a clearly unwarranted invasion of personal privacy.
(7) Records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information--
(i) Could reasonably be expected to interfere with enforcement proceedings;
(ii) Would deprive a person of a right to a fair trial or an impartial adjudication;
(iii) Could reasonably be expected to constitute an unwarranted invasion of personal privacy;
(iv) Could reasonably be expected to disclose the identity of a confidential source, including a State, local, or foreign agency or authority or any private institution which furnished information on a confidential basis, and, in the case of a record or information compiled by a criminal law enforcement authority in the course of a criminal investigation, or by an agency conducting a lawful national security intelligence investigation, information furnished by a confidential source;
(v) Would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law; or
(vi) Could reasonably be expected to endanger the life or physical safety of any individual.
(8) Records contained in or related to examination, operation, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.
(9) Geological or geophysical information and data, including maps, concerning wells.
(b) Any reasonably segregable portion of a record shall be provided to any person requesting such record after deletion of the portions which are exempt under paragraph (a) of this section. Normally a portion of a record shall be considered reasonably segregable when segregation can produce an intelligible record which is not distorted out of context and does not contradict the record being withheld.
[45 FR 58108, Sept. 2, 1980, as amended at 52 FR 32124, Aug. 26, 1987; 64 FR 54539, Oct. 7, 1999]
Note that FOIA does not apply to records created by U.S. legislative or judicial branches of government. Here are some useful, free sources on the Web:
LEGAL DATA
• Guide to Law Online <http://lcweb2.loc.gov/glin/us.html> - Sponsored by the Library of Congress; Code, Statutes at Large, Constitution, Agencies and Regulations, Federal Court System and Decisions.
• Lexis One <http://www.lexisone.com> - Federal and state cases from 1996; Supreme Court cases from 1790.
• LII: Cornell University Law School <http://www.law.cornell.edu> - District Court and Bankruptcy Court Decisions, by Circuit.
FEDERAL LEGISLATIVE RECORDS
• FirstGov <http://www.firstgov.gov> - One stop access to all federal government resources.
• Thomas <http://thomas.loc.gov> - Federal legislative information; searchable databases.
• CONGRESS.ORG <http://www.congress.org> - Databases for elected officials, issues and legislation, media guide.
• GPO Access - Database List <http://www.access.gpo.gov/su_docs/db2.html> - Includes: US Budget, CFR, Congressional Bills, Congressional Record, Federal Register, GAO Reports, Weekly Compilation of Presidential Documents.
• GPO Access - Alphabetical Listing <http://www.access.gpo.gov/su-docs/alphabet.html> - Review the list to see the depth of the content.
• United States House of Representatives <http://www.house.gov> - Directory, Member Offices, Committee Offices, Leadership Offices, US Code searchable database.
• United States Senate <http://www.senate.gov>
• EPA: Window to My Environment - Beta (Region III only) <http://www.epa.gov/enviro/wme> - Powerful new web based tool that provides a wide range of federal, state, & local information about environmental conditions and features.
Court Rules, Forms, and Dockets
• LLRX Court Rules, Forms & Dockets <http://www.llrx.com/courtrules> - Links to over 700 sources for state and federal court rules, forms and dockets. You can browse to find the resource you need, or search by keyword.
• FedForms <http://www.fedforms.gov> - Free forms for the top 500 Government services.
• U.S. Court Forms <http://www.uscourtforms.com> - Free court forms for all states (interactive versions require a fee.)
Public Records
• Pac-Info <http://www.pac-info.com> - Over 4,000 free searchable public records databases (US, Canada, Europe, Asia, Worldwide).
PRIVACY
Safe Harbor Overview <http://www.ftc.gov>
The European Commission’s Directive on Data Privacy went into effect in October, 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.
In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The safe harbor -- approved by the EU this year -- is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the safe harbor will assure that EU organizations know that your company provides "adequate" privacy protection, as defined by the Directive.
SAFE HARBOR BENEFITS
The safe harbor provides a number of important benefits to U.S. and EU firms. Benefits for U.S. organizations participating in the safe harbor will include:
• All 15 Member States of the European Union will be bound by the European Commission’s finding of adequacy
• Companies participating in the safe harbor will be deemed adequate and data flows to those companies will continue;
• Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and
• Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions.
The safe harbor framework offers a simpler and cheaper means of complying with the adequacy requirements of the Directive, which should particularly benefit small and medium enterprises.
An EU organization can ensure that it is sending information to a U.S. organization participating in the safe harbor by viewing the public list of safe harbor organizations posted on the Department of Commerce’s website (www.export.gov/safeharbor). This list will become operational at the beginning of November 2000. It will contain the names of all U.S. companies that have self-certified to the safe harbor framework. This list will be regularly updated, so that it is clear who is assured of safe harbor benefits.
HOW DOES AN ORGANIZATION JOIN?
The decision by U.S. organizations to enter the safe harbor is entirely voluntary. Organizations that decide to participate in the safe harbor must comply with the safe harbor's requirements and publicly declare that they do so. To be assured of safe harbor benefits, an organization needs to self certify annually to the Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements, which includes elements such as notice, choice, access, and enforcement. It must also state in its published privacy policy statement that it adheres to the safe harbor. The Department of Commerce will maintain a list of all organizations that file self certification letters and make both the list and the self certification letters publicly available.
To qualify for the safe harbor, an organization can (1) join a self-regulatory privacy program that adheres to the safe harbor's requirements; or (2) develop its own self regulatory privacy policy that conforms to the safe harbor.
WHAT DO THE SAFE HARBOR PRINCIPLES REQUIRE?
Organizations must comply with the seven safe harbor principles. The principles require the following:
Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.
Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent(1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.
To provide further guidance, the Department of Commerce has issued a set of frequently asked questions and answers (FAQs) that clarify and supplement the safe harbor principles.
HOW AND WHERE WILL THE SAFE HARBOR BE ENFORCED?
In general, enforcement of the safe harbor will take place in the United States in accordance with U.S. law and will be carried out primarily by the private sector. Private sector self regulation and enforcement will be backed up as needed by government enforcement of the federal and state unfair and deceptive statutes. The effect of these statutes is to give an organization's safe harbor commitments the force of law vis a vis that organization.
Private Sector Enforcement: As part of their safe harbor obligations, organizations are required to have in place a dispute resolution system that will investigate and resolve individual complaints and disputes and procedures for verifying compliance. They are also required to remedy problems arising out of a failure to comply with the principles. Sanctions that dispute resolution bodies can apply must be severe enough to ensure compliance by the organization; they must include publicity for findings of non-compliance and deletion of data in certain circumstances. They may also include suspension from membership in a privacy program (and thus effectively suspension from the safe harbor) and injunctive orders.
The dispute resolution, verification, and remedy requirements can be satisfied in different ways. For example, an organization could comply with a private sector developed privacy seal program that incorporates and satisfies the safe harbor principles. If the seal program, however, only provides for dispute resolution and remedies but not verification, then the organization would have to satisfy the verification requirement in an alternative way.
Organizations can also satisfy the dispute resolution and remedy requirements through compliance with government supervisory authorities or by committing to cooperate with data protection authorities located in Europe.
Government Enforcement: Depending on the industry sector, the Federal Trade Commission, comparable U.S. government agencies, and/or the states may provide overarching government enforcement of the safe harbor principles. Where a company relies in whole or in part on self regulation in complying with the safe harbor principles, its failure to comply with such self regulation must be actionable under federal or state law prohibiting unfair and deceptive acts or it is not eligible to join the safe harbor. At present, U.S. organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation with respect to air carriers and ticket agents may participate in the safe harbor. The Federal Trade Commission and the Department of Transportation with respect to air carriers and ticket agents have both stated in letters to the European Commission that they will take enforcement action against organizations that state that they are in compliance with the safe harbor framework but then fail to live up to their statements.
Under the Federal Trade Commission Act, for example, a company's failure to abide by commitments to implement the safe harbor principles might be considered deceptive and actionable by the Federal Trade Commission. This is the case even where an organization adhering to the safe harbor principles relies entirely on self-regulation to provide the enforcement required by the safe harbor enforcement principle. The FTC has the power to rectify such misrepresentations by seeking administrative orders and civil penalties of up to $12,000 per day for violations.
Failure to Comply with the Safe Harbor Requirements: If an organization persistently fails to comply with the safe harbor requirements, it is no longer entitled to benefit from the safe harbor. Persistent failure to comply arises where an organization refuses to comply with a final determination by any self regulatory or government body or where such a body determines that an organization frequently fails to comply with the requirements to the point where its claim to comply is no longer credible. In these cases, the organization must promptly notify the Department of Commerce of such facts. Failure to do so may be actionable under the False Statements Act (18 U.S.C. § 1001).