480 DENVER LAW JOURNAL 1. Constitutional Amendment and/or Federal Statutes [Vol. 60:3 One commentator argues that a constitutional amendment and federal statutes are needed: to balance the interests between the need for data and privacy protections; to restrict access of outsiders to confidential information; and to provide stricter sanctions and penalties for improper dissemination of personal data.258 This commentator concludes that federal sanctions and protections must be implemented because only a nationwide system will effectively protect privacy rights.259 Reliance on state privacy protection systems "will be only as strong as the weakest state law."260 In implementing legislation, the following aspects should be considered: 1) limiting the type of data maintained, 2) controlling the collection and recording of data, 3) informing an individual of the existence of a file concerning him and disclosing names of persons who have seen the records, 4) automatically expunging obsolete data, 5) permitting access to records only on a “need to know" basis, 6) categorizing files as personal or statistical, 7) easing the obstacles to discovery and proof, 8) limiting access to on-site retrieval, and 9) restricting the exchange of personal information between government agencies.261 Those believing that a general right of privacy could be established by constitutional amendment or federal statute, in effect, propose that courts be the primary mechanism to enforce privacy rights. An injured party, however, would still need to bring an action. Courts will not initiate actions against databanks allegedly violating statutes. In today's political climate, it is unlikely that a constitutional amendment to protect privacy could successfully be enacted. 2. Federal Control Agency A federal agency could be established to supervise and control governmental acquisition, storage, and release of computerized information.262 A "Data Processing and Management Office" could act as a watchdog over federal utilization of computerized data and impose sanctions for violations of privacy standards. If this agency were given authority to register and license data systems, conformance with privacy safeguards could then be a condition precedent to obtaining a license.263 3. State Control Agency A state control agency could use licensing and registration to monitor credit reporting agencies. Granting a state agency broad powers could, however, endanger privacy by giving the state access to confidential data. The 258. Halls, Raiding the Databanks: A Developing Problem for Technologists and Lawyers, 5 J. OF CONTEMP. L. 245, 264-65 (1978). 259. Id. at 265-66. 260. Id. at 264-65. 261. Id 262. See, eg, Comment, Agency Access to Credit Bureau Files: Federal Invasion of Privacy?, 12 B.C. INDUS, AND COMM. L. REV. 125 (1970). 263. Id at 127. 1983] COMPUTERS AND PRIVACY 481 agency could be given power to intercede in the event of a violation, but not the power to correct the situation.264 The advantages of the flexibility of such an agency might be outweighed by its potential heavy-handed effect. 265 Many of the concerns about a state privacy protection system may also be applicable to a federally-mandated privacy protection system. 4. Code of Fair Information Practices A model Code of Fair Information Practices was developed in 1976 by the Ombudsmen Committee on Privacy of the Association for Computing Machinery.266 The code does not distinguish between public and private sectors. The guidelines apply equally, although it may be more difficult to control the private sector. A privacy protection code would be a sound foundation upon which states could develop a system for personal privacy, maximizing the utility of the computerization of information while minimizing abuses, 267 B. Transnational Trends Governments recognize that information is a powerful resource with political, economic, social, and cultural dimensions. They are, therefore, 92. 264. ORGANIZATION FOR ECONOMIC COOPEration and DEVELOPMENT, supra note 42, at 265. TASK FORCE, supra note 121, at 160. 266. OMBUDSMen Comm. on Privacy, Ass'n for Computing Machinery, PRIVACY, SECURITY, AND The Information INDUSTRY 72-79 (1976). 267. The code contains the following recommendations: 1. There should be no information system containing personally identifiable data whose existence is unknown to the data subject; 2. Personally identifiable data should not be collected unless the information system is safeguarded by a level of security commensurate with the sensitivity of the information; 3. There must be a reasonable method for the individual to find out what information is stored on him or her and how that information is used; 4. There should be no disclosure of any personal information to any organization or individual until the data subject has given permission for the disclosure in writing. Such permission may be revoked by the individual at any time, and if it is not revoked, the permission shall expire automatically at the end of one year; 5. Personally identifiable information collected for one purpose shall not be used for any other purpose without the knowledge and consent of the data subject; 6. In the event of a demand made by means of a compulsory legal proceeding, a reasonable attempt should be made to contact the data subject and to advise him or her of the demand prior to such information being given to the authorities; 7. There must be a reasonable method for an individual to contest the accuracy and completeness, pertinence and necessity of the data; to have data corrected, amended, or expunged if it is inaccurate or dated; and to assure that when there is a disagreement about a correction or expungement, the individual's claim is noted and included in subsequent disclosures; 8. Any organization creating, maintaining, using, or disseminating confidential information must assure its reliability for intended use and take precautions to prevent misuse of such confidential information; 9. Before creating a databank containing confidential information, a study should be completed to demonstrate the necessity for the information system as well as the relevancy of the collected data to its intended use. The concept of “useful life” should also be addressed; and 10. An individual should have the right to have the personal information removed from any file if the organization maintaining it cannot show any legal, useful, specific, and productive purpose for maintaining it. Id 482 DENVER LAW JOURNAL [Vol. 60:3 motivated to consider implementing control mechanisms to promote national interests in the area of privacy. Public and private collectors, users, processors, and transmitters of this information realize that such mechanisms can result in constraints and costs attaching to transnational data flows and can see to participate in these governmental decisions. The OECD and Council of Europe have taken major initiatives toward establishing an international legal regime concerning transborder data flows.268 Recommendations from both organizations recognize the need to balance privacy protection and the free flow of information. In the opinion of one commentator, the most significant of the OECD principles is the Individual Participation Principle which: recognizes the right of an individual to obtain confirmation regard- In 1980, the Council of Europe adopted the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.270 It was opened for signature at Strasbourg, Germany on January 28, 1981271 and seeks to protect individual privacy while allowing for the free flow of data across frontiers. Unlike the nonbinding recommendations of the OECD Guidelines, legally enforceable rights are established in countries that become parties to the Convention.272 Third World nations are attempting to develop high technology computer industries and will eventually face transnational data flow issues. 273 They will probably ask multinational corporations for assistance and access to databanks containing information on economic forecasting, marketing, and statistical research. These countries will play a more active role in decisions concerning international communications policies and data flows. CONCLUSION An international convention ensuring that privacy protections are maintained is necessary. Increasing interdependence among nations compels the development of binding agreements to govern information flows while ensuring protection of personal privacy. Without such protection, continued development and sharing of computer and telecommunication technology may not occur at a pace beneficial to all parties involved. Without 268. Nanda, supra note 182, at 422-24. 269. Id at 423. 270. Id 271. Id 272. Id 273. Id at 422-24. 1983] COMPUTERS AND PRIVACY 483 international protections, the abuses in areas of illegal data storage, inaccurate data transmissions, and unauthorized data disclosures could continue at an alarming rate. The high-tech threat to your privacy If you think computers know a lot about you now, WELCOME TO the world of the Ameri- ►Thanks to computer-assisted hook Changing april 1983 ups with local stores and banks, your response to questions on the screen. ► Computerized correspondence has largely done away with paper-andpencil letter writing. Instead, you use an electronic mail system to flash your messages practically anywhere in the world in an instant. You get your answer via your home computer or TV screen. Futuristic? Hardly. The technology that makes all this possible already exists; it seems only a matter of time before such scenes are cominon. It's a prospect that has a lot of people worried. In all likelihood the data on a smart card will be recorded and stored in a computer file so that a verification will be available for legal purposes. Each time you use your TV set to make a purchase or |