The history of data protection and privacy is as old as the US Constitution of 1789. Historically, the civil liberties provided to Americans in the first, third, fourth, and fifth constitutional amendments are the starting point of data protection and privacy. These amendments enshrine the fundamental rights of citizens pertaining to freedom of religion, speech, expression, and assembly, no accommodation of soldiers without the consent of the owner of the house, and protection against searches and seizures without warrants. These basic ideas of protection of the dignity of a man ultimately stand for protecting one’s liberty and privacy.
Here began the evolution of data protection and privacy. Justice Louis Brandeis of the US Supreme Court, while he was still a lawyer, wrote an article with Samuel D. Warren in the Harvard Law Review in 1890 titled “The Right to Privacy”. Both were pioneer writers who took up their pens to protect the data and privacy of a natural person. This article is the most influential essay in American legal history, and it is considered the first writing on the issue of privacy rights in the US and around the globe. In this article, the writers questioned whether the existing legal structure is fair enough to protect an individual’s privacy. The authors further elaborated on the principle of the right to privacy as different from tort, libel, defamation, and breach of trust, and discussed in detail how the right to privacy differs from other common law principles, giving a new idea.
In 1914, the US again became the pioneer in the protection of the private rights of the masses by establishing, under the federal government, the Federal Trade Commission (FTC) through the Federal Trade Commission Act (FTCA). The FTC’s purpose is to protect public rights from deceptive or unfair business practices of business entities. It was also envisaged to control unfair methods of competition through strict compliance with regulations, advocacy, research, and education.
Another landmark event happened in 1917, when the Bureau of Investigation (BOI), while investigating foreign sabotage, started surveillance of various activities, including mail opening. Solicitor General Judge William Lamar ruled against the BOI’s mail opening under the pretext of privacy protection.
George Orwell, a novelist, wrote the novel ‘1984’, in which he imagined a totalitarian state of Oceania without privacy. The state covers public spaces, and all the masses are under the surveillance of state agents. Even thoughts are not free, and ‘thought police’ read the people’s minds.
Article 12 of the United Nations Declaration of Human Rights, adopted in 1948, protects every human being’s privacy. Almost all countries endorsed this Declaration.
William L. Prosser, in 1960, wrote an article, “Privacy,” in which he discussed privacy law at length and carved out four torts under which a person can seek redress when his/her privacy is violated. These are:
- Intrusion upon the plaintiff’s seclusion or solitude or into his private affairs.
- Public disclosure of embarrassing private facts about the plaintiff.
- Publicity that places the plaintiff in a false light in the public eye.
- Appropriation of the plaintiff’s name or likeness for the defendant’s advantage.
One of the seminal works and writings on individual privacy protection is by Alan Westin, who tried to illuminate the issue that the individual will determine when, how, and to what extent information about him/her is communicated to the world at large.
In the 1960s and ’70s, the US Supreme Court issued several rulings related to privacy. Griswold v. Connecticut (1965) was a famous case in which all contraception was prohibited under the pretext of protection of marital privacy. A landmark decision in Katz v. United States (1967) extended Fourth Amendment protections against unlawful searches and seizures beyond citizens’ homes and property to anywhere a person reasonably expected privacy.
The Eisenstadt v. Baird (1972) case guaranteed the right of unmarried persons to possess contraception according to their needs. The ruling was based on an earlier ruling in Griswold v. Connecticut.
In 1972, in United States v. US District Court, 407 US 297 (the Keith Case), it was held that warrants are required for domestic intelligence surveillance. In 1973, the Department of Health, Education, and Welfare (HEW) Secretary’s Advisory Committee on Automated Personal Data Systems (SACAPDS) developed the landmark report Records, Computers, and the Rights of Citizens, which is known as the Report of the Secretary’s Advisory Committee on Automated Personal Data Systems. This report sets principles that are the basic foundation of the current legislation on privacy protection worldwide.
The Family Educational Rights and Privacy Act of 1974, or Buckley Amendment, is a US federal law protecting the privacy of student education records. It applies to all public schools and higher educational institutions. The Privacy Act of 1974 is a federal law in America establishing a code of ‘fair information practice’ for federal agencies regarding the collection, maintenance, use, and dissemination of personally identifiable data. Under this act, a privacy study commission has been established to monitor the activities of federal agencies regarding compliance with the act and issue its evaluation report.
The Telephone Consumer Protection Act (TCPA) and the National Do Not Call Registry regulate telemarketing and automated telephone dialing. The TCPA prohibits some telemarketing solicitation. The Do Not Call Registry, on the other hand, gives consumers the option to refuse to receive telemarketing calls at all. This legislation established privacy in the field of telecommunication.
In 1995, the European Union organized an effort to enforce data protection and privacy in Europe. It was the first time a regional forum adopted data protection and privacy laws. European courts started adjudicating privacy cases under the Data Protection Directive 1995. Adopted by the European Union in 1995, the Data Protection Directive regulates the processing of personal data within the EU. Compared to the United States, the right to privacy is a more highly developed field of law in the EU. The General Data Protection Regulation (GDPR) superseded the Data Protection Directive in 2018.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enforced to regulate the flow of health-related data and protect personal information maintained by the healthcare system and health-related insurance firms. It is also known as the Kennedy-Kassebaum Act. It was approved in the 104th United States Congress during Bill Clinton’s era.
The Children’s Online Privacy Protection Act (COPPA) is a federal US law enforced in 1998. It regulates the digital collection, by websites or other entities, of data on kids less than thirteen years of age. It ensures that the entity processing the data must get the consent of the parents or guardians and also sets down the methodologies for getting that consent. The legislation ensures data protection and privacy by kids’ data processors. The Clinton administration in 1999 established the office of Chief Privacy Counselor in all government agencies, which used to deal with privacy-related issues under the Privacy Act and the Freedom of Information Act (FOIA). Peter Swire was the Chief Privacy Counselor for the administration within the Office of Management and Budget. This slot was like that of a Data Protection Officer in the General Data Protection Regulation (GDPR).
The Gramm-Leach-Bliley Act (GLBA), or the Financial Modernization Act of 1999, is a federal law that made it compulsory for financial institutions to protect customers’ information in a specific way. This legislation sets out how, to what extent, and with whom customer data can be shared. It also allows customers to opt out of sharing their information. This law circumscribes the procedures and options for data handling by financial institutions in the US. The Federal Trade Commission’s Privacy of Consumer Financial Information Rule (Privacy Rule) ensures the act’s implementation in federal banking agencies, other federal regulatory authorities, and state insurance oversight agencies.
With the increasing amount of legislation and regulation, various agencies appointed a Chief Privacy Officer (CPO), a senior-level executive responsible for managing risk related to, and ensuring compliance with, information privacy laws. The CPO portfolio exists in many firms, public departments, and private entities. The first CPO was appointed at Acxiom, a consumer database marketing company, to implement data privacy laws. The same is true of M/s All Advantage, which hired a well-known privacy lawyer, Ray Everett, for the task.
Following the terrorist attack on September 11, the US Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act. It was crisis legislation passed right after 9/11. It has trespassed on almost fifteen pieces of legislation that protect civil liberties in America. Under this draconian law, civil liberties are trespassed in the name of homeland security. Moreover, a journey of decades of data protection and privacy was erased. No doubt, it has almost undone all the great efforts for data protection and privacy up till now in the USA.
The US Congress passed the E-Government Act in 2002, aiming to provide digital services to the masses and regulate e-governance in the public sector. The central theme of the act is to ensure that all federal government agencies perform a Privacy Impact Assessment (PIA) for any new technology that manages information associated with personal identification.
In 2003, California was the first state to introduce data breach notification laws. These laws envisage that any business or state agency dealing with personal data will disclose any personal data breach. California pioneered this kind of privacy legislation not only in the United States of America but also gave food for thought to the data breach concept in GDPR and later in the EU.
In 2018 came the landmark legislation on data protection and privacy, the General Data Protection Regulation (GDPR) by the EU. The European Union Parliament passed this law, which is in force in the European Economic Area (EEA). The GDPR is a comprehensive legislation that provides a complete skeleton of substantive and procedural laws. It also contains the enabling clauses for the member states to harmonize the legislation as per their local needs. The GDPR is more detailed and deals with data protection and privacy; it was implemented by the European Union (EU) and the European Economic Area (EEA) on May 25, 2018. It also applies to transferring personal data outside of the EU and EEA. Its scope is extra-territorial.
The California Consumer Privacy Act (CCPA) is state legislation that regulates data protection and privacy during business transactions in California. It was promulgated in 2020. Its salient features cover data privacy issues related to consumers in business transactions within the state. After California, Virginia promulgated its privacy legislation in 2023 and became the second state to act on privacy protection in the United States of America.
Finally, the EU took the lead and introduced the first-ever comprehensive AI governance model. The Artificial Intelligence Act is the first EU regulation on artificial intelligence (AI). The AI Act was promulgated recently by the EU in 2024, and it is a pioneer legislation around the globe. In this act, AI systems have been divided into four risk levels, i.e., unacceptable risk, high risk, limited risk, and minimal or no risk. The code of ethics, standards, liabilities, and punishment are clearly defined in this enactment. It can be safely concluded that the EU and the US played a leading role in data protection and privacy. That is the same area that we call the free world.