Book reviews Data Law - a privacy manual for the USA | For anyone wishing to gain an understanding of The treatment of in tne United the privacy scene in the USA, the following States is a major concern for the . publications will be indispensable:- This is how the two authors, Paul M. Schwartz and Joel R. Reidenberg describe the starting point Compilation of State and Federal for their recent book, Data Privacy' Law. At a Privacy Laws time when the EU Data Protection Directive is The eighth edition of the essential USA reference being implemented, and the USA is interested in book Compilation o f State and Federal Privacy developing its information , the book Laws, was published in May 1997 by Privacy makes an essential read for anyone who needs to Journal which has tracked privacy issues in the know about data protection in the USA. USA for over 20 years. It includes descriptions The book was originally prepared as a study of and legal citations for more than 700 state and American data protection law for tne European federal laws affecting the confidentiality of Commission. The objective was not to provide personal information. guidelines for the assessment of adequacy of The laws are grouped alphabetically, by state, protection of personal data in the USA, but simply and in the following categories: criminal records, an analysis of the conditions under which data is cable TV, computer crime, credit reporting and processed. However, the USA being the country credit repair, electronic , financial that will be most affected by the Directive's records, government and library records, requirement for adequacy in any transfers of employment, insurance, mailing lists, medical personal data outside the EU, the Commission was (including AIDS confidentiality), polygraphs, keen to see which of the Directive's provisions testing in employment (including HIV and genetic can be found in the USA. testing), privileged communications, the right to The study, which was undertaken by two publicity, student records, state constitutions, American data protection specialist:; and lawyers, Social Security numbers, tax records, telephone begins with a comparison of the conceptual solicitation, and telephone services. framework and legal systems in Europe and the The full texts of major laws are included, as . It is noted that in the United States well as a listing of Canadian laws on privacy. it is customary to speak of privacy rather than Also included is the first published version of the data protection. The authors, however, continue new federal Fair Credit Reporting Act, as revised to use the term data protection which they regard in 1996. as more precise than privacy. 119 pages Price: $31 plus postage The analysis then progresses to ook at fair ISBN 0 930072-11-1 information practices in the public iind private Directory of Privacy Professionals sectors. Areas covered within the private sector are telecommunications, financial services, direct Privacy Journal also publishes a Directory of marketing and employment. Transporter data Privacy Professionals which lists names and flows are also mentioned. addresses, telephone numbers, specialities and World Wide Web sites for 400 key individuals Inadequate federal legislation and organisations in the information-privacy area. There are numerous pieces of federal legislation in the USA that address the issue of die Updated regularly. $24.50. government's collection and use of personal data. Contact: Robert Ellis Smith, Publisher, The two most important ones, according to Privacy Journal, POB 28577, Providence, Schwartz and Reidenberg are:- the . Rhode Island 02908, USA. 1974 and the Freedom o f Information Act 1996 Tel: +(1) 401 274 7861 Fax: +(1) 401 273 4902 (PL&B May 1997 p.10). e-mail [email protected] The Privacy Act grants some important rights but has, nevertheless, failed to mak: a real impact. This is mainly due to the p roblems

Privacy Laws & Business Newsletter Page 18 December 1997 □

relating to its application and compliance. The quickly lead into new legislation - this was exactly Privacy Act applies to data controlled by only one die case with the Video Privacy Protection Act part of the government, namely federal agencies, 1988. which have not made much effort to change their European protection for transfers across the data processing practices. In addition, the Act Atlantic does not give federal courts the power to force The authors conclude by suggesting that strict these changes. However, despite its weaknesses, liability of the data exporter for personal data, and the Act places some restrictions on the collection a contractual approach could, in most cases, and processing of personal data. ensure adequacy of protection in transborder data No coherent legislation at state level flows. European companies complying with the The legislation at state level is no less complex. national data protection legislation would be likely Surprisingly, some data protection exists in every to require information about the data protection state, but the level of regulation varies from state practises of their US trading partners. to state. Comprehensive sets of obligations for It is suggested that the transparency effect, the public sector are missing in most states. The together with audits, and the possibility of law in Florida, for example, does not place any individuals able to pursue available remedies restrictions on data matching. In contrast to under European law, would greatly improve US Florida, California has the most comprehensive data protection practices. The authors data protection framework with a specific acknowledge, however, that European actions may reference to privacy. Californians have also used not be able to stop unfair foreign processing their privacy rights successfully. directly. Eventually, the civil and criminal Despite hundreds of federal and state laws, and penalties available under many European data supporting self-regulation, the authors urge the protection laws should act as an incentive for creation of a more comprehensive data protection European exporters to require satisfactory environment. For this to be achieved, they compliance. suggest that a data protection law should be This approach would give European Data enacted in all states. Protection Authorities a significant consultative Commercial pressure more influential than role. The authorities could, for instance, specify regulation conditions under which transfers would be While the protection of personal data does not permitted in a contract situation (PL&B Dec. '96 generally match European regulations, limited pp. 6-10, October '97 pp. 4, 9). protection does exist. The existing regulations seem to concentrate on subject access rights and Data Privacy Law: A Study o f United States Data the right to have,false data corrected. It is a Protection by Professor Paul M. Schwartz, strong view of the authors that a Federal Data University of Arkansas School of Law, Protection Agency should be established to assist Fayetteville and Professor Joel R. Reidenberg, individuals in exercising their rights, and to Fordham University School of Law, New York. monitor the rapid changes in information Publisher: Michie, 1996 ISBN 1-55834-377-6 technology. Michie, PO Box 7587, Charlottesville, VA On the other hand, they recognise that in the 22907-6094, USA. Price: $90 plus sales tax, USA commercial pressure affects companies to shipping and handling. such an extent that they are eager to handle Tel: 800 562 1197 Fax: 800 643 1280 personal information in a maimer that compares Internet: http://www.michie.com favourably with European principles. There is already evidence that strong public concern can

Privacy Laws & Business Newsletter Page 19 December 1997