|Part of the common law series|
|Liability and remedies|
|Duty to visitors|
|Other common law areas|
Privacy law refers to the laws that deal with the regulation of personal information about individuals, which can be collected by governments and other public as well as private organizations and its storage and use.
Classification of privacy laws
Privacy laws can be broadly classified into:
- General privacy laws that have an overall bearing on the personal information of individuals and affect the policies that govern many different areas of information.
- Specific privacy laws that are designed to regulate specific types of information. Some examples include:
- Communication privacy laws
- Financial privacy laws
- Health privacy laws
- Information privacy laws
- Online privacy laws
- Privacy in one's home
International legal standards on privacy
Article 8 of the European Convention on Human Rights, which was drafted and adopted by the Council of Europe in 1950 and meanwhile covers the whole European continent except for Belarus and Kosovo, protects the right to respect for private life: "Everyone has the right to respect for his private and family life, his home and his correspondence." Through the huge case-law of the European Court of Human Rights in Strasbourg, privacy has been defined and its protection has been established as a positive right of everyone.
Article 17 of the International Covenant on Civil and Political Rights of the United Nations of 1966 also protects privacy: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Privacy laws by country
The current state of privacy law in Australia includes Federal and state information privacy legislation, some sector-specific privacy legislation at state level, regulation of the media and some criminal sanctions. The current position concerning civil causes of action for invasion of privacy is unclear: some courts have indicated that a tort of invasion of privacy may exist in Australia;. However this has not been upheld by the higher courts, who have been content to develop the equitable doctrine of Breach of Confidence to protect privacy, following the example set by the UK. In 2008, the Australian Law Reform Commission recommended the enactment of a statutory cause of action for invasion of privacy.
A Brazilian citizen's privacy is protected by the country's constitution, which states:
- The intimacy, private life, honor and image of the people are inviolable, with assured right to indenization by material or moral damage resulting from its violation
In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use and disclosure of personal information in connection with commercial activities and personal information about employees of federal works, undertakings and businesses. It generally does not apply to non-commercial organizations or provincial governments. Personal information collected, used and disclosed by the federal government and many crown corporations is governed by the Privacy Act. Many provinces have enacted similar provincial legislation such as the Ontario Freedom of Information and Protection of Privacy Act which applies to public bodies in that province.
There remains some debate whether there exists a common law tort for breach of privacy. There have been a number of cases identifying a common law right to privacy but the requirements have not been articulated.
In Eastmond v. Canadian Pacific Railway & Privacy Commissioner of Canada Canada's Supreme Court found that CP could collect Eastmond's personal information without his knowledge or consent because it benefited from the exemption in paragraph 7(1)(b) of PIPEDA, which provides that personal information can be collected without consent if "it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement".
Computer Processed Personal Information Protection Act was enacted in 1995 in order to protect personal information processed by computers. The general provision specified the purpose of the law, defined crucial terms, prohibited individuals from waiving certain rights.
France adopted a data privacy law in 1978. It applies to public and private organizations and forbids gathering sensitive data about physical persons (sexuality, ethnic, political or religious opinions...). The law is administered by the Commission nationale de l'informatique et des libertés (CNIL), a dedicated national administration.
During the military dictatorship era the 57 AK law prohibited taking photos of people without their permission but the law has since been superseded. The 2472/1997 law protects personal data of citizens but consent for taking photos of people is not required as long as they aren't used commercially or are used only for personal archiving ("οικιακή χρήση" / "home use"), for publication in editorial, educational, cultural, scientific or news publications, and for fine art purposes (e.g. street photography which has been uphold as legal by the courts whether done by professional or amateur photographers). However, photographing people or collecting their personal data for commercial (advertising) purposes requires their consent. The law gives photographers the right to commercially use photos of people who have not consented to the use of the images in which they appear if the depicted people have either been paid for the photo session as models (so there is no separation between editorial and commercial models in Greek law) or they have paid the photographer for obtaining the photo (this, for example, gives the right to wedding photographers to advertise their work using their photos of newly-wed couples they photographed in a professional capacity). In Greece the right to take photographs and publish them or sell licensing rights over them as fine art or editorial content is protected by the Constitution of Greece (Article 14 and other articles) and free speech laws as well as by case law and legal cases. Photographing the police or children and publishing the photographs in a non-commercial capacity is also legal.
In Hong Kong, the law governing the protection of personal data is principally found in the Personal Data (Privacy) Ordinance (Cap. 486) which came into force on 20 December 1996. Various amendments were made to enhance the protection of personal data privacy of individuals through the Personal Data (Privacy) (Amendment) Ordinance 2012. Examples of personal data protected include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records. As Hong Kong remains a common law jurisdiction, judicial cases are also a source of privacy law. The power of enforcement is vested with the Privacy Commissioner (the "Commissioner") for Personal Data. Non-compliance with data protection principles set out in the ordinances does not constitute a criminal offence directly. The Commissioner may serve an enforcement notice to direct the data user to remedy the contravention and/or instigate the prosecution action. Contravention of an enforcement notice may result in a fine and imprisonment.
In June, 2011, India passed a new privacy package that included various new rules that apply to companies and consumers. A key aspect of the new rules requires that any organization that processes personal information must obtain written consent from the data subjects before undertaking certain activities. Application of the rule is still uncertain.
Section 43A, which deals with implementation of reasonable security practices for sensitive personal data or information and provides for the compensation of the person affected by wrongful loss or wrongful gain.
Section 72A, which provides for imprisonment for a period up to 3 years and/or a fine up to Rs. 5,00,000 for a person who causes wrongful loss or wrongful gain by disclosing personal information of another person while providing services under the terms of lawful contract.
Act on the Protection of Personal Information was fully enacted in 2005 for the purpose to protect the rights and interests of individuals while taking consideration of the usefulness of personal information. The law applies to business operators that hold the personal information of 5,000 or more individuals.
In July 5, 2010, Mexico passed a new privacy package focused on treatment of personal data by private entities. The key elements included where:
- Set fines for up to $16,000,000 MXN in case of violation of the law.
- Set prison penalties to serious violations.
In New Zealand, the Privacy Act 1993 sets out principles in relation to the collection, use, disclosure, security and access to personal information.
The introduction into the New Zealand common law of a tort covering invasion of personal privacy at least by public disclosure of private facts was at issue in Hosking v Runting, and was accepted by the Court of Appeal. In Rogers v TVNZ Ltd the Supreme Court indicated it had some misgivings with how the tort was introduced, but chose not to interfere with it at that stage.
Complaints about privacy are considered by the Privacy Commissioner
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed and ratified by the Russian Federation on December 19.2005;
- the Law of the Russian Federation “On Personal Data” as of 27.07.2006 No. 152-FZ, regulating the processing of personal data by means of automation equipment. It is the operator who is required to comply with that Act.
As a general rule, consent of the individual is required for processing, i.e. obtaining, organizing, accumulating, holding, adjusting (updating, modifying), using, disclosing (including transfer), impersonating, blocking or destroying of his personal data. This rule doesn't apply where such processing is necessary for performance of the contract, to which an individual is a party.
- Data protection principles and legislation in the Russian Federation (in English)
- On-line database of the Russian laws (in Russian)
- Federal Service on supervising in the sphere of communications, information technology and mass media (in Russian)
Singapore enacted the privacy law in 2012, overseen by the Personal Data Protection Commission. On top of protecting personal privacy, new laws was introduced to govern telemarketing (and other marketing activities in similar nature) in which individuals can now list their contact number as part of a Do Not Call list.
As a member of the European Convention on Human Rights, the United Kingdom adheres to Article 8 ECHR, which guarantees a "right to respect for privacy and family life" from state parties, subject to restrictions as prescribed by law and necessary in a democratic society towards a legitimate aim.
However, there is no independent tort law doctrine which recognises a right to privacy. This has been confirmed on a number of occasions.
The right to privacy is not explicitly stated anywhere in the Bill of Rights. The idea of a right to privacy was first addressed within a legal context in the United States. Louis Brandeis (later a Supreme Court justice) and another young lawyer, Samuel D. Warren, published an article called "The Right to Privacy" in the Harvard Law Review in 1890 arguing that the U.S. Constitution and common law allowed for the deduction of a general "right to privacy".
Their project was never entirely successful, and the renowned tort expert Dean Prosser argued that "privacy" was composed of four separate torts, the only unifying element of which was a (vague) "right to be left alone". The four torts were:
- Appropriating the plaintiff's identity for the defendant's benefit
- Placing the plaintiff in a false light in the public eye
- Publicly disclosing private facts about the plaintiff
- Unreasonably intruding upon the seclusion or solitude of the plaintiff
For additional information on Privacy laws in the United States, see:
- Health Insurance Portability and Accountability Act (HIPAA)
- Financial Services Modernization Act (GLB), 15 U.S. Code §§ 6801-6810
- Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313
- Fair Credit Reporting Act (FCRA), 15 U.S. Code §§ 1681-1681u
- Fair Debt Collection Practices Act (FDCPA), 15 U.S.C. §§ 1692-1692
- Driver's Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721–2725
Though the right to privacy exists in several regulations, the most effective privacy protections come in the form of constitutional articles of Uzbekistan. Varying aspects of the right to privacy are protected in different ways by different situations.
- Data Protection Act 1998 (United Kingdom)
- Data Protection Directive (European Union)
- Data protection and privacy laws (Russia)
- Electronic Communications Privacy Act (United States)
- Personality rights
- Privacy Act of 1974 (United States)
- Privacy Act 1988 (Australian)
- Right to be forgotten
- Grosse v. Purvis  QDC 151 AustLII; see also Jane Doe v. Australian Broadcasting Corporation  VCC 281 AustLII
- Giller v. Procopets  VSCA 236
- "Invasion of privacy : penalties and remedies : review of the law of privacy : stage 3" (2009) (Issues paper 14), New Zealand Law Commission, ISBN 978-1-877316-67-8, 2009 NZIP 14 accessed 27 August 2011
- Constituição da república federativa do Brasil de 1988
- See for example, Somwar v. McDonald's Restaurants of Canada Ltd,  O.J. No. 64 for a discussion on this
- Eastmond v. Canadian western Railway & Privacy Commissioner of Canada, June 11, 2004
- Article 14 of the Constitution of Hellas
- Hong Kong Ordinances - Personal Data (Privacy) Ordinance (Cap.486)
- Hong Kong Government Gazette Ord No.18 of 2012
- Hong Kong Department of Justice - Legal System in Hong Kong
- The Privacy Commissioner for Personal Data Official Website
- Regulation of the Cloud in India, Ryan, Falvey & Merchant, Journal of Internet Law, Vol 15, No. 4 (October 2011).
- "Information Technology (Amendment) Act, 2008" (PDF). Ministry of Law and Justice, Government of India. Retrieved 3 May 2011.
- "Section 72 A: Punishment for Disclosure of information in breach of lawful contract". Section 72 A: Punishment for Disclosure of information in breach of lawful contract.
- Warren and Brandeis (December 15, 1890). "The Right to Privacy". Harvard Law Review. IV (5): 193. doi:10.2307/1321160.
- Dean Prosser, "Privacy" (1960) 48 California Law Review, 383
- Office for Civil Rights, U.S. Department of Health and Human Services, "Health Insurance Portability and Accountability Act".
- 2014 International Compendium of Data Privacy Laws, provided by BakerHostetler
- Handbook on European data protection law