
A Remedy for Every Wrong? Why We Need a Consistent Privacy Act

The Privacy Act of 1974, the law designed to protect your rights as the government collects, uses, and shares your data, fails to consistently protect citizens' privacy because the circuit courts disagree on how to interpret its language. The differing interpretations and decisions that have come out of the circuit courts support the case for a consistent and updated set of federal privacy rules. The Eleventh Circuit's recent ruling against two Vietnam veterans who sued under the Privacy Act is a prime example of a claim that could have prevailed had it been brought elsewhere, highlighting the need for a clear and consistent set of privacy rules across the board.

In January 2007, a hard drive containing the unencrypted names, Social Security numbers, birth dates, and health records of over 198,000 living veterans went "missing" from a Department of Veterans Affairs (VA) medical center in Birmingham, Alabama (a different incident from the spring 2006 theft of a laptop from a VA employee's house in Maryland). The United States Court of Appeals for the Eleventh Circuit and the VA both agree that security at the facility was inadequate and that the VA violated both the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA) through its failure to adequately supervise the IT specialist in charge of the hard drive. Yet the court affirmed last week in Fanin v. U.S. Dep't of Veterans Affairs that the two veterans whose data was stolen have no recourse under the Privacy Act.

Adding insult to injury, the court admits that the plaintiffs could have proceeded if they had brought the case in a different circuit. In the 2004 case Doe v. Chao, the Supreme Court decided that Doe could claim the $1,000 minimum damages provided by the Privacy Act only if he could prove at least some small amount of "actual damages." The Eleventh Circuit had already decided, in 1982, that actual damages under the Privacy Act include only monetary damages, even though other courts, such as the Fifth and Tenth Circuits, also count mental anguish. Doctors have documented these veterans' injuries (increased "sleeplessness, isolation, anxiety, and anger" caused by aggravation of their post-traumatic stress disorder, which has required new prescriptions and higher dosages), yet these documented injuries do not meet the Eleventh Circuit's test.

The Eleventh Circuit's test, like the ruling in Doe, leads to some strange results. As Justice Ginsburg pointed out in her dissent in Doe, a court's decision might hinge on a fact as tangential as whether a plaintiff shelled out $10 for a credit report or paid a co-pay on a Valium prescription. It is no small irony that the two men in Fanin, already vulnerable in their reliance on the VA, cannot bring a suit precisely because they are not paying out of pocket for their treatment.

The Privacy Act should guarantee all citizens the same right to privacy regardless of where they or their data reside. Fortunately, this problem is easy to fix. All it requires is revising the awkward language in the Act that led to the Doe decision. The Center for Democracy and Technology is proposing amendments to the Privacy Act that would make this change, among others, to facilitate more consistent enforcement of the Privacy Act. CDT is accepting comments at eprivacyact.org through July 12 [Update: The deadline has been extended to July 18]. Let us know what you think of these ideas.