The U.S. Constitution has been largely ignored in the recent flurry of privacy laws and regulations designed to protect personal information from incursion by the private sector, despite the fact that many of these enactments and efforts to enforce them significantly implicate the First Amendment. Questions about the role of the Constitution have assumed new importance in the aftermath of the September 11 terrorist attacks on the World Trade Center and the Pentagon. Efforts to identify and bring to justice the perpetrators and to protect against future terrorist attacks, while threatening to weaken constitutional protections against government intrusions into personal privacy, demonstrate vividly the value of information collected in the marketplace and the need for such information in the future.
While there is some suggestion that the First Amendment may be a source of privacy rights applicable to the collection and use of personal information by the private sector, it is clear that the First Amendment restrains the power of the government to enact and enforce privacy laws that curtail expression. The precise extent of that restraint depends on a number of factors, not all of which have been clearly resolved by the Supreme Court. But, as the events of September 11 starkly remind us, the price of privacy may be very high indeed. Legislators, regulators, and prosecutors who ignore the First Amendment when considering privacy laws do so at their—and our—peril.
I. The Absent Constitution
The past three years have witnessed a surge in legislation, regulation, and litigation designed to protect the privacy of personal information. In 1998 Congress adopted legislation restricting the collection and use of information from children online,3 and the following year enacted the first comprehensive federal financial privacy legislation as part of the Gramm-Leach-Bliley Financial Services Modernization Act,4 as well as the first federal law prohibiting access to historically open public records without individual “opt-in” consent.5 Federal regulators have not only implemented these and other privacy laws, but also adopted sweeping health privacy rules under the Health Insurance Portability and Accountability Act6 and negotiated a privacy “safe harbor” for U.S. companies seeking to comply with European privacy law. The Federal Trade Commission, under former Chairman Robert Pitofsky, reversed its longstanding position and released two proposals for legislation concerning adult’s online privacy.7 Newly installed Chairman Tim Muris has promised renewed enforcement of existing privacy laws and policies, even while re-examining the FTC’s support for new privacy legislation. And state legislatures have considered more than 400 privacy bills while state attorneys general have initiated aggressive privacy investigations and litigation.