Reasonable Expectation of Privacy: An Evaluation of Privacy Law Frameworks in the Digital Age

By Lesley Kelley, Policy Group Intern, Goeman Bind HTO
The author, Lesley Kelley, is currently a candidate for a Masters of Public Policy at Georgia State University, Andrew Young School of Policy Studies, where she is focusing on policy evaluation and research. Her areas of interest include youth empowerment, human rights and international development. She currently holds the position of Policy Intern at Goeman Bind HTO, a Think Tank.
This paper is approved by Mr. Harjit S. Sandhu, Expert Fellow & Leader with Goeman Bind HTO. 
Anyone can quote from this paper but due acknowledgement and reference should be given to Goeman Bind HTO, Think Tank.

In their essay, The Right to Privacy, Samuel D. Warren and Louis D. Brandeis grapple with the right to privacy in the face of technological advances.  While their focus is the rise of “[instantaneous] photographs and newspaper enterprise” (leaving the individual more exposed to libel and slander), their observations remain relevant in today’s rapidly changing society, specifically the need for law to adapt with technological advancements.

Warren and Brandeis set forth an evolution of the concept of privacy.  They argue that:

…in very early times, the law gave a remedy only for physical interference with life and property… ‘the right to life’ served only to protect the subject from battery in its various forms; liberty meant freedom from actual restraint; and the right to property secured the individual his lands and cattle…now the right to life has come to mean the right to enjoy life – the right to be let alone; the right to liberty secured the exercise of extensive civil privileges; and the term ‘property’ has grown to comprise every form of possession – intangible, as well as tangible (Warren and Brandeis, 1890).

With the changing view of privacy came the need to examine the existing laws governing privacy and infringements thereon.   At that time, the law only protected physical property and not “feelings” or “intangible property”. The authors reason that “now that modern devices afford abundant opportunities for the perpetration of such wrongs without any participation by the injured party, the protection granted by the law must be placed upon a broader foundation.”  In turn, tort law must be used to enforce a modernized definition of the right to privacy which includes not only tangible possessions but also “all rights and privileges, and…the right to an inviolate personality” (Warren and Brandeis, 1890).

As technology continues to advance, existing legal definitions of what is “private” are becoming less applicable in the sense that they fail to address the intangible.  Additionally, “many of one’s most private things, such as medical records, may be stored in a database far from one’s ‘person’ or ‘house’” (DeVries, 2003).  Historically, the law has adapted at a slow pace to rapidly changing technology, creating a lag between availability of information and the rights to individual privacy. The rise of the internet has made widespread dissemination and virtual storage a reality for most of the developed world. Jerry Berman and Deirdre Mulligan identify three challenges the internet poses to privacy: “(1) the increase in data creations and the resulting collection of vast amounts of personal data – caused by the recording of almost every modern interaction; (2) the globalization of the data market and the ability of anyone to collate and examine this data; and (3) lack of the types of control mechanisms for digital data that existed to protect analog data” (Berman and Mulligan, 1998) (DeVries, 2003).

In addition to technological changes, the U.S. National Research Council (NRC) also points out that societal shifts and discontinuities in circumstances have affected privacy to justify voluntary disclosure of personal information to third parties and the use of mass government surveillance.  The NRC explains that there have been “evolutionary changes in the institutions of society” that have led to “the transformation of social institutions, practices, and behavior through [the routine use of technology].”  In other words, people must now make personal information available for routine tasks involving almost every aspect of life.  Additionally, disruptions in norms (often caused by events) can cause changes in how we view privacy.  The rise of global terrorism is something that has had a profound effect on privacy, particularly in response to counterterrorism surveillance by governments. In short, attitudes towards privacy are “context dependent” and fluid (Waldo et al., 2007).

Expanding upon the relationship between technology and privacy, DeVries identifies four examples where personal information has become ubiquitous: (1) Financial Information; (2) Public Records; (3) Medical privacy; and (4) Digital Dossiers.  Currently, financial information is only protected by statutory regulation under the Financial Services Modernization Act of 1999.  This legislation, while providing federal and state governments more access to financial institutions, also offered privacy regulations which the Federal Trade Commission “strongly promoted”.  Without Constitutional authority, however, the courts have struggled to protect financial privacy against free speech claims (DeVries, 2003).

Technology has also led to increased accessibility of public records which often contain highly personal and sensitive information.  Court websites often provide electronic case records and even sex offender registrations resulting from “Megan’s Law” statutes (DeVries, 2003).

The legal framework for medical privacy lacks continuity.  Medical privacy rights have historically not received the same protections from the Supreme Court as physical privacy and decisional authority, although an individual’s medical information, particularly genetic and prescription information, can lead to discrimination.  The Health Insurance Portability and Accountability Act of 1996 was enacted mostly to allow continuity in health coverage, but it requires states to protect privacy of medical records from unwanted distribution to third parties (DeVries, 2003).

Last, with the proliferation of big data and ease of access, information about an individual can now be aggregated into dossiers for profiling and marketing.  Additionally, the Pentagon uses data mining programs to monitor digital data to fight terrorism, which may be used to collect information about ordinary citizens.  This kind of data collection “is the epitome of the digital information privacy problem: seemingly innocuous information accumulated and used in privacy-invasive ways” (DeVries, 2003).

With technology rapidly changing, we are faced with the challenge of defining privacy and judging the adequacy of our current laws.  DeVries argues that privacy law in the United States is “disjointed and piecemeal”.  He identifies two branches of American privacy law: “the traditional physical and decisional ‘right to be let alone’” and “the more recent notion of control over (or rights concerning) personal information.”  While physical privacy is mostly protected by the Constitution, common law and tort law, informational privacy, which pertains to one’s right to protect his or her information against abuse by third parties (including the government), has not received the same level of protection (DeVries, 2003).  The result is a “patchwork of state laws, federal sectoral laws, and other nonprivacy laws invoked in privacy matters”, leading to inconsistency and unreliability (Suuberg, 2013).

The Constitutional protection for privacy in the United States is the Fourth Amendment.  The Fourth Amendment provides that “[the] right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” It is important to note that the Fourth Amendment does not protect from all searches and seizures, but merely those performed by the government and considered unreasonable pursuant to the law.  The determination of infringement of an individual’s Fourth Amendment rights rests on the concept of one’s “expectation of privacy”, and whether it was “arbitrarily violated by the government” (

The Fourth Amendment protects against “unreasonable searches and seizures” by the state.  Despite the intangibility of digital data, the government’s motive for searching it is no different than the motive for searching one’s possessions.  These digital searches, however, are not held to the same standards as physical searches.  Although statutes fill some gaps, they do not offer overarching protection for individuals’ electronic data.  Additionally, the use of government surveillance in deterring crime and the threat of terrorism makes the argument for Fourth Amendment protection of digital personal data that much more complex (DeVries, 2003).

With regard to the aggregation of private information, the First Amendment serves as a formidable opponent in limiting protections.  Third parties argue (and courts have often agreed) that “aggregated information is not truly ‘private.’”  While mostly harmless in its unaggregated state, when compiled, this information “can do real damage to an individual’s sense of self-determination and autonomy”.  The problem lies in the fact that, once an individual voluntarily submits his personal information to a third party, that information essentially becomes public.  This begs the question of whether or not individuals realize what they are giving up when they volunteer their information to third parties (DeVries, 2003).

The first federal law in the United States to address informational privacy as a whole was the Privacy Act of 1974.  The Privacy Act was essentially passed as a response to the federal government’s accumulation of and access to personal information.  DeVries notes, however, that the Privacy Act “only applies to such state-issued or collected information as welfare benefit data and Social Security Numbers [and] is limited by exceptions for ‘routine use’ and by the Freedom of Information Act”.  Additional federal regulations, such as the Fair Credit Reporting Act and the Electronic Communications Privacy Act, are likewise limited in scope and industry specific, and do not establish a framework for informational privacy law (DeVries, 2003) (Suuberg, 2013).

As previously noted, certain events have changed the ways individuals and governments view privacy.  As a response to the September 11 terrorist attacks, the United States enacted the USA PATRIOT Act (“Patriot Act”).  Until this time, digital surveillance laws and collection of digital data were in “legislative limbo.”  DeVries’ interpretation of the Patriot Act is that it:

…generally loosens procedural and substantive limits regarding government investigative and surveillance powers, both foreign and domestic…allows broader sharing of gathered information between law enforcement and intelligence agencies, amends Foreign Intelligence Surveillance Act (FISA) to expand the federal government’s ability to investigate and search foreign entities and organizations, allows law enforcement to install ‘roving wire taps’ and obtain ‘pen registers’ and ‘trap and trace’ orders for telephones – and now for computers – with less procedural barriers (DeVries, 2003).

Further, the Patriot Act legalized “Carnivore” searches (digital monitoring software used to monitor online communications by the FBI) and required judges to authorize searches without proper review.

Although it does have some privacy provisions, DeVries maintains that the Patriot Act is more concerned with “easing restrictions on government surveillance of digital communications” than with countering terrorism (DeVries, 2003).  The Patriot Act, however, met with little resistance from average Americans, who remained in a constant state of fear and were all too ready to sacrifice their right to privacy in exchange for protection.

In contrast to the Patriot Act is the recent Equifax ordeal where millions of Americans’ personal data was compromised due to negligence.  Although no official action has been taken, this breach brings the issue of privacy to the forefront of public debate.  Questions regarding the legality of aggregation and storage of personal data dominated the news cycle while lawmakers admonished executives in heated interviews. Concerns over the power wielded by credit reporting agencies (“CRAs”) are nothing new, however. As Senator Proxmire argued during congressional testimony in 1969, “Tight security standards are expensive…Since credit bureaus are almost entirely responsive to the needs of business and have little responsibility to consumers, it is difficult to see major expenditures on security systems in the absence of public standards.”  In 1970, the Fair Credit Reporting Act (“FCRA”) was put into place as a response to abuses, denial of individuals’ access to their personal information, fabrications, collection of personal information and unauthorized sharing on the part of the CRAs.  Technically, the Federal Trade Commission is in charge of enforcing laws that apply to credit reporting agencies but is somewhat impotent (Cowley et al., 2017).  The Equifax breach has proved that existing laws and methods of enforcement are ineffective in protecting the privacy of individuals.

Just as events have shaped privacy law in America, so have the courts.  Although the Supreme Court has failed to establish a definitive concept of a “reasonable expectation of privacy”, some of its decisions illustrate the evolution of concepts of privacy in American society.

The “[Property Rights Approach] posits that a ‘search,’ for Fourth Amendment purposes, occurs when governmental authorities physically intrude into a constitutionally protected area.” The 1928 case of Olmstead v. United States[1] involved the surveillance of the defendants through wiretaps on their home telephones and business.  Because the wiretaps were installed without any form of physical intrusion upon the defendants’ actual property, the court determined the tap to be legal.  Accordingly, in the case of Silverman v. United States, where an actual intrusion had occurred when a police microphone penetrated a heat duct in the defendant’s home, the court ruled that a search had occurred which violated the Fourth Amendment (Scott-Hayward et al., 2015).

The decline in the “Property Rights Approach” was marked by a new approach focused specifically on the expectation of privacy.

In the case of Katz v. United States[2], the defendant used a public phone to place gambling bets.  Citing that the Fourth Amendment actually protected a person as opposed to a physical location, the court declared the FBI’s installation of a listening device unlawful.  Specifically, the court opined, “it becomes clear that the reach of that Amendment cannot turn upon the presence or absence of a physical intrusion into any given enclosure…The fact that the electronic device…did not happen to penetrate the wall of the booth can have no constitutional significance”.  The court further concluded that the installation of the recording device violated the defendant’s (justifiably) expected privacy.  Justice John Harlan’s contribution set forth the notion of the “reasonable expectation of privacy” test.  He explained, “My understanding of the rule…is that there is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as reasonable.”  This test would serve as the standard for subsequent privacy challenges although the determination of what constitutes a “reasonable expectation of privacy” remains subjective (Scott-Hayward et al., 2015).

In the case of United States v. Miller[3], the Supreme Court found that “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to government authorities.”  This “Third Party Doctrine” is not without controversy, however.  While proponents argue that it allows law enforcement to fight crime, it assumes that personal information passed to third parties is voluntary and that individuals are in agreement to the dissemination of this information (Scott-Hayward et al., 2015).

The Third Party Doctrine has also been criticized for its inapplicability to the state of current technology.  In United States v. Jones,[4] the “Court upheld that the government’s warrantless use of a global positioning device to track the public movements of a criminal suspect…was an unconstitutional search and seizure under the Fourth Amendment” (Fong and Delaney, 2012).  In her concurrence, Justice Sotomayor stated that [the Third Party Doctrine] “is ill suited to the digital age, in which people reveal themselves to third parties in the course of carrying out mundane tasks.”[5]  In United States v. Davis[6], the judge remarked:

In our time, unless a person is willing to live ‘off the grid,’ it is nearly impossible to avoid disclosing the most personal of information to third-party service providers on a constant basis, just to navigate daily life.  And the thought that the government should be able to access such information without the basic protection that a warrant offers is nothing less than chilling.

In order to determine what is considered legally subject to physical surveillance by law enforcement, courts consider a number of factors, with the nature of the place being observed (in terms of expectation of privacy) as the most important.  With regard to digital surveillance, the courts are mostly concerned with the period of time over which the subject is surveilled, as long-term surveillance “can present a composite of a person’s life in ways that traditional surveillance cannot”, often termed the “Mosaic Theory” (Scott-Hayward et al., 2015).

Protections for online information stored on third party servers have varied according to their nature.  In 2010, the Sixth Circuit Court held that “individuals have a reasonable expectation of privacy in the content of their emails”.  In United States v. Meregildo[7], where “law enforcement viewed Facebook postings that were visible only to select ‘friends’ through the cooperation of a witness on the defendant’s ‘friends list’”, the court determined that there was not a reasonable expectation of privacy.  On the subject of metadata, the courts have historically been divided while determining that “nonpublic cloud data is not in the public domain.”  The courts have also maintained that there is an expectation of privacy in the content of the messages and that, while the numbers of text senders and recipients may be, the content is not subject to the Third Party Doctrine (Scott-Hayward et al., 2015).

European privacy law has similarly adapted over the course of history although its philosophical roots are quite different from those of the United States.  In the 1970’s Germany passed the Hesse Act as the first data protection law, followed by France, Sweden and Denmark.  Over the next twenty years, Norway, Finland, Spain, Portugal, Luxembourg and Belgium would pass their own data privacy laws in the 1980’s.  In 1983, the German Constitutional Court handed down a decision which guaranteed “specific rights for the individual concerning the whole process of personal data processing”, providing the basis for subsequent European law (Suuberg, 2013). In 1995 the E.U. adopted the Data Protection Directive (“DPD”); however, at the time, the world wide web was in its fledgling stages and the law did not consider the subsequent rise of the internet and smart devices.

The General Data Protection Regulation (“GDPR”) replaced the Data Protection Directive in 2016 and is the current law protecting informational privacy in the European Union.  The goal of the GDPR was to create uniformity in E.U. privacy law and establish a “two-part legal framework that addresses both the processing of personal data in criminal investigations and prosecutions, and consumer control over the way that Web sites and marketing companies surreptitiously collect information” to create profiles of individuals as consumers.  The GDPR also contains expansive definitions of what is considered subject to privacy law and expectations for third parties who control the personal information of individuals (Voss, 2016) (Suuberg, 2013).

There were several notable challenges to existing regulations which shaped privacy law in Europe, particularly concerning its relationship with America.  In 2000, in response to a provision of the Data Protection Directive, the United States and the European Union negotiated the “U.S. – E.U. Safe Harbor” cross-border data-transfer framework to “allow personal data transfers to U.S. companies that self-certified their compliance with the substance of E.U. data protection law”.  Due to concerns about the United States’ use of mass surveillance, however, the E.U. revoked the Safe Harbor, which was eventually replaced by the “E.U. – U.S. Privacy Shield” (Voss, 2016).  These laws essentially coerced the United States into complying with stricter European privacy laws or risk losing business with Europe (Suuberg, 2013).

Additionally, a 2014 case against Google Spain resulted in a “right to compel delisting” from pages containing prejudicial information of an individual.  In Google Spain SL v. Agencia Española de Protección de Datos, the court ruled that the DPD, the governing law at the time, dictated that Google must delete personal data upon request by the individual.  In this case, “the court’s interpretation is firmly grounded in the text of the Directive and its underlying values” which is the protection of individual privacy (Using HLR, 2014) (Voss, 2016).

While both have evolved with the rise of technology, there are fundamental differences in the nature of U.S. and E.U. privacy law.  While there is not a difference in the value of privacy between the U.S. and Europe, the concept of privacy has “evolved differently”.  While the European value of privacy is based in “dignity” and “self-determination”, the United States appreciates privacy as freedom from government control and “the right to be let alone”.  Privacy rights in the U.S. are additionally “derived from property rights” and “defined externally rather than being internally related to the person”, whereas the European focus is “to create a sphere for personal matters in which an individual can feel free from outside interference and to ensure citizens’ unbiased participation in the political process” (Suuberg, 2013).

Given the inherent cultural differences regarding values related to privacy, it is no surprise that privacy laws vary greatly between the U.S. and the E.U.  “In contrast with their European counterparts, the American private-sector protections that developed over time were more decentralized, taking the form of industry-specific regulation, such as the Fair Credit Reporting Act, the Cable Communications Privacy Act, and the Video Privacy Protection Act of 1988” (Suuberg, 2013).  Historically, European privacy law regarding the protection of personal data has included private data processing in addition to government activities.  While original laws addressed the collection of social-welfare data, the subsequent laws involved the individual’s right to “object to data collection and the right to call for deletion of old information” as illustrated by the Google Spain case set forth above (Suuberg, 2013).

In contrast, American law is more focused on protecting the individual from the intrusion of the government.  “American anxieties focus on the sanctity of the home, and the prime danger since the eighteenth century has been that the government will intrude there.”  In contrast, there is little continuity in laws regulating private entities when it comes to informational privacy (Suuberg, 2013).

While both the E.U. and the U.S. privacy laws respect the rights of those subject to their laws, a larger question of privacy as a human right remains.  Technological advances promote globalism, giving nations a greater reach over those who may not be protected by their laws.  With that reality comes the question of whether all humans have the right to privacy and to what extent and at what cost.

In 2013, Edward Snowden revealed a mass surveillance and data collection operation on American citizens by the Central Intelligence Agency.  Questions over whether the personal freedoms lost to mass surveillance were justifiable in order to catch criminals led to a larger debate over the legality of these programs, assessed within the framework of international human rights law.

The current state of international privacy law in the context of human rights is centered around the International Covenant on Civil and Political Rights (“ICCPR”) and the European Convention on Human Rights (“ECHR”).  While both protect the right to privacy, there are differences which cause subjectivity in the determination of the legality of extraterritorial surveillance.  The ICCPR is based on the Universal Declaration of Human Rights (“UDHR”) Article 12 and declares that “(1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation; and (2) Everyone has the right to protection of the law against such interference or attacks.”[8]  The ECHR states that “(1) Everyone has the right to respect for his private and family life, his home and his correspondence; and (2) there shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”[9]

In 2013, a resolution entitled “Right to Privacy in the Digital Age” passed which:

firmly puts the issue of electronic surveillance within the framework of international human rights law and directly invokes both Article 12 of the UDHR and Article 15 of the ICCPR.  In the preamble, the Assembly expresses its deep concern ‘at the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights…that the same rights that people have offline must also be protected online, including the right to privacy…[that states should] respect and protect the right to privacy, including in the context of digital communication’ – the reference to the obligation to protect being especially significant since it requires states to regulate the conduct of non-state actors, such as telecommunications companies (Milanovic, 2015).

Additionally, the resolution called for a report “on the protection and promotion of the right to privacy in the context of domestic and extraterritorial surveillance and/or interception of digital communications and collection of personal data…” (Milanovic, 2015).

The question of whether foreigners deserve privacy has historically been a condition of citizenship.  The United States prohibits surveillance of any citizen (at home or abroad) or person located within the U.S. or its territory.  One argument for why privacy protections are afforded only to U.S. citizens by the government may be the social contract inherent in citizenship.  If this is the case, however, what about the basic American tenet that “all men are created equal”?  Is respecting rights of non-citizens mutually exclusive?  Why are rights given to non-citizens located within the United States?  This logic, at best, is morally inconsistent.  Moreover, court decisions and presidential rhetoric do not provide any additional clarity on the topic.  FISA states that surveillance “may not intentionally target any person known at the time of acquisition to be located in the United States.”[10]  In its report, a Review Group set up by President Obama (“Review Group”) found that:

“[the most compelling reason for protecting the privacy of foreigners] is the simple and fundamental issue of respect for personal privacy and human dignity – wherever people may reside.  The right of privacy has been recognized as a basic human right that all nations should respect.  Both Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights proclaim that ‘No one shall be subjected to arbitrary and unlawful interference with his privacy…’  Although that declaration provides little guidance about what is meant by ‘arbitrary and unlawful interference,’ the aspiration is clear.  The United States should be a leader in championing the protection by all nations of fundamental human rights, including the right of privacy, which is central to human dignity.”

Obama’s policy directive followed this reasoning.

There are two arguments for the applicability of human rights treaties to foreign surveillance programs.  First, human rights (particularly privacy rights) should not be determined by a state according to one’s nationality.  Second, “if human rights treaties do apply to a particular interception (or other surveillance activity), and the intercepting state draws distinctions on the basis of nationality (as many do), this potentially implicates not only the privacy guarantees in the treaties, but also their provisions on equality and non-discrimination” (Milanovic, 2015).

There is also a debate about whether the “and” in the ICCPR language is conjunctive. The ICCPR states that “[e]ach State Party to the present Covenant undertakes to respect and ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in the present Covenant”[11] while the ECHR simply dictates that “High Contracting Parties shall secure to everyone within their jurisdiction the rights and freedoms defined in Section I of this Convention.”[12]  The conjunctive interpretation of the “and” in the ICCPR language can be used to exclude non-citizens within the United States and U.S. citizens located outside of the United States from privacy protections afforded by the Covenant.  Despite claims to the contrary, there was no real consensus among drafters of the covenant regarding extraterritoriality.

Both the Bill Clinton and George W. Bush administrations took the position that the Covenant was not extraterritorial, Bush’s main reasoning being the surveillance needed for the “War on Terror”.  The Bush administration argued that conjunctive language “was clear and that the impossibility of the ICCPR’s extraterritorial application was supported by the drafting history”, though the Human Rights Council has rejected this position. The Obama administration did not take a hard position either way, showing a lack of consistency in the U.S. position on the subject (Milanovic, 2015).

Advances in technology have led to new and increasing threats to individual privacy by governments and private actors and increased the scope of these threats by facilitating globalism through the rise of the internet.  As such, the individual is then faced not only with possible uncertainty as to his rights within his own country, but also with privacy threats from foreign actors, both governmental and private.  As set forth above, even the European Union and the United States (developed countries who share the same liberal democratic values) have very different frameworks for privacy laws which do not seem to be moving on a path of reconciliation.  Establishing privacy as a basic human right, governed and enforced by the Office of the United Nations High Commissioner for Human Rights, seems a logical solution to variation in privacy laws between nations; however, as illustrated above, there is no consensus on the extraterritoriality of these protections, thus deflating any hopes of a universal privacy framework.  Although there is no normative theory about why human rights should not extend beyond borders, the reality is that nations have and will continue to operate in a manner that serves their own interests.  As long as there is terrorism, there will be a need to surveil potential terrorists.  As long as companies operate globally, there will be a need to limit privacy protections for the sake of commerce.  Perhaps then, the role of the state is merely to protect its own citizens against privacy violations.  As social networks and markets continue to expand beyond borders, however, nations will be forced to rethink ways to protect the privacy of their citizens while operating on the world stage.


Berman, Jerry and Deirdre Mulligan. “Privacy in the Digital Age: Work in Progress,” Nova L. Rev. 23, no. 551 (1998).

Cowley, Stacy, Tara Siegel Bernard and Danny Hakim, “Equifax Breach Prompts Scrutiny, but New Rules May Not Follow,” New York Times, September 15, 2017,

DeVries, Will Thomas. “Protecting Privacy in the Digital Age,” Berkeley Technology Law Journal, 18 (2003): 283-311.

Fong, Ivan K. and David G. Delaney (October 2012). America the Virtual: Security, Privacy, and Interoperability in an Interconnected World. Keynote Address at Department of Homeland Security Symposium.

Milanovic, Marko. “Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age.”  Harvard International Law Journal, 56 (2015) 81 – 119.

“Recent Cases: Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (May 13, 2014).” Harvard Law Review, 128 (2014): 735 – 742.

Scott-Hayward, Christine, Henry F. Fradella, and Ryan G. Fischer, “Does Privacy Require Secrecy?  Societal Expectations of Privacy in the Digital Age.” Am. J. Crim. L. 43, 1 (2015): 20-58.

Suuberg, Alessandra, “The View from the Crossroads:  The European Union’s New Data Rules and the Future of U.S. Privacy Law.”  Tulane Journal of Technology and Intellectual Property. 16 (2013): 267 – 286.

Voss, W. Gregory, “European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting.” Business Lawyer, 72, 1 (2016): 221-233.

Waldo, James, and Lynette I. Millett, eds. Engaging privacy and information technology in a digital age. Translated by Herbert Lin. Washington, D.C.: The National Academies Press, 2007.

Warren, Samuel D. and Louis D. Brandeis, “The Right to Privacy.”  Harvard Law Review, IV, 5 (1890).

[1] Olmstead v. United States, 277 U.S. 438, 466 (1928).

[2] Katz v. United States, 389 U.S. 347 (1967).

[3] United States v. Miller, 425 U.S. 435 (1976).

[4] United States v. Jones, 132 S. Ct. 954 (2012).

[5] Id. at 957 (2012).

[6] United States v. Davis, 785 F.3d 498 (11th Cir. 2015).

[7] United States v. Meregildo, 883 F. Supp. 2d 523, 526 (S.D.N.Y. 2012).

[8] UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, United Nations, Treaty Series, vol. 999, p. 171, available at: [accessed 25 October 2017] (hereinafter “ICCPR”).

[9] Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950, ETS 5, available at: [accessed 25 October 2017] (hereinafter “EHCR”).

[10] United States. Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 or FISA Amendments Act of 2008. [Bethesda, MD: ProQuest], 2011.

[11] ICCPR (emphasis added).

[12] EHCR.