Business Credit Business Travel Franchising Personal Finance Sales & Selling Technology Women in Business Careers E-Commerce & Internet Finance & Accounting Labor & Employment Management Marketing & Advertising Operations Starting a Business > See All

by Title A-H by Title I-P by Title Q-Z > See All

Business Intelligence Small Business Blog Business Planning E-Commerce & Internet Finance & Accounting Home-Based Business Human Resources & Employment Management & Leadership Marketing & Advertising Operations Sales Technology Women in Business > See All

Hiring & Firing Intellectual Property Internet & Technology Legal Mergers & Acquisitions Money & Fundraising Real Estate/Landlord-Tenant Sales & Marketing Starting a Business Business Guides Forms Kits > See All

Construction Medical Practices Restaurants Retail Trade Manufacturing Real Estate Wholesale Trade > See All

Accounting Advertising & Marketing Computers & Software Financial Services Human Resources Internet & Online Management Small Business > See All

Business Exchange Business Answers Buyer's Guides Franchise Opportunities Glossary Trials & Downloads Partner Resources Podcast Library Quote Center Video Library Web Site Tools > See All

The disparity between public and private sector employee privacy protections: a call for...

By Trotter, Clayton
Publication: American Business Law Journal
Date: Friday, September 22 1995

Introduction

In 1880, legal scholar E.L. Godkin wrote, "Nothing is better worthy of legal protection than private life, or, in other words, the right of every man to keep his affairs to himself."(1) It is all the more necessary to protect privacy(2) today, in our technological age, than

in 1880. As Aleksandr Solzhenitsyn describes in The Cancer Ward:

Every person fills out quite a few forms in his life, and each form

contains an uncounted number of questions. The answer of just one

person to one question in one form is already a thread linking the

person forever with the local center of the dossier department. Each

person thus radiates hundreds of such threads, which, all together,

run into the millions. If these threads were visible, the heavens

would be webbed with them, and if they had substance and resilience,

the people themselves would no longer be able to move. . . .

They are neither visible nor material, but they are constantly felt

by man.(3)

Louis D. Brandeis and Samual D. Warren warned, in their seminal 1890 article on privacy, that "[n]umerous mechanical devices threaten to make good the prediction that what is whispered in the closet shall be proclaimed from the housetops."'(4) In fact, the U.S. Privacy Protection Commission estimates that there are over 8,000 different record systems in the files of the federal government that contain individually identifiable data on citizens.(5) The various agencies within the government can now match their information regarding any one individual with the information of another agency and complete an entire information cheek on individual citizens. Indeed, employers are required by federal statutes to collect more and more information on their employees, and face increasing demands for disclosure of the information maintained.(6) Beyond the pure threat of unwarranted invasions of privacy, a problem exists regarding the accuracy of such records. For instance, studies estimate that as much as one half of local law enforcement criminal histories are incorrectly reported and maintained.(7)

Intrusions into the private lives of individuals are not limited to acts by the government; with advances in technology, more personal information is now within the grasp of private employers, allowing intrusion by methods never before considered.(8) Drug and alcohol testing through hair follicles reveals data relating to the subject's personal life for a period of up to six months for a three-inch section of hair.(9) Employee monitoring or surveillance systems infiltrate the worker's daily environment, yielding information as banal as how many times the individual takes bathroom breaks during the work day.(10) In one instance, telephone calls received by airline reservation agents were electronically monitored on a second-by-second basis; agents were allowed only eleven seconds between each call and twelve minutes of break time each day.(11) In fact, it is estimated that American employers monitor more than 750 calls every minute.(12)

Surveillance permeates other areas of the work place, as well. Employers monitor the key-strokes of two-thirds of all computer operators, and complaints of employer e-mail intrusions are increasing.(13) A recent MacWorld survey found that twenty-two percent of large businesses in a variety of industries "engaged in searches of employee computer files, voice mail, electronic mail, or other networking communications," and fewer than one-third of these companies warn the workers that such surveillance is taking place.(14)

Notwithstanding these actual and potential invasions of every worker's personal life, Godkin would be surprised to know that private life is now only considered worthy of statutory legal protection from employer invasions when public sector employees are making and pursuing claims, and that employees in the private sector are left to pursue claims against their employers through common law remedies alone.(15) More than a century has passed since Godkin's statement; yet the issue of private sector privacy legislation continues to be a critical and unresolved issue in the American work place. A wide gap exists between the privacy rights afforded to the public and private sectors of the work force. Although various individual privacy rights are protected by the First, Fourth, Fifth, and Fourteenth Amendments to the United States Constitution,(16) the Constitution protects only against deprivation of those rights by the State (i.e. state action),(17) thus generally offering protection only to public sector employees because they are employed by the State.(18)

Private sector privacy is not so protected.(19) As the Constitution applies only to state action, private sector employees must rely on common law protections or state statutory protection, both of which vary widely from state to state. For example, if an employer discloses the results of an employee's performance appraisal without authorization in Connecticut, the employer may be in violation of its statute which requires employee authorization for any disclosure of information, with the exception of the employee's dates of employment, title and, salary.(20) On the other hand, if the same incident took place in Alabama, which has no privacy protection statute, the act would not be considered wrongful.(21)

There are inherent problems with a state-by-state program for privacy protection. Not only are an employee's rights dependant upon the state in which he or she lives, but the obligations of a multistate employer become muddled. Moreover, while several state constitutions contain privacy clauses, most of these protections apply only to invasions by the state, not by private employers.(22)

Consistent federal protection of privacy in the private sector is warranted.(23) An employment privacy conflict inevitably arises, whether in connection with the employee's person, property, or private conversations, the employee's private life or beliefs, the use of irrelevant, inaccurate, or incomplete facts by employers in employment decisions, or the disclosure of employment information to third parties.(24) Employers attempt to make safe and informed business decisions, while employees seek to protect their presumed fundamental right to privacy while being gainfully employed in the work place. The conflict is exacerbated by the lack of legislation offering privacy protection to employees in the private sector in which many feel that they have a moral right to privacy in certain matters. Indeed, only four out of ten Americans say their right to privacy is adequately protected today by laws and organizational practices, and only nine percent agree strongly with this statement.(25) Eighty percent of the public believes that consumers have lost all control over how personal information about them is circulated and used by companies.(26)

This article will illustrate the recent growth of privacy invasions in the employment arena, define the extent of present privacy protection in the public and private sector work places, identify the limitations of protections in the private sector, and propose the extension of federal privacy protection to the private sector. In addition, the international ramifications of this extension, given the status of the EC Directive and OECD Guidelines, will be discussed, and general guidelines towards the formulation of a federal act that would apply to public and private sector employees alike will be offered. Consistent protection of privacy rights in the private sector is warranted to prevent arbitrary enforcement of rights, to adequately protect a right which the courts have held to be fundamental,(27) and to allow American businesses to compete effectively in the world marketplace.(28) Such an extension is the only means by which to alleviate the imbalance in the protection of public and private sector workers, an imbalance which no longer has any rational justification.

Rationale for Protection

No area of an employee's personal life remains untouched by the employer. For example, HIV testing has become a standard post-offer, pre-employment query, yielding personal information which, arguably, bears no relation to a bona fide occupational qualification.(29) Concerns relating to employer liability for sexual harassment have led to policies regulating dating and other relationships within the work place.(30) In questionnaires seeking to develop employee personality profiles in order to predict qualities such as laziness or psychological barriers, employers have been known to ask whether the following questions are true or false: "I have read little or none of the Bible," "My sex life is satisfactory," or "I am very seldom troubled by constipation."31

Other alleged invasions involve the employer's refusal to allow employees to examine their personal files and wrongful use of credit reports, criminal records or workers' compensation claim histories.32 In addition, there are forms of surveillance and monitoring that have not yet even been commercially tapped. For instance, brain wave testing involves a technique used to predict a prospective employee's concentration abilities.(33) Chair sensors have been used by some employers to determine the amount of time an employee remains seated in his or her chair. Voice stress analysis devices may be installed in telephones to assess an employee's stress level and degree of honesty.(34)

Advances in technology have also allowed unbridled disclosure of personal information by employers. Private companies gather an enormous amount of personal information relating to their employees, then sell this information to others on a regular basis and without authorization or consent.(35) The threat posed by this form of disclosure may be greater than that posed by government intrusions.(36)

The Office of Technology Assessment noted as early as 1987 that "[t]here are no legal requirements in the U.S. law that monitoring be `fair.'''(37) In fact, several years ago, forty employees at an automobile manufacturing plant brought an action against their employer for installing video cameras in their restrooms.(38) The cameras had been installed in an effort to capture people involved with a Colombian drug cartel. In another incident, male security guards in a Connecticut hospital installed cameras in the locker rooms of female nurses.(39) A third employer terminated a computer systems administrator when she complained that the employer's interception of personal electronic mail messages violated employee rights.(40)

Similarly, while almost all states (except Nebraska, New Mexico, and South Carolina) limit access to employee medical records, only a few require employee authorization for the release of other information. In connection with another form of intrusion, some states have made polygraphs completely illegal except in certain specified circumstances,(41) while others allow employers to request that employees submit to the testing.(42)

The federal government has responded to the dearth of work place privacy protection with legislation including parts of the Freedom of Information Act (1966),(43) the Fair Credit Reporting Act (1970),(44) and the Privacy Act of 1974;(45) however, none of these acts sufficiently or effectively guard the privacy rights of employees in the private sector. Indeed, private sector employers were included in an earlier version of the Privacy Act but that provision was removed at the last minute because Congress did not believe that the benefits of privacy legislation in the private sector justified the costs.(46) The Privacy Protection Study Commission was created pursuant to the Privacy Act of 1974(47) and charged with the responsibility to investigate this problem and to offer feasible solutions; however, there has been no federal legislation passed to combat this problem.(48)

In contrast, privacy rights, or "data protection" as it is considered in Europe, is not a new legislative concept in the countries of the European Union (EU).(49) As early as 1970 and 1973, Germany(50) and Sweden,(51) respectively, had instituted data protection. Sweden's Data Act requires all information systems to be licensed by the government, and Germany's Law for Protection Against Misuse of Personal Data During Data Processing(52) contains similar provisions.(53) In addition, there are nonbinding guidelines relating to personal data protection and transborder data flow issued by the Organization for Economic Development and Cooperation (OECD),(54) a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data adopted by the Council of Europe (COE),(55) and a recently enacted Directive regarding data protection(56) submitted to European Union (EU) states by the Commission of the EU.

Each of these pieces of legislation represents a growing awareness by the global community of the need for increased regulation of the use of personal information. As will be discussed in greater detail later,(57) American business will have no choice but to comply with many of the proscriptions of these regulations.(58), In fact, the issue goes beyond business. The processing of personal data is considered "a challenge to human rights and the very structure of a democratic society."(59)

Current Privacy Protections for Private Sector Employees

and Their Limitations

Because the United States Constitution fails to protect the privacy rights of private sector employees and because the protections offered by state statutes are insufficient,(60) private sector employees are left with few options by which to protect their privacy rights: enforcement of those rights through a tort action,(61) through contracts, or through the minimal federal statutory protections established for their benefit.

Common Law Tort Protection

A number of common law tort actions seek to protect privacy, including unreasonable intrusion upon the seclusion of another and intentional infliction of emotional distress, defamation, portrayal of the individual in a false light in the public eye, and public disclosure of private facts which is highly offensive to a reasonable person.(62) However, only intrusion into the seclusion of another is well-suited for an employer's invasion of an employee's private affairs. Additional common law tort protections, while appropriate for other types of invasions, are not necessarily employment-related actions.(63)

Intrusion upon Seclusion

Intrusion upon seclusion occurs when one intentionally intrudes, physically or otherwise, on the solitude, seclusion, private affairs, or concerns of another. She or he will be subject to liability for the invasion of privacy if the intrusion would be highly offensive to a reasonable person.(64) The prima facie case of intrusion upon seclusion therefore includes the following elements: (1) an intrusion; (2) into the private affairs of another; (3) in a manner that would be considered highly offensive to a reasonable person.

In the employment context, such an intrusion may occur if an employer electronically monitors personal telephone calls or electronic mail, conducts other surveillance or investigation of employees, searches an employee's personal belongings, conducts polygraph, drug, or psychological testing, or if the employer demands certain personal information from its employees as a condition of continued employment.(65) In many tort claims, unreasonable intrusion upon the seclusion of another and intentional infliction of emotional distress are linked together, based on the assumption that an intentional unreasonable intrusion upon the seclusion of another would consequently cause emotional distress to the individual whose seclusion was violated.(66)

The intrusion in question must be substantial and consist of conduct or behavior that would be highly offensive or objectionable to the ordinary reasonable person. Once the defendant's conduct exceeds the bounds of reasonableness, it becomes actionable. In the employment setting, those intrusions that are justified by public policy are often considered reasonable by courts.(67)

Given the fact that intrusion into seclusion is a common law remedy, courts may differ in their interpretation and remedy from state to state, therefore potentially offering different protections from similar intrusions. In addition, the tort is based on a question of fact to be determined in each case; few intrusions are so flagrant and deplorable that a jury will find them to be actionable.(68) For instance, in McClain v. Boise Cascade Corp.,(69) the employer disputed the employee's claim of a work-related back injury. In order to prove that the injury was not as substantial as the employee claimed, the employer hired an investigator to take photographs of the employee conducting everyday activities. Despite the fact that the investigator trespassed on the employee's property to obtain the photographs, the Oregon court held that the intrusion was not highly offensive.(70) On the other hand, in Pemberton v. Bethlehem Steel Corp.,(71) a Maryland court held that surveillance of an employee by the employer was highly offensive when it went beyond a public place.(72)

Common Law Defenses to Invasion of Privacy

Consent operates as an absolute defense to any of the four types of invasion of privacy as long as the invasion does not exceed the scope of the consent.(73) Consent may be limited to one person and one occasion or may be broader in scope, and it may even extend to the publication of false information about the plaintiff. However, failure to honor whatever limits are placed on the consent may lead to liability.(74) Consent may be obtained expressly, impliedly from conduct of the parties, or imposed by statute.

The defense of consent prevents these common law protections from adequately safeguarding the rights of employees. Consent in the case of the employment relationship is tenuous because there may be unequal bargaining powers between the two parties.(75) If one applies for a position and is told that he or she must submit to a psychological or drug test prior to obtaining an offer, though there may be "consent" to the test, arguably the consent may not be willingly given.(76) Is this consent sufficient to bar a claim of invasion of privacy? The state courts say yes.(77) Without a legislative response, many private sector employees may not have the power to protect themselves.

Contracts as Privacy Protection

Tort protection against wrongful invasions of privacy is not the sole means by which the law shields an employee from intrusion. Employment contracts, employee handbooks, company mission statements, and collective bargaining may be considered binding on the employer, depending upon the circumstances and may serve to protect further the employee's right.(78) Employment in the private sector may be viewed as a contractual agreement between the employer and the employee. This enables the employee, as well as the employer, to agree upon some mutually beneficial terms of employment, which can include privacy rights for the employee. For example, employee handbooks, policy statements and company missions are tools utilized by employers to communicate their expectations of their employees, and if these expectations violate an employee's perceived zones of privacy, the employee has the right to refuse to enter into the contract.(79) However, such contracts and handbooks are drafted by the employers or their attorneys and, for all practical purposes, imposed upon employees as a take-it-or-leave-it offer. Outside of the collective bargaining environment, such contracts will contain few, if any, privacy protections for employees.

Collective bargaining through labor unions is another means by which to balance each party's needs; however, over three-quarters of all private sector employees do not have such protections.(80) Although labor unions provide due process protection through just-cause requirements for termination as well as arbitration criteria, only a minority of private sector employees benefit from this protection. While employment contracts do provide limited privacy protection, they are no substitute for federal legislation.

Current Federal Statutory Protection of Private Sector Privacy

Rights and Limitations

In reviewing the efforts of the courts to offer common law tort and contract-based privacy protection to employees, the Advisory Committee on Automated Personal Data Systems explained to Congress that "the judicial process seems functionally ill-suited to initiating development of general common law rules relating to record-keeping practices."(81) As a consequence of this generally accepted principle, Congress has enacted various pieces of legislation that have had limited effect in protecting the privacy rights of private sector employees.

Fair Credit Reporting Act

The Fair Credit Reporting Act of 1970(82) (FCRA) was considered "an important federal effort to influence private sector privacy activities"(83) and is one of the few statutes that applies specifically to private sector privacy issues. Before the FCRA was passed, an individual's medical history, financial status and history, and information about personal life and associations including sexual relationships could be released by credit reporting agencies to anyone who made a reasonable request for the information.(84) The FCRA now provides that a consumer reporting agency furnish a report only under the following circumstances: (1) in response to a court order; (2) in accordance with the consumer's written instructions; or (3) if it has reason to believe that the person requesting the information will use it for a credit transaction involving the customer, employment purposes, underwriting insurance involving the customer, determining customer's eligibility for a license, or fulfilling a legitimate business need of the customer.(85) In addition, when an employer requests a credit report in connection with an individual who has applied for a position and, due to information contained in the report, decides not to hire or to fire that individual, the employer must notify the person of the name and address of the credit agency that supplied the report.(86) The individual may then contact the agency to learn the "nature and substance" of the information maintained on him or her, the sources of that information, and the names of all persons who have requested the information within the past six months.(87) If a dispute arises over the information maintained, the individual may request that the agency reinvestigate the matter and modify the record if necessary.(88) If no resolution is found, the individual's version of the dispute must be included in the report.(89)

Absent other federal protections, the FCRA is one means to protect the rights of private sector employees. However, because its protective scope is limited to a particular type of information (information provided in a credit report), and because it allows free access to that information by those asserting a legitimate business need,(90) the FCRA provides only negligible additional protection to private employees.

Omnibus Crime Control and Safe Streets Act

Interception and monitoring of employee communications is a primary concern of many employees.(91) Applying to both private and public sector employers, Title III of the Omnibus Crime Control and Safe Streets Act(92) prohibits the intentional interception by any person of any wire, oral, or electronic communication and intentional use of any electronic, mechanical, or other device to intercept any oral communications under certain circumstances, unless the action is covered by an exemption. Exemptions include situations in which one party to the communication has given prior consent,(93) or the interception is over a telephone extension used by an employer in the ordinary course of business.(94) Courts have held, however, that personal calls may not be intercepted by employers in the ordinary course of business except as necessary to guard against unauthorized telephone use or to determine whether the call is personal in nature.(95) The problem, of course, arises in the determination of whether a call is made for personal purposes and the means by which that determination is made. As a consequence, an employee may be legally subject to monitoring of the number of times a computer key is pressed, a printout is made, or a telephone call is transmitted.(96)

Notwithstanding the Act, the U.S. Office of Technology Assessment estimates that the performance of six million workers is monitored by electronic surveillance.(97) In order to protect further those monitored, Senator Paul Simon of Illinois introduced the Privacy for Consumers and Workers Act of 1993 in the Senate.(98) The proposed PCWA was designed to prevent abuses of work place monitoring through electronic, surveillance and applied to both the public and private sectors.(99) The PCWA required employers to provide written notice of monitoring, its forms, frequency, and use, and the data collected.(100) As long as there is a visual or aural signal that lets the employee know that monitoring is taking place, the American Civil Liberties Union considers monitoring to be acceptable and legitimate.(101) The 103d Congress ended without taking action on Simon's bill. Had it passed, as with the FCRA, its proposed scope was limited to specific types of intrusions and would have added but one more isolated section to the patchwork quilt of privacy protection.

Employee Polygraph Protection Act of 1988

The Employee Polygraph Protection Act(102) puts an end to polygraph use in public and private sector employment selection and greatly restricts its use in many other employment situations.(103) First, the Act provides that an employer may not directly or indirectly require, request, suggest or cause any employee to take or submit to any lie detector test, e.g. a polygraph, deceptograph, voice-stress analyzer, psychological-stress evaluator, or any similar mechanical or electrical device used to render a diagnostic opinion about the honesty of an individual.(104) Second, the employer may not use, accept, refer to, or inquire about the results of any lie detector test of any job applicant or current employee.(105) Third, the employer may not discharge, discipline, discriminate against, or deny employment or promotion to (or threaten to take such adverse action against) any prospective or current employee who refuses, declines, or fails to take or submit to a lie detector test, or who fails such a test.(106)

There are certain employers who are exempt from these regulations, including private employers whose primary business purpose is to provide security services. Prospective employees may be tested if the positions to which they are applying involve the protection of nuclear power facilities, shipments, or storage of radioactive or other toxic waste materials, public transportation, or currency, negotiable securities, precious commodities, or proprietary information.(107) Employers involved in the manufacture, distribution, or dispensing of controlled substances are also exempt. Employers may administer polygraph tests to applicants for positions that would provide direct access to the manufacture, storage, distribution or sale of a controlled substance.(108) Federal, state, and local government employers are also exempt. The federal government may also test private consultants or experts under contract to the Defense Department, the National Security Agency, the Defense Intelligence Agency, and the Federal Bureau of Investigation.(109)

According to the Act, a private employer may also test current employees if the following four conditions exist. First, the test must be administered in connection with a workplace theft or incident investigation. Second, the employee must have had reasonable access to the missing property or loss incurred. Third, the employer must have reasonable suspicion that this particular employee was involved. Fourth, the employee must have been given written information regarding the basis for the investigation and for the suspicion that she or he is involved.110 This is called the ongoing investigation exemption.

Again, as with the FCRA and the Omnibus Crime Control and Safe Streets Act, private sector employees are not protected from broad invasions of their privacy by their employers, but only from exceptionally specific circumstances under which selected aspects of their personal privacy have been abridged, as explained above.(111) Moreover, the extent of protection varies as a result of the type of abridgment, creating arbitrary and inconsistent protection.(112)

Privacy Protection for Public Sector Employees

Though more complete and extensive than that offered to private sector employees, protection offered to public sector employees also is made on a piecemeal basis.113 Once sewn together, the patchwork of statutes and constitutional protections provides for the public sector work force a broad shelter from government intrusion.(114) As discussed above, public employees are protected by the Constitution from state action that unreasonably invades their privacy.(115) Further, as detailed in the next section, federal statutes evidence a trend towards greater protection of individual privacy.

Freedom of Information Act

While the Freedom of Information Act of 1966 (FOIA)(116) was enacted to allow free access to information under the control of the federal government, it also implicitly protects the privacy rights of public sector employees. The FOIA is governed by five basic principles: 1) privacy is a fundamental right; 2) protection against the government's intrusions into an individual's private affairs is guaranteed by the right to privacy; 3) an informed electorate is essential to safeguard privacy; 4) publicity is a protection against the potential of government official misconduct; and 5) secrecy is an essential part of bureaucracy but may not be a beneficial facilitator of bureaucratic efficiency.(117) Accordingly, the Act's primary focus is ensuring free access to government data, while protecting the rights of individuals mentioned in those documents.

Under the FOIA, any individual is allowed access to agency opinions, policy statements, agency manuals and instructions, and other agency records that affect the public interest.(118) An agency refusing to allow any individual access to such information, among other consequences, forfeits its right to use material against the individual.(119) Two important exemptions limit disclosure. First, the FOIA does allow an agency to delete from the information provided to a requesting party names of private individuals if the disclosure of that information would constitute an excessive invasion of the subject's privacy.(120) Second, the FOIA provides nine exemptions to the general rule of disclosure, thus precluding third parties' access to agency information that falls into one of the exemptions. One of these provides that the Act does not allow disclosure of "files, such as personnel or medical files, which constitute an unwarranted invasion of privacy.(121) If information does fall under one of the nine exemptions, the exempted information should be separated from the rest of the data and the remainder released to the third party seeking that information.(122)

Although the FOIA protects privacy to a certain extent, third parties are frequently granted access too readily because the ultimate decision of whether to disclose information is left to the agency itself.(123) In addition, the FOIA applies only to information held by government agencies. Consequently, private sector employers are not bound by this restriction on disclosure and their employees are accordingly without protection.(124) Privacy Act of 1974 In recognition of the increased need for privacy protection and as a result of concerns that the FOIA did not adequately protect individual privacy,(125) the FOIA was amended in 1974 by the Privacy Act.(126) Because the FOIA is mainly concerned with the disclosure of information maintained by the federal government, the Privacy Act was created in order to allow individuals to examine, rectify, and copy the information maintained in their files by the government.(127) Information maintained by the private sector was again ignored in the formulation of the Act.(128)

Through the Privacy Act, public employees are afforded greater protections as a result of elevated awareness of the need for such protections, while private sector employees remain vulnerable. With certain exceptions, the Act provides that agencies' records may only contain relevant and necessary information.129 Second, agencies should attempt to collect information directly from the subjects of the records rather than from third parties.(130) Third, when information is requested on individuals, they must be informed of the purpose of its collection and the uses to which the information will be put.(131) Fourth, individuals must be afforded an opportunity to review their files upon request,(13)2 and individuals may request amendment of a record (and other requirements similar to the (FCRA). Fifth, records about an individual should not be disclosed to third parties without the subject's written consent,(134) unless the disclosure is for a "routine" use, 135 and a record of all disclosures made about an individual must be made available to him or her upon request.(136) Finally, individuals may sue for damages and injunctive relief for violations of the above provisions.(137)

The exceptions specifically provided for in the Act include a number of non-employment related situations,(138) as well as one that provides:

No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be ... (3) a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section; [a purpose that is specifically compatible with the purpose for which the information was gathered](139)

Accordingly, if information gathered during the normal course of business is used by a public employer for a purpose compatible with the reason it gathered the information in the first place, disclosure is allowed.(140) For instance, if an employer gathers credit information in order to determine whether an applicant is responsible for a certain position, the employer may also use that information at a later date to make a similar decision about a promotion.

When one of the Privacy Act exceptions applies, the Act does not require the individual's consent and offers the agency total control over the use of the file.(141) The right to privacy is therefore not absolute. The information requested under the Privacy Act is subject to a balancing test weighing the employer's need to know the information against the employee's privacy interest.(142) The Ninth Circuit in Minnis v. Dept. of Agriculture(143) and in Church of Scientology v. Dept. of the Army(144) developed guidelines in order to assist in this balancing test. The court directed that a data collector balance the individual's interest in disclosure of the information sought, the public interest in disclosure, the degree of invasion of personal privacy, and whether there are alternative means of obtaining the information before determining whether the intrusion should be allowed.(145)

It is interesting to note that the Privacy Act applies only to individuals and not to corporations; consequently, a firm may not demand that the government change or modify information contained in government files. Instead, the request must always be made by an individual and confidential information about a corporation contained in government files is protected only if it falls within one of the above exemptions or other FOIA exemptions.(146)

Extension of Federal Privacy Act protection to the Private Sector

The Privacy Protection Study Commission's Evaluation and Concerns

The Privacy Protection Study Commission was created by the Privacy Act of 1974 to examine individual privacy rights and record-keeping practices in different environments. While it was given the responsibility of assessing the effectiveness of protections for personal privacy in the public sector, including the effectiveness of the Privacy Act of 1974 as it applies to individual privacy from the federal government,(147) it was also charged with evaluating privacy rights in the private sector. The three broad public policy objectives of the Privacy Protection Study Commission were to minimize intrusiveness, to maximize fairness, and to create a legitimate and enforceable expectation of confidentiality.(148)

Much of the concern leading up to the Act's inception was with governmental accumulation of data,(149) So it was not surprising when, after its investigation and research, the Commission drafted recommendations and concluded that they should be adopted by private companies merely on a voluntary basis.(150) The Commission explained that

[the] recommendations assign employers an important task: to adopt policies and practices regarding the collection, use, and disclosure of information on applicants, employees, and former employees without being forced to do so by the government. Unless each employer has a conscientious program on which applicants and employees can rely to safeguard the records the employer keeps about them, the voluntary approach recommended will prove unsuccessful. Thus, a future commission or legislative bodies may have to consider compulsory measures.(151)

The Commission expressed the view that a determination regarding extension of the Privacy Act protections to the private sector should not be made until such time as voluntary action failed to protect the rights of employees.(152) While case law and research evidences a disregard for the Commission's recommendations in the private sector,(153) and an expectation that an extension to the private sector is imminent,(154) no future commission has yet been established and no extension to the private sector has yet occurred.(155)

The Privacy Protection Study Commission also reviewed the present legislative status of privacy. On that basis, it recommended statutory and legislative action in order to discourage the use of truth verification devices and pretext interviews, amendment of the FCRA to ensure that more thorough background investigations on applicants and employees are conducted, and the imposition of vicarious responsibility on federal agencies for the intrusive acts of their private sector investigative contractors where reasonable care was not used in the selection of those contractors.(156)

In evaluating the Privacy Act, the Commission sought to distinguish the private sector employment relationship from the public sector employment relationship in order to justify restricting its recommendations for legislative action in connection with private sector privacy rights. The Commission recommended voluntary adoption of privacy protection in the private sector, as opposed to mandatory enforcement, based on the following observations.(157) First, the absence of a general framework of rights and obligations in the private sector that could accommodate disputes about recorded information places severe limitations on the extent to which rules governing the creation, use, and disclosure of employee records can be enforced.(158) Second, enforcement of mandated private sector privacy rights is too labor intensive.(159) Third, there is a relative lack of use of the Privacy Act, compared to the FOIA. Fourth, opening up complex legislation like the Privacy Act to full congressional hearing may inhibit later amendment of the Act.

Reactions to The Commission Report

The fact that no new commission has yet been established is not due to lack of effort. Throughout the 1970s and 1980s, privacy protection bills were introduced in Congress by various representatives with little success.(160) A commonality among the bills was a call for the formation of a privacy protection commission or board.(161) In 1993, Senator Simon (Illinois) introduced the "Privacy Protection Act of 1993."(162) The purpose of the bill was to establish a Privacy Protection Commission to

... (A) ensure that privacy rights of United States citizens in regard to electronic data and fair information practices and principles are not abused or violated; (B) provide advisory guidance to the public and private sector on matters related to electronic data storage, communication and usage; (C) provide the public with a central agency for information and guidance on privacy protections and fair information practices and principles....(163)

The bill provides that the proposed Commission develop standards for public agencies in implementing the Privacy Act, publish guides to the Privacy Act, compilations of agency systems and indexes, and develop model privacy, data protection, and fair information practices and guidelines for use by the private sector, among other responsibilities.(164)

While Senator Simon's bill was defeated, it has generated concerns within the community of privacy scholars. Simon Davies, Director General of Privacy International,(165) has expressed reservations based on perceived weaknesses of the bill. Davies contends that the bill creates a privacy agency with no powers of enforcement.(166) Davies also cautions that the bill provides "the lowest common denominator of protection over vital issues of information privacy."(167)

Jonathan Graham, in his article, Privacy, Computers and The Commercial Dissemination of Personal Information,(168) proposes an alternative explanation for the distinction between private and public sector privacy, while still supporting the expansion of protection to the private sector:

The failure to address the privacy interests of individuals fully vis-a-vis the private sector ... may be viewed as a product of the greater concern that the government presents a greater danger to privacy than does private business. Yet whether it is a governmental or private entity that invades one's privacy makes no difference to the individual's sense of shock and outrage. It can be argued, of course, that the result of government intrusion undermines more serious societal concerns. The sense of violation accompanying the invasion of privacy, however, is the same. Protection of the values of individual autonomy and human dignity is as necessary in relationship to the private sector as toward the government. This may be particularly true in times of relative domestic tranquility, when the average citizen's privacy is more likely to be invaded by private institutions than by government.(169)

Response to the Commission's Failure to Recommend Extension,

Modification or Amendment

No time is better than the present to protect private sector employees from unwarranted intrusions by their employers. the concerns that restricted the Commission's actins in the 1970s are no longer relevant in the more technologically advanced '90s; experience has demonstrated that a voluntary scheme for protection is ineffective.(170) In 1991, during a statement in support of amendments to the Privacy Act, Representative Wise explained, "[T]he problems with the act have grown steadily worse. Changes in information technology have made the act's defects more critical. It is time for Congress to begin the amendment process. We need to modernize the Privacy Act and to make it effective."(171)

The alleged distinctions between private and public employees' privacy protection are no longer valid. Initially, the argument ignores the development of state case law which gives direction on standards for determining the proprietary of reasonableness of intrusions. Moreover, it is based on a circular argument that no rights should be extended because there is no operating legal framework. Prior to the enhancement of the Privacy Act, there existed no comprehensive legal framework of rights and obligations in the public sector. Congress, however, subsequently created a a framework in which the Act was to be enforced. prior to the enactment of the Employee Polygraph Protection Act, there existed no legal framework for enforcement of that Act, but Congress created the necessary framework. Additional privacy rights afforded employees should be no different, regardless of whether they work in the public or private sector. As it stands now, public employees have "more" rights than private employees, creating a "privileged class" of public employees.

Nor is the basic premise of the argument correct. It is argued that the employment relationship is different from that of the public sector.

One might give an employee the right to sue for failure to produce records on request, for example, but such a right would hardly be effective where records are difficult to identify with any specificity; where it is difficult to link adverse decisions to records; and where it is often difficult to determine even that a particular decision is adverse.(172)

The Commission further contended that the scope of records kept and the scope of their use is more elusive and unpredictable in private employment than in public employment.(173) Yet, proof of an employment discrimination case is based on answers to similar questions, and there is no evidence that governmental agencies are any more adept than private employers at maintaining consistent records. Neither are the records of governmental agencies any less elusive than those of private employers at providing connecting information that would allow an employee to identify the necessary link between the records disclosed and any adverse action taken in such a case.

The second concern that may have encouraged restraint on the part of the Commission was consideration of the costs of enforcing such regulation. Should privacy be sacrificed because its protection in the private sector may be difficult to enforce? In fact, enforcement of the Privacy Act under these circumstances differs little from enforcement in the public sector. In addition, informal private sector workplace monitoring is already in place as is evidenced by the Department of Labor's Hearings on Workplace Privacy.(174)

In addition, the Commission maintained that a new government program would be required. However, there is no reason present departments could not oversee its enforcement. The Department of Labor is uniquely suited to oversee federal labor laws. Finally, the private sector is subject to a great deal of regulation and supervision by government agencies such as antitrust legislation regulated by the Department of Justice, fair labor standards enforced by the Department of Labor, and environmental protection regulated by the Environmental Protection Agency. There does not appear to be sufficient justification for the failure to protect the rights of private sector employees through similar mechanisms. The Office of Management and Budget, which presently oversees enforcement of the Privacy Act, has the ability to do so.

The third proffered justification for restricting Privacy Act enforcement in the private sector is the relative lack of use of the Privacy Act, compared to the FOIA. FOIA amendments, Ehlke contends, have been occasioned by judicial construction of the FOIA relating to law enforcement and intelligence agencies seeking to obtain relief from the burden of the FOIA.(175) Because there has been no similar amendment drive surrounding the Privacy Act and since little case law exists regarding the Privacy Act, there is little reason to modify it, and the courts have offered little direction regarding appropriate action.(176) In addition, another restrictive justification is that there is less need for the Act's expansion inasmuch as it is seldom used now. Both of these arguments focus on the relative paucity of cases filed under the Privacy Act. However, public sector employees are afforded protection from disclosure of information in their personnel files through a FOIA exemption. The FOIA exemption does not allow disclosure of personal information if disclosure would constitute an unwarranted invasion of privacy.(177) This remedy overlap creates less demand for use of the Privacy Act and, consequently, there is little need to enforce rights to privacy protection through the Privacy Act when a clear mandate exists in the FOIA, although less specific than the Privacy Act. On the other hand, should the Privacy Act be expanded to protect private sector employees and to restrict the disclosure of their personnel and personal information, there would be no overlap, and the Privacy Act would be their sole recourse. Hence, one could expect a resulting increase in actions brought to enforce the protections afforded by the Act. In addition, a low number of filings by public sector employees under the Privacy et may also be due to employees' lack of awareness of the protection or fear of employer retaliation, both of which may be alleviated if a greater, more expansive remedy is provided.

Finally, congressional hearings on the Privacy Act may be just what is needed in order to identify the needs of the entire work force and to articulate further the extent of protection that should be afforded to all employees and perhaps the general public. Notwithstanding the Act's lack of clarity, definitional limitations, and ineffective remedial structure, a new age of information transfer exists today, quite different from that of the 1970s, and legislation must constantly be reviewed for timeliness. Threats to privacy exist today that were not even contemplated at the time the Act was adopted. Electronic mail, increased abilities to monitor employees at their work stations (and beyond), increased access to personal information through information retrieval networks, and the national information infrastructure pose problems never before addressed.

As Representative Wise noted in his plea in the House of Representatives for Privacy Act Amendments, "I believe that the problems with the Act have grown steadily worse. Changes in information technology have made the Act's defects more critical.... We need to modernize the Privacy Act and to make it effective."(178) Accordingly, Congress must make a second, focused examination of the distinction between privacy concerns in private and public employment, and the rights of any individual in our society that should be protected against unwarranted infringement.

The Case for Extension of Privacy Protection to The

Private Sector

In addition to arguments proffered by the Privacy Protection Study Commission, opponents of the extension of the Privacy Act to the private sector may argue that businesses are regulated enough and that additional regulation will only serve to strangle the American economy, inhibit competitiveness, and cause a tragic and final demise to the already eroded concept of employment-at-will. Nevertheless, there are several arguments that serve to support the extension. First, there is a basic need for this protection. As stated earlier, individuals in the private workplace are subject to invasions of all kinds - invasions that are not limited to work-related, justifiable intrusions, but intrusions of such a personal nature that they would be highly offensive to a reasonable person. As a result of the increased ability of employers to invade the private lives and personal information of employees through burgeoning technological abilities,(179) employees are now subject to oppressive invasions of monumental caliber.(180)

Second, private industry in America has become so large and interconnected that it has begun to present a threat similar to that of the government in earlier years.(181) The ability of a private employer to access information about an individual is not so distinct from the same ability of the government. On the other hand, as the government is now run much like a large business operation, the differences between public and private businesses are not so well-defined.(182)

Third, given recent European developments in the area of transborder data flow, the United States may have no choice but to implement more strict regulation of personal data management. In 1980, the Organization for Economic Development and Cooperation (OECD) issued advisory, nonbinding guidelines on personal data protection and transborder data flow applicable to its member countries.(183) These Guidelines encourage each member country to formulate individual responses to privacy protection through legislation.(184) While this may appear to encourage inconsistency among member countries, the Guidelines also provide for "equivalent protection."(185) Equivalent protection provides that a member country may not transmit information to another member country unless the receiving country provides protection for the information equivalent to that provided by the country in which the information originates.(186)

In 1981, the Council of Europe (COE) adopted the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.(187) The provisions of the Convention are similar to those found in the OECD Guidelines, except that the COE Convention binds all member states(188) and requires that each member state enact national data protection laws that relate to both the public and private sectors.(189)

In 1992, the Commission of the EU submitted to member states a proposed Directive regarding data protection.(190) The European Union's Council of Ministers reached an agreement on a new text for the EU Data Protection Draft Directive on February 20, 1995. The Council then issued a Common Position which was published in the Official Journal of the European Community on April 13, 1995, and which was later adopted definitively.(191) After final passage, the Draft contemplates a three-year period during which member states will have to ensure that their national laws comply with the Directive.(192)

The 1992 Directive is of particular interest to the United States. Contrary to the equivalent protection standard of the COE Convention and the OECD Guidelines, the Directive requires that any country receiving information from an EU member country must maintain certain minimum standards for the protection of that information.(193) In addition, the minimum standards of the Directive have been interpreted to require that each receiving country maintain a data protection commission or government agency of equivalent status and authority.(194) At present, the protections offered in the United States do not meet the minimum standards required by the Directive, nor is there installed a data protection commission.

If the Directive is approved, it is unlikely that a firm with offices in an EU country could transmit even an employee roster to its American offices. Consequently, the prospect of an independent data protection commission in the United States has become all the more critical to the participation of the United States in global business development.(195) The nonbinding nature of the OECD Guidelines and the lack of support from other countries for the COE's Convention allowed the United States to be lax in its response.(196) The Directive is not so permissive. In order for American business to maintain a role in the global economy, the United States must respond to these recent developments.

Finally, the enactment and implementation of a federal law relating to personal information, employee privacy, and data flow will insure uniformity across state lines. This erasure of the arbitrary and inconsistent enforcement of privacy principles throughout the country will relieve firms of the burden of complying with a variety of state laws and regulations. The savings from the benefit of consistent operations and policy will allow American business to be more effective and efficient.

General Qualities of A Proposed Federal Act for Employee

Privacy Protection, Applicable to Both Public and Private

Sector Employees

It is critical at this juncture to develop a federal agenda for privacy protection and to create, simultaneously, federal legislative protection of privacy in the private sector work force. This section will address those qualities or components necessary to that legislation and federal agenda.

While it may be easiest simply to rewrite the Privacy Act with sections of the Fair Credit Reporting Act in order to make it applicable to the private sector, such a simple solution is not necessarily the most effective means of reaching the desired result of a protected private sector employee. A balance between the privacy rights of the employee and the interests of the employer in informed decision-making must be struck and certain modifications to the Privacy Act must be made. The Privacy Commission established three general policy goals relating to the institution of privacy legislation, and they are reflected in this analysis: minimizing intrusiveness, maximizing fairness, and creating legitimate expectations of confidentiality.(197) Areas of concern to the private sector employer, such as security issues, the personnel function of collecting personal data on employees for management decisions, and a limitation on the cost to the employer of employee privacy protection (in connection with the administration of record keeping practices and of insuring that certain information is removed from the decision-making process) dictate the framework of a proposed act in connection with the collection, maintenance, use, and disclosure of personal information.(198)

Three principles can be discerned as necessary and sufficient components of a federal privacy act for application to all employees. The underlying theme of the principles is to balance the privacy rights of employees with the management and other business needs of employers.

Collection of Information

The employer's interest is to collect the information necessary to make proper management decisions and to prevent disruption of the workplace. Depending on the position, the employer may seek to obtain information about prior experience, ability to work with others, honesty, technical abilities, and other job-specific data.(199) The employer, however, should not be able to obtain information relating to the home life situation of the employee, the extent to which he dreams at night, whether that person ever expressed anger at his father, marital relations, and other personal information, unless it can be shown that such information is necessary to the individual's performance. If information is considered a business necessity and justifiably collected by the employer, the employee should be given notice of the type of information that will be collected and the purpose for which it will be collected.(200)

The distinction is clear: If an employer can establish the business necessity of certain information (whether personnel- or security-related), that information must be made available to the employer, unless the employee can provide similar information through a less intrusive manner. For instance, when similar information may be obtained through a reference check as well as through a lie detector, the former should be utilized in lieu of the latter in order to prevent unnecessary intrusion into the employee's personal information. When applying this framework to employers' frequent questions relating to such personal issues as divorce, past illnesses, or even past residences, it is clear that this type of question is completely inappropriate. The responses do not offer the employer greater information relating to the individual's ability to do the job but instead allow baseless stereotypes to be perpetuated by biased employment decisions.

In addition, the term "record" or "information" must clearly reflect the changing technology of our century. One's right to the privacy of personal information must not be based on the medium, whether paper, recording, computer disk, or videotape. Equitable, respectful information practices must apply independently of the technology used to create or store the information.

The intent in connection with the guideline for collection of data is to strike a balance through the imposition of a business necessity standard for intrusions. In doing so, the employee is not only given fair notice of the intrusion through the expected zone of privacy each position may encompass, but also provides the employer with a clearer standard by which to reach a decision of the propriety and legality of the intrusion. By offering both parties to the intrusion sufficient warning and direction, one may assume that conflicts are reduced and that, once instructional precedent has been established, the burden placed on any proposed privacy protection administrator or board is similarly diminished.

Maintenance and Use of Information

The critical issue for the employee regarding the maintenance of records is their confidentiality. A precept similar to that stated above in terms of collection of information applies to record maintenance: The employer must ensure that access to the personal information properly needed is limited to those people with a business justification for access to the information.(201) Individuals within the workplace may have access to the personal information provided by the employee only on an "as necessitated by the business" basis. In order to guarantee that the information maintained regarding an individual is true, the individual must also have reasonable access to the information and the ability to contest and modify it, if necessary. This formulation modifies the Privacy Act's "routine use" exception which allows the use of any information collected as long as that use is compatible with the purpose for which the information was collected. This proposal suggests that a routine use must be necessary for the purpose for which the record was collected.

Disclosure of Personal Information

That internal disclosure of information should be limited to legitimate business purposes was discussed in the preceding paragraph. The concern of the employee relating to additional disclosure arises when information is disseminated to external parties such as during a reference cheek. In order to safeguard the employee's right to control the knowledge and information about herself or himself, the employee should be granted full control such that dissemination to external organizations may occur only with the consent of the employee.(202) The exception to this general principal may arise if the employee does not have an expectation of privacy regarding the information or the employer has notified employees that this information may be disseminated to others.(203) Accordingly, if an employer disseminates information during the ordinary course of its business and such disclosure is reasonably necessary to the efficient operation of the business, the disclosure would be considered expected and acceptable without consent. For example, disclosure of medical information would be acceptable when offered to the company's life insurer, just as routine disclosure of performance evaluations would be acceptable when given to the individual's supervisor for employment decisions such as promotions or raises.

Conclusion

The structure of today's work force has drastically changed due to industrialization, urbanization, and scientific and technological advancements leading to more efficient and effective methods of gathering and disseminating information.(204) Although traditional privacy issues such as unauthorized searches and seizures and freedom of expression and association still remain valid concerns, changes in the structure of the work environment, advances in technology, and the wide gap between the privacy rights afforded to public and private sector employees indicate that the issue of privacy is now more than ever a crucial issue in the workplace, which can only be effectively addressed by a Uniform Privacy Act.

The proposed Act responds to the patchwork quilt status of America's privacy protections, not only for private sector employees who now enjoy only slight protection, but also provides a more consistent and less arbitrary framework by which to protect public sector workers as well. In raising the standards of protection for U.S. employees, America is more effectively positioned to respond to recent technological, geopolitical, and industrial changes throughout the world. Moreover, the rights of the worker to personal privacy are efficiently balanced against the costs to society of protecting those rights. (1) Comment, The Right to Privacy in Nineteenth Century America, 94 Harv. L. REV. 1892, 1909 (1981) (citing Edward L. Godkin, Libel and Its Legal Remedy, 12 J. Soc. Sci. 69, 80 (1880)). (2) For clarity of understanding and usage, the authors accept and use herein Alan Westin's concise definition of privacy: "Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others." Alan Westin, Privacy and Freedom 7 (1967). (3) Aleksandr Solzhenitsyn, The Cancer Ward 221 (1968). (4) Louis D. Brandeis & Samual D. Warren, The Right to Privacy, 4 Harv. L. Rev. 193 (1890). Brandeis was continually concerned with the prospect of new technology allowing or even inducing greater personal invasions. He considered personal privacy "the most comprehensive of all rights" and the right most cherished by citizens of a free nation. U.S. Privacy Council and Computer Professionals for Social Responsibility, Privacy Law in The United States: Failing to Make The Grade i (June 1991) (available from CPSR, 666 Pennsylvania Ave., Washington, D.C. 20003). (5) Richard Mason, Four Ethical Issues of The Information Age, MIS Q., Mar. 1986, at 5. (6) Gary Murg & Marilyn Maledon, Privacy Legislation - Implications for Employers, 3 Emp. Rel. L.J. 168 (1977). (7) Id. (8) David S. Hames & Nicki Dierson, The Common Law Right to Privacy, 42 Lab. L.J. 757 (1991). See also Thomas E. Reinert, Jr., Federal Protection of Employment Record Privacy, 18 Harv. J. Leg. 207 (1981). (9) Ann M. O'Neill, Legal Issues Presented by Hair Follicle Testing, Emp. Rel. Today 411 (Win. 1991/92). (10) The Privacy for Workers and Consumers Act: Hearings before the Senate Comm. on Labor and Human Resources, Subcomm. on Employment and Productivity, 103d Cong., 1st Sess. 3 (1993) [hereinafter PWCA Hearings]. (11) Charles Piller, Bosses with X-Ray Eyes, MacWorld, July 1993, at 2 (Special Report on Electronic Privacy, Workplace and Consumer Privacy Under Siege). (12) Id. at 1. (13) Id. at 2, 6; 9to5, The Privacy for Consumers and Workers Act 1 (undated publication, available from 9to5, 250 10th St., Atlanta, GA 30309). (14) PWCA Hearings, supra note 10, at 7. (15) As the Constitution protects only against State action, private sector employees are not subject to Fourth Amendment protection from unreasonable searches and seizures. Borse v. Piece Goods Shop, Inc., 963 F.2d 611, 618 (3d Cir. 1992); Wagner v. Metropolitan Nashville Airport Auth., 772 F.2d 227, 230 (6th Cir. 1985); United States v. Gumerlock, 590 F.2d 794 (9th Cir. 1979) (en banc); Booth v. McDonnell Douglas Truck Services, Inc., 585 A.2d 24, 39, appeal denied, 597 A.2d 1150 (Pa. 1991). (16) Among these are the freedom of speech, beliefs, and associations, the right to due process of law, the right to not testify against oneself, and the protection against unreasonable searches and seizures. (17) For a more complete discussion of the state action requirement, see Thomas Lewis, The Meaning of State Action, 60 Colum. L. Rev. 1083 (1960). (18) In addition, judges have developed case law that specifically affords individuals a constitutional right to privacy. Roe v. Wade, 410 U.S. 113, 154-64 (1973); Doe v. Taylor Indep. School Dist., 15 F.3d 443 (5th Cir. 1994); Walters v. Webre, 88 B.R. 242, 245 (9th Cir. 1988); Hoffman v. United States, 767 F.2d 1431, 1434-35 (9th Cir. 1985). This "right to privacy," while vague in some cases, has slowly been expanded by the courts to include such areas as sexual intercourse, child-bearing and rearing, affinity orientation, and other personal realms if the intrusion is made by the State. Thorne v. City of El Segundo, 726 F.2d 459, 468-72 (9th Cir. 1983) (investigation regarding police officer applicant's sexual involvement with a married man was found to violate individual's right to privacy); Greenberg v. Kimmelman, 494 A.2d 294 (N.J. 1985) (right to privacy in marriage and familial associations); In re Quinlan, 355 A.2d 647 (N.J. 1976) (right to privacy in refusal of medical treatment); State v. Saunders, 381 A.2d 333 (N.J. 1977) (right to privacy in consensual adult sexual relations). But see Hedge v. County of Tippecanoe, 890 F.2d 4, 7 (7th Cir. 1989) (court recognized a confidentiality strand in the constitutional right to privacy but found that case law had not advanced to the stage at which there was a clearly established constitutional right to be free from employment questions regarding sexual history).

Courts are more apt to rely on clearly established and articulated state common, statutory, or constitutional law in finding a right of privacy. See, e.g., Borse v. Piece Goods Shop, 963 F.2d at 620, 623 n.12 (finding a common law right to privacy in Pennsylvania which precludes an employer from requiring employees to furnish urine samples as part of a drug prevention program); Sanders v. Parker Drilling Co., 911 F.2d 191, 195 n.3 (9th Cir. 1990) (applying Alaska constitutional right to privacy). (19) See infra notes 60-112 and accompanying text. (20) Conn. Gen. Stat. Ann. [sections] 31-128f (West 1987). (21) See also Mass. Ann. Laws ch. 66A, [subsections] 1-3, ch. 214, [sections] 3B (Law. Co-op. 1987); Minn. Stat. Ann. [sub sections] 13.02-.09 (West 1988); Ohio Rev. Code Ann. [subsections] 1347.01-.10, 1347.99 (Baldwin 1993); Utah Code Ann. [subsections] 63-50-1 to -10 (1993); Va. code Ann. [subsections] 2.1-377 to -386 (Michie 1987). (22) While some state constitutions recognize a right to privacy, e.g. Alaska Const. art. I, [sections] 22; Ariz. Const. art. II, [sections] 8; Cal. Const. art. I, [sections] 1; Wash. Const. art. I, [sections] 7, courts have held that many of these provisions do not protect against private sector invasions. See, e.g., Luedtke v. Nabors Alaska Drilling, Inc., 768 P.2d 1123 (Alaska 1989). See also Ira M. Shepard, Workplace Privacy: Employee Testing, Surveilance, Wrongful Discharge, and Other Areas of Vulnerability 31 (2d ed. 1989). (23) Not only is private sector legislation warranted, but it has been forecasted since as early as the mid-1970's. See Murg & Maledon, supra note 6; Schien, Privacy and Personnel, A Time for Action, 55 Pers. J. 604 (1976). (24) Kurt H. Decker, Employee Privacy Law and Practice 12-13 (1987). (25) Louis Harris and Associates, Health Care Information Privacy: A Survey of the Public and Leaders, Study No. 934009, 28 (1993). (26) Id. (27) Roe v. Wade, 410 U.S. 113, 154-64 (1973); Walters v. Webre, 88 B.R. 242, 245 (9th Cir. 1988) (identifying a fundamental right as "one based expressly on the terms of the Constitution or necessarily implied therefrom, for example, privacy"); Hoffman v. United States, 767 F.2d 1431, 1434-35 (9th Cir. 1985). See also Planned Parenthood of Southeastern Pennsylvania, 112 S. Ct. 2791, 2846 (1992); Webster v. Reproductive Health Services, 492 U.S. 490 (1989). (28) See infra notes 183-96 and accompanying text. (29) For a general discussion of the job-relatedness of HIV, see Laura B. Pincus, The Americans With Disabilities Act: Employers' New Responsibilities to HIV-Positive Employees, 21 Hofstra L. Rev. 561 (1993). (30) Samuel J. Bresler & Rebecca Thacker, Four-Point Plan Helps Solve Harassment Problem, HRMagazine, May 1993, at 117; Ira M. Shepard & Chris Mason, The Unwanted Advance, Bus. L. Today, Jan./Feb. 1993, at 4, 7; Elizabeth R. Koller, Sexual Harassment Laws: Have We Gone Too Far? 4 (unpublished manuscript on file with the authors). (31) See Piller, supra note 11, at 4. (32) See Hames & Dierson, supra note 8. See also Reinert, supra note 8. (33) Brian R. Bawden, Privacy and Confidentiality in The Workplace 1 (November 18, 1993) (unpublished manuscript on file with the authors). (31) Id. at 2. (35) U.S. Privacy Council and Computer Professionals for Social Responsibility, supra note 4, at 1. (36) Remember Big Brother? Now He's A Company Man, N.Y. Times, Mar. 31, 1991, at E7. (37) Office of Technology Assessment, The Electronics Supervisor: New Technology, New Tensions 2 (1987). (38) Caroline Cooney, Who's Watching the Workplace?, 35 Security Management 26, 26 (1991). (39) Id. (40) Id. (41) These states include Alaska (Alaska Stat. [sections] 23.10.037(a) (1986)), Connecticut (Conn. Gen. Stat. Ann. [sections] 31-51g (West 1987)), Delaware (Del. Code Ann. tit. 19, [sections] 704 (1986)), District of Columbia (prohibited as a condition of employment, D.C. Code Ann. [sections] 36-801-803 (1981)), Hawaii (Haw. Rev. Stat. [sections] 378-21 (1985)), Idaho (prohibited in private sector, Idaho Code [sections] 44-903 (1973)), Iowa (may not require as a condition of employment, Iowa Code Ann. [sections] 730-4 (West 1987)), Maine (Me. Rev. Stat. Ann. tit. 32, [sections] 7154 (West 1979)), Massachusetts (may not require as a condition of employment, Mass. Ann. Laws, ch. 149, [sections] 19B(2) (Law. Co-op. 1987)), Montana (may not require as a condition of employment, Mont. Code Ann. [sections] 39-2-304 (1987)), New Jersey (N.J. Stat. Ann. [sections] 2C:40A-1 (West 1987)), New York (N.Y. Lab. Law [sections] 733 (McKinney 1987)), Pennsylvania (Pa. Cons. Stat. Ann. [sections] 7321 (1987)), Rhode Island (R.I. Gen. Laws [subsections] 28-6.1-1 to 28-6.1-3 (1987)), Vermont (Vt. Stat. Ann. tit. 21, [sections] 494 (1993)), Washington (Wash. Rev. Code Ann. [sections] 49.44.120 (West 1987)), and West Virginia (W. Va. Code [sections] 21-5-5a (1983)). (42) The following states prohibit mandatory polygraph examinations: Alabama (Ala. Code [sections] 34-25-4 (1994)), Arkansas (Ark. Code Ann. [sections] 17-32-211 (Michie 1987)), Louisiana (La. Rev. Stat. Ann. tit. 37, [sections] 36A:2835 (West 1993)), Maryland (MD. Labor & Emp't Code Ann. [sections] 30-702 (1991)), Michigan (Mich. Comp. Laws Ann. [sections] 37.201 (West 1987)), Minnesota (Minn. Stat. Ann. [sections] 181.75(1) (West 1987)), Mississippi (Miss. Code Ann. [sections] 73-29-31 (1980)), Oklahoma (Okla. Stat. Ann. tit. 59, [sections] 1455 (West 1994)), South Carolina (S.C. Code Ann. [sections] 40-53-180 (Law. Co-op. 1972)), and Texas (Tex. Rev. Civ. Stat. Ann. art. 4413(29cc) (West 1987)). (43) 5 U.S.C. [sections] 552 (1988). While the purpose of the FOIA is to allow for more complete disclosure of public information within the control of the federal government to the public, the FOIA also protects public sector employees in that the government must delete information from the records provided if the disclosure of that information would constitute an excessive invasion of the subject's privacy Id. [sections] 552(a)(2). Where a named subject is also a public sector employer, he or she is therefore protected. (44) Pub. L. No. 91-508, [sections] 601, 84 Stat. 1127 (1970) (codified at 15 U.S.C. [subsections] 1681-1681t (1988)). See infra notes 82-90 and accompanying text. (45) U.S.C. [sections] (45) 5 U.S.C. [sections] 552a (1988); see infra notes 126-46 and accompanying text. (46) Murg & Maledon, supra note 6, at 172. (47) Pub. L. No. 93-579, [sections] 5(b)(2), 88 Stat. 1906 (1974). (48) There have been bills proposed both in the House (e.g., H.R. 1218, 102d Cong., 1st Sess. (1991)) and the Senate (e.g., S. 516, 102d Cong., 1st Sess. (1991)), relating to privacy protection. H.R. 1218, for example, would have protected workers against surreptitious or electronic monitoring and required notification to a prospective or current worker of the existing forms of monitoring to which she or he might be subject. H.R. 1218, 102d Cong., 1st Sess. [sections] 3 (1991). The bill provided that employees would have access to the information collected and maintained, id. [sections] 4, and created a private right of action to harmed employees, id. [sections] 7. (49) See Robert Boehmer & Todd Palmer, The 1992 EC Data Protection Proposal: An Examination of Its Implications for U.S. Business and U.S. Privacy Law, 31 Am. Bus. L.J. 265 (1993). (50) While the German State of Hesse passed one of the first data protection laws in 1970, a nationwide data protection law was not enacted in Germany until 1978. Wayne Madsen, Handbook of Personal Data Protection 24 (1992). (51) Id.. (52) Gesetz zum Schutz vor Missbrauch Personenezogener Daten bei der Daten-verarbeitung or Budesdatenschutzgesetz - BDSG, translated in Law on the Protection Against Misuse of Personal Data in Data Processing, Gesetz zum SCHUTZ vor Missbrauch Personenbezogener Daten (Ursula Gleiss ed. & trans., 1977). The 1991 Amendments to the Act were called Gesetz zur Forten Wicklung der Daten Verarbeitung und Des Datenschutzes. (58) Madsen, supra note 50, at 35-37. (54) Organization for Economic Co-operation and Development, Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, O.E.C.D. Doe. C(80) 58 final (Oct. 1, 1980), reprinted in 20 I.L.M. 422 (1981) [hereinafter OECD Guidelines). For a more complete discussion of the Guidelines, see Boehmer & Palmer, supra note 49, at 273-76. (55) Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Jan. 28, 1981, Eur. T.S. No. 108, reprinted in 20 I.L.M. 317 (1981) [hereinafter COE Convention]. For a more complete discussion of the COE Convention, see Boehmer & Palmer, supra note 49, at 276-79. (56) Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, COM(92)422 final 1992. See also corrigendum issued Oct. 28, 1992; Common Position (EC) No. 1/95, 2/20/95, Official Journal (EC), Vol. 38 (4/13/95) [hereinafter 1992 Directive]. One of the primary objectives of the Directive is to harmonize national laws and to establish a community standard of privacy protection. See Joel R. Reidenberg, Privacy in the Information Economy: A Fortress or Frontier for Individual Privacy Rights?, 55 Fed. Comm. L.J. 195, 238 (1992). (57) See infra notes 183-96 and accompanying text. (58) 1992 Directive, supra note 56, art. 30, [sections]1. (59) Spiros Simitis, New Trends in National and International Data Protection Law, in Recent Development in Data Privacy Law 17 (J. Dumortier ed., 1992). (60) See supra notes 15-26 and accompanying text. (61) Shepard, supra note 22, at 26. (62) Id. at 26-30. (63) The tort claim of defamation does not adequately protect the privacy interests of the employee as that tort requires proof that the information transmitted or disclosed be false. Restatement (Second) of Torts [sections] 558 (1977). The concern of this article is access to or disclosure of any personal information of the employee, whether it be false or true, as long as it is personal. In addition, defamation requires publication to a third party in order for it to be actionable. Houston Belt and Terminal Rwy. Co. v. Wherry, 548 S.w.2d 743, 751 (Tex. App. 1976), cert. denied, 434 U.S. 962 (1977); Montgomery Ward and Co. v. Peaster, 178 S.w.2d 302, 306 (Tex. App. 1944). The concern of this article is not only with publication but mere knowledge by the employer of an employee's private information. The torts of public disclosure of private facts and portrayal of an individual in a false light are inadequate for similar reasons. As public employees are protected against disclosure of personal information without the additional requirement that such disclosure cause damage to that individual's reputation, see infra notes 116-24 and accompanying text, so too should private sector employees be granted the same protection. (64) Floyd v. Park Cities People, Inc., 685 S.w.2d 96, 97 (Tex. App. 1985); Gill v. Snow, 644 S.w.2d 222, 224 (Tex. App. 1982), Restatement (Second) of Torts, supra note 63, [sections] 652B. (65) Miller v. Motorola, 560 N.e.2d 900 (Ill. 1990); Eddy v. Brown, 715 P.2d 74 (Okla. 1986); Ellenberg v. Pinkerton's, Inc., 202 S.e.2d 701 (Ga. 1973). (66) Birnbaum v. United States, 588 F.2d 319, 323 (2d Cir. 1978). C.T.W. v. B.C.G., 809 S.w.2d 788, 796 (Tx. App. 1991); Boyles v. Kerr, 806 S.w.2d 255, 259 n.2 (Tex. App. 1991); Wilkerson v. Eaton Corp., 1994 WL 77719 (Ohio App. 8 Dist. 1994). In one case, Rulon-Miller v. International Business Machines Corp, 162 Cal. App. 3d 241 (1984), an IBM employee was discharged because she continued dating a previous IBM employee who was currently working for a competitor after she was told to terminate her relationship due to the perceived conflict of interest. Id. at 243-44. Rulon-Miller, the employee, successfully sought damages based on claims of wrongful discharge and intentional infliction of emotional distress. Id. at 247. A jury awarded her compensatory and punitive damages against IBM; this verdict was upheld on appeal. Id. at 255. In this case, however, the acts of the employer were so egregious as to justify damages for wrongful termination. (67) Cort v. Bristol-Myers Co., 431 N.e.2d 908 (Me. 1982) (employer held not in violation of public policy for discharge of employees for their refusal to provide information on a questionnaire); Texas Dept. of Mental Health v. Texas State Employees Union, 708 S.W.2d 498, 504 (Tex. App. 1986); Penokie v. Michigan Tech. Univ., 287 N.W.2d 304 (Mich. App. 1979). On the other hand, those intrusions that are considered in violation of public policy which result in termination of an employee may give rise to a claim for wrongful discharge. Because the public policy exception to employment at will is applied on a state-by-state basis, such decisions vary depending upon the jurisdiction of the termination. For instance, in Roe v. Quality Transportation Services, 838 P.2d 128 (Wash. 1992), the court held that the common law tort of invasion of privacy (intrusion into seclusion) was not a clear mandate of public policy so as to prohibit a private employer from terminating an employee for refusal to submit to a drug test. But see Hennessey v. Coastal Eagle Point Oil Co., 609 A.2d 11, 19 (N.J. 1992), in which the court held that drug testing by private employers could be an invasion of privacy sufficient to breach public policy for purpose of determining whether an at-will employee has a claim for wrongful discharge. See also Luedtke v. Nabors Alaska Drilling, Inc., 768 P.2d 1123, 1131-33 (Alaska 1989) (court held that, while Alaska's constitutional privacy protection is inapplicable to private employee's claim, such can form the basis of public policy); Cordle v. General Hugh Mercer Corp., 325 S.E.2d 111, 117 (W. Va. 1984) (contrary to public policy for an employer to require that an employee submit to a polygraph test as a condition of employment). (68) In Young v. Jackson, 572 So. 2d 378 (Miss. 1990), the court held that it did not constitute an unwarranted invasion of privacy when a co-worker disclosed the fact of employee's partial hysterectomy. While the court admitted that such a disclosure would be highly offensive to a reasonable person, it held that the co-worker had a right to disclose the information based on a qualified privilege concerning the possibility that the procedure had been necessary as a result of radiation exposure within the work place. In Leggett v. First Interstate Bank of Oregon, 739 P.2d 1083, 1086 (Or. 1987), the court held that privilege applies only if the information is published to third parties and not if the employer is merely gathering information. (69) 533 P.2d 343 (Or. 1975). (70) Id. at 346-47. (71) 502 A.2d 1101 (Md. Ct. Spec. App. 1986). (72) Id. at 1116-17. (73) Wood v. Hustler Magazine, Inc., 736 F.2d 1084 (5th Cir. 1984); Kimbrough v. Coca-Cola/USA, 521 S.W.2d 719, 723-24 (Tex. App. 1975). (74) Speer v. Ohio Dept. of Rehabilitation and Correction, 624 N.E.2d 251 (Ohio 1993) (employee's consent to search did not authorize surveillance of employee from bathroom ceiling). (75) The court in State v. Community Distributors, Inc., 317 A.2d 697 (N.J. 1974), explained the disparity in bargaining power between an employee and employer in connection with a request that the employee submit to a polygraph examination as follows:

Nor is there any assurance of true voluntariness [in taking a polygraph examination] for the economic compulsions are generally such that the employee has no realistic choice. Organized labor groups have often expressed intense hostility to employer requirements that employees submit to polygraph tests which they view as improper invasions of their deeply felt rights to personal privacy and to remain free from involuntary self-incrimination.

Id. at 699. See also Burk v. K-Mart Corporation, 770 P.2d 24, 30 (Ok. 1989); National Consultants, Inc. v. Burt, 366 S.E.2d 344, 350, cert. vacated, 374 S.E.2d 532 (Ga. 1988); Rash v. Toccoa Clinic Med. Assn., 320 S.E.2d 170 (Ga. 1984); Anderson v. Savin Corporation, 254 Cal. Rptr. 627, 631 (Cal. App. 1988); Wallis v. Superior Court, 207 Cal. Rptr. 123 (Cal. App. 1984).

But see Richard A. Epstein, In Defense of the Contract at Will, 51 U. Chi. L. Rev. 947, 953 (1984), in which Professor Epstein argues that the contract at will works to the mutual benefit of both parties as long as the power of each party is measured at the time of the contract's formation and not at the time of dispute. For more complete discussions of this debate, see also Lawrence E. Blades, Employment At Will vs. Individual Freedom: On Limiting the Abusive Exercise of Employer Power, 67 Colum. L. Rev. 1404 (1967); Mark M. Hager, The Emperor's Clothes Are Not Efficient: Posner's Jurisprudence of Class, 41 Am. U. L. Rev. 7 (1991); Karl E. Klare, Workplace Democracy and Market Deconstruction: An Agenda of Legal Reform, 38 Cath. U. L. Rev. 1 (1988). (76) In Jennings v. Minco Tech. Labs, Inc., 765 S.w.2d 497 (Tex. 1989), the plaintiff/employee argued that her consent to a drug testing requirement would be ineffective because, if she did not consent to the testing, she would lose her job, which she could not afford to do. The court rejected her argument. Id. at 500. But see Community Distributors, Inc., in which the court addressed the issue in exactly opposite terms in connection with polygraph examinations. 317 A.2d at 699. (77) Farrington v. Sysco Food Services, Inc., 865 S.w.2d 247, 253 (Tex. 1993) (drug testing of private sector employees does not amount to a tortious invasion of privacy where there is consent); Jennings v. Minco Tech. Labs, Inc., 765 S.W.2d 497, 500 (Tex. 1989); Ballaron v. Equitable Shipyards, 521 S.2d 481 (La. 1988) (employer's requirements that employee sign polygraph examiner's consent forms did not constitute actionable invasion of privacy). But see cases where state constitutional privacy protections apply, such as Soroka v. Dayton Hudson Corp., 18 Cal. App. 4th 1200, 1209 (1993). In that case, the court, in determining whether the employees could consent to a psychological screening test that allegedly invaded their privacy, noted that, "[s]imply put, applicants for jobs ... have a choice; they may consent to the limited invasion of their privacy resulting from the testing, or may decline both the test and the conditional offer of employment." Id. (citing Wilkinson v. Times Mirror Corp., 264 Cal. Rptr. 194, 204 (Cal. App. 1990)). However, the court concluded that, based on California's constitutional guarantee of privacy rights to all citizens, the psychological screening was not a justified invasion of employees' or applicants' rights; see also Luck v. Southern Pacific Transp. Co., 267 Cal. Rptr. 618 (Cal. App. 1990) (employer's termination of employee for failure to submit to drug urinalysis constituted a violation of employee's right to privacy). (78) Lisa Brunn, Privacy and The Employment Relationship, 24 Hous. L. REV. 389, 401 (1988). (79) Sowards v. Norbar, Inc., 605 N.E.2d 468 (Ohio 1992); Toussaint v. Blue Cross & Blue Shield of Michigan, 292 N.W.2d 88 (Mich. 1980). But see Martin v. Capital Cities, 511 A.2d 830 (Pa. Super. 1986) handbook is not considered a contract unless the employer states that it is legally binding); Gates v. Life of Montana, 638 P.2d 1063 (Mont. 1982) (dictum) handbook is not a contract but instead a unilateral employer statement). (80 Privacy Protection Study Commission, Personal Privacy in an Information Society: The Report of The Privacy protection Study Commission 225 (1977). The Commission was established pursuant to the Privacy Act, Pub. L. No. 93-579, [sections] 5(b)(2), 93rd Cong., 2d Sess., 88 Stat. 1906 (1974). (81) Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and The United States 67 (1992) (citing Advisory Committee don Automated Personal Data Systems of the Secretary of Health, Education and Welfare, U.S. HEW, Records, Computers, and the Rights of Citizens 37 (1973)). (82) Pub. L. No. 91-508, [sections] 601, 84 Stat. 1127 (1970). (83) Decker, supra note 24, at 46. (84) Id. (85) 15 U.S.C. [sections] 1681b (1988). (86) Id. [sections] 1681m(a). (87) Id. [sections] 1681g(a)(1)(3). (88) Id. [sections] 1681i(c). (89) Id. [sections] 1681i(b)(c). (90) Id. [sections] 1681i(b)(c). (91) Edward Ottensmeyer, Ethics, Public Policy and Managing Advanced Technologies: The Case of Electronic Surveillance, 10 J. Bus. Ethics 519 (1991). (92) 18 U.S.C. [subsections] 2510-2521 (1988). (93) Id. [sections] 2511(2)(d). (94) Id. [sections] 2510(5)(d). (95) Abel v. Bonfanti, 625 F. Supp. 263 (S.D.N.Y. 1985). (96) Ottensmeyer, supra note 91, at 520. (97) Id. at 521. (98) S. 984, 103d Cong., 1st Sess. (1993) [hereinafter PCWA]. The bill was first introduced in 1991 as S. 516 (by Sen. Simon) and in the House of Representatives as H.R. 1218, 102 Cong., 1st Sess. (by Rep. Williams). (99) PCWA, supra note 98, Preamble and [sections] 2(4). The PCWA applied to continuous electronic monitoring and provided that employees shall be notified of the monitoring, regulated periodic or random monitoring, and provided for a review and amendment of surveillance records, as well as specific privacy protections. Id. [sections] 3-10. (100) Id. [sections] 3, 4, 5, 8, 10. (101) Cooney, supra note 38, at 30. (102) 29 U.S.C. [sections] 2001-09 (1988). (103) Id. (104) Id. [sections] 2002. (105) Id. (106) Id. (107) 29 U.S.C. [sections] 2006(e). (108) Id. [sections] 2006(f). (109) Id. [sections] 2006(a)-(c). (110) Id. [sections] 2006(a). (111) See notes 107-10 and accompanying text. (112) For instance, under the FCRA, the employer must show that there is a legitimate business need for the information, while the Omnibus Crime Control and Safe Streets Act requires only that the information be collected during the ordinary course of business. (113) Charles Piller, Privacy in Peril, MacWorld, July 1993, at 129. (114) This "quilt-like" method of protection has been criticized to a great extent by privacy scholars. Evan Hendricks, editor of the Privacy Times, explains, "[a]round the world, the U.S. is a laughingstock among privacy experts because we have a law protecting video tape-rental records, but not medical records." Piller, supra note 113, at 129 (Piller was referring to the Video Privacy Protection Act of 1988, 18 U.S.C. [subsections] 2701-2711 (1988), which, among other protections, limits the access of third parties to personally identifiable information retained by a video tape service provider. Id. [sections]2710(a)(4).) Simon Davies, director of the Australian Privacy Foundation and a member of the Board of Directors of Computer Professionals for Social Responsibility, adds, "[t]he U.S. is an embarrassment to the privacy movement overseas; the U.S. stands alone as an example of what a superpower should not do in privacy." Piller, supra note 113, at 129. (115) U.S. Const. amend. IV ("The right of the people to be secure in their persons, homes, papers and effects, against unreasonable searches and seizures, shall not be violated....") (116) 5 U.S.C. [sections] 552 (1988). (117) Decker, supra note 24, at 44. (118) 5 U.S.C. [sections] 552(a)(2)(A)-(C) (1988). (119) Id. 552(a)(1)-(2). (120) Id. [sections] 552(a)(2). (121) Id. [sections] 552(b)(6). (122) Id. [sections] 552(a)(2). (123) Ludmila Kaniuga-Golad, Federal Legislative Proposals for the Protection of Privacy, 8 Fordham Urb. L.J. 773, 788 (1979). (124) Id. The FOIA has been applied to protect public sector employees from excessive and unwarranted invasions of their privacy when private sector employees would not have similar protections. Because the FOIA contains a specific exemption from disclosure of information that would constitute an excessive invasion of privacy, 5 U.S.C. [sections] 552(a)(2), public sector employees have a safe harbor in which to bring their claims. Private sector employees have no similar guarantee. In Maynard v. Central Intelligence Agency, 986 F.2d 547, 566 (1st Cir. 1993), the court held that the names of FBI employees could not be disclosed by their employer because the employees' privacy interest outweighed the public's interest in "what government was up to." In Hopkins v. U.S. Dept. of Housing and Urban Development, 929 F.2d 81, 86-88 (2d Cir. 1991), the court held that payroll records of government contractors were exempt from disclosure requirements of the Act because disclosure would constitute a clearly unwarranted invasion of privacy. In a number of other cases, courts have held that unions were not allowed access to the names and addresses of public employees because it would constitute an invasion of their privacy under the FOIA. See Federal Labor Relations Authority v. U.S. Dept. of Defense, Army and Air Force Exchange Service, 984 F.2d 370 (10th Cir. 1993); Federal Labor Relations Authority v. U.S. Dept. of Defense, 977 F.2d 545 (11th Cir. 1992) (court held that public interest side of balance carried little weight and was not sufficient to outweigh demonstrably significant invasion of privacy). Names and addresses were also considered to be beyond a FOIA request, particularly if coupled with personal financial information, in NARFE v. Horner, 879 F.2d 873, 875 (D.C. Cir. 1989) and Aronson v. HUD, 822 F.2d 182, 186 (1st Cir. 1987). (125) Kaniuga-Golad, supra note 123, at 790. (126) 5 U.S.C. [sections] 552a (1988). (127) Kaniuga-Golad, supra note 123, at 787. (128) The Privacy Protection Study Commission was established by the Act in order to evaluate the effectiveness of extending the requirements of the Act to the private sector. See infra notes 147-55 and accompanying text. (129) 5 U.S.C. [sections] 552a(e)(1) (1988). (130) Id. [sections] 552a(e)(2). (131) Id. [sections] 552a(e)(3). (132) Id. [sections] 552a(d)(1). (133) Id. [sections] 552a(d)(2). (134) 5 U.S.C. [sections] 552a(b). (135) Id. [sections] 552a(b)(3). (136) Id. [sections] 552a(c)(3). (137) Id. [sections] 552a(g)(1). (138) Id. [sections] 552a(b)(1)(11). (139) 5 U.S.C. [sections] 552a(b)(3). (140) Id. (141) Id. [sections] 552a(b). (142) Minnis v. U.S. Dept. of Agriculture, 737 F.2d 784, 786-87 (9th Cir. 1984). (143) Id. (144) 611 F.2d 738, 746 (9th Cir. 1979). (145) Id. at 746; Minnis, 737 F.2d at 786. (146) Patrick Cole, New Challenges to The U.S. Multinational Corporation in The European Economic Community: Data Protection Laws, 17 N.Y.U.J. Int'l L. & Pol. 893 (1985) (147) The application of the Privacy Act of 1974 to individual privacy lies in its prohibition of the disclosure of personal information pursuant to the FOIA and the provisions by which the Act allows individuals to examine, rectify, and copy information maintained in their files by the government or federal agency. 5 U.S.C. [sections] 552a (1988). (148) Privacy Protection Study Commission, supra note 80, at 231. (149) United States v. Westinghouse Elec. Corp., 638 F.2d 570, 576 (3d Cir. 1980). (150) Privacy Protection Study Commission, supra note 80, at 231. It has also been suggested that the Commission was under terrific pressure from private sector lobbyists who recommended that the Act not be extended to the private sector. Madsen, supra note 50, at 107. (151) Madsen, supra note 50, at 274. (152) Id. at 232-33. (153) Courts have held that mere collection of information is not an invasion of privacy, and its internal use by the employer is not subject to privacy rights of the employee because the employee record is considered employer property. Privacy Protection Study Commission, supra note 80, at app. 1, p. 21; Mordechai Mironi, The Confidentiality of Personnel Records: A Legal and Ethical View, 25 Lab. L.J. 270, 288-89 (1974); George Stevens, The Publicity Requirement and the Employee's Right to Privacy, 16 Am. Bus. L.J. 360, 365 (1979). See Saldana v. Wyoming, 846 P.2d 604, 651 (Wyo. 1993) ("[R]etrenchment by the United States Supreme Court and the report of the Privacy Protection Study Commission have made it abundantly clear that the right of privacy will be fully protected only if there is action by the states. It is time to take that step. It is vital to a free society to establish a zone of privacy in which each individual is free from physical and psychological intrusion and has the autonomy to make vital personal decisions." Id. (Urbigkit, J., dissenting)). See also Johnson v. Carpenter Tech. Corp., 723 F. Supp. 180 (D. Conn. 1989); Esnor v. Rust Eng'g Co., 704 F. Supp. 808 (E.D. Tenn. 1989); Greco v. Halliburton Co., 674 F. Supp. 1447 (D. Wy. 1987); Peller v. Retail Credit Co., 359 F. Supp. 1235 (N.D. Ga. 1973), aff'd mem., 505 F.2d 733 (5th Cir. 1974); O'Keefe v. Passaic Valley Water Comm., 624 A.2d 578, (N.J. 1993); Cort v. Bristol-Myers, 431 N.E.2d 908, 914 (Mass. 1982). In addition, the former chairman of the Privacy Protection Study Commission, David Linowes, conducted a study which showed that, of the employers questioned, 64% do not have programs that provide employees privacy protection. In addition, 36% of the employers would not create such programs until required to do so by law. Dept. of Labor Hearings on Workplace Privacy, 44 Fed. Reg. 57537 (1979), 44 Fed. Reg. 75755 (1979) (statement of Prof. David Linowes). On the other hand, some of this country's larger firms have exhibited efforts at conformance. These firms include AT&T, Aetna Life & Casualty, Eastman Kodak, and Prudential Insurance. Alan Westin, What Should Be Done about Employee Privacy?, 25 Pers. Admin. 27, 30 (1980). See also David Ewing, IBM's Guidelines to Employee Privacy, Harv. Bus. Rev., Sept./Oct. 1976, at 82. (154) Murg & Maledon, supra note 6. (155) Privacy Act Amendments of 1991, 137 Cong. Rec. H3449-06 (1991). (156) Privacy Protection Study Commission, supra note 80, at 238-41. (157) Id. at 232. (158) Richard Ehlke, The Privacy Act after a Decade, 18 John Marshall L. Rev. 829, 840 (1985). (159) Id. (160) Madsen, supra note 50, at 141-42. (161) Id. See, e.g., Individual Privacy Protection Act, H.R. 126, 135 Cong. Rec. E402-02 (daily ed. 1989). (162) S. 1735, 103d Cong., 1st Sess. (1993). A similar bill was proposed in the House of Representatives by Illinois Rep. Cardiss Collins. H.R. 135, 103d Cong., 1st Sess. (1993). H.R. 135, however, did not make specific reference to application to the private sector, while it also did not exclude trial application. Id. [sections] 6(b)(2). One additional point worth noting is that H.R. 135 stated that the "right to privacy is a personal and fundamental right protected by the Constitution of the United States." Id. [sections] 2(4). (163) Id. [sections] 2(5)(A)-(C). (164) Id. [sections] 6. (165) Privacy International is an independent non-governmental organization established in 1990 with the objective of protecting personal privacy and monitoring surveillance by governments, financial institutions, intelligence agencies, media, political groups, police, and other organizations. (166) Simon Davies, The United States Privacy Protection Act, 1993 (S. 1735), Draft Discussion Paper at 2 (Mar. 11, 1994); see also, Simon Davies, Comment: A U.S. Privacy Commission, 2 Int'l Privacy Bull., Jan./Mar. 1994, at 3. (167) Davies, The United States Privacy Protection Act, 1993 (S. 1735), Draft Discussion Paper, supra note 166. (168) Jonathan Graham, Note, Privacy, Computers and the Commercial Dissemination of Personal Information, 65 Tex. L. Rev. 1395 (1987). (169) Id. at 1422-23 n.146 (citation omitted). (170) Privacy Act Amendments of 1991, supra note 155, at 3450. (171) Id. (172) Privacy Protection Study Commission, supra note 80, at 232. (173) Id. (174) 44 Fed. Reg. 57,537 (1979), 44 Fed. Reg. 75,755 (1979). See also Cooney, supra note 38, for an extensive discussion of the status of work place monitoring in today's private sector industry. (175) Ehlke, supra note 158, at 840-41. (176) Id. (177) 5 U.S.C. [sections] 552(b)(6) (1988). (178) 137 Cong. Rec. H3449-06 (daily ed. May 22, 1991) (statement of Rep. Wise).