The latest decision revolves around Stanmore C. Cooper, a pilot who filed false paperwork in 1985 with the Federal Aviation Administration claiming he was not suffering from HIV. At the time, HIV would have meant his flight license would be revoked. When the FAA conducted a database verification process called "Operation Safe Pilot" that cross-referenced various government databases, they discovered Cooper had lied about his HIV status. He received a $1000 fine and lost his pilots license.
From the NY Times article:
The ruling turned on the meaning of the statutory phrase “actual damages,” which has been described as a chameleon that takes on different legal hues in different contexts. In the privacy law, the court decided, Congress had left the meaning of the term ambiguous enough that it could not be used to waive the sovereign immunity that often protects the government from being sued for damages.The privacy implications are profound. The government can cross-reference multiple databases and act on the new information gained from this activity with relative immunity. If a government agency wanted to "encourage" a citizen to make a certain choice or act in a certain way, that agency can troll multiple databases to create a digital dossier on any particular individual and use information gathered about that person at any time. This information can then be made publicly available - as it was in the Valerie Plame case and multiple others - without any recourse.
The 1974 Privacy Act relied on a 1973 Health, Education, and Welfare committee report that created the Fair Information Principles. These principles have been used by many nations to create privacy protecting statutes, and include
- There must be no personal data record-keeping systems whose very existence is secret.
- There must be a way for a person to find out what information about the person is in a record and how it is used.
- There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
- There must be a way for a person to correct or amend a record of identifiable information about the person.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.
The power of combining multiple sources of data and the ability to create a digital dossier, and use that dossier with little fear of consequence, seems like a major step in the wrong direction.