For nearly half a century, organizations and governments have used internationally accepted principles to communicate their privacy goals to the world. These principles are referred to as Fair Information Practice Principles, Fair Information Principles, simply "principles," or, most commonly, FIPPs. Since their emergence, the influence of FIPPs is in nearly every adopted data protection legislation. The EU General Data Protection Regulation codified FIPPs in its Article 5. The recent California Consumer Privacy Act rulemaking file references the data minimization FIPP as one justification for the CCPA regulations. This article explores the history of FIPPS and examines the current impact of two FIPPS — Collection Limitation and Use Limitation — in privacy regulation today. 

A brief history of FIPPs

FIPPs organize aspirational principles for responsible data practices by requiring those who collect or use personal information to be accountable, sensible and transparent. FIPPs helped establish a framework for regulation since their rise in popularity in the 1970s and '80s. Although they have evolved since, FIPPs have consistently emphasized control over personal information, the information life cycle and individuals' rights regarding their personal information. 

Despite scholar's attempts to determine the exact genesis of the term "FIPPs," their origin is unclear. In 1973, the U.S. Department of Health, Education, and Welfare released the HEW report, which focused on the impact of computerization on information privacy. The report articulated a Code of Fair Information Practice that promoted transparency, accessibility and accountability, as well as limited the use of information for secondary purposes without consent. 

The following year, the United States enacted one of its earliest federal privacy laws, The Privacy Act of 1974, which used the HEW Report Code to establish safeguards in the life cycle of personal data held by the federal government. A few years later, the Organisation for Economic Co-operation and Development, an international organization that encourages countries to develop global standards and objectives to improve economic and social well-being, built from the HEW report and adopted eight principles in its 1981 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The most widely recognized OECD FIPPs are: 

  • Collection Limitation.
  • Data Quality.
  • Purpose Specification.
  • Use Limitation.
  • Security Safeguards.
  • Openness.
  • Individual Participation. 
  • Accountability.

After the OECD FIPPS were issued, the first legally binding international treaty on data protection arrived when the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data opened for signatures in 1981. Convention 108 required signatories to incorporate data protection provisions like the OECD FIPPs into their domestic laws to safeguard data quality, protect special categories of data, establish data security and facilitate transborder data flow. Since that Convention, nearly every data protection regulation adopted globally directly incorporated or massaged FIPPs into its regulatory or aspirational framework.  

Collection Limitation

The Collection Limitation FIPP is a substantive principle that directs the behavior of a collector of data. As articulated by the OECD, the principle states "there should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject." What began as consent and lawfulness in the 1980s has grown. Today, the Collection Limitation FIPP, as implemented in privacy laws worldwide, commonly encompasses transparency and accountability in data collection. 

Canada's Personal Information Protection and Electronic Documents Act governs personal information controlled by private sector organizations during commercial business. PIPEDA includes 10 principles at the core of its legislation. Principle 4 is similar to the Collection Limitation FIPP and mandates "the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization and that information shall be collected by fair and lawful means." The Act's language goes beyond the OECD FIPP, including "shall" and mandating organizations identify their collection purposes. Additionally, Principles 2 and 4 limit the collection of personal information by both the amount and the type of personal information to that "which is necessary to fulfill the purposes identified." While these ideals are found in the eight traditional OECD FIPPS, PIPEDA's principles more clearly articulate the framework of the legislation and codify otherwise aspirational goals into substantive legal requirements. 

The impact of the Collection Limitation FIPP is also present in Panama's new privacy law, the Personal Data Protection Law 2019. This law aims to regulate the processing of personal data and is supported by Panama's FIPP-influenced constitution. Article 11 of the law requires a specified, explicit, lawful and authorized use of personal data at the time of collection. This article stems directly from Panama's constitutional right for every person to have their personal information collected only for specific purposes and requiring consent or an otherwise lawful basis. Together, Article 42 of the Constitution and Article 11 of the Data Protection Law mandate the substantive practices articulated by the Collection Limitation FIPP. Yet, the specific elements in Panama's data protection law that require defined purpose and consent prior to data collection move Panama beyond the aspirational and offer more protection for consumers.

In contrast to Panama's constitutional and national codification of FIPPs, the most direct use of FIPPs in the United States stems from the works of the Executive Branch. In 2012 the Obama Administration published a report supporting the creation of a Consumer Privacy Bill of Rights that would carry certain FIPPs forward as "rights" for consumers in the U.S. The Privacy Bill of Rights included a "Focused Collection" right that proposed "consumers have a right to reasonable limits on the personal data that companies collect and retain," which imposes obligations on a company when determining what data needs to be collected for a specific purpose. 

While Congress did not act on the proposed Privacy Bill of Rights, the U.S. Federal Trade Commission issued its own report emphasizing many of the same themes and calling for a more comprehensive approach to privacy, including reasonable collection limits for specific business purposes. Although there is no comprehensive federal data protection law in the U.S., recent proposals such as the Information Transparency & Personal Data Control Act from Rep. Suzan DelBene, D-Wash., still choose to incorporate the aspirational elements of the Collection Limitation FIPP, and it remains prominent in today's discussion of future regulation.  

Use Limitation 

The Use Limitation FIPP guides what conduct is permissible after data is collected. The OECD Use Limitation FIPP states, "personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except a) with the consent of the data subject, or b) by the authority of law." Over time, "use" and "processing" limitations became interchangeable in some jurisdictions. The inclusion of either term illustrates the regulation's intent to protect data by limiting what a controller does with personal data once it is collected, as well as the tension limited use of data can cause in foreseeable circumstances. It is this tension that makes the Use Limitation FIPP particularly difficult in practice as exceptions become necessary. 

Hong Kong's Personal Data (Privacy) Ordinance aims to protect a person's privacy rights about their personal data and incorporates a concise version of the Use Limitation FIPP. PDPO Principle 3, the use of personal data, states "personal data shall not, without the prescribed consent of the data subject, be used for a new purpose." However, Principle 3 continues with an exception: The data may be used for a new purpose if the data user has "reasonable grounds" to believe the new purpose is "clearly" in the interest of the data subject. Additionally, Principle 3 does not apply to personal data in records transferred to the Government Records Service, in emergency situations, in statistics and research, in news of the public interest, in some legal proceedings or in circumstances where harm to the physical or mental health of a person would result. 

These exceptions broaden the otherwise adopted OECD FIPP in the interest of efficiency or protection of the data subject and are standard in modern data protection regulation. 

While the PDPO applied the term "use," Brazil's General Data Protection Law employs "processing" language to more broadly adopt the Use Limitation FIPP and include specific limitations on how personal data can be "processed" following collection. LGPD Article 6 requires good faith processing of personal data according to several principles, including "processing done for legitimate, specific and explicit purposes of which the data subject is informed, with no possibility of subsequent processing that is incompatible with these purposes." 

Article 7 supplements Article 6 with the circumstances the processing of personal data can occur. Article 7 also provides a lawful basis, referred to as a "legitimate interest," that allows a controller to use personal information for a purpose neither specified at the time of collection nor explicitly authorized by an individual. While this exception to the limited use of personal data appears large on its face, the LGPD restricts the use of information for "legitimate interest" in several subsequent provisions. These provisions require personal information used under the "legitimate interest" basis to have both specific and explicit purposes and be limited to strictly necessary information. The LGPD moved beyond the OECD FIPP by incorporating the themes of the Use (i.e., Purpose) Limitation FIPP amongst other principles and exceptions. As governments begin the difficult task of promoting privacy by curtailing the unfettered use of collected data, they face the reality of the modern world — global pandemics, terrorist threats, public safety — and must create innovative approaches to serve and protect their populace.   

Conclusion

Approaching 50 years, FIPPs survived and continue to influence legislation around the world. Despite increasing criticism for their alleged inability to adequately address and preserve individual control over data, FIPPs still provide a common language for nations to communicate their privacy values to the world. The arguments that FIPPs cannot adequately address the world's current privacy needs have merit. Nevertheless, legislative bodies still attempt to remain true to these shared fair information privacy practices as they create innovative methods to accomplish their goals. 

Photo by Kendall Scott on Unsplash