Anti-Privacy Legislation in the US

Privacy law proponents often find themselves at odds with policymakers developing security regulations. In order for effective monitoring to take place, the Government and law enforcement agencies require access to sensitive information about individuals including their financial transactions, and electronic and phone communications. The following laws are known colloquially as “anti-privacy laws” because they take away some individual privacy rights in the interest of trying to detect and prevent fraud, terrorism and other significant crimes.

Bank Secrecy Act

The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transaction Reporting Act, was passed in 1970 to help the United States Government monitor and prevent possible money laundering schemes. Under the BSA, all financial institutions must keep records about customer transactions and submit reports to the Federal Government for certain types of transactions.

A Currency Transaction Report (CTR) must be filed for:

  • Any cash financial transactions (deposit/withdrawal/exchange) made by an individual in an amount greater than $10,000
  • Any cash transactions made by or for one individual in a single business day in which the aggregate total is greater than $10,000

A Currency and Monetary Instrument Report (CMIR) must be filed for:

  • Any person or entity that transports an individual or aggregate amount greater than $10,000 into or outside of the United States in the form of currency, traveler’s checks, bank notes or other monetary instruments.

A Suspicious Activity Report (SAR) must be filed for:

  • Abuse by an employee of the financial institution
  • Violations in which a suspect can be identified and the aggregate amount is $5,000 or more.
  • Violations in which no suspect can be identified and the aggregate amount is $25,000 or more.
  • A transaction through a bank that the teller has reason to believe may be designed to avoid BSA regulations
  • A transaction through a bank that the teller has reason to believe may involve potential money laundering or criminal activity

Many banks use automated records systems that keep customer information on file and generate the relevant reports when such transactions occur. The creation of multiple reports for a single person or entity signals law enforcement agencies to look closer for fraudulent activity.

Foreign Intelligence Surveillance Act of 1978

The Foreign Intelligence Surveillance Act was passed in 1978 and amended in 2007 in order to monitor communications between “foreign powers” outside the United States and “agents of foreign powers” within the United States in order to maintain national security.

The Act allows electronic surveillance or the physical search of “premises, information, material or property used exclusively by” a foreign power or agent of a foreign power for the collection of foreign intelligence information:

  • Without a court order for the period of one year
  • Without a court order for 15 days after a declaration of war by Congress
  • With a court order approved by the FISA court after reasonable cause has been determined.
    • A warrant also expands the types of entities that may fall under surveillance to include international terrorist groups, political organizations and other organizations not backed by a foreign government.


The Right to Financial Privacy Act

The Right to Financial Privacy Act was passed by Congress in response to the 1976 Supreme Court ruling United States v. Miller, in which the court held that bank customers have no legal expectation of privacy. Under the ruling, the Federal Government could request individual financial records without restriction.

The Right to Financial Privacy Act attempted to reassert individual rights by requiring:

  • Customers to receive notice of the disclosure to the government prior to the release of their records
  • The creation of a mechanism for customers to challenge the disclosure of their information.
  • Government agencies to keep an audit trail of all disclosures of customer information to the agency and any interagency transfers.

In order for a government agency to obtain customer financial records, it must meet one of the following requirements:

  • Receive customer consent for their release
  • Provide an administrative subpoena or summons
  • Provide a search warrant
  • Provide a judicial subpoena
  • Provide an appropriate written authorization from a government agency

It is important to note that the act only applies to disclosures to the Federal Government. It does not pertain to state and local governments. While the Right to Financial Privacy Act was designed to protect customer financial privacy, it is considered an “anti-privacy law” because its protections are weaker than those granted under the Fourth Amendment. The US Patriot Act further weakened the law’s protection by allowing disclosure when terrorism is suspected.

Electronic Communications Privacy Act

The Electronic Communications Privacy Act was passed in 1986 to expand government restrictions on wiretaps to include electronic communications. It is an extension of the original wiretap law, the Omnibus Crime Control and Safe Streets Act, which protects oral communications. Furthermore, the ECPA expanded the types of crimes that allow law enforcement to intercept communications. It also allows the use of pen registers and trap and trace orders that record the telephone numbers that have been dialed and the calls that have been received. Though the ECPA was passed to protect electronic privacy, it has been criticized for being too weak to adequately protect personal privacy.


USA Patriot Act

The Uniting and Strengthening of America by Providing the Appropriate Tools Required to Intercept and Obstruct Terrorism Act was passed in 2001 after the September 11th terrorist attacks. The Patriot Act introduced wide changes across several sectors and amended several laws already in effect. Due to its strong focus on security, the US Patriot Act has been criticized for the limits it places on personal privacy.

The Patriot Act introduced the following changes to privacy laws:

  • Expanded the type of information the U.S. may receive by subpoenaing Internet Service Providers to include not only personally identifiable information but also session durations and times, services used, IP addresses and payment information. Disclosure may also take place if the service provider suspects danger to “life and limb”
  • Title II expanded surveillance procedures:
    • Allows “Sneak and Peek” warrants to allow delayed notice of search warrants
    • Roving wiretaps that do not require the specification of carrier or third parties
    • Amended the Foreign Intelligence Surveillance Act by expanding the duration of search and surveillance orders and removing the requirement to prove reasonable cause to monitor non-U.S. citizens.
    • Expanded wiretapping capabilities under the Electronic Communications Privacy Act to allow surveillance of packet-switched networks.
    • Allows the U.S. Government to obtain any “books, records, papers, documents and other items” that may aid in investigations to protect against terrorism.

Many Title II regulations were set to expire on Dec. 31, 2005 but were reauthorized until December 31, 2009. The USA Patriot Extension Act of 2009 seeks to extend those regulations even further.

  • Title III attempts to prevent money laundering to deter terrorism by amending the Bank Secrecy Act and the Money Laundering Control Act of 1986.
    • Subtitle I placed strong regulations on financial institutions, especially with regard to transactions with foreign countries. It expanded record keeping requirements, prohibited transactions with banks not subject to a banking authority and expanded the definition of money laundering.
    • Subtitle II allows suspicious activity reports to be sent to U.S. Intelligence agencies and made it illegal to structure transactions in such a way as to avoid BSA regulations.
    • Subtitle III made the evasion of currency reporting a criminal offense. It also made further provisions to deter money laundering

The Patriot Act contained several other regulations that affected immigration law, criminal law, created funding for necessary defenses and provided funds for victims of terrorist attacks.


REAL ID Act of 2005

The Rearing and Empowering America for Longevity Against Acts of International Destruction Act was passed in 2005 to standardize security, authentication and issuance procedures for state identification cards and driver’s licenses so that they may be used by the Federal Government for “official purposes.”

The issuing of ID cards is a state privilege, and as such, the REAL ID Act has been opposed by many states. Enforcement of the law has been postponed until 2011 in the hopes of gaining more support among the States. When enforced, individuals carrying a non-compliant ID card will not be allowed entrance to Federally controlled buildings or areas such as Federal Government buildings and airport security. Furthermore, the act requires all states to share Department of Motor Vehicle data with other states.

A REAL ID card must:

  • Include a person’s legal name; signature; date of birth; gender; identification number; photograph of their face; address of residence
  • Include security features to prevent duplication, tampering and counterfeiting
  • Make use of machine readable technology to be set by the Secretary of Homeland Security, the Secretary of Transportation and the States.

The REAL ID Act has been widely criticized as being comparable to the issuing of a National Identification card, to which many proponents of privacy object. It is believed that a National Identification card would quickly become the default method of identification and allow for the tracking of the activity of U.S. citizens. A further privacy risk would be the storing of large amounts of personal information electronically on a national level, increasing the risk of unauthorized access.


There is no easy answer to resolve the conflict between privacy and security. While the “anti-privacy laws” were not developed as a deliberate attempt to restrict personal privacy, privacy has nonetheless suffered in the interest of providing more effective monitoring and violence prevention. Privacy proponents must continue to advocate the creation of adequate privacy regulations to prevent the further imposition on individual privacy in the future.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

  • Laws compelling the disclosure of personal data (I.B.b.i-vi.)
