There’s a need for privacy officers to not be seen as aliens we don’t want in the room. If you want to do a privacy impact assessment or Privacy by Design, you need to be perceived as part of the team. There’s a tension there profoundly felt by privacy pros on a daily basis.
--Deirdre Mulligan on the Privacy Act's shortcomings
As we reported yesterday, Georgetown Law’s Center on Law and Technology last week hosted a fete to commemorate “The Privacy Act @ 40.” Hosted by the center’s executive director, Alvaro Bedoya, the event featured an all-star roster of panelists to discuss the sociopolitical climate leading to the U.S. Senate’s passage of the act in 1974 and to, perhaps more importantly, discuss its shortcomings to date.
The gist: the act remains important if for no other reason than for its requirement that federal agencies publicly announce the establishment of a database as a “system of records” in the Federal Register and then show data subjects the data stored on them and protect that information by following the Fair Information Practice Principles. It also places restrictions on data-sharing among agencies and allows individuals to sue the government for violating the law’s provisions.
But where the law falls short is in its failure to define key terms in critical ways; exemptions to the law’s data disclosure rules exist for “routine uses” of data, for example. Over time, agencies have taken some liberties in defining what a “routine use” might be. In addition, the idea of a “system of records,” which is defined under the law as a database that functions by retrieving data via personally identifiable information like a name and Social Security number, for example, is obsolete, panelists agreed. To avoid registering a database, agencies are circumventing the wording by retrieving data via other identifiers.
Finally, Jonathan Cantor, deputy chief privacy officer at the Department of Homeland Security (DHS), said the law regularly fails on the technology side in that it hasn’t kept pace with the advent of advances like big data, algorithms and the amount of data that’s being shared with law enforcement.
But what to do?
Proposed Solutions to Shortcomings
Bob Gellman, a privacy consultant who worked closely with the Privacy Act on a government subcommittee charged with overseeing it in the '70s, said Congress isn’t the place to turn for clarifications in the law such as which disclosures should be allowed, what routine use seems to make sense or not. That’s too much detail for a body like Congress to tackle, and there’s too much change over time to count on legislation to cover it anyway.
Besides, said Mark Lynch of Covington & Burling, it can be difficult to get changes that pose a threat to law enforcement’s access to data through the executive branch. That was evident in 1974, when President Gerald Ford pushed back against the Privacy Act, feeling pressure from the FBI.
“When you’re the president, you tend to take the advice of those who want to support your powers and not give them away willingly,” Lynch said. “I’ve noticed over 40 years, administrations get very worried if they think they are going to lose the national security bureaucracy. They don’t want to push those folks too far.”
Despite the perceived difficulties ahead in getting it done, EPIC’s Khaliah Barnes said there need to be clarifications in the law on key terms including the definition of “individual” to cover “non-citizens.” The U.S. is routinely collecting data through SWIFT or for passengers under the Secure Flight program.
“The time is now,” Barnes said. “Especially in light of all the records we collect on non-U.S. citizens.”
Speaking more broadly, Gellman said what’s needed is some tension in the system: While the Office of Management and Budget (OMB) is responsible for oversight of the act, that ain’t happening.
“There needs to be true oversight when a routine use is proposed,” Gellman said. “There needs to be somebody to look at it and say, ‘This use is too broad; this is unnecessary.' There’s no one who does that now. The public doesn’t do it. OMB doesn’t do it. The Hill doesn’t do it.”
Barnes agreed that OMB’s oversight of the act has thus far been ineffective.
“We need more guidance from the OMB as these issues are evolving,” she said.
If that can’t be, perhaps an independent U.S. agency could provide agencies with the assistance they need.
“We need an independent mechanism that is only charged with evaluating the proposed disclosures” from agency to agency, Barnes said.
Sidley Austin’s Alan Raul said perhaps the solution could be that the Privacy and Civil Liberties Oversight Board have its mandate expanded so it oversees compliance. But there should be one person with ultimate responsibility.
“There should be a privacy czar, and it should be under OMB,” Raul said.
Focus More on People, Gov’t Failures
Deirdre Mulligan of UC Berkeley, whose focus is on information technology law and policy as well as privacy, said we should look to reform the law in its focus on the possession rather than the use and impact of data, citing the government’s ability to now, through various databases, create virtual biographies of data subjects, creating a detailed picture of their lives.
Agencies should start asking questions not only about what data is being collected and later disclosed but also, “What is the impact of the information on individuals?”
While there’s an instinctual desire for us to call for transparency, that becomes difficult in an age where we’re heavily reliant on automated systems and code. Maybe transparency should start to take a different shape.
“Notices of what government is doing is important,” she said, “but they might be accompanied more by notices of government failures and greater clarity about when things go wrong.” She suggested that privacy officers, generally privy to such failures, might make a greater effort to do such reporting.
Privacy professionals also should feel more empowered, Mulligan added. We need to focus more on the people on the front lines and not focus so exclusively on tools, she said.
“Thinking about how we empower professionals within these agencies to use the tools we’ve given them more effectively should be a very important part of our reform,” she said. “There’s this tension between privacy as a deeply political issue and then the need for it if we want to operationalize privacy. There’s a need for privacy officers to not be seen as aliens we don’t want in the room. If you want to do a privacy impact assessment (PIA) or Privacy by Design, you need to be perceived as part of the team. There’s a tension there profoundly felt by privacy pros on a daily basis.”
PIAs as a Solution?
What of PIAs? Could they be where privacy pros make up for the gaps left by the Privacy Act?
DHS’s Cantor said while PIAs are helpful to look at data systems from a different perspective and telling a story, they don’t quite get the job done for accountability.
“They are very weak in terms of providing any direct remedy,” he said.
But Peter Swire, CIPP/US, of Georgia Institute of Technology's Scheller College of Business said rather than redefining terms, he sees PIAs as the way forward.
The University of Colorado Law School's Paul Ohm said he worries about privacy on the ground now and sees a hard task ahead for privacy pros charged with reminding others about privacy.
“I worry a little that privacy on the ground might mean a lot of people with a lot of authority who don’t really know what the rules are or what to do,” he said. “We need more very bright line rules that keep privacy by keeping pieces of information away from one another. Maybe we need a new Privacy Act that’s less contextual with really bright lines: 'Thou shalt not mix this data.'”
If you want to comment on this post, you need to login.