Order Code RS21851
May 27, 2004
CRS Report for Congress
Received through the CRS Web
Privacy Protection: Mandating New
Arrangements to Implement and Assess
Federal Privacy Policy and Practice
Harold C. Relyea
Specialist in American National Government
Government and Finance Division
Summary
When Congress enacted the Privacy Act of 1974, it established a temporary
national study commission to conduct a comprehensive assessment of privacy policy and
practice in both the public and private sectors and to make recommendations for better
protecting the privacy of individuals. While the panel subsequently produced a
landmark July 1977 report, its recommendations were not legislatively implemented.
Nonetheless, interest in creating new arrangements for better implementing and
assessing federal privacy policies and practices continued, the most recent proposal
offered in the 108th Congress being legislation (H.R. 4414) to designate a Chief Privacy
Officer within the Office of Management and Budget, as well as privacy officers in each
principal department and the independent agencies, and establish a temporary
commission to examine privacy issues related to the government’s anti-terrorism efforts.
This report will be updated as events warrant.
An expectation of personal privacy — not being intruded upon — seemingly has
long prevailed among American citizens. By one assessment, American society, prior to
the Civil War, “had a thorough and effective set of rules with which to protect individual
and group privacy from the means of compulsory disclosure and physical surveillance
known in that era.”1 Toward the end of the 19th century, new technology — the telephone,
the microphone and dictograph recorder, and improved cameras — presented major new
challenges to privacy protection. During the closing decades of the 20th century,
extensions of these and other new technology developments — the computer, genetic
profiling, and digital surveillance — further heightened anxieties about the loss of
personal privacy. In response, Congress has legislated various privacy protections. To
assist in this effort, Congress, on two occasions, has sought the views of a temporary
national study commission.
1 Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1970), pp. 337-338.
Congressional Research Service ˜ The Library of Congress

---

CRS-2
Privacy Protection Study Commission
While the Privacy Act of 1974 directly addressed several aspects of personal privacy
protection, the statute also mandated the Privacy Protection Study Commission, a
temporary, seven-member panel tasked to “make a study of the data banks, automated
data processing programs, and information systems of governmental, regional, and private
organizations, in order to determine the standards and procedures in force for the
protection of personal information.”2 The commission was to “recommend to the
President and the Congress the extent, if any, to which the requirements and principles
of [the Privacy Act] should be applied to the information practices of [such] organizations
by legislation, administrative action, or voluntary adoption of such requirements and
principles, and report on such other legislative recommendations as it may determine to
be necessary to protect the privacy of individuals while meeting the legitimate needs of
government and society for information.”3
The commission began operations in early June 1975 under the leadership of
chairman David F. Linowes, a University of Illinois political economist, educator, and
corporate executive.4 The final report of the panel, published in July 1977, offered 162
recommendations.5 In general, the commission urged the establishment of a permanent,
independent entity within the federal government to monitor, investigate, evaluate, advise,
and offer policy recommendations concerning personal privacy matters; better regulation
of the use of mailing lists for commercial purposes; adherence to principles of fair
information practice by employers; limited government access to personal records held
by private sector recordkeepers through adherence to recognized legal processes; and
improved privacy protection for educational records. The panel also recommended the
adoption of legislation to apply principles of fair information practice, such as those found
in the Privacy Act, to personal information collected and managed by the consumer credit,
banking, insurance, and medical care sectors of the U.S. economy.
Congressional response to the commission’s report was largely positive; some 200
bills incorporating its recommendations were introduced. However, an effort to enact
legislation applying fair information practice principles to personal information collected
and managed by the insurance and medical care industries failed in the final days of the
96th Congress. The opposition was sufficient to discourage a return to such legislative
efforts for several years.
Federal Paperwork Commission
In 1974, Congress also established a temporary, 14-member Commission on Federal
Paperwork, giving it a broad mandate to consider a variety of aspects of the collection,
processing, dissemination, and management of federal information, including “the ways
2 88 Stat. 1906.
3 Ibid.
4 See David F. Linowes, “The U.S. Privacy Protection Commission,” American Behavioral
Scientist, vol. 26, May-June 1983, pp. 577-590.
5 U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society
(Washington: GPO, 1977).

---

CRS-3
in which policies and practices relating to the maintenance of confidentiality of
information impact upon Federal information activities.”6 The panel was cochaired by
Representative Frank Horton (R-NY) and Senator Thomas J. McIntyre (D-NH);
conducted its work largely in parallel with the Privacy Protection Study Commission; and
produced 36 topical reports, with recommendations, as well as a final summary report of
October 3, 1977.7 One of these reports was devoted to confidentiality and privacy. Issued
July 29, 1977, it offered 12 recommendations.8 Although a House subcommittee devoted
a hearing to the report, no immediate action was taken on its recommendations.9
Subsequently, however, a recommended new organization to centralize and
coordinate existing information management functions within the executive branch was
realized in the Paperwork Reduction Act of 1980.10 Located within the Office of
Management and Budget (OMB), the Office of Information and Regulatory Affairs
(OIRA) was to assist the OMB director with the government-wide information
coordination and guidance functions assigned to him by the act.
Indicating that one of the purposes of the Paperwork Reduction Act was “to ensure
that the collection, maintenance, use and dissemination of information by the Federal
Government is consistent with applicable laws relating to confidentiality, including ... the
Privacy Act,”11 the statute assigned the OMB director the several privacy functions: “(1)
developing and implementing policies, principles, standards, and guidelines on
information disclosure and confidentiality, and on safeguarding the security of
information collected or maintained by or on behalf of agencies; (2) providing agencies
with advice and guidance about information security, restriction, exchange, and
disclosure; and (3) monitoring compliance with [the Privacy Act] and related information
management laws.”12 These privacy functions would be expanded, and privacy
responsibilities would be specified for the federal agencies, in a 1995 recodification of the
act.13 In 1988, amendments governing computer matches of personal information by
government agencies were enacted.14
6 88 Stat. 1789.
7 U.S. Commission on Federal Paperwork, Final Summary Report: A Report of the Commission
on Federal Paperwork (Washington: GPO, 1977).
8 U.S. Commission on Federal Paperwork, Confidentiality and Privacy: A Report of the
Commission on Federal Paperwork (Washington: GPO, 1977), pp. 139-175.
9 U.S. Congress, House Committee on Government Operations, Privacy and Confidentiality
Report and Final Recommendations of the Commission on Federal Paperwork, hearing, 95th
Cong., 1st sess., Oct. 17, 1977 (Washington: GPO, 1978).
10 94 Stat. 2812; 44 U.S.C. 3501 et seq.
11 94 Stat. 2813.
12 94 Stat. 2816.
13 109 Stat. 163; 44 U.S.C. 3501 et seq.
14 102 Stat. 2507.

---

CRS-4
Pursuing New Privacy Arrangements
As the 21st century approached, heightened interest in a new privacy study
commission was evidenced. During the 106th Congress, three bills were introduced to
establish a temporary study commission to examine personal privacy issues. One of these
(H.R. 4049), offered by Representative Asa Hutchinson (R-AR), would have created a
17-member Commission for the Comprehensive Study of Privacy Protection to “conduct
a study of issues relating to protection of individual privacy and the appropriate balance
to be achieved between protecting individual privacy and allowing appropriate uses of
information.” Referred to the Committee on Government Reform, the bill was considered
by the Subcommittee on Government Management, Information, and Technology.15 The
subcommittee amended the bill, increasing the panel’s funding authorization from $2.5
million to $5 million; authorizing it to issue subpoenas to obtain needed information, but
prohibiting the panel from acquiring any classified information relating to national
security; and reducing the number of required field hearings from 20 to 10. Further
modified by the Committee on Government Reform, the bill was brought up on the floor
on October 2, 2000, for approval under a suspension of the House rules, but the bill failed
to pass on a vote of 250 yeas to 146 nays (two-thirds approval required).16
Representative Hutchinson introduced a modified version of his earlier privacy
commission bill, with bipartisan support, in the 107th Congress (H.R. 583), but it was not
reported by the Committee on Government Reform. A companion bill, of sorts, was
introduced in the Senate, with bipartisan support (S. 851), by Senator Fred Thompson (R-
TN), the chairman of the Committee on Governmental Affairs, to which the bill was
referred.17 Unlike the Hutchinson bill, the Thompson measure would have focused
commission attention on public sector privacy issues, including the extent to which
federal, state, and local governments collect, use, and distribute personal information;
their compliance with the Privacy Act; and the extent to which individuals can obtain
redress for privacy violations by these governments. The Committee on Governmental
Affairs took no action on the legislation.
In the 108th Congress, Representative Kendrick Meek (D-FL) introduced, for himself
and 25 cosponsors, on May 20, 2004, a bill (H.R. 4414) requiring the presidential
designation of a senior official within OMB as the Chief Privacy Officer, with primary
responsibility for privacy policy throughout the federal government; requiring the heads
of the principal departments and each independent agency in the executive branch to
appoint a senior official to assume primary responsibility for privacy policy; and
mandating a temporary Commission on Privacy, Freedom, and Homeland Security to
conduct a comprehensive legal and factual study relating to United States efforts to further
homeland security in a manner that protects privacy, civil liberties, and individual
15 U.S. Congress, House Committee on Government Reform, H.R. 4049, to Establish the
Commission for the Comprehensive Study of Privacy Protection, hearings,106th Cong., 2nd sess.,
May 15-16, 2000 (Washington: GPO, 2001); also see U.S. Congress, House Committee on
Government Reform, The Privacy Commission: A Complete Examination of Privacy Protection,
hearing, 106th Cong., 2nd sess., Apr. 12, 2000 (Washington: GPO, 2001).
16 Congressional Record, daily edition, vol. 146, Oct. 2, 2000, pp. H8561-H8570, H8588-H8589.
17 See Congressional Record, daily edition, vol. 147, May 9, 2001, pp. S4604-S4607.

---

CRS-5
freedoms. During the Clinton Administration, attorney Peter Swire served as Chief
Counselor for Privacy at OMB, a new position he held from March 1999 to January 2001.
The successor Bush Administration did not continue the position. When the Department
of Homeland Security was established with the Homeland Security Act of 2002, the
statute mandated a Privacy Officer for the department.18 Some other entities — such as
the Department of Health and Human Services, Department of Justice, and Internal
Revenue Service — have an administratively established Privacy Officer.
Representative Meek’s legislation, denominated the Strengthening Homeland
Innovation to Emphasize Liberty, Democracy, and Privacy Act, or the SHIELD Privacy
Act, seeks to create new arrangements to avoid proactively privacy problems or violations
arising from new and expanded efforts at combating terrorism. Its introduction occurred
coincidently in the aftermath of the March release of the report of the Technology and
Privacy Advisory Committee, a temporary study panel appointed by Secretary of Defense
Donald H. Rumsfeld in February 2003, following considerable public controversy
concerning Department of Defense sponsorship of the development of data mining
technology thought by some to be threatening to personal privacy values.19 The panel’s
report was apparently of broader scope than some anticipated and, according to one press
view, “offers sweeping recommendations for privacy safeguards throughout the
government.”20
The proposed SHIELD Privacy Act does not create new privacy leadership positions,
but requires that a senior official at OMB and within the principal departments and the
independent agencies be designated to assume certain responsibilities, specified in the
legislation, regarding personal privacy policy. The 10-member study commission
established by the legislation would be chaired by a presidential appointee (other members
would be appointed by majority and minority leaders of the House and Senate), function
for two years, possess subpoena authority, and issue a final report (and might issue
interim reports). The measure authorizes $4,750,000 for the commission to carry out its
work. The bill was referred to the House Committee on Government Reform.
18 116 Stat. 2135 at 2155.
19 See U.S. Department of Defense, Technology and Privacy Advisory Committee, Safeguarding
Privacy in the Fight Against Terrorism (Washington: March 2004).
20 Robert Pear, “Panel Urges New Protection on Federal ‘Data Mining’,” New York Times, May
17, 2004, p. A12.

---