Order Code RS21851
Updated December 7, 2005
CRS Report for Congress
Received through the CRS Web
Privacy Protection: Mandating New
Arrangements to Implement and Assess
Federal Privacy Policy and Practice
Harold C. Relyea
Specialist in American National Government
Government and Finance Division
Summary
When Congress enacted the Privacy Act of 1974, it established a temporary
national study commission to conduct a comprehensive assessment of privacy policy and
practice. While the panel subsequently produced a landmark July 1977 report, its
recommendations were not legislatively implemented. Nonetheless, interest in creating
new arrangements for better implementing and assessing federal privacy policies and
practices continued, as the recent establishment of a Privacy and Civil Liberties
Oversight Board and assignment of privacy officer responsibilities in certain
departments and agencies attests. This report tracks active legislative efforts (H.R.
1271, H.R. 1310, H.R. 2360, H.R. 3041, H.R. 3058, H.R. 3402) to further privacy policy
in the 109th Congress, and will be updated as events warrant.
An expectation of personal privacy — not being intruded upon — seemingly has
long prevailed among American citizens. By one assessment, American society, prior to
the Civil War, “had a thorough and effective set of rules with which to protect individual
and group privacy from the means of compulsory disclosure and physical surveillance
known in that era.”1 Toward the end of the 19th century, new technology — the telephone,
the microphone and dictograph recorder, and improved cameras — presented major new
challenges to privacy protection. During the closing decades of the 20th century,
extensions of these and other new technology developments — the computer, genetic
profiling, and digital surveillance — further heightened anxieties about the loss of
personal privacy. In response, Congress has legislated various privacy protections and,
on two occasions, mandated national study commissions to assist in this effort.
1 Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1970), pp. 337-338.
Congressional Research Service ˜ The Library of Congress
CRS-2
Privacy Protection Study Commission
While the Privacy Act of 1974 directly addressed several aspects of personal privacy
protection, the statute also mandated the Privacy Protection Study Commission, a
temporary, seven-member panel tasked to “make a study of the data banks, automated
data processing programs, and information systems of governmental, regional, and private
organizations, in order to determine the standards and procedures in force for the
protection of personal information.”2 The commission was to “recommend to the
President and the Congress the extent, if any, to which the requirements and principles
of [the Privacy Act] should be applied to the information practices of [such] organizations
by legislation, administrative action, or voluntary adoption of such requirements and
principles, and report on such other legislative recommendations as it may determine to
be necessary to protect the privacy of individuals while meeting the legitimate needs of
government and society for information.”3
The commission began operations in early June 1975 under the leadership of
chairman David F. Linowes. The final report of the panel, published in July 1977, offered
162 recommendations.4 In general, the commission urged the establishment of a
permanent, independent entity within the federal government to monitor, investigate,
evaluate, advise, and offer personal privacy policy recommendations; better regulation of
the use of mailing lists for commercial purposes; adherence to principles of fair
information practice by employers; limited government access to personal records held
by private sector recordkeepers through adherence to recognized legal processes; and
improved privacy protection for educational records. The panel also recommended the
adoption of legislation to apply principles of fair information practice, such as those found
in the Privacy Act, to personal information collected and managed by the consumer credit,
banking, insurance, and medical care sectors of the U.S. economy.
Some 200 bills incorporating recommendations from the commission’s report were
introduced during the 96th Congress, but major legislation applying fair information
practice principles to personal information collected and managed by the insurance and
medical care industries failed to be enacted, and the opposition was sufficient to
discourage a return to such legislative efforts for several years.
Federal Paperwork Commission
In 1974, Congress also established a temporary, 14-member Commission on Federal
Paperwork, giving it a broad mandate to consider a variety of aspects of the collection,
processing, dissemination, and management of federal information, including “the ways
in which policies and practices relating to the maintenance of confidentiality of
2 88 Stat. 1906.
3 Ibid.
4 U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society
(Washington: GPO, 1977).
CRS-3
information impact upon Federal information activities.”5 The panel was cochaired by
Representative Frank Horton and Senator Thomas J. McIntyre; conducted its work largely
in parallel with the Privacy Protection Study Commission; and produced 36 topical
reports, as well as a final summary report of October 3, 1977.6 One of these reports,
issued July 29, 1977, was devoted to confidentiality and privacy, and offered 12
recommendations.7 A House subcommittee devoted a hearing to the report, but no
immediate action was taken on its recommendations.8
Subsequently, however, a recommended new organization to centralize and
coordinate existing information management functions within the executive branch was
realized in the Paperwork Reduction Act (PRA) of 1980.9 Located within the Office of
Management and Budget (OMB), the Office of Information and Regulatory Affairs
(OIRA) was to assist the OMB director with the government-wide information
coordination and guidance functions assigned to him by the PRA.
Indicating that one of the purposes of the PRA was “to ensure that the collection,
maintenance, use and dissemination of information by the Federal Government is
consistent with applicable laws relating to confidentiality, including ... the Privacy Act,”10
the statute assigned the OMB director several privacy functions: “(1) developing and
implementing policies, principles, standards, and guidelines on information disclosure and
confidentiality, and on safeguarding the security of information collected or maintained
by or on behalf of agencies; (2) providing agencies with advice and guidance about
information security, restriction, exchange, and disclosure; and (3) monitoring compliance
with [the Privacy Act] and related information management laws.”11 These duties would
be expanded, and privacy responsibilities would be specified for the federal agencies, in
a 1995 recodification of the act.12 Earlier, in 1988, amendments governing computer
matches of personal information by government agencies were enacted.13
Pursuing New Privacy Arrangements
Among the successful efforts of the 108th Congress to strengthen privacy protection
was the establishment of the Privacy and Civil Liberties Oversight Board (PCLOB) by
5 88 Stat. 1789.
6 U.S. Commission on Federal Paperwork, Final Summary Report: A Report of the Commission
on Federal Paperwork (Washington: GPO, 1977).
7 U.S. Commission on Federal Paperwork, Confidentiality and Privacy: A Report of the
Commission on Federal Paperwork (Washington: GPO, 1977), pp. 139-175.
8 U.S. Congress, House Committee on Government Operations, Privacy and Confidentiality
Report and Final Recommendations of the Commission on Federal Paperwork, hearing, 95th
Cong., 1st sess., Oct. 17, 1977 (Washington: GPO, 1978).
9 94 Stat. 2812; 44 U.S.C. 3501 et seq.
10 94 Stat. 2813.
11 94 Stat. 2816.
12 109 Stat. 163; 44 U.S.C. 3501 et seq.
13 102 Stat. 2507.
CRS-4
Section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004,
implementing many of the recommendations of the 9/11 Commission.14 Located within
the Executive Office of the President, the board consists of a chair, vice chair, and three
additional members, all appointed by, and serving at the pleasure of, the President.
Nominees for the chair and vice chair positions are subject to Senate approval. While the
board does not have subpoena power, it may request the assistance of the Attorney
General in obtaining desired information from persons other than federal departments and
agencies.
Section 1062 of the statute expressed “the sense of Congress that each executive
department or agency with law enforcement or antiterrorism functions should designate
a privacy and civil liberties officer.” The obligation of the relevant departments and
agencies in this regard, however, is less than mandatory.
Section 1011 amended the National Security Act of 1947 with language at Section
103D, which established a Civil Liberties Protection Officer within the office of the newly
created Director of National Intelligence. This official has various responsibilities for
civil liberties and privacy protection within the intelligence community.
Elsewhere, when reporting the Transportation, Treasury and General Government
Appropriations Bill, 2005, the Senate Committee on Appropriations indicated that Section
520 of the legislation (S. 2806) “directs each agency to acquire a Chief Privacy Officer
to assume primary responsibility for privacy and data protection policy.” Section 520
appeared in Title V of the legislation. “Those general provisions that address activities
or directives affecting all of the agencies covered in this bill,” the committee report
explained, “are contained in title V.” Thus, the provision applied only to agencies directly
funded by the legislation. “General provisions that are governmentwide in scope,” noted
the report, “are contained in title VI of this bill.”15
Transportation, Treasury and General Government appropriations were among those
which came to be included in the Consolidated Appropriations Act, 2005 (H.R. 4818),
and constituted Division H of that legislation.16 Within that division, Section 522 stated:
“Each agency shall have a Chief Privacy Officer to assume primary responsibility for
privacy and data protection policy,” and specified nine particular activities to be
undertaken by such officers. The section further prescribed privacy and data protection
policies and procedures to be established, reviews to be undertaken, and related reports
to be made. Located in Title V of the division, the requirements of the section appeared
to be applicable only to agencies directly funded by the division. Furthermore, it did not
appear that the section created new positions, but instead prescribed privacy officer
responsibilities to be assigned to an appropriate individual in an existing position.17
14 P.L. 108-458; 118 Stat. 3638.
15 U.S. Congress, Senate Committee on Appropriations, Transportation, Treasury and General
Government Appropriations Bill, 2005, S.Rept. 108-342, report to accompany S. 2806, 108th
Cong., 2nd sess. (Washington: GPO, 2004), pp. 200, 202.
16 P.L. 108-447; 118 Stat. 2809.
17 Congressional Record, daily edition, vol. 150, Nov. 19, 2004, pp. H10358-H10359.
CRS-5
No nominations to membership positions on the PCLOB were made in the early
weeks of the 109th Congress, and the President’s initial FY2006 budget documents
contained no request for funds for the panel, although a later justification document
requested $750,000.18
In a January 2005 interview with Federal Computer Week staff covering a range of
issues, Representative Tom Davis, chairman of the House Committee on Government
Reform, took issue with the Consolidated Appropriations Act’s Section 522 requirement
concerning privacy officers. He expressed concern that these privacy officers might
undercut the authority of chief information officers. “Let’s not make it so confusing that
the CIO’s basically lose control of computer security and privacy becomes the overriding
concern,” he said in the interview. Indicating he would seek to eliminate Section 522, he
also suggested he was not opposed to the concept, saying: “These privacy officers have
got to be put into perspective.”19 Representative Davis subsequently introduced H.R.
1271, repealing the privacy section, on March 14; the bill was referred to the Committee
on Government Reform.
A February 11, 2005, memorandum to the heads of the executive departments and
agencies from Clay Johnson III, Deputy Director for Management, Office of Management
and Budget (OMB), appeared to sweep beyond the Section 522 requirement, and asked
recipients, within the next 30 days, “to identify to OMB the senior official who has the
overall agency-wide responsibility for information privacy issues.” Expressing the
administration’s commitment “to protecting the information privacy rights of Americans
and to ensuring Departments and agencies continue to have effective information privacy
management programs in place to carry out this important responsibility,” it noted that a
Chief Information Officer or “another senior official (at the Assistant Secretary or
equivalent level) with agency-wide responsibility for information privacy issues” could
be named.20
At about the same time, efforts were underway among some House members to
develop legislation that would, if enacted, reconstitute the PCLOB as an independent
agency within the executive branch, make all appointments to the board’s membership
subject to Senate confirmation, and limit the board’s partisan composition to not more
than three being from the same political party. Such legislation was introduced on March
15 by Representative Carolyn B. Maloney for herself and 23 bipartisan cosponsors as
H.R. 1310, which was referred to the Government Reform, Homeland Security,
Intelligence, and Judiciary committees.21
In early May, when recommending funds for the Department of Homeland Security
(DHS) for FY2006, the House Committee on Appropriations “included a new general
18 U.S. Office of Management and Budget, Executive Office of the President: Fiscal Year 2006
Congressional Budget Submission (Washington: n.d.), p. 111.
19 FCW staff, “The Davis Plan,” Federal Computer Week, vol. 19, Jan. 24, 2005, pp. 16, 18.
20 U.S. Office of Management and Budget, “Designation of Senior Agency Officials for Privacy,”
Memorandum for Heads of Executive Departments and Agencies from Clay Johnson III, Deputy
Director for Management (Washington: Feb. 11, 2005).
21 See Congressional Record, daily edition, vol. 151, Mar. 16, 2005, p. E456.
CRS-6
provision (Section 528) to ensure that the Privacy Officer has the independence necessary
to report privacy abuses directly to Congress and has all documents and information
necessary to carry out statutory responsibilities.” It was the committee’s view that the
Privacy Officer “should provide Congress, and thus the public, an unfettered view into
the operations of the Department and its impact on personal privacy.”22 The House
approved the appropriations bill (H.R. 2360), with the reporting provision, on May 17,
2005. It was continued by the final version of the legislation, which the President signed
into law on October 18, 2005.23
Also, in mid-May, a bipartisan group of Senators queried the White House
concerning a timetable and details on how the membership and staff of the PCLOB would
be put in place. Mandated by the Intelligence Reform and Terrorism Prevention Act of
2004, the board’s membership still awaited appointment by the President.24 On June 10,
the White House announced that President Bush would nominate Carol Dinkins to be
chair and Alan Charles Raul to be vice chair of the board, both subject to Senate approval.
The President also would name Lanny Davis, Theodore Olsen, and Francis Taylor to serve
as members of the board.
During June 29-30 House consideration of the Transportation, Treasury
appropriation bill (H.R. 3058), amendments increased funding for the Privacy and Civil
Liberties Oversight Board from $750,000 to $1.5 million, and otherwise prohibited the
use of funds by any department or agency in contravention of the of the Privacy Act or
Title 48 (Federal Acquisition Regulations System) of the Code of Federal Regulations.
Both provisions remained in the bill as approved by the House. In late July, Senate
appropriators recommended $1.5 million for the board.25 This amount was allocated in
the final version of the legislation, which the President signed into law on November 30,
2005.26
On July 27, the House Committee on the Judiciary marked up and ordered reported
a Department of Justice authorization bill (H.R. 3402) directing the Attorney General to
designate a senior official to assume primary responsibility for privacy policy in the
department (Section 305).27 The House approved the bill on September 28, 2005, on a
415-4 vote, and sent the measure to the Senate.
22 U.S. Congress, House Committee on Appropriations, Department of Homeland Security
Appropriations Bill, 2006, report to accompany H.R. 2360 , 109th Cong., 1st sess., H.Rept. 109-
79 (Washington: GPO, 2005), p. 7.
23 P.L. 109-90; 119 Stat. 2064.
24 Eric Lichtblau, “Senators Say Bush Lags on Creating Terror Panel,” New York Times, May 15,
2005, p. 25.
25 U.S. Congress, Senate Committee on Appropriations, Transportation, Treasury, the Judiciary,
Housing and Urban Development, and Related Agencies Appropriations Bill, 2006, report to
accompany H.R. 3058, 109th Cong., 1st sess., S.Rept. 109-109 (Washington: GPO, 2005), p. 201
(preprint).
26 P.L. 109-115; 119 Stat. 2396.
27 U.S. Congress, House Committee on the Judiciary, Department of Justice Appropriations
Authorization Act, Fiscal Years 2006 Through 2009, report to accompany H.R. 3402, 109th
Cong., 1st sess., H.Rept. 109-233 (Washington: GPO, 2005), pp. 105-106.
crsphpgw