Order Code RS21851 Updated August 23, 2007 Privacy Protection: Mandating New Arrangements to Implement and Assess Federal Privacy Policy and Practice Harold C. Relyea Specialist in American National Government Government and Finance Division Summary When Congress enacted the Privacy Act of 1974, it established a temporary national study commission to conduct a comprehensive assessment of privacy policy and practice. While the panel subsequently produced a landmark July 1977 report, its recommendations were not legislatively implemented. Nonetheless, interest in creating new arrangements for better implementing and assessing federal privacy policies and practices continued, as the recent establishment of a Privacy and Civil Liberties Oversight Board and assignment of privacy officer responsibilities in certain departments and agencies attest. This report tracks active legislative efforts (H.R. 1; S. 4; S. 332) to further privacy policy in the 110th Congress, and will be updated as events warrant. An expectation of personal privacy — not being intruded upon — seemingly has long prevailed among American citizens. By one assessment, American society, prior to the Civil War, “had a thorough and effective set of rules with which to protect individual and group privacy from the means of compulsory disclosure and physical surveillance known in that era.”1 Toward the end of the 19th century, new technology — the telephone, the microphone and dictograph recorder, and improved cameras — presented major new challenges to privacy protection. During the closing decades of the 20th century, extensions of these and other new technology developments — the computer, genetic profiling, and digital surveillance — further heightened anxieties about the loss of personal privacy. In response, Congress has legislated various privacy protections and, on two occasions, mandated national study commissions to assist in this effort. 1 Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1970), pp. 337-338. CRS-2 Privacy Protection Study Commission While the Privacy Act of 1974 directly addressed several aspects of personal privacy protection, the statute also mandated the Privacy Protection Study Commission, a temporary, seven-member panel tasked to “make a study of the data banks, automated data processing programs, and information systems of governmental, regional, and private organizations, in order to determine the standards and procedures in force for the protection of personal information.”2 The commission was to “recommend to the President and the Congress the extent, if any, to which the requirements and principles of [the Privacy Act] should be applied to the information practices of [such] organizations by legislation, administrative action, or voluntary adoption of such requirements and principles, and report on such other legislative recommendations as it may determine to be necessary to protect the privacy of individuals while meeting the legitimate needs of government and society for information.”3 The commission began operations in early June 1975 under the leadership of chairman David F. Linowes. The final report of the panel, published in July 1977, offered 162 recommendations.4 In general, the commission urged the establishment of a permanent, independent entity within the federal government to monitor, investigate, evaluate, advise, and offer personal privacy policy recommendations; better regulation of the use of mailing lists for commercial purposes; adherence to principles of fair information practice by employers; limited government access to personal records held by private sector recordkeepers through adherence to recognized legal processes; and improved privacy protection for educational records. The panel also recommended the adoption of legislation to apply principles of fair information practice, such as those found in the Privacy Act, to personal information collected and managed by the consumer credit, banking, insurance, and medical care sectors of the U.S. economy. Some 200 bills incorporating recommendations from the commission’s report were introduced during the 96th Congress, but major legislation applying fair information practice principles to personal information collected and managed by the insurance and medical care industries failed to be enacted, and the opposition was sufficient to discourage a return to such legislative efforts for several years. Federal Paperwork Commission In 1974, Congress also established a temporary, 14-member Commission on Federal Paperwork, giving it a broad mandate to consider a variety of aspects of the collection, processing, dissemination, and management of federal information, including “the ways in which policies and practices relating to the maintenance of confidentiality of information impact upon Federal information activities.”5 The panel was cochaired by Representative Frank Horton and Senator Thomas J. McIntyre; conducted its work largely 2 88 Stat. 1906. 3 Ibid. 4 U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington: GPO, 1977). 5 88 Stat. 1789. CRS-3 in parallel with the Privacy Protection Study Commission; and produced 36 topical reports, as well as a final summary report of October 3, 1977.6 One of these reports, issued on July 29, 1977, was devoted to confidentiality and privacy, and offered 12 recommendations.7 A House subcommittee devoted a hearing to the report, but no immediate action was taken on its recommendations.8 Subsequently, however, a recommended new organization to centralize and coordinate existing information management functions within the executive branch was realized in the Paperwork Reduction Act (PRA) of 1980.9 Located within the Office of Management and Budget (OMB), the Office of Information and Regulatory Affairs (OIRA) was to assist the OMB director with the government-wide information coordination and guidance functions assigned to him by the PRA. Indicating that one of the purposes of the PRA was “to ensure that the collection, maintenance, use and dissemination of information by the Federal Government is consistent with applicable laws relating to confidentiality, including ... the Privacy Act,”10 the statute assigned the OMB director several privacy functions: “(1) developing and implementing policies, principles, standards, and guidelines on information disclosure and confidentiality, and on safeguarding the security of information collected or maintained by or on behalf of agencies; (2) providing agencies with advice and guidance about information security, restriction, exchange, and disclosure; and (3) monitoring compliance with [the Privacy Act] and related information management laws.”11 These duties would be expanded, and privacy responsibilities would be specified for the federal agencies, in a 1995 recodification of the act.12 Earlier, in 1988, amendments governing computer matches of personal information by government agencies were enacted.13 Recent New Privacy Arrangements Among the efforts of the 108th Congress to strengthen privacy protection was the establishment of the Privacy and Civil Liberties Oversight Board (PCLOB) with the Intelligence Reform and Terrorism Prevention Act of 2004, implementing many of the 6 U.S. Commission on Federal Paperwork, Final Summary Report: A Report of the Commission on Federal Paperwork (Washington: GPO, 1977). 7 U.S. Commission on Federal Paperwork, Confidentiality and Privacy: A Report of the Commission on Federal Paperwork (Washington: GPO, 1977), pp. 139-175. 8 U.S. Congress, House Committee on Government Operations, Privacy and Confidentiality Report and Final Recommendations of the Commission on Federal Paperwork, hearing, 95th Cong., 1st sess., October 17, 1977 (Washington: GPO, 1978). 9 94 Stat. 2812; 44 U.S.C. 3501 et seq. 10 94 Stat. 2813. 11 94 Stat. 2816. 12 109 Stat. 163; 44 U.S.C. 3501 et seq. 13 102 Stat. 2507. CRS-4 recommendations of the 9/11 Commission.14 Initially located within the Executive Office of the President, the board consisted of a chair, vice chair, and three additional members, all appointed by, and serving at the pleasure of, the President. Nominees for the chair and vice chair positions were subject to Senate approval. While the board did not have subpoena power, it could request the assistance of the Attorney General in obtaining desired information from persons other than federal agencies; it also had broad access to information from federal agencies. On June 10, 2005, the President indicated he intended to nominate Carol Dinkins to be the PCLOB chair, Alan Charles Paul to be the PCLOB vice chair, and Lanny J. Davis, Theodore B. Olsen, and Francis X. Taylor to be members of the panel. Dinkins and Rauls were confirmed by the Senate on February 17, 2006. The PCLOB was appropriated $1.5 million for FY2006.15 Its appropriation for FY2007 was not finalized before the adjournment of the 109th Congress. The board held its initial meeting on March 14, 2006. Section 1062 of the intelligence reform statute expressed “the sense of Congress that each executive department or agency with law enforcement or antiterrorism functions should designate a privacy and civil liberties officer.” The obligation of the relevant departments and agencies in this regard, however, was less than mandatory. Other arrangements, however, were subsequently realized (see below). Section 1011 established a Civil Liberties Protection Officer within the office of the newly created Director of National Intelligence (DNI). This official has various responsibilities for civil liberties and privacy protection within the intelligence community. On December 7, 2005, the DNI announced the appointment of Alexander W. Joel as the Civil Liberties Protection Officer.16 Section 1016 required the President to consult with the PCLOB when issuing guidelines protecting privacy and civil liberties in the development and utilization of an “information sharing environment” (ISE) for the sharing of information about terrorism “in a manner consistent with national security and with applicable legal standards relating to privacy and civil liberties.” The role of the board and sensitivity to protecting privacy and civil liberties in the development of the ISE were reflected in the ISE implementation plan released on November 16, 2006.17 Elsewhere, when reporting the Transportation, Treasury and General Government Appropriations Bill, 2005, the Senate Committee on Appropriations indicated that Section 520 of the legislation (S. 2806) “directs each agency to acquire a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy.” Section 520 appeared in Title V of the legislation. “Those general provisions that address activities or directives affecting all of the agencies covered in this bill,” the committee report explained, “are contained in title V.” Thus, the provision seemingly applied only to 14 118 Stat. 3638. 15 119 Stat. 2396. 16 U.S. Office of the Director of National Intelligence, ODNI Announces Senior Leadership Positions, ODNI News Release No. 7-05 (Washington: December 7, 2005). 17 U.S. Office of the Director of National Intelligence, Information Sharing Environment Implementation Plan (Washington: November 16, 2006), pp. 21-22, 39, 82-92. CRS-5 agencies directly funded by the legislation. “General provisions that are governmentwide in scope,” noted the report, “are contained in title VI of this bill.”18 Transportation, Treasury, and General Government appropriations were among those which were included in the Consolidated Appropriations Act, 2005 (H.R. 4818).19 Within Division H, Section 522 stated: “Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy,” and specified nine particular activities to be undertaken by such officers. The section prescribed privacy and data protection policies and procedures to be established, reviews to be undertaken, and related reports to be made. Located in Title V of the division, the requirements of the section appeared to be applicable only to agencies directly funded by the division. Furthermore, it did not appear that the section created new positions, but instead prescribed privacy officer responsibilities to be assigned to an appropriate individual in an existing position.20 The President, however, declined to implement the section.21 A February 11, 2005, memorandum to the heads of the executive departments and agencies from OMB Deputy Director for Management Clay Johnson III asked recipients “to identify to OMB the senior official who has the overall agency-wide responsibility for information privacy issues.” Expressing the administration’s commitment “to protecting the information privacy rights of Americans and to ensuring Departments and agencies continue to have effective information privacy management programs in place to carry out this important responsibility,” it noted that a Chief Information Officer or “another senior official (at the Assistant Secretary or equivalent level) with agency-wide responsibility for information privacy issues” could be named.22 At about the same time, some House members developed legislation that would, if enacted, reconstitute the PCLOB as an independent agency within the executive branch, make all appointments to the board’s membership subject to Senate confirmation, and limit the board’s partisan composition to not more than three being from the same political party. Introduced on March 15, 2005, by Representative Carolyn B. Maloney for herself and 23 bipartisan cosponsors, the bill (H.R. 1310) was referred to the Government Reform, Homeland Security, Intelligence, and Judiciary committees, but no further action was taken.23 In early May, when recommending funds for the Department of Homeland Security (DHS) for FY2006, the House Committee on Appropriations “included a new general 18 U.S. Congress, Senate Committee on Appropriations, Transportation, Treasury and General Government Appropriations Bill, 2005, S.Rept. 108-342, report to accompany S. 2806, 108th Cong., 2nd sess. (Washington: GPO, 2004), pp. 200, 202. 19 P.L. 108-447; 118 Stat. 2809. 20 Congressional Record, daily edition, vol. 150, November 19, 2004, pp. H10358-H10359. 21 See Weekly Compilation of Presidential Documents, vol. 40, December 13, 2004, p. 2925. 22 U.S. Office of Management and Budget, “Designation of Senior Agency Officials for Privacy,” Memorandum for Heads of Executive Departments and Agencies from Clay Johnson III, Deputy Director for Management (Washington: February 11, 2005). 23 See Congressional Record, daily edition, vol. 151, March 16, 2005, p. E456. CRS-6 provision (Section 528) to ensure that the Privacy Officer has the independence necessary to report privacy abuses directly to Congress and has all documents and information necessary to carry out statutory responsibilities.” It was the committee’s view that the Privacy Officer “should provide Congress, and thus the public, an unfettered view into the operations of the Department and its impact on personal privacy.”24 The House approved the appropriations bill (H.R. 2360), with the reporting provision, on May 17, 2005. It was continued by the final version of the legislation, which the President signed into law on October 18, 2005.25 On July 27, 2005, the House Committee on the Judiciary marked up and ordered reported a Department of Justice authorization bill (H.R. 3402) directing the Attorney General to designate a senior official to assume primary responsibility for privacy policy in the department.26 The House approved the bill on September 28 on a 415-4 vote, and sent the measure to the Senate, which passed the bill, with amendments, by unanimous consent on December 16. The House agreed to the Senate-amended version of the legislation on December 17, and the President signed it into law on January 5, 2006. Section 1174 of the statute directs the Attorney General to “designate a senior official in the Department of Justice to assume primary responsibility for privacy policy,” and prescribes the responsibilities of the Privacy Officer.27 On February 21, 2006, Jane Horvath was appointed the Chief Privacy and Civil Liberties Officer of the department pursuant to this authority. Early in the 110th Congress, legislation (H.R. 1; S. 4) was introduced to implement unfinished recommendations of the 9/11 Commission. The House approved its bill on January 9, 2007, on a 299-128 vote. The Senate counterpart bill was referred to the Committee on Homeland Security and Governmental Affairs, which reported it on February 22. After considerable debate and amendment, the legislation was approved by the Senate on a 60-38 vote on March 13. Conferees on the legislation filed their report on July 25. The Senate adopted the report the following day on a 85-8 vote; the House concurred on July 27 on a 371-40 vote. The legislation, signed into law on August 3, reconstitutes the board as an independent agency with modified analysis, review, and advisory responsibilities; requires Senate confirmation of all members of the PCLOB; sets qualifications and terms for nominees to be board members; authorizes the Attorney General to exercise subpoena power on behalf of the board; requires the designation of Privacy and Civil Liberties Officers; and enhances the authorities of the DHS Privacy Officer.28 24 U.S. Congress, House Committee on Appropriations, Department of Homeland Security Appropriations Bill, 2006, report to accompany H.R. 2360 , 109th Cong., 1st sess., H.Rept. 10979 (Washington: GPO, 2005), p. 7. 25 P.L. 109-90; 119 Stat. 2064. 26 U.S. Congress, House Committee on the Judiciary, Department of Justice Appropriations Authorization Act, Fiscal Years 2006 Through 2009, report to accompany H.R. 3402, 109th Cong., 1st sess., H.Rept. 109-233 (Washington: GPO, 2005), pp. 105-106. 27 28 119 Stat. 3124. P.L. 110-53; 121 Stat. 266.