U.S. Needs Privacy Officials at Multiple Levels, ACLU Says
The U.S. is out of line with nearly every “high-income” democracy when it comes to privacy regulation and the resources dedicated to protecting privacy, the American Civil Liberties Union (ACLU) said in a report Tuesday recommending the creation of several privacy offices and organizations in the federal government. Not only has the private sector been “extremely aggressive” in collecting data about consumers, but that information in turn is shared in a “dizzying breadth of areas” with federal agencies, the report said. The ACLU recommended a bifurcated approach, with a strengthened Privacy and Civil Liberties Oversight Board -- originally a White House body with no subpoena power that suffered from alleged political tampering (WID July 25/07 p4) -- and a revamped FTC to act as a “privacy watchdog” over businesses.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
A stronger privacy regime is especially important to oversee the “city-sized” security and intelligence agencies that increasingly watch over the nation’s telecommunications and practice data-mining on vast populations, the report said. “A few members of Congress and their staff” get classified updates but feel circumscribed in their ability to act on that knowledge, while inspectors general answer to the heads of agencies they oversee, leaving it to “the rare individual whistleblower willing to risk his or her career to bring abuses to light.” One of the most notable recently was AT&T technician Mark Klein, who discovered the telco had covertly given the National Security Agency access to phone and Internet traffic at a San Francisco facility.
Only Japan and South Korea join the U.S. as major countries lacking a privacy commissioner, the report said. Officials in several countries can proactively look for violations, subpoena information and require action, including inspecting the files of agencies and initiating legal proceedings. The European Union statutorily requires commissioners to be “completely independent” as well. As a signatory to the International Covenant on Civil and Political Rights, the U.S. already has pledged to protect human rights, which include privacy rights, the ACLU said.
While the courts can be used to address privacy violations, “many technologies today are so novel, and the pace of development so rapid, that our legal system simply has not kept up” with invasive government activities, the report said. The Privacy Act is “riddled with loopholes” that have allowed agencies to avoid “basic privacy policies,” and other laws make up a “patchwork of inconsistent, often tangled and complicated” rules, in which mundane information such as video-rental records have greater protection than health data.
An independent federal regulatory commission along the lines of the FCC and FTC is the best option for a new office, given that the U.S. doesn’t operate under a parliamentary system and its judiciary doesn’t investigate cases of its own volition, the report said: The White House civil-liberties board, which Congress recast as an independent agency in 2007 but whose seats remain unfilled due to partisan bickering between then-President George W. Bush and the Democratic Congress, should be the vehicle. But it needs a bigger budget to do effective work -- only $7 million was authorized for FY 2009 -- and subpoena power not subject to the Justice Department’s veto, the ACLU said.
The board’s scope needs to be expanded to cover the whole government, not just terrorism-related activities affecting privacy, the report said: “Congress has left large openings for mischief and the possibility that as times change it will render the Board largely irrelevant.” The board should have the power to challenge agencies’ classification powers and to act decisively “when confronted with a flagrant violation of the law” -- the Italian privacy authority, for example, stopped the government from posting tax-return information on the Internet. To prevent complaints from the public from consuming the board’s time, as has happened in other countries, Congress should create a separate division with its own budget within the board to handle complaints, the report said.
A statutorily mandated Office of Management and Budget privacy counselor with explicit authority over both public and private sectors should supplement a strengthened board, the report said. Congress also should mandate the creation of chief privacy officer slots across the government, expanding on the eight officials currently required by law in agencies including the Department of Homeland Security, and give them subpoena power and fixed terms to burnish their independence. Finally, the FTC should be given broad new powers to protect privacy outside of trade practices, the report said -- currently it can only punish companies for not living up to their privacy promises. Through existing authority under CAN-SPAM and other laws, the commission has privacy expertise, and it should be given authority to enforce “fair information practices” as do counterparts around the world. The FTC should coordinate with the privacy board for “overlapping” issues, and give Congress joint recommendations, the report said, since the government “increasingly leverages and commandeers” the tracking and collection of data by businesses.