Chairman Barr, Mr. Watt, and Members of the Subcommittee,
It is a great pleasure to appear before you to discuss H.R. 4561, the "Federal Agency Protection of Privacy Act." I am Jim Harper, the Editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy. I am also an Adjunct Fellow at the Progress & Freedom Foundation and the Founder and Principal of Information Age lobbying and consulting firm PolicyCounsel.Com.
Privacy is one of the most complex and difficult public policy issues confronting Congress and legislatures across the country today. I am pleased to lend what knowledge I have to your consideration of this legislation.
Privacilla.org is a Web site that attempts to capture "privacy" as a public
policy issue. The pages of Privacilla cover the issue of privacy
from top to bottom. We deal with fundamental
privacy concepts, privacy
from government, and privacy in the private
sector, including financial,
medical, and online
privacy. Anyone may submit ideas, information, and links for
potential inclusion on the site. The site represents the thinking
of many people and I would refer you to the Privacilla "Support"
page to get an idea of the groups we work with. Please
visit Privacilla at http://www.privacilla.org
and use it as a resource whenever your work brings you to
Chairman Barr, I salute you for introducing H.R. 4561 with broadly bipartisan support, and for holding these hearings today. Mr. Watt, and other Members of the Subcommittee, congratulations to you for joining in introducing this important bill.
Privacy is a complex and widely misunderstood public policy issue. This legislation can help protect Americans' privacy by giving the American people, the press, and Congress information they need about how federal regulation affects privacy. This legislation presents an opportunity to refine the terms of the many different "privacy" debates, so that Congress, the press, and the public can find solutions to a number of important problems.
Though they are motivated only by beneficent purposes, many government programs deprive Americans of control over personal information and their privacy. The Federal Agency Protection of Privacy Act can help restore to the people the power and autonomy that is one of the great benefits of living in the United States. There are several successful precedents in our nation's administrative laws for this proposal. Few, if any, changes are needed to perfect the legislation in terms of privacy. I urge you, though, to be aware of the many important elements of information policy beyond privacy that fall within the scope of the bill.
Defining Terms: What is Privacy?
The Judiciary Committee is the committee of American law and
legal institutions. There is no better place to define and
give structure to terms such as our focus today: privacy.
By digging deeply into privacy as a legal concept, you as
congressional leaders can dramatically improve the quality
of many public policy debates, and the outcomes Congress produces
for the American people.
Left undefined, the word "privacy" has become far too much of a stalking horse for all variety of ideological and special interest groups. Indeed, a coterie of activist organizations - including Privacilla - thrives because there is not an agreed to and limited definition for the word "privacy" in current debate. Moreover, the lack of definition has rendered Congress, state legislatures, the press, and the public less able to find solutions to the many problems and legitimate concerns that popularly fall under the heading of "privacy."
For example, identity
fraud is widely perceived as a "privacy" problem. But
it is better understood as a group of crimes that thrive on
the use of personal identification and financial information.
Because of this widespread misperception, the crimes that
constitute identity fraud go poorly enforced while Congress
considers banning many uses of Social
Security Numbers in the name of "privacy." Limiting SSN
use would likely stifle many
benefits that consumers and the economy enjoy without
effectively reducing this serious crime problem.
Similarly, unwanted commercial e-mail, or "spam,"
is an intrusion into electronic communications and a serious
annoyance that is often labeled as a "privacy" problem. Spam
exists in large part because e-mail marketers know little
or nothing about the interests of potential customers. It
is difficult to reconcile spam - e-mails broadcast to unknown
people nearly at random - with the heart of the privacy concept,
which is too much personal information being available too
At Privacilla, we have a working
definition of privacy that we believe should form the
basis of policy discussions on the topic: Privacy is a
subjective condition that individuals enjoy when two factors
are in place — legal ability to control information about
oneself, and exercise of that control consistent with one's
interests and values.
Privacy is a personal, subjective condition. It is a state of affairs individuals
enjoy based on sharing or retention of information about themselves
consistent with their own preferences. These preferences are
a product of such things as culture,
upbringing, and experience. Because privacy is subjective,
one person cannot decide for another what his or her sense
of privacy should be. You can not tell me, either by giving
your opinion or by passing a law, that my privacy is protected
when I think it is not.
The first factor above goes to the existence of choice — the legal power to control the release of information. A person who wishes to maintain privacy in the appearance of his or her body, for example, may put on clothes and be relatively certain that no one will remove that clothing without permission. Few laws require people to remove their clothing and, thanks to the concept of "battery" in state tort and criminal law, private actors may be punished for touching our clothing in any way that interferes with bodily privacy. Our choices to hide or reveal information about the appearance of our bodies are protected by law.
Likewise, a person who wants to prevent others from gaining knowledge of his
or her purchasing patterns may pay in cash and regularly change
the stores at which he or she shops. He or she may also arrange
by contract to have personal information maintained in
confidence. Various legal protections, such as the law of
contracts, give us autonomy and choice that we use to protect
The second factor is exercising that control of information consistent with our values. This is difficult in many commercial marketplaces. Many consumers are unaware of how the Information Economy works, and the fact that they are a part of it. Many industries are monolithic in their information practices. Arguably, they fail to fully inform consumers about what happens with personal information, and they offer consumers few alternatives. This is arguable, however. It may be that only a tiny, but vocal minority of consumers and activists actually wants to study commercial information practices and exercise choice among different options. If a significant number of consumers do, they are a market waiting to be served.
As policy-makers, we should not presuppose that a certain amount or type of privacy serves consumers' interests in the marketplace, and Privacilla's definition of privacy does not do this. Advocates who claim to know what consumers want in terms of privacy prove their ignorance by making the claim.
Consumers may rationally determine that they are safe
from harmful uses of information when dealing with certain
companies and leave it at that. The fact that hundreds or
even thousands of mundane facts about themselves are in the
hands of businesses may be a matter of indifference to reasonable
people. Aware, empowered, and responsible consumers can demand
of businesses what options they want in terms of information
sharing or withholding. They can also demand, if they prefer,
lower prices, customized service, combined offerings, and
Unless Congress and state legislators are going to guess at consumers' true preferences and impose them from the top down, only consumer education will deliver privacy on the terms consumers want it in the commercial world. Governments cannot protect privacy directly; they can only foster or destroy people's ability to protect their own privacy.
Governments Pose a Unique Threat to Privacy
While protecting privacy in the commercial world may be difficult,
protecting privacy from government is impossible. Dealings
with government are categorically
different from interactions in the private sector. When
citizens apply for licenses or permits, fill out forms for
regulators, or submit tax returns, they do not have the legal
power to control what information they share. They must submit
the information that the government requires. It is either
illegal to withhold information or withholding information
penalizes citizens of money or benefits to which they are
legally entitled. The notorious "Big Brother" in George Orwell's
1984 was a caution against the powers of governments. When
dealing with them, the first factor in privacy protection
- legal power to control personal information - is absent.
It would be a mammoth, but worthwhile, task to catalogue all the personal information that is demanded by all federal programs. Additional study should include the purposes for which information is collected, other purposes to which it is put, and whether such information is ever eliminated from government records when it has served its original or successor purposes. The Federal Agency Protection of Privacy Act may help us do that.
Some studies suggest the scope of personal data collection and warehousing done at the federal level. In September 2000 testimony to the House Government Reform Subcommittee on Information Management, Information, and Technology, Solveig Singleton, now of the Competitive Enterprise Institute, surveyed federal databases. Her non-exhaustive list included databases at the Commerce Department, the Department of Justice, the Department of Education, the Department of Energy, the Federal Bureau of Investigation, the Department of Health and Human Services, the Department of Housing and Urban Development, the Department of the Interior, the Department of Labor, the Social Security Administration, and the Department of the Treasury, which houses the Internal Revenue Service. Many of these databases include health and financial information.
In March 2001, a study issued by Privacilla.org
found that, during the 18-month period from September 1999
to February 2001, federal agencies announced 47 times that
they would exchange and merge personal information from databases
about American citizens. New information sharing programs
were instituted more than once every two weeks. We characterized
these programs as only the tip of an information-trading iceberg.
The Computer Matching and Privacy Protection Act, which causes
agencies to report these activities in the Federal Register,
applies only to a small subset of the federal agency programs
that use personal data about Americans. New uses of personal
information are made by federal agencies constantly. The
Privacy Act requires only a declaration in the Federal
Register of a new "routine use" before personal data is used
and shared in new ways.
In case it needs emphasis, the threats to privacy posed by government programs are not the result of malice or malfeasance of any kind. The political leaders who have instituted such programs, and the administrators who operate them, have the best intentions for serving the public. Similarly, the fact alone that any government program weakens American citizens' privacy should not be the sole reason to terminate or cut back the program. Rather, privacy should be an important factor that policy-makers consider whenever they are creating, implementing, or altering government programs. Studies like Privacy and the Digital State: Balancing Public Information and Personal Privacy by Progress & Freedom Foundation Senior Fellow Alan Charles Raul have made progress on that front. The Federal Agency Protection of Privacy Act would help make privacy part of the policy-making calculus in federal agencies and in the Congress.
The Administrative Process Should Inform the Public About Privacy Impacts
A prominent theory behind the Administrative Procedure Act's enactment in 1946 was the idea of "scientific government." This was the notion that a band of impartial public servants would discover the one true public interest underlying legislation, and regulate in its service.
Experience and modern scholarship reveal that the regulatory process, like the legislative process, does not locate some singular public interest. It responds to a cacophony of competing interests and values, among which are the interests of regulators and bureaucracies themselves. Administrative government does not improve on constitutional legislative processes so much as it improvises to accommodate the growth of the federal government in the latter half of the last century.
An increasingly prominent theory of the administrative process — though perhaps still a fallback from the idea that regulation would discern a "pure" public interest — is that it can open administrative lawmaking to public scrutiny, particularly along lines that are deemed important by Congress. Several amendments to the APA in the last twenty-five years are consistent with this approach.
The Regulatory Flexibility Act, passed in 1980, requires agencies to consider the special needs and concerns of small entities. Each time it publishes a proposed rule in the Federal Register, an agency must prepare and publish a Regulatory Flexibility Analysis describing the impact of the proposed rule on small businesses, organizations, government jurisdictions, and the like. The Initial Regulatory Flexibility Analysis is subject to public comment, and a final regulation must be accompanied by a final Regulatory Flexibility Analysis. The Reg-Flex Act apparently provides the model for the Federal Agency Protection of Privacy Act.
Along similar lines, Congress passed the Unfunded Mandates Reform Act in 1995. Among other things, UMRA requires federal agencies to inform and work with states and localities on major regulations. The Small Business Regulatory Enforcement Fairness Act, passed in 1996, requires agencies to work more closely with small business in formulating regulations. It also subjects the analysis requirements of the Regulatory Flexibility Act to judicial review.
These laws provide extensive precedent for the Federal Agency Protection of Privacy Act. The federal administrative process has been modified several times to accommodate the interests of various private- and public-sector institutions. Opening that process to the privacy interests of individual Americans is a matter of consensus among a broad cross-section of advocacy groups and congressional leaders, as we see from the wellspring of support for this legislation.
Some Important Details and Nuances to Consider
The Federal Agency Protection of Privacy Act is modeled on the Regulatory Flexibility Act, which has been used with success for more than 20 years to get greater information about the impacts proposed regulations will have on small entities. Simply, the Act would require agencies to issue the same type of analysis — an Initial Privacy Impact Analysis — along with a notice of proposed rulemaking. After considering the comments of the interested public, agencies would have to issue a Final Privacy Impact Analysis along with the finally promulgated regulation.
The success of the Regulatory Flexibility Act increased with the addition of the judicial review provisions to the Reg-Flex law in 1996, and it is pleasing to see that the Federal Agency Protection of Privacy Act also would make agency action subject to judicial review. Knowing that judicial review is available will make agencies naturally solicitous of congressional intent without requiring a great deal of litigation.
As with all legislation, there are some elements that could be improved. The casual reader may suspect that the Federal Agency Protection of Privacy Act would require agencies to assess how private sector implementation of regulatory mandates would affect privacy. This reading is probably a stretch and, judging by the public statements you and your colleagues have made, Chairman Barr, this is not your intent. Rather, it appears that your intent is for agencies to assess the consequences of their own information practices on privacy.
Language perfecting the bill could require agencies performing an Initial Privacy Impact Analysis to "describe the impact of the agency's uses of information under the proposed rule on the privacy of individuals." (proposed 5 U.S.C. § 553a(a)(1); suggested added language in bold). Likewise, agencies performing a Final Privacy Impact Analysis could be required to describe and assess "the extent to which the agency's uses of information under the final rule will impact the privacy interests of individuals . . . ." (proposed 5 U.S.C. § 553a(b)(2)(A); suggested added language in bold). These minor changes are one way to better express the intent of the legislation.
As you consider this legislation, you should be aware that it incorporates
many policies beyond privacy. Security,
for example, (made a part of Privacy Impact Analyses at 5
U.S.C. § 553a(a)(2)(A)(iv) and 5 U.S.C. § 553a(b)(2)(A)(iv))
is any number of practices and processes that respond to threats
against a company or government's ability to function. Only
one such function is carrying out privacy obligations. A business
or government that lacks proper security may well violate
its privacy commitments, but may allow much worse to happen
as well. The policy considerations that go into security of
data in the hands of governments is a separate and significant
issue beyond my expertise. There are benefits from requiring
agencies to declare that they provide for security of personal
information, as long as the agency is not so forthcoming as
to breach security in the process.
Providing access and an opportunity to correct personal information is an important consideration (made a part of Privacy Impact Analyses at proposed 5 U.S.C. § 553a(a)(2)(A)(ii) and 5 U.S.C. § 553a(b)(2)(A)(ii)). But access and the opportunity to correct information go to fair treatment much more than privacy. Consider that there is no reason to access or correct information that will never be used. It is only important that information be correct if it may be used adversely to the interests of the individual. Using incorrect information against a person is unfair, not unprivate.
Access is also generally inconsistent with security. Giving access only to appropriate parties presents difficult security challenges clustered around authentication of identity. An Advisory Committee on Access and Security, convened by the Federal Trade Commission in early 2000, concluded its work without reaching consensus because of the complex interaction between these two, essentially conflicting, interests. To illustrate this point: The privacy of information sealed in concrete and dropped to the bottom of the ocean is well protected, and it may remain private for eternity, but there is no opportunity to access it.
As with security, there is no harm in requiring federal agencies to inform the public of access and correction rights. Similar fairness protections are found in the Privacy Act of 1974, which obviously deals with more than privacy.
Using information for additional purposes (a part of Privacy Impact Analyses at proposed 5 U.S.C. § 553a(a)(2)(A)(ii) and 5 U.S.C. § 553a(b)(2)(A)(ii)) may affect privacy, depending on whether there is further disclosure of information. Information about a citizen's medical condition and address, for example, collected for making health care payments, may not be rendered less private if the same part of the same agency uses that information to research whether people with certain conditions reside in certain areas of the country. If a subsequent use of information involves sharing that information with a state agency or a different federal agency, however, then the subsequent use can be said to render the information less private than it was before.
More importantly, though, a Privacy Impact Analysis that claims there will be no further sharing of information may provide false assurance. This is because nothing prevents governments from changing the rules about their use of information after it is collected.
The National "New Hires" Database
is an excellent case in point. The Personal Responsibility
and Work Opportunity Reconciliation Act of 1996 required the
Secretary of Health and Human Services to develop a National
Directory of New Hires. This directory is a database of information
on all newly hired employees, quarterly wage reports, and
unemployment insurance claims in the United States.
The purpose of this new database was entirely laudable - helping states locate parents who have skipped out on their child support obligations. But, already, the data is being repurposed. The National Directory of New Hires has been expanded to track down defaulters on student loans. Additional expansions have been proposed that would give state unemployment insurance officials access to the database.
In the better view, privacy in information is lost when it is submitted to
government authorities. Unlike in the private sector, there
is no higher authority to which Americans can appeal when
personal information held by governments is put to new and
unanticipated uses. A Privacy Impact Analysis that claims
there are protections against use of information for changed
purpose may be accurate for weeks, months, or years. But this
is weak protection compared to contractual obligations formed
in the private sector. Privacy-protecting
contracts may be regarded as permanent because their breach
is contrary to legally enforceable obligations that neither
of the parties can unilaterally change.
This does not counsel against requiring Privacy Impact Analyses to discuss use limitations. Such analyses may make Americans more aware when commitments to restrict uses of information are changed by subsequent Congresses and Administrations. We will be better informed if the Federal Agency Protection of Privacy Act is passed with all its current provisions.
This discussion of the many nuances of the bill is intended to illustrate the enormous complexity of information policy, and to caution against unconsidered adoption of the so-called "Fair Information Practices." Often touted by pro-regulation privacy activists, they represent a vast array of different policies. Some are related to privacy; some are inconsistent with it. One does not have to agree with the baggage-laden concept of "Fair Information Practices" to support the Federal Agency Protection of Privacy Act.
The concept of "Fair Information Practices" appears to have originated in the
early 1970s from a committee convened within the Department
of Health and Human Services called "The Secretary's Advisory
Committee on Automated Personal Data Systems." The intellectual
content of its report, commonly known as the "HEW
Report," formed much of the basis of the Privacy Act of
1974 and its thinking is useful for controlling government
data collection and use.
The report treated the public and private sectors identically despite the vast differences in rights, powers, and incentives that exist in these different worlds. For this reason, it cannot be said that the HEW Report addressed all the complexities of the privacy issue. "Fair Information Practices" do not apply well to the commercial world. As an analysis of government information practices, however, the HEW Report was an important project and document. It also tells us that computers and privacy are not a new concern to Americans.
Again, Chairman Barr, Mr. Watt, and Members of the Subcommittee, congratulations on engaging an issue where you can truly improve the quality and character of life for all Americans. There is widespread consensus that people in the United States want to protect their privacy from government encroachments. The Federal Agency Protection of Privacy Act will inform the public about the privacy impacts of federal regulations, and empower them to make informed decisions about government programs. There are many nuances to consider and understand — privacy and information policy are very difficult areas — but the legislation you have proposed is an appropriate, measured, and important step in the pursuit of enhanced privacy protection for American citizens.
All content subject to the Privacilla