Privacy Protection: Mandating New Arrangements to Implement and Assess Federal Privacy Policy and Practice

Privacy Protection: Mandating New
Arrangements to Implement and Assess
Federal Privacy Policy and Practice
Harold C. Relyea
Specialist in American National Government
Government and Finance Division
Summary
When Congress enacted the Privacy Act of 1974, it established a temporary
national study commission to conduct a comprehensive assessment of privacy policy and
practice. While the panel subsequently produced a landmark July 1977 report, its
recommendations were not legislatively implemented. Nonetheless, interest in creating
new arrangements for better implementing and assessing federal privacy policies and
practices continued, as the recent establishment of a Privacy and Civil Liberties
Oversight Board and assignment of privacy officer responsibilities in certain
departments and agencies attest. This report tracks active legislative efforts (H.R. 1; S.^th
4; S. 332) to further privacy policy in the 110 Congress, and will be updated as events
warrant.
An expectation of personal privacy — not being intruded upon — seemingly has
long prevailed among American citizens. By one assessment, American society, prior to
the Civil War, “had a thorough and effective set of rules with which to protect individual
and group privacy from the means of compulsory disclosure and physical surveillance
known in that era.”¹ Toward the end of the 19^th century, new technology — the telephone,
the microphone and dictograph recorder, and improved cameras — presented major new
challenges to privacy protection. During the closing decades of the 20^th century,
extensions of these and other new technology developments — the computer, genetic
profiling, and digital surveillance — further heightened anxieties about the loss of
personal privacy. In response, Congress has legislated various privacy protections and,
on two occasions, mandated national study commissions to assist in this effort.

¹ Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1970), pp. 337-338.

Privacy Protection Study Commission
While the Privacy Act of 1974 directly addressed several aspects of personal privacy
protection, the statute also mandated the Privacy Protection Study Commission, a
temporary, seven-member panel tasked to “make a study of the data banks, automated
data processing programs, and information systems of governmental, regional, and private
organizations, in order to determine the standards and procedures in force for the
protection of personal information.”² The commission was to “recommend to the
President and the Congress the extent, if any, to which the requirements and principles
of [the Privacy Act] should be applied to the information practices of [such] organizations
by legislation, administrative action, or voluntary adoption of such requirements and
principles, and report on such other legislative recommendations as it may determine to
be necessary to protect the privacy of individuals while meeting the legitimate needs of
government and society for information.”³
The commission began operations in early June 1975 under the leadership of
chairman David F. Linowes. The final report of the panel, published in July 1977, offered
162 recommendations.⁴ In general, the commission urged the establishment of a
permanent, independent entity within the federal government to monitor, investigate,
evaluate, advise, and offer personal privacy policy recommendations; better regulation of
the use of mailing lists for commercial purposes; adherence to principles of fair
information practice by employers; limited government access to personal records held
by private sector recordkeepers through adherence to recognized legal processes; and
improved privacy protection for educational records. The panel also recommended the
adoption of legislation to apply principles of fair information practice, such as those found
in the Privacy Act, to personal information collected and managed by the consumer credit,
banking, insurance, and medical care sectors of the U.S. economy.
Some 200 bills incorporating recommendations from the commission’s report were
introduced during the 96^th Congress, but major legislation applying fair information
practice principles to personal information collected and managed by the insurance and
medical care industries failed to be enacted, and the opposition was sufficient to
discourage a return to such legislative efforts for several years.
Federal Paperwork Commission
In 1974, Congress also established a temporary, 14-member Commission on Federal
Paperwork, giving it a broad mandate to consider a variety of aspects of the collection,
processing, dissemination, and management of federal information, including “the ways
in which policies and practices relating to the maintenance of confidentiality of
information impact upon Federal information activities.”⁵ The panel was cochaired by
Representative Frank Horton and Senator Thomas J. McIntyre; conducted its work largely

² 88 Stat. 1906.
³ Ibid.
⁴ U.S. Privacy Protection Study Commission, Personal Privacy in an Information Society
(Washington: GPO, 1977).
⁵ 88 Stat. 1789.

in parallel with the Privacy Protection Study Commission; and produced 36 topical
reports, as well as a final summary report of October 3, 1977.⁶ One of these reports,
issued on July 29, 1977, was devoted to confidentiality and privacy, and offered 12
recommendations.⁷ A House subcommittee devoted a hearing to the report, but no
immediate action was taken on its recommendations.⁸
Subsequently, however, a recommended new organization to centralize and
coordinate existing information management functions within the executive branch was
realized in the Paperwork Reduction Act (PRA) of 1980.⁹ Located within the Office of
Management and Budget (OMB), the Office of Information and Regulatory Affairs
(OIRA) was to assist the OMB director with the government-wide information
coordination and guidance functions assigned to him by the PRA.
Indicating that one of the purposes of the PRA was “to ensure that the collection,
maintenance, use and dissemination of information by the Federal Government is
consistent with applicable laws relating to confidentiality, including ... the Privacy Act,”¹⁰
the statute assigned the OMB director several privacy functions: “(1) developing and
implementing policies, principles, standards, and guidelines on information disclosure and
confidentiality, and on safeguarding the security of information collected or maintained
by or on behalf of agencies; (2) providing agencies with advice and guidance about
information security, restriction, exchange, and disclosure; and (3) monitoring compliance
with [the Privacy Act] and related information management laws.”¹¹ These duties would
be expanded, and privacy responsibilities would be specified for the federal agencies, in
a 1995 recodification of the act.¹² Earlier, in 1988, amendments governing computer
matches of personal information by government agencies were enacted.¹³
Recent New Privacy Arrangements
Among the efforts of the 108^th Congress to strengthen privacy protection was the
establishment of the Privacy and Civil Liberties Oversight Board (PCLOB) with the
Intelligence Reform and Terrorism Prevention Act of 2004, implementing many of the

⁶ U.S. Commission on Federal Paperwork, Final Summary Report: A Report of the Commission
on Federal Paperwork (Washington: GPO, 1977).
⁷ U.S. Commission on Federal Paperwork, Confidentiality and Privacy: A Report of the
Commission on Federal Paperwork (Washington: GPO, 1977), pp. 139-175.
⁸ U.S. Congress, House Committee on Government Operations, Privacy and Confidentiality
Report and Final Recommendations of the Commission on Federal Paperwork, hearing, 95^th^st
Cong., 1 sess., October 17, 1977 (Washington: GPO, 1978).
⁹ 94 Stat. 2812; 44 U.S.C. 3501 et seq.
¹⁰ 94 Stat. 2813.
¹¹ 94 Stat. 2816.
¹² 109 Stat. 163; 44 U.S.C. 3501 et seq.
¹³ 102 Stat. 2507.

recommendations of the 9/11 Commission.¹⁴ Initially located within the Executive Office
of the President, the board consisted of a chair, vice chair, and three additional members,
all appointed by, and serving at the pleasure of, the President. Nominees for the chair and
vice chair positions were subject to Senate approval. While the board did not have
subpoena power, it could request the assistance of the Attorney General in obtaining
desired information from persons other than federal agencies; it also had broad access to
information from federal agencies. On June 10, 2005, the President indicated he intended
to nominate Carol Dinkins to be the PCLOB chair, Alan Charles Paul to be the PCLOB
vice chair, and Lanny J. Davis, Theodore B. Olsen, and Francis X. Taylor to be members
of the panel. Dinkins and Rauls were confirmed by the Senate on February 17, 2006. The
PCLOB was appropriated $1.5 million for FY2006.¹⁵ Its appropriation for FY2007 was
not finalized before the adjournment of the 109^th Congress. The board held its initial
meeting on March 14, 2006.
Section 1062 of the intelligence reform statute expressed “the sense of Congress that
each executive department or agency with law enforcement or antiterrorism functions
should designate a privacy and civil liberties officer.” The obligation of the relevant
departments and agencies in this regard, however, was less than mandatory. Other
arrangements, however, were subsequently realized (see below).
Section 1011 established a Civil Liberties Protection Officer within the office of the
newly created Director of National Intelligence (DNI). This official has various
responsibilities for civil liberties and privacy protection within the intelligence
community. On December 7, 2005, the DNI announced the appointment of Alexander
W. Joel as the Civil Liberties Protection Officer.¹⁶
Section 1016 required the President to consult with the PCLOB when issuing
guidelines protecting privacy and civil liberties in the development and utilization of an
“information sharing environment” (ISE) for the sharing of information about terrorism
“in a manner consistent with national security and with applicable legal standards relating
to privacy and civil liberties.” The role of the board and sensitivity to protecting privacy
and civil liberties in the development of the ISE were reflected in the ISE implementation
plan released on November 16, 2006.¹⁷
Elsewhere, when reporting the Transportation, Treasury and General Government
Appropriations Bill, 2005, the Senate Committee on Appropriations indicated that Section
520 of the legislation (S. 2806) “directs each agency to acquire a Chief Privacy Officer
to assume primary responsibility for privacy and data protection policy.” Section 520
appeared in Title V of the legislation. “Those general provisions that address activities
or directives affecting all of the agencies covered in this bill,” the committee report
explained, “are contained in title V.” Thus, the provision seemingly applied only to

¹⁴ 118 Stat. 3638.
¹⁵ 119 Stat. 2396.
¹⁶ U.S. Office of the Director of National Intelligence, ODNI Announces Senior Leadership
Positions, ODNI News Release No. 7-05 (Washington: December 7, 2005).
¹⁷ U.S. Office of the Director of National Intelligence, Information Sharing Environment
Implementation Plan (Washington: November 16, 2006), pp. 21-22, 39, 82-92.

agencies directly funded by the legislation. “General provisions that are governmentwide
in scope,” noted the report, “are contained in title VI of this bill.”¹⁸
Transportation, Treasury, and General Government appropriations were among those
which were included in the Consolidated Appropriations Act, 2005 (H.R. 4818).¹⁹ Within
Division H, Section 522 stated: “Each agency shall have a Chief Privacy Officer to
assume primary responsibility for privacy and data protection policy,” and specified nine
particular activities to be undertaken by such officers. The section prescribed privacy and
data protection policies and procedures to be established, reviews to be undertaken, and
related reports to be made. Located in Title V of the division, the requirements of the
section appeared to be applicable only to agencies directly funded by the division.
Furthermore, it did not appear that the section created new positions, but instead
prescribed privacy officer responsibilities to be assigned to an appropriate individual in
an existing position.²⁰ The President, however, declined to implement the section.²¹
A February 11, 2005, memorandum to the heads of the executive departments and
agencies from OMB Deputy Director for Management Clay Johnson III asked recipients
“to identify to OMB the senior official who has the overall agency-wide responsibility for
information privacy issues.” Expressing the administration’s commitment “to protecting
the information privacy rights of Americans and to ensuring Departments and agencies
continue to have effective information privacy management programs in place to carry out
this important responsibility,” it noted that a Chief Information Officer or “another senior
official (at the Assistant Secretary or equivalent level) with agency-wide responsibility
for information privacy issues” could be named.²²
At about the same time, some House members developed legislation that would, if
enacted, reconstitute the PCLOB as an independent agency within the executive branch,
make all appointments to the board’s membership subject to Senate confirmation, and
limit the board’s partisan composition to not more than three being from the same
political party. Introduced on March 15, 2005, by Representative Carolyn B. Maloney for
herself and 23 bipartisan cosponsors, the bill (H.R. 1310) was referred to the Government
Reform, Homeland Security, Intelligence, and Judiciary committees, but no further action
was taken.²³
In early May, when recommending funds for the Department of Homeland Security
(DHS) for FY2006, the House Committee on Appropriations “included a new general

¹⁸ U.S. Congress, Senate Committee on Appropriations, Transportation, Treasury and General
Government Appropriations Bill, 2005, S.Rept. 108-342, report to accompany S. 2806, 108^th^nd
Cong., 2 sess. (Washington: GPO, 2004), pp. 200, 202.
¹⁹ P.L. 108-447; 118 Stat. 2809.
²⁰ Congressional Record, daily edition, vol. 150, November 19, 2004, pp. H10358-H10359.
²¹ See Weekly Compilation of Presidential Documents, vol. 40, December 13, 2004, p. 2925.
²² U.S. Office of Management and Budget, “Designation of Senior Agency Officials for Privacy,”
Memorandum for Heads of Executive Departments and Agencies from Clay Johnson III, Deputy
Director for Management (Washington: February 11, 2005).
²³ See Congressional Record, daily edition, vol. 151, March 16, 2005, p. E456.

provision (Section 528) to ensure that the Privacy Officer has the independence necessary
to report privacy abuses directly to Congress and has all documents and information
necessary to carry out statutory responsibilities.” It was the committee’s view that the
Privacy Officer “should provide Congress, and thus the public, an unfettered view into
the operations of the Department and its impact on personal privacy.”²⁴ The House
approved the appropriations bill (H.R. 2360), with the reporting provision, on May 17,
2005. It was continued by the final version of the legislation, which the President signed
into law on October 18, 2005.²⁵
On July 27, 2005, the House Committee on the Judiciary marked up and ordered
reported a Department of Justice authorization bill (H.R. 3402) directing the Attorney
General to designate a senior official to assume primary responsibility for privacy policy
in the department.²⁶ The House approved the bill on September 28 on a 415-4 vote, and
sent the measure to the Senate, which passed the bill, with amendments, by unanimous
consent on December 16. The House agreed to the Senate-amended version of the
legislation on December 17, and the President signed it into law on January 5, 2006.
Section 1174 of the statute directs the Attorney General to “designate a senior official in
the Department of Justice to assume primary responsibility for privacy policy,” and
prescribes the responsibilities of the Privacy Officer.²⁷ On February 21, 2006, Jane
Horvath was appointed the Chief Privacy and Civil Liberties Officer of the department
pursuant to this authority.
Early in the 110^th Congress, legislation (H.R. 1; S. 4) was introduced to implement
unfinished recommendations of the 9/11 Commission. The House approved its bill on
January 9, 2007, on a 299-128 vote. The Senate counterpart bill was referred to the
Committee on Homeland Security and Governmental Affairs, which reported it on
February 22. After considerable debate and amendment, the legislation was approved by
the Senate on a 60-38 vote on March 13. Conferees on the legislation filed their report
on July 25. The Senate adopted the report the following day on a 85-8 vote; the House
concurred on July 27 on a 371-40 vote. The legislation, signed into law on August 3,
reconstitutes the board as an independent agency with modified analysis, review, and
advisory responsibilities; requires Senate confirmation of all members of the PCLOB; sets
qualifications and terms for nominees to be board members; authorizes the Attorney
General to exercise subpoena power on behalf of the board; requires the designation of
Privacy and Civil Liberties Officers; and enhances the authorities of the DHS Privacy
Officer.²⁸

²⁴ U.S. Congress, House Committee on Appropriations, Department of Homeland Security
Appropriations Bill, 2006, report to accompany H.R. 2360 , 109^th Cong., 1^st sess., H.Rept. 109-

79 (Washington: GPO, 2005), p. 7.

²⁵ P.L. 109-90; 119 Stat. 2064.
²⁶ U.S. Congress, House Committee on the Judiciary, Department of Justice Appropriations
Authorization Act, Fiscal Years 2006 Through 2009, report to accompany H.R. 3402, 109^th^st
Cong., 1 sess., H.Rept. 109-233 (Washington: GPO, 2005), pp. 105-106.
²⁷ 119 Stat. 3124.
²⁸ P.L. 110-53; 121 Stat. 266.