
Testimony of the ACLU before the House Subcommittee on Commercial and Administrative Law and the Constitution Subcommittee on H.R. 338, the Defense of Privacy Act

Document Date: July 22, 2003
Affiliate: ACLU of the District of Columbia

Chairmen Chabot and Cannon, and Ranking Members Watt and Nadler:

I am pleased to testify today on behalf of the American Civil Liberties Union in favor of the Defense of Privacy Act, H.R. 338. The ACLU is a nationwide, non-partisan organization of nearly 400,000 members dedicated to protecting the principles of liberty, freedom, and equality set forth in the Bill of Rights to the United States Constitution and in our nation’s civil rights laws. For almost 80 years, the ACLU has sought to preserve and strengthen privacy in many aspects of American life.

Americans’ right to privacy is in peril. Individuals’ personal information, including medical and financial records, is being collected through an ever expanding number of computer networks and being stored in formats that allow the data to be linked, transferred, shared and sold, often without consent or knowledge.

The same technological advances that have brought this country enormous benefit also make people more vulnerable to unwanted snooping and accidental disclosure of personal information. The federal government’s increased reliance on computerized records increases efficiency but also poses significant challenges to privacy.

H.R. 338, the “Defense of Privacy Act,” would require federal agencies to issue privacy impact statements with the rules or regulations they propose. By requiring privacy impact statements, the bill would encourage agencies to develop a systematic means for reviewing how a particular regulation would affect individual privacy. In addition, such statements would put the public on notice about the choices federal agencies are making about the use and disclosure of individually identifiable information and give the public a carefully limited chance to participate in those decisions.

The Defense of Privacy Act would provide an important check and balance on federal agencies’ use and disclosure of personal information inside and outside the government. The passage of this legislation would be an important step in the effort to protect privacy, particularly as the federal government relies more and more on powerful information technology.

The History and Lessons of the “Know Your Customer” Banking Regulation

The history of the “Know Your Customer” (“KYC”) regulations provides important background on the need for privacy issues to be considered before a regulation is adopted.

In 1998, pursuant to the Bank Secrecy Act and other federal law, each of the bank regulatory agencies published parallel “Know Your Customer” regulations to facilitate the filing of suspicious activity reports, an element of the agency’s broader anti-money laundering initiative. Although most banking institutions already had adopted KYC programs voluntarily, the proposed regulation established uniform standards across the banking industry. Banks were required to identify customers and their normal and expected transactions, to determine the customer’s sources of funds for transactions involving the bank, and to monitor daily transactions and identify those that appear suspicious. The impact of the regulation, however, would have been to require banks to track innocent individuals in their day-to-day financial transactions and collect and track an enormous amount of personal financial information through federal databases.

In 1999, the Treasury Department was overwhelmed by almost 300,000 comments on the proposed “Know Your Customer” regulations because the agency failed to consider the privacy implications of tracking customers’ routine banking activities and reporting personal financial information to the government before proposing the rule. As a result, the agency was forced to retreat and withdraw the proposed rule.

The KYC experience provides two clear lessons. First, Americans care about the privacy of personal information. Out of the almost 300,000 comments submitted on the proposed KYC regulations, only a small fraction were in favor of the regulation. Second, federal agencies must consider privacy up front. As demonstrated by the proposed KYC regulations, because bank regulators failed to consider privacy, the proposed regulation unraveled, forcing regulators back to the drawing board and wasting federal resources.

Requirements of the Defense of Privacy Act

Although federal laws regulate the use and disclosure of personal information within the government, privacy continues to be an afterthought in the development of federal policy. In addition, the public has little opportunity to comment on – or even understand – the choices administrators are making about the use and disclosure of individually identifiable information.

The Defense of Privacy Act would establish basic checks and balances on federal agencies’ decisions to use and disclose personal information. The legislation’s “privacy impact statement” builds the principles of Fair Information Practices into the rulemaking process and would enhance individuals’ control over personal information stored in government databases.

The bill would require agencies to engage in a systematic review of privacy before federal regulations are adopted and irreversible privacy violations occur. In addition, it would enhance federal agencies’ public accountability for decisions about the use and disclosure of personal information.

This legislation is modeled after the Regulatory Flexibility Act (“RFA”). 5 U.S.C. § 601 et seq. For over twenty years, it has required agencies to consider the needs and concerns of small business whenever they engage in rulemaking subject to the notice and comment requirements of the Administrative Procedure Act (“APA”) or other federal law. This bill adopts requirements almost identical to those found in the RFA. Instead of assessing the impact on small business, however, the agency analyses would assess the impact of a regulation on individual privacy.

What the bill would do:

Require a systematic review of privacy issues before a regulation is adopted.

Sections 2(a) and (b) would require federal agencies to issue initial and final privacy impact analyses whenever the agency is required under the APA or other federal law to publish a general notice of proposed rulemaking, including interpretative rules involving tax laws.

The “initial privacy impact analysis” would be published with the agency’s proposed rulemaking and the public would have an opportunity to comment on the privacy impact statement and the underlying regulation. The contents of the impact analysis would include an assessment of the extent to which the proposed rule will impact individual privacy interests including: 1) what personally identifiable information is to be collected, and how it is to be collected, maintained and used; 2) whether and how individuals can access the personal information that pertains to them; 3) how the agency prevents the information collected for one purpose from being used for another purpose; and 4) what security safeguards are in place to prevent unauthorized disclosure of personal information. Most importantly, the agency must describe alternatives to the proposed rule which accomplish the policy objective but minimize impact on individual privacy.

A “final privacy impact analysis” would be issued with the final rule or regulation. This final privacy impact statement would include the same categories of information as the initial impact statement. In addition, the agency would have to explain the steps it has taken to minimize the “significant” privacy impact on individuals, including the factual, policy and legal reasons for selecting the alternative adopted in the final rule and why the other alternatives were rejected. The final privacy impact statement would also summarize the significant issues raised in the public comments.

Enhance public participation and agency accountability for individual privacy interests.

Section 2(d) would require the federal agency proposing a rulemaking that would have a “significant privacy impact on individuals, or a privacy impact on a substantial number of individuals” to ensure individuals have been given an opportunity to participate. Agencies could do this by taking steps such as announcing the rulemaking’s potential privacy impact in publications with a national circulation, holding public hearings and conferences, and directly notifying interested individuals.

Section 2(f) would allow individuals who are “adversely affected or aggrieved” by final agency action to obtain judicial review of compliance with the procedures for final privacy impact statements.

Section 2(e) would require a periodic review of rules that have a “significant privacy impact on individuals, or a privacy impact on a substantial number of individuals” to determine whether a rule can be amended or rescinded to minimize an adverse privacy impact. Such review is required to take place within ten years of the date of enactment of the regulation. Agencies are also required to publish plans for these reviews in the Federal Register and invite public comment on whether the rule should be rescinded or amended.

What the bill would not do:

The Defense of Privacy Act would take important steps to protect privacy. Equally important, however, the legislation would not undermine the government rulemaking process or inhibit important government policy goals.

First, the bill does not create new substantive legal standards for the use and disclosure of individually identifiable personal information within the federal government. The Privacy Act and other federal statutes continue to regulate the use and disclosure of personal information held by federal agencies. Sections 2(a) and (b) of the bill simply offer criteria that would be used to measure the privacy impact of any particular regulation.

Second, the bill does not give an individual the power to force an agency to adopt a particular policy alternative. The final privacy impact analysis requires agencies to articulate the available policy options and state why one alternative was selected over the others. But the bill does not require the agency to adopt the alternative that is least intrusive on privacy.

Third, the bill is not overly burdensome and would not hinder the efficiency or functioning of federal agencies. The legislation only applies to rulemaking, not to the vast amount of administrative action that falls outside the formal rulemaking process, including adjudication, informal action, and guidance.[1] Law enforcement agencies would continue to be able to investigate crimes and track down criminals just as they do under current law. In addition, a privacy impact analysis would only be required if a rulemaking is required in the first place. The APA includes exceptions that exempt certain agency functions from the rulemaking process altogether, including when rulemaking procedures are “impracticable, unnecessary, or contrary to the public interest.” In addition, privacy impact statements could actually increase efficiency by cutting down on privacy debacles like the proposed KYC regulation. Lots of government resources were wasted on that proposed rule because there was little to no consideration of privacy in the development of the proposed regulations.

Fourth, the bill would not result in an overwhelming amount of litigation. Judicial review is limited to review of agency compliance with the procedures related to the final privacy impact statement. It does not provide individuals a right to sue over substantive decisions the agency makes in the final regulation. In 1996, the Small Business Regulatory Enforcement Fairness Act established the same judicial review provisions in the RFA as are included in this legislation. Pub.L. 104-121.

Finally, the legislation includes the same waivers available under the RFA. Privacy impact statements would not be required when emergencies make compliance “impracticable.”

Conclusion

The ACLU strongly commends Chairman Chabot (R-OH) for introducing this important bill. We urge other Members to join him in support of a good government measure that would enhance individuals’ privacy.

[1] In comparison, the Canadian government announced its own “Privacy Impact Assessment Policy” last year. The Canadian requirements apply to “any program or service delivery initiatives” at government institutions. Privacy Impact Assessment Policy, effective date May 2, 2002. http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.html.
