Testimony of Associate Director Gregory Nojeim and Legislative Counsel Katie Corrigan on H.R. 4561, the Federal Agency Protection of Privacy Act, Before the House Judiciary Subcommittee on Commercial and Administrative Law

The American Civil Liberties Union is a nationwide, non-partisan organization of nearly 300,000 members dedicated to protecting the principles of liberty, freedom, and equality set forth in the Bill of Rights to the United States Constitution

The American Civil Liberties Union is a nationwide, non-partisan organization of nearly 300,000 members dedicated to protecting the principles of liberty, freedom, and equality set forth in the Bill of Rights to the United States Constitution. For almost 80 years, the ACLU has sought to preserve and strengthen privacy in many aspects of American life.

Americans’ right to privacy is in peril. Individuals’ personal information, including medical and financial records, is being collected through an ever expanding number of computer networks and being stored in formats that allow the data to be linked, transferred, shared and sold, often without consent or knowledge.

The same technological advances that have brought this country enormous benefit also make people more vulnerable to unwanted snooping and accidental disclosure of personal information. The federal government’s increased reliance on computerized records increases efficiency but also poses significant challenges to privacy.

H.R. 4561, the “”Federal Agency Protection of Privacy Act,”” would require federal agencies to issue privacy impact statements with the rules or regulations they propose. By requiring privacy impact statements, the bill would encourage agencies to develop a systematic means for reviewing how a particular regulation would affect individual privacy. In addition, such statements would put the public on notice about the choices federal agencies are making about the use and disclosure of individually identifiable information and give the public a carefully limited chance to participate in those decisions.

The Federal Agency Protection of Privacy Act would provide an important check and balance on federal agencies’ use and disclosure of personal information inside and outside the government. The passage of this legislation would be an important step in the effort to protect privacy, particularly as the federal government relies more and more on powerful information technology.

The History and Lessons of the “”Know Your Customer”” Banking Regulation

The history of the “”Know Your Customer”” (“”KYC””) regulations provides important background on the need for privacy issues to be considered before a regulation is adopted.

In 1998, pursuant to the Bank Secrecy Act and other federal law, each of the bank regulatory agencies published parallel “”Know Your Customer”” regulations to facilitate the filing of suspicious activity reports, an element of the agency’s broader anti-money laundering initiative. Most banking institutions already had adopted KYC programs voluntarily. The proposed regulations, however, would have mandated uniform standards across the banking industry.

The purpose of the KYC regulations was to facilitate the financial institution’s compliance with anti-money laundering laws and to protect the financial institution from accidentally facilitating criminal activity. The proposed rule required banks to establish uniform systems to identify customers and their normal and expected transactions, to determine the customer’s sources of funds for transactions involving the bank, and to monitor daily transactions and identify those that appear suspicious.

The impact of the regulation, however, would have been to require banks to track innocent individuals in their day to day financial transactions and collect and track an enormous amount of personal financial information through federal databases. The Comptroller of Currency made a nod to privacy in the preamble of its proposed KYC regulations by requiring a bank to “”obtain only that information that is necessary to comply with the regulation and ? limit the use of this information to complying with that regulation.”” Generally, however, the agencies were taken by surprise when an avalanche of public criticism came down on the proposed KYC requirements.

In 1999, the Treasury Department was overwhelmed by almost 300,000 comments on “”Know Your Customer”” regulations because the agency failed to consider the privacy implications of tracking customers’ routine banking activities and reporting personal financial information to the government before issuing the rule. As a result, the agency was forced to retreat and withdraw the rule.

The KYC experience provides two clear lessons. First, Americans care about the privacy of personal information. Out of the almost 300,000 comments submitted on the proposed KYC regulations, only a small fraction were in favor of the regulation. Second, federal agencies must consider privacy up front. As demonstrated by the proposed KYC regulations, because bank regulators failed to consider privacy, the proposed regulation unraveled, forcing regulators back to the drawing board and wasting federal resources.

Requirements of the Federal Agency Protection of Privacy Act

Although there are federal laws regulating the use and disclosure of personal information within the government, privacy continues to be an afterthought in the development of federal policy. In addition, the public has little opportunity to comment on – or even understand – the choices administrators are making about the use and disclosure of individually identifiable information.

The Federal Agency Protection of Privacy Act would establish basic checks and balances on federal agencies’ decisions to use and disclose personal information. The legislation’s “”privacy impact statement”” builds the principles of Fair Information Practices into the rulemaking process and would enhance individuals’ control over personal information stored in government databases.

The bill would require agencies to engage in a systematic review of privacy before federal regulations are adopted and irreversible privacy violations occur. In addition, it would enhance federal agencies’ public accountability for decisions about the use and disclosure of personal information.

This legislation is modeled after the Regulatory Flexibility Act (“”RFA””). 5 U.S.C. §601 seq. For over twenty years, it has required agencies to consider the needs and concerns of small business whenever they engage in rulemaking subject to the notice and comment requirements of the Administrative Procedure Act (“”APA””) or other federal law. This bill adopts requirements almost identical to those found in the RFA. Instead of assessing the impact on small business, however, the agency analyses would assess the impact of a regulation on individual privacy.

What the bill would do:

Require a systematic review of privacy issues before a regulation is adopted.

Sections 2(a) and (b) would require federal agencies to issue initial and final privacy impact analyses whenever the agency is required under the APA or other federal law to publish a general notice of proposed rulemaking, including interpretative rules involving tax laws.

The “”initial privacy impact analysis”” would be published with the agency’s proposed rulemaking and the public would have an opportunity to comment on the privacy impact statement and the underlying regulation. The contents of the impact analysis would include an assessment of the extent to which the proposed rule will impact individual privacy interests including: 1) what personally identifiable information is to be collected, and how it is to be collected, maintained and used; 2) whether and how individuals can access the personal information that pertains to them; 3) how the agency prevents the information collected one purpose from being used for another purpose; and 4) what security safeguards are in place to prevent unauthorized disclosure of personal information. Most importantly, the agency must describe alternatives to the proposed rule which accomplish the policy objective but minimize impact on individual privacy.

A “”final privacy impact analysis”” would be issued with the final rule or regulation. This final privacy impact statement would include the same categories of information as the initial impact statement. In addition, the agency would have to explain the steps it has taken to minimize the “”significant”” privacy impact on individuals, including the factual, policy and legal reasons for selecting the alternative adopted in the final rule and why the other alternatives were rejected. The final privacy impact statement would also summarize the significant issues raised in the public comments.

Enhance public participation and agency accountability for individual privacy interests.

Section 2(d) would require the federal agency proposing a rulemaking that would have a “”significant privacy impact on individuals, or a privacy impact on a substantial number of individuals”” to ensure individuals have been given an opportunity to participate. It could do this by taking steps such as announcing the rulemaking’s potential privacy impact in publications with a national circulation, holding public hearings and conferences, and directly notifying interested individuals.

Section 2(f) would provide individuals who are “”adversely affected or aggrieved”” by final agency action to obtain judicial review of compliance with the procedures for final privacy impact statements.

Section 2(e) would require a periodic review of rules that have a “”significant privacy impact on individuals, or a privacy impact on a substantial number of individuals”” to determine whether a rule can be amended or rescinded to minimize an adverse privacy impact. Such review is required to take place within ten years of the date of enactment of the regulation. Agencies are also required to publish plans for these reviews in the Federal Register and invite public comment on whether the rule should be rescinded or amended.

What the bill would not do:

The Federal Agency Protection of Privacy Act would take important steps to protect privacy. Equally important, however, the legislation would not undermine the government rulemaking process or inhibit important government policy goals.

First, the bill does not create new substantive legal standards for the use and disclosure of individually identifiable personal information within the federal government. The Privacy Act and other federal statutes continue to regulate the use and disclosure of personal information held by federal agencies. Sections 2(a) and (b) simply offer criteria that would be used to measure the privacy impact of any particular regulation.

Second, the bill does not give an individual the power to force an agency to adopt a particular policy alternative. The final privacy impact analysis requires agencies to articulate the available policy options and state why one alternative was selected over the others. But, the bill does not require the agency to adopt the alternative that is least intrusive on privacy.

Third, the bill is not overly burdensome and would not hinder the efficiency or functioning of federal agencies. The legislation only applies to rulemaking, not to the vast amount of administrative action that falls outside the formal rulemaking process, including adjudication, informal action, and guidance.[i] Law enforcement agencies would continue to be able to investigate crimes and track down criminals just as they do under current law. In addition, a privacy impact analysis would only be required if a rulemaking is required in the first place. The APA includes exceptions that exempt certain agency functions from the rulemaking process altogether, including when rulemaking procedures are “”impracticable, unnecessary, or contrary to the public interest.”” In addition, privacy impact statements could actually increase efficiency by cutting down on privacy debacles like the proposed KYC regulation. Lots of government resources were wasted on that proposed rule because there was little to no consideration of privacy in the development of the proposed regulations.

Fourth, the bill would not result in an overwhelming amount of litigation. Judicial review is limited to review of agency compliance with the procedures related to the final privacy impact statement. It does not provide individuals a right to sue over substantive decisions the agency makes in the final regulation. In 1996, the Small Business Regulatory Enforcement Fairness Act established the same judicial review provisions in the RFA as are included in this legislation. Pub.L. 104-121.

Finally, the legislation includes the same waivers available under the RFA. Privacy impact statements would not be required when emergencies make compliance “”impracticable.””

Challenges to Privacy on the Horizon

The Federal Agency Protection of Privacy Act is considered at an important time in American history. Since the terrible events of September 11, numerous proposals have been introduced in the Congress and proposed by the Administration that would undermine civil liberties in the name of security.[ii] Americans remain concerned about privacy, however.[iii]

This legislation would require agencies to consider both safety and privacy as they implement regulations on a range of security measures. Specifically, the legislation’s privacy impact assessments would require agencies to identify policy alternatives that would achieve the same security goal while limiting the impact on privacy.

The legislation would have an important impact on several security proposals the Administration is currently considering. For example:

National ID proposals: Last fall’s air security legislation requires the new Transportation Security Administration to consider implementation of a trusted passenger program. P.L. 107-71. The text of the legislation fails to detail the elements of the program, but its purpose would be to expedite security screening by establishing the identity of “”trusted”” passengers through the issuance of an ID card. The trusted passenger program is a tempting measure because it would provide frequent travelers a convenient route through the airport. Trusted passengers, however, cannot be trusted. “”Sleeper cell”” terrorists could easily be among the trusted passengers and thereby avoid heightened screening measures.[iv]

Such a system also cuts to the heart of privacy and freedom because it is a de facto national ID.[v] The card would link a multitude of databases containing personal information through unique identifiers for each air traveler.

The Administration should reject this measure entirely. At a minimum, however, there should be some consideration of other policy options that would achieve the same level of security benefit, without establishing a national ID. The Federal Agency Protection of Privacy Act would require the TSA to do just that.

Financial Privacy: Title III of the USA PATRIOT Act continued the unfortunate trend of expanding government access to personal financial information rather than safeguarding it against intrusion. P.L. 107-56. The Treasury Department has issued nine sets of regulations in the last six months to comply with Title III’s anti-money laundering requirements. Just last week, the Treasury Department issued regulations that apply anti-money laundering rules to mutual funds, credit card systems, money transfer companies and check cashers, and securities and commodities brokers in addition to the banking industry.

And, the Treasury Department’s work is not complete. The agency is currently working on anti-money laundering regulations that will apply to a range of other industries including dealers in precious metals and jewels, pawnbrokers, loan or finance companies, private bankers, insurance companies, travel agencies, telegraph companies, real estate brokers.[vi]

While there is a need to shut down the financial resources used to further acts of terrorism, the expansion of anti-money laundering programs, including suspicious activity reporting, reaches into innocent customers’ personal financial transactions. In addition, it is unclear that if the government collects more and more information about individuals’ financial transactions law enforcement agencies will in fact be able to identify terrorist activity. There are millions of innocent financial transactions every year.[vii]

H.R. 4561 would require agencies to consider the privacy implications of collection, use and disclosure of massive amounts of individually identifiable financial data reported in suspicious activity reports from all of these industries and the exchange of such information between federal agencies and private industry.

The legislation would not require the agency to choose a particular policy alternative, but it would force the agency to articulate what steps have been taken to minimize the privacy impact of the regulation and identify the policy alternatives that were rejected.

In addition, Section 2(d) of the bill would require a review of these regulations within ten years to determine if the rule could be modified or rescinded entirely to minimize the impact on privacy. These regulations clearly have a privacy impact on a “”substantial number of individuals.””

As new security measures are introduced, the Federal Agency Protection of Privacy Act ensures that agency will ask questions about privacy up front, before a regulation is adopted.

Conclusion

The ACLU strongly commends the Chairman Barr (R-GA) and Congressmen Watt (D-NC), Gekas (R-PA), Nadler(D-NY), Chabot (R-OH), and Green (R-WI) for introducing this important bill. We urge other Members to join them in support of a good government measure that would enhance individuals’ privacy.

Endnotes

[i] In comparison, the Canadian government announced its own “”Privacy Impact Assessment Policy”” last week. The Canadian requirements apply to “”any program or service delivery initiatives”” at government institutions. Privacy Impact Assessment Policy, effective date May 2, 2002. http://www.tbs-sct.gc.ca/pubs_pol/ciopubs/pia-pefr/paip-pefr_e.html.

[ii] See e.g. Uniting and Strengthening America By Providing Appropriate Tools Required To Intercept and Obstruct Terrorism Act (“USA PATRIOT Act”). Pub. L. No. 107-56 (2001).

[iii] This concern is reflected by the public’s dwindling interest in national ID systems. “”Immediately after the attacks, a Harris Poll found that 68% of Americans supported a national ID system. A study conducted in November 2001 for the Washington Post found that only 44% of Americans supported national ID. A poll released in March 2002 by the Gartner Group found that 26% of Americans favored a national ID, and that 41% opposed the idea.”” http://www.epic.org/privacy/survey/default.html

[iv] On February 5, 2002, Under Secretary John Magaw was asked about the trusted passenger card during a Senate Commerce Committee hearing on air security. Magaw said he would be hesitant to allow any passenger to avoid passenger and baggage screening requirements. “”[M]y whole problem is that this may be ? not as good as it looks to be. It may be convenient, but in terms of security, I don’t really see it helping us, because I would not be willing to ? allow the baggage to go unchecked or have your hand carry unchecked. So I don’t really see the benefit of it in terms of security.””

[v] National Research Council, IDs — Not That Easy: Questions About Nationwide Identity Systems, (Stephen T. Kent and Lynette I. Millett eds., 2002).

[vi] 31 C.F.R. Part 103, Financial Crimes Enforcement Network, Anti-Money Laundering Programs for Financial Institutions, Interim Final Rule, April 23, 2002.

[vii] See Veronique de Rugy, Sam Spys: The Case Against Watching Everyone, National Review Online, Dec. 17, 2001. (“”Part of the problem is that money-laundering laws create an ocean of data that law enforcement cannot hope to navigate.””)