Overview of the Privacy Act: 2020 Edition
The Privacy Act of 1974, Pub Law No. 93-579, 88 Stat 1896 (Dec. 31, 1974), codified at 5 U.S.C. § 552a (2018), went into effect on September 27, 1975, when it became the principal law governing the handling of personal information in the federal government. Enacted in the wake of the Watergate and the Counterintelligence Program (COINTELPRO) scandals involving illegal surveillance on opposition political parties and individuals deemed to be “subversive,” the Privacy Act sought to restore trust in government and to address what at the time was seen as an existential threat to American democracy. In the words of the bill’s principal sponsor, Judiciary Chairman Senator Sam Ervin, “[i]f we have learned anything in this last year of Watergate, it is that there must be limits upon what the Government can know about each of its citizens.” See S. Comm. on Gov’t. Operations & H.R. Comm. on Gov’t. Operations, 94th Cong., Legislative History of the Privacy Act of 1974 S. 3418 (Public Law 93-579): Source Book on Privacy at 4 (Comm. Print 1976) [hereinafter Source Book], https://www.justice.gov/opcl/paoverview_sourcebook.
In drafting the Privacy Act, Congress relied on a recently published and widely read report from an advisory committee of what was then the Department of Health, Education & Welfare (HEW). Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, DHEW Publication No. (OS) 73-94 (July 1973) (hereinafter HEW Report), https://www.justice.gov/opcl/docs/rec-com-rights.pdf. The HEW Report represented the first comprehensive study of the risks to privacy presented by the increasingly widespread use of electronic information technologies by organizations, replacing traditional paper-based systems of creation, storage, and retrieval of information. To address these risks, the HEW Report developed what it called a “code of fair information practices,” now more commonly called the Fair Information Practice Principles, or FIPPs.
As implemented in the Privacy Act, the FIPPs: allow individuals to determine what records pertaining to them are collected, maintained, used, or disseminated by an agency; require agencies to procure consent before records pertaining to an individual collected for one purpose could be used for other incompatible purposes; afford individuals a right of access to records pertaining to them and to have them corrected if inaccurate; and require agencies to collect such records only for lawful and authorized purposes and safeguard them appropriately. Exceptions from some of these principles are permitted only for important reasons of public policy. Judicial redress is afforded to individuals when an agency fails to comply with access and amendment rights, but only after an internal appeals process fails to correct the problem. Otherwise, liability for damages is afforded in the event of a willful or intentional violation of these rights.
The FIPPs are not only central to the framework of the Privacy Act, they have been the basis of almost every other privacy law and treaty in the world today. See, e.g., Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (known as the General Data Protection Regulation (“GDPR”)); The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801; The Health Insurance Portability and Accountability Act (“HIPAA”) of 1996, 42 U.S.C. § 320d-2; HIPPA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (repealed and replaced by the GDPR); Org. for Econ. Coop. & Dev., Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (rev. 2013). It is therefore helpful to understand something about their origins.
The FIPPs were the brainchild of three people, the HEW Secretary’s Advisory Committee Chairman Willis Ware, Executive Director David B. H. Martin, and Associate Director Carole Parsons. Chairman Ware was a legendary computer scientist and pioneer in the field of information security who had worked with John Von Neumann and Claude Shannon building the first modern computer at the Institute for Advanced Study at Princeton. Chairman Ware later diagnosed fundamental vulnerabilities in what was then called the ARPANET (now renamed INTERNET), and is recognized as the founder of the field of information security. Executive Director Martin was the principal architect of the Cape Cod National Seashore, a multi-stakeholder collaborative governance structure, which became the model for the National Environmental Policy Act of 1970. Executive Director Martin would go on to devise other innovative collaborative governance frameworks like government-backed student loans. Associate Director Parsons was a Census Bureau expert in statistics and government record-keeping systems, who later served in the White House overseeing the legislative process leading to the enactment of the Privacy Act, and served as Executive Director of the Privacy Protection Study Commission.
As explained by the authors of the HEW Report, underlying the FIPPs was an understanding of the nature of electronic data as reflecting and mediating relationships in which both individuals and organizations have an interest, made for purposes that are shared by organizations and individuals. The concept of privacy had, at that point in time, been understood as a narrow, property-based concept of individual control. Unlike paper-based information systems, individuals cannot exercise the same level of physical control of information in electronic computer systems controlled by organizations. Accordingly, the authors of the HEW Report argued that the concept of privacy needed to be reimagined to recognize the mutual interests that institutions and individuals shared in the fair and appropriate management of personal information. This meant that instead of a property-based concept of individual control, what was needed was a governance framework designed to ensure the trust of the stakeholders in the information. These included the individuals about whom the information pertained and the agency with a public need to use the information, as well as others. As such, the model of the FIPPs developed in the HEW Report bears close similarities to the framework for management of shared common environmental resources, such as the Cape Cod National Seashore, which Executive Director Martin had helped design.
As implemented in the Privacy Act, the multi-stakeholder governance idea underlying the FIPPs can be seen in the fact that each of the individual rights that Congress created also serves the interests of any reasonable agency, and is consistent with the need for other legitimate secondary users, such as public health authorities, financial oversight agencies, law enforcement and national security agencies—indeed any stakeholder with a legitimate need to use the information in the public interest—to access and appropriately use the information. Just as loss of trust in the governance framework would harm the interests of all, so proper and appropriate use of personal information within a secure governance framework would maintain trust and benefit the interests of all.
The Ninety-Third United States Congress, facing a crisis of public trust, found the information governance model of the FIPPs, as presented in the HEW Report, to be an attractive approach. Following the breakdown of trust in the government after the Watergate and COINTELPRO scandals, Congress recognized that agency implementation of the FIPPs could help restore the most critical relationship of trust of all, that between the people and their government.
In the more than 45 years since the Privacy Act was enacted, information technologies have expanded in ways that the drafters of the HEW Report could never have imagined, and the risks associated with the collection and use of personal data have grown accordingly. But the basic principles of fair information practices as implemented in the Act have continued to do their work maintaining the relationship of trust between the people and their government. The Privacy Act was later modified by the Computer Matching and Privacy Protection Act of 1988, Pub. L. No. 100-503, 102 Stat. 2507, extending the Privacy Act’s FIPPs-based protections to computer-matching activities by agencies, with requirements for certain additional internal agency procedures. The Privacy Act also has been supplemented by other structures of information governance, such as the E-Government Act of 2002, Pub. Law No. 107-347, 116 Stat. 2899, and the Federal Information Security Modernization Act of 2014, Pub. Law No. 113-283, 128 Stat. 3073. However, the original language of the Privacy Act, as drafted in 1974, has shown itself sufficiently flexible to adapt to those changes. More than any other law in the field, the Privacy Act has, to a remarkable extent, withstood the test of time.
Although the HEW Report provides key historical context for the Privacy Act, the formal legislative history of the Privacy Act is contained in a convenient, one-volume compilation. See Source Book, https://www.justice.gov/opcl/paoverview_sourcebook. The Act was passed in great haste during the final week of the Ninety-Third United States Congress. No conference committee was convened to reconcile differences in the bills passed by the House and Senate. Instead, staffs of the respective committees – led by Senators Ervin and Percy, and Representatives Moorhead and Erlenborn – prepared a final version of the bill that was ultimately enacted. The original reports are thus of limited utility in interpreting the final statute; the more reliable legislative history consists of a brief analysis of the compromise amendments – entitled “Analysis of House and Senate Compromise Amendments to the Federal Privacy Act” – prepared by the staffs of the counterpart Senate and House committees and submitted in both the House and Senate in lieu of a conference report. See 120 Cong. Rec. at 40, 405-09, 40,881-83, (1974), reprinted in Source Book, at 858-68, 987-94, https://www.justice.gov/opcl/paoverview_sourcebook.
Privacy Protection Study Commission
Section 5 of the original Privacy Act established the “Privacy Protection Study Commission” to evaluate the statute and to issue a report containing recommendations for its improvement. See U.S. Priv. Prot. Study Comm’n, Personal Privacy in an Information Society (1977) [hereinafter Privacy Commission Report], https://www.justice.gov/paoverview_ppsc. Although the Commission generated many ideas and discussions and issued its final report in 1977, it ceased operation that year and its recommendations did not result in further legislation. See generally Doe v. Chao, 540 U.S. 615, 622-23 (2004) (considering mandate and recommendation of Privacy Protection Study Commission as well as legislative history to interpret Privacy Act damages provision).
Office of Management and Budget Guidance
“The Director of the Office of Management and Budget shall—
(1) develop and, after notice and opportunity for public comment, prescribe guidelines and regulations for the use of agencies in implementing the provisions of this section; and
(2) provide continuing assistance to and oversight of the implementation of this section by agencies.” 5 U.S.C. § 552a(v).
The vast majority of Privacy Act guidelines and regulations are published in the Executive Office of the President’s Office of Management and Budget (“OMB”) 1975 memorandum. Off. of Mgmt. & Budget, Exec. Off. of the President, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 28,948, 949 (July 9, 1975) [hereinafter OMB 1975 Guidelines], https://www.justice.gov/paoverview_omb-75. OMB has since supplemented and expanded upon the 1975 Privacy Act Guidelines in particular subject areas over the years. See, e.g., Off. of Mgmt. & Budget, Exec. Off. of the President, Implementation of the Privacy Act of 1974 Supplementary Guidance, 40 Fed. Reg. 56,741 (Dec. 4, 1975) [hereinafter OMB Supplementary Guidance], https://www.justice.gov/paoverview_omb-75-supp (supplementing certain sections of the 1975 Privacy Act Guidelines, including the “system of records” definition, routine use and intra-agency disclosures, consent and Congressional inquiries, accounting of disclosures, amendment appeals, rights of parents and legal guardians, relationship to Freedom of Information Act (FOIA)); Off. of Mgmt. & Budget, Exec. Off. of the President, Guidelines on the Relationship of the Debt Collection Act of 1982 to the Privacy Act of 1974, 48 Fed. Reg. 1,556 (April 11, 1983) [hereinafter OMB Debt Collection Act Guidance], https://www.justice.gov/paoverview_omb-83-dca; Off. of Mgmt. & Budget, Exec. Off. of the President, Guidance on the Privacy Act Implication of “Call Detail” Programs to Manage Employees’ Use of the Government’s Telecommunications Systems, 52 Fed. Reg. 12,990 (April 20, 1987) [hereinafter OMB Call Detail Guidance], https://www.justice.gov/paoverview_omb-87-cd; Off. of Mgmt. & Budget, Exec. Off. of the President, Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 Fed. Reg. 25,818 (June 19, 1989) [hereinafter OMB 1989 Guidelines], https://www.justice.gov/paoverview_omb-89-cma; Off. of Mgmt. & Budget, Exec. Off. of the President, The Computer Matching and Privacy Protection Amendments of 1990 and The Privacy Act of 1974, 56 Fed. Reg. 18,599 (Apr. 23, 1991) [hereinafter OMB CMPPA Guidelines], https://www.justice.gov/paoverview_omb-91-cma; see also Off. of Mgmt. & Budget, Exec. Off. of the President, OMB Circular No. A–130, Managing Information as a Strategic Resource (July 28, 2016) (notice of availability published at 81 Fed. Reg. 49,689) [hereinafter OMB Circular A-130], https://www.justice.gov/paoverview_omb-a-130 (establishing agency responsibilities for managing personally identifiable information); Off. of Mgmt. & Budget, Exec. Off. of the President, OMB Circular No. A–108, Federal Agency Responsibilities for Review, Reporting, and Publication Under the Privacy Act (Dec. 23, 2016) (notice of availability published at 81 Fed. Reg. 94,424) [hereinafter OMB Circular A-108], https://www.justice.gov/paoverview_omb-a-108 (establishes general reporting requirements for the Privacy Act).
Most courts give the OMB guidelines and regulations the same deference they give interpretations of an agency that has been charged with the administration of a statute. See Sussman v. Marshals Serv., 494 F.3d 1106, 1120 (D.C. Cir. 2007). In Sussman, the Court of Appeals for the District of Columbia Circuit discussed this standard: “Congress explicitly tasked the OMB with promulgating guidelines for implementing the Privacy Act, and we therefore give the OMB Guidelines ‘the deference usually accorded interpretation of a statute by the agency charged with its administration.’” Id. (citation omitted) (citing Albright v. United States, 631 F.2d 915, 920 n.5 (D.C. Cir. 1980)). With regard to the OMB 1975 Guidelines, the court stated: “The OMB apparently invited no public comment prior to publishing its guidelines, and after we decided Albright, Congress pointedly replaced its original grant of authority to the OMB with one that expressly required the OMB to respect such procedural niceties before its guidelines could be binding. But Congress made clear the change was not meant to disturb existing guidelines. Hence, the old OMB Guidelines still deserve the same level of deference they enjoyed prior to the 1998 amendment.” Sussman, 494 F.3d at 1120 n.8 (citations omitted). Numerous cases have applied this standard of deference. See, e.g., Maydak v. United States, 363 F.3d 512, 518 (D.C. Cir. 2004); Henke v. Commerce, 83 F.3d 1453, 1460 n.12 (D.C. Cir. 1996); Quinn v. Stone, 978 F.2d 126, 133 (3d Cir. 1992); Baker v. Navy, 814 F.2d 1381, 1383 (9th Cir. 1987); Perry v. FBI, 759 F.2d 1271, 1276 n.7 (7th Cir. 1985), rev’d en banc on other grounds, 781 F.2d 1294 (7th Cir. 1986); Bartel v. FAA, 725 F.2d 1403, 1408 n.9 (D.C. Cir. 1984); Smiertka v. Treasury, 604 F.2d 698, 703 n.12 (D.C. Cir. 1979); Whitaker v. CIA, 31 F. Supp. 3d 23, 47-48 (D.D.C. 2014); Rogers v. Labor, 607 F. Supp. 697, 700 n.2 (N.D. Cal. 1985); Sanchez v. United States, 3 Gov’t Disclosure Serv. (P-H) ¶ 83,116, at 83,709 (S.D. Tex. Sept. 10, 1982); Golliher v. USPS, 3 Gov’t Disclosure Serv. (P-H) ¶ 83,114, at 83,703 (N.D. Ohio June 10, 1982); Greene v. VA, No. C-76-461-S, slip op. at 6-7 (M.D.N.C. July 3, 1978); Daniels v. FCC, No. 77-5011, slip op. at 8-9 (D.S.D. Mar. 15, 1978); see also Martin v. Office of Special Counsel, 819 F.2d 1181, 1188 (D.C. Cir. 1987) (OMB interpretation is “worthy of our attention and solicitude.”).
The United States Supreme Court has not gone that far, however. See Doe v. Chao, 540 U.S. at 620 n.11 (disagreeing with dissent’s reliance on OMB interpretation of damages provision and stating that Court does “not find its unelaborated conclusion persuasive”). In addition, a few courts have rejected particular aspects of the OMB guidelines and regulations as inconsistent with the statute. See Wrocklage v. DHS, 769 F.3d 1363, 1368-369 (Fed. Cir. 2014) (interpreting when records are “disclosed”); Scarborough v. Harvey, 493 F. Supp. 2d 1, 13-14 n.28 (D.D.C. 2007) (personal/entrepreneurial distinction); Henke v. Commerce, No. 94-0189, 1996 WL 692020, at *2-3 (D.D.C. Aug. 19, 1994) (same), aff’d on other grounds, 83 F.3d 1445 (D.C. Cir. 1996); Kassel v. VA, No. 87-217-S, slip op. at 24-25 (D.N.H. Mar. 30, 1992) (subsection (e)(3)); Saunders v. Schweiker, 508 F. Supp. 305, 309 (W.D.N.Y. 1981) (same); Metadure Corp. v. United States, 490 F. Supp. 1368, 1373-74 (S.D.N.Y. 1980) (subsection (a)(2)); Fla. Med. Ass’n v. HEW, 479 F. Supp. 1291, 1307-11 (M.D. Fla. 1979) (same); Zeller v. United States, 467 F. Supp. 487, 497-99 (E.D.N.Y. 1979) (same).
Computer Matching and Privacy Protection Act
The Computer Matching and Privacy Protection Act of 1988 amended the Privacy Act to add several new provisions. See 5 U.S.C. § 552a(a)(8)-(13), (e)(12), (o), (p), (q), (r), (u) (2018). These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities, provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated, and require that agencies engaged in matching activities to establish Data Protection Boards to oversee those activities. These provisions became effective on December 31, 1989. OMB’s guidelines on computer matching should be consulted in this area. See, e.g., OMB 1989 Guidelines, 54 Fed. Reg. at 25,818-29, https://www.justice.gov/paoverview_omb-89-cma. Subsequently, Congress enacted the Computer Matching and Privacy Protection Amendments of 1990, Pub. L. No. 101-508 § 7201, 104 Stat. 1388, 1388-334, which further clarified the due process provisions found in subsection (p). See also OMB CMPPA Guidelines, 56 Fed. Reg. at 18,599, https://www.justice.gov/paoverview_omb-91-cma. Although there has not been significant litigation on this provision to date, in one recent case, the court considered the requirements of the computer matching amendments and concluded that the agency had not met them. See Calvillo Manriquez v. DeVos, 345 F. Supp. 3d 1077, 1098 (N.D. Cal. 2018) (concluding that because sharing of data between the SSA and the Dep’t of Educ. was “a matching program as defined by the Privacy Act, the agencies must comply with the requirements. . . [and] [i]t is undisputed that the [agency and SSA] did not comply with the requirements above and thus violated the Privacy Act”).
The highly complex and specialized provisions of the Computer Matching and Privacy Protection Act of 1988 and the Computer Matching and Privacy Protection Amendments of 1990 are not further addressed herein. Additional guidance on these provisions can be found in the OMB 1989 Guidelines and OMB CMPPA Guidelines, cited above.
Next Section: Judicial Redress Act