Amend the U.S. Privacy Act to Provide Further Privacy Protections to European and Other Non-US Persons
I had the pleasure of participating recently at a Georgetown Law Center conference called “Privacy Act @40.” My panel was on “Looking Ahead,” and my comments focused on new ways that the United States is (and can) extend appropriate privacy rights to citizens of other countries.
Today, just a couple of weeks later, Google has announced that it now favors new legislation in the U.S. to extend the Privacy Act to non-U.S. persons. This announcement is a valuable step. Amending the Privacy Act in this way is the right thing to do and would address a longstanding bone of contention in U.S.-E.U. privacy discussions.
The Privacy Act of 1974
As background, the Privacy Act of 1974 is the principle statute that governs how federal agencies handle personal information. It applies its protections to “U.S. persons” – U.S. citizens and permanent residents in the U.S. The Privacy Act provides a range of rights to individuals, such as to access and amend their records and a range of other “fair information practices,” such as requirements for transparency, data minimization, accuracy, and data security.
Under the E.U. Data Protection Directive, privacy rights apply in the same way to each individual, regardless of nationality. I have long worked with European privacy officials, such as in researching a 1998 book on U.S.-E.U. privacy issues and in helping negotiate the Safe Harbor that now governs data exports from the E.U. to our country. Over and over again, Europeans have said something along these lines: “We provide full privacy rights to U.S. citizens, whenever your data is collected or processed in Europe. Why won’t the U.S. government treat our citizens the same as yours?”
This European concern about lack of protection for their citizens has become more acute after the Snowden leaks and in the course of serious consideration in the E.U. for updating their comprehensive privacy laws. Senior E.U. officials this fall have discussed suspending the Safe Harbor agreement, which could cause major interruptions in cross-Atlantic data flows.
The importance of amending the Privacy Act came up during my work on President Obama’s Review Group on Intelligence and Communications Technology. Our recommendation 14 said: “We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security (DHS), and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons.” The recommendation mentioned how DHS in 2009 issued a Privacy Policy Guidance Memorandum that applies to “mixed systems” of records – systems that collect or use information in an identifiable form and that contain information about both US and non-US persons. It states: “As a matter of DHS policy, any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system by DHS shall be treated as a System of Records subject to the Privacy Act regardless of whether the information pertains to a US citizen, legal permanent resident, visitor, or alien.”
The Obama administration has not made any official announcement about Recommendation 14, although I believe it remains under consideration. That Recommendation shows tangible steps that federal agencies can take under current law, following the practice at DHS. Notably, however, agencies do not have the power to create a private right of action under the Privacy Act. For that, Congress would need to amend the statute. Attorney General Holder spoke in favor of such an amendment earlier this year, and Google has now supported that as well. Based on my experience on this issue with European privacy leaders, including that private right of action would be important to putting this issue to rest.
Presidential Policy Directive 28
Meanwhile, President Obama in January announced what is quite possibly the largest extension in history of privacy protections to non-US persons. It is worth considering Presidential Policy Directive 28 in some detail, because of the precedent it sets for treating US and non-US persons similarly.
This Directive to federal agencies states: “Privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities. The United States shall not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion. Signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions and not for any other purposes.”
Notably for equal treatment of non-US persons, PPD-28 states: “Departments and agencies shall apply the term “personal information” in a manner that is consistent for U.S. persons and non-U.S. persons.” PPD-28 goes on to provide that dissemination, retention, and minimization rules should be consistent for US and non-US persons. There is the possibility of exceptions for national security purposes, but a fair reading of PPD-28 is that it creates a major change in signals intelligence practices. The rigor of its requirements was reinforced in the Interim Progress Report on Implementing PPD-28, released in October, 2014. Implementation is due quickly, under a January, 2015 deadline.
In conclusion, PPD-28 and the DHS Privacy Policy Guidance Memorandum show important progress toward addressing concerns that the United States does not apply privacy protections to non-US persons. The Privacy Act has its weaknesses, as Bob Gellman has recently explained in detail. But that is no reason to exclude Europeans and other non-US persons from the protections that it does supply.
Peter Swire is the Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business. While at the U.S. Office of Management and Budget in 1999-2001, Swire was responsible for coordinating agency compliance with the Privacy Act of 1974.