
Laura W. Murphy
Director
STATEMENT
OF
LAURA W. MURPHY
DIRECTOR
AMERICAN CIVIL LIBERTIES
ON
H.R. 338
THE DEFENSE OF PRIVACY ACT
BEFORE
COMMERCIAL AND ADMINISTRATIVE LAW
SUBCOMMITTEE
AND THE CONSTITUTION SUBCOMMITTEE
OF THE HOUSE OF REPRESENTATIVES COMMITTEE ON
THE JUDICIARY
Chairmen Chabot
and Cannon, and Ranking Members Watt and Nadler:
I am pleased to testify today on
behalf of the American Civil Liberties
Americans' right to privacy is in peril. Individuals' personal information, including
medical and financial records, is being collected through an ever expanding number
of computer networks and being stored in formats that allow the data to be
linked, transferred, shared and sold, often without consent or knowledge.
The same technological advances that
have brought this country enormous benefit also make people more vulnerable to
unwanted snooping and accidental disclosure of personal information. The federal government's increased reliance on computerized
records increases efficiency but also poses significant challenges to privacy.
H.R. 338, the "Defense of Privacy Act," would require federal agencies to
issue privacy impact statements with the rules or regulations they
propose. By requiring privacy impact
statements, the bill would encourage agencies to develop a systematic means for
reviewing how a particular regulation would affect individual privacy. In addition, such statements would put the
public on notice about the choices federal agencies are making about the use
and disclosure of individually identifiable information and give the public a
carefully limited chance to participate in those decisions.
The Defense of Privacy Act would
provide an important check and balance on federal agencies' use and disclosure of personal
information inside and outside the government.
The passage of this legislation would be an important step in the effort
to protect privacy, particularly as the federal government relies more and more
on powerful information technology.
The History and Lessons of the "Know Your Customer" Banking Regulation
The history of the "Know Your Customer" ("KYC") regulations provides important
background on the need for privacy issues to be considered before a regulation
is adopted.
In 1998, pursuant to the Bank Secrecy
Act and other federal law, each of the bank regulatory agencies published
parallel "Know Your Customer" regulations to facilitate the filing of
suspicious activity reports, an element of the agency's
broader anti-money laundering initiative.
Although most banking institutions already had adopted KYC programs
voluntarily, the proposed regulation established uniform standards across the
banking industry. Banks were required to
identify customers and their normal and expected transactions, to determine the
customer's
sources of funds for transactions involving the bank, and to monitor daily
transactions and identify those that appear suspicious. The impact of the regulation, however, would
have been to require banks to track innocent individuals in their day to day
financial transactions and collect and track an enormous amount of personal
financial information through federal databases.
In 1999, the Treasury Department was
overwhelmed by almost 300,000 comments on the proposed "Know Your Customer" regulations because the agency
failed to consider the privacy implications of tracking customers' routine banking activities and
reporting personal financial information to the government before proposing the
rule. As a result, the agency was forced
to retreat and withdraw the proposed rule.
The KYC experience provides two clear
lessons. First, Americans care about the
privacy of personal information. Out of
the almost 300,000 comments submitted on the proposed KYC regulations, only a
small fraction were in favor of the regulation.
Second, federal agencies must consider privacy up front. As demonstrated by the proposed KYC
regulations, because bank regulators failed to consider privacy, the proposed
regulation unraveled, forcing regulators back to the drawing board and wasting
federal resources.
Although
federal laws regulate the use and disclosure of personal information within the
government, privacy continues to be an afterthought in the development of
federal policy. In addition, the public
has little opportunity to comment on - or even understand - the choices
administrators are making about the use and disclosure of individually
identifiable information.
The Defense of Privacy Act would
establish basic checks and balances on federal agencies' decisions to use and disclose
personal information. The legislation's "privacy impact statement" builds the principles of Fair
Information Practices into the rulemaking process and would enhance individuals' control over personal information
stored in government databases.
The bill would require agencies to
engage in a systematic review of privacy before federal regulations are adopted
and irreversible privacy violations occur.
In addition, it would enhance federal agencies' public accountability for decisions
about the use and disclosure of personal information.
This legislation is modeled after the
Regulatory Flexibility Act ("RFA").
5 U.S.C. § 601 et seq. For over twenty years, it
has required agencies to consider the needs and concerns of small business
whenever they engage in rulemaking subject to the notice and comment
requirements of the Administrative Procedure Act ("APA") or other federal law. This bill adopts requirements almost
identical to those found in the RFA.
Instead of assessing the impact on small business, however, the agency
analyses would assess the impact of a regulation on individual privacy.
What the bill would do:
Require a systematic review of
privacy issues before a regulation is adopted.
Sections 2(a) and (b) would require
federal agencies to issue initial and final privacy impact analyses whenever
the agency is required under the APA or other federal law to publish a general
notice of proposed rulemaking, including interpretative rules involving tax
laws.
The "initial privacy impact analysis" would be published with the agency's proposed rulemaking and the public
would have an opportunity to comment on the privacy impact statement and the
underlying regulation. The contents of
the impact analysis would include an assessment of the extent to which the
proposed rule will impact individual privacy interests including: 1) what personally identifiable information
is to be collected, and how it is to be collected, maintained and used; 2)
whether and how individuals can access the personal information that pertains
to them; 3) how the agency prevents the information collected for one purpose
from being used for another purpose; and 4) what security safeguards are in
place to prevent unauthorized disclosure of personal information. Most importantly, the agency must describe
alternatives to the proposed rule which accomplish the policy objective but
minimize impact on individual privacy.
A "final privacy impact analysis" would be issued with the final rule
or regulation. This final privacy impact
statement would include the same categories of information as the initial
impact statement. In addition, the
agency would have to explain the steps it has taken to minimize the "significant" privacy impact on individuals,
including the factual, policy and legal reasons for selecting the alternative
adopted in the final rule and why the other alternatives were rejected. The final privacy impact statement would also
summarize the significant issues raised in the public comments.
Enhance public participation and
agency accountability for individual privacy interests.
Section 2(d) would require the federal
agency proposing a rulemaking that would have a "significant
privacy impact on individuals, or a privacy impact on a substantial number of
individuals"
to ensure individuals have been given an opportunity to participate. Agencies could do this by taking steps such
as announcing the rulemaking's
potential privacy impact in publications with a national circulation, holding
public hearings and conferences, and directly notifying interested individuals.
Section 2(f) would allow
individuals who are "adversely
affected or aggrieved"
by final agency action to obtain judicial review of compliance with the
procedures for final privacy impact statements.
Section 2(e) would require a periodic review of rules that have a "significant
privacy impact on individuals, or a privacy impact on a substantial number of
individuals"
to determine whether a rule can be amended or rescinded to minimize an adverse
privacy impact. Such review is required
to take place within ten years of the date of enactment of the regulation. Agencies are also required to publish plans
for these reviews in the Federal Register and invite public comment on whether
the rule should be rescinded or amended.
What the bill would not do:
The Defense of Privacy Act would take
important steps to protect privacy.
Equally important, however, the legislation would not undermine
the government rulemaking process or inhibit important government policy goals.
First, the bill does not create new
substantive legal standards for the use and disclosure of individually
identifiable personal information within the federal government. The Privacy Act and other federal statutes
continue to regulate the use and disclosure of personal information held by
federal agencies. Sections 2(a) and (b)
of the bill simply offer criteria that would be used to measure the privacy
impact of any particular regulation.
Second, the bill does not give an
individual the power to force an agency to adopt a particular policy
alternative. The final privacy impact
analysis requires agencies to articulate the available policy options and state
why one alternative was selected over the others. But, the bill does not require the agency to
adopt the alternative that is least intrusive on privacy.
Third, the bill is not overly
burdensome and would not hinder the efficiency or functioning of federal
agencies. The legislation only applies
to rulemaking, not to the vast amount of administrative action that falls
outside the formal rulemaking process, including adjudication, informal action,
and guidance. Law enforcement agencies
would continue to be able to investigate crimes and track down criminals just
as they do under current law. In
addition, a privacy impact analysis would only be required if a rulemaking is
required in the first place. The APA
includes exceptions that exempt certain agency functions from the rulemaking
process altogether, including when rulemaking procedures are "impracticable, unnecessary, or contrary
to the public interest." In addition, privacy impact statements could
actually increase efficiency by cutting down on privacy debacles like the
proposed KYC regulation. Lots of
government resources were wasted on that proposed rule because there was little
to no consideration of privacy in the development of the proposed regulations.
Fourth, the bill would not result in
an overwhelming amount of litigation.
Judicial review is limited to review of agency compliance with the
procedures related to the final privacy impact statement. It does not provide individuals a right to
sue over substantive decisions the agency makes in the final regulation. In 1996, the Small Business Regulatory
Enforcement Fairness Act established the same judicial review provisions in the
RFA as are included in this legislation.
Pub.L. 104-121.
Finally, the legislation includes the
same waivers available under the RFA.
Privacy impact statements would not be required when emergencies make
compliance "impracticable."
Conclusion
The ACLU strongly commends Chairman Chabot (R-OH) for introducing this important bill. We urge other Members to join them in support
of a good government measure that would enhance individuals' privacy.