Obama Order on Privacy A Small But Positive Step Toward Better Privacy Oversight
President Obama today issued an executive order establishing a “Federal Privacy Council” made up of the senior privacy officials from each cabinet agency. This is not a breakthrough, but it is a good step toward something that is sorely needed in the United States: the institutionalization of privacy protection.
What the United States really needs is a full-fledged independent privacy enforcement institution or institutions. Of the world’s 27 wealthy OECD democracies, the United States is the only one that doesn’t have some form of independent privacy commissioner (as of 2009 Korea and Japan did not, but I believe they have since created such posts).
This new Privacy Council falls far short of that, but truly independent privacy oversight is something that must be created by Congress. And while independent oversight is crucial, there is also an important role for privacy officials inside the executive branch. In 2009 we issued an ACLU report with recommendations for what independent privacy oversight could and should look like in the United States. We called for three major steps:
- Creation of an independent oversight institution for the private sector. This could take the form either of a brand-new independent agency, or statutory expansion of the mission of the FTC to give it the full powers of a full-fledged privacy commission.
- Creation of an independent oversight institution to cover the government. For government privacy, we called for the existing Privacy and Civil Liberties Oversight Board (PCLOB) to be strengthened and expanded; currently its mandate only extends to agencies fighting terrorism. That mandate should be expanded to cover all government privacy issues, and the board should be given the staff and budget to match (this is an agency that should occupy a large building here in Washington). Unfortunately, that has not yet happened—and Congress has actually taken one step in precisely the wrong direction by enacting a measure to weaken the PCLOB.
- Supplement the PCLOB with strong internal privacy officers. Independent oversight is crucial, but oversight officials within an executive agency can also supplement the role of independent officials. Because agency privacy officials report to the agency head and face internal pressures, they are not likely to go running to the media when they disagree with policy. But as trusted insiders, they can play an important role representing privacy interests in internal deliberations. As Bill Clinton’s White House Privacy Counselor Peter Swire put it, when you’re trusted on the inside “you can block a lot of dumb proposals.”
President Obama’s action today pushes the ball forward on this last front, raising the importance of these “Senior Agency Officials for Privacy” (SAOPs) who will make up the Federal Privacy Council. This is a designation that was created in 1998 by President Clinton, who issued a memorandum requiring all agencies to identify a senior official to “assume primary responsibility for privacy policy.” A 2005 OMB memorandum further cemented the role. But under these orders, any senior official could be designated SAOP, including those with other primary responsibilities such as being an agency’s Chief Information Officer. As a result, privacy has sometimes been an afterthought for those ostensibly in charge of it. Obama’s order directs the OMB director to “issue a revised policy on the role and designation” of the SAOPs, to “provide guidance” on the SAOP’s “responsibilities at their agencies, required level of expertise, adequate level of resources, and other matters as determined by the director.” We’ll have to see what emerges from OMB, but this language ordering a “revised” role suggests that the president intends for the role of SAOP to become more formal, rigorous, and important.
The creation of the Council could be helpful as well. Joining privacy officials from different agencies into a formal structure can help make those officials become more effective defenders of privacy within their agencies. In addition to promoting collaboration and the sharing of lessons and best practices, as the EO points out, the strengthening of a privacy officer peer group can help shame weak officials into standing tougher for privacy. These kinds of human factors are not to be underestimated.
One problem with the new order is that it contains no transparency requirements. One of the functions of the Privacy Council is to “develop recommendations” for OMB on federal “privacy policies and requirements.” It would be nice if the EO required the council to make such recommendations public, and perhaps to solicit input from the public on what the recommendations should look like. It is true that trusted insider privacy officials can be a good complement to outside independent oversight structures—but right now independent structures are still absent or inadequate.
It’s important to institutionalize privacy because even with the world’s greatest laws on the books protecting privacy, without actual institutions to support and enforce them, such laws tend to wither away over time in the great ongoing evolutionary swirl of law and practice. We’ve seen this, for example, with the great-on-paper but now-very-weakened Privacy Act of 1974. Laws without institutions to enforce them and defend them are like no laws at all—especially a law governing something like privacy, where the pressures for violation are strong and constant.
We are starting to see a real institutional privacy infrastructure begin to form in the U.S. The FTC is stepping up its involvement in privacy, and the PCLOB has played an important role in the ongoing debate over NSA spying. Again, today’s executive order doesn’t represent any kind of breakthrough in the protection of privacy in the United States, but it is a significant incremental advance in the construction of a much-needed institutional infrastructure for the protection of privacy. President Obama is to be commended for taking these steps. But we have far to go.