Lawmakers and privacy advocates on Tuesday called on Congress to update the 1974 law that deals with how the federal government gathers, shares, and protects Americans’ personal information, saying the statute has not kept pace with technological changes and provides inconsistent protections.
“Despite dramatic technological changes over the last four decades, much of the Privacy Act remains stuck in the 1970s,” Sen. Daniel Akaka, D-Hawaii, chairman of the Senate Homeland Security’s Oversight of Government Management, the Federal Workforce and the District of Columbia Subcommittee, said during a hearing on the issue. “As a result, the act is difficult to interpret and apply and it provides inconsistent protection to the massive amount of personal information in the hands of the government.”
Akaka has introduced legislation that would revamp the 1974 Privacy Act. Among other things, the bill would update definitions of what information is collected and what can be labeled as available for “routine use” and thus subject to less restriction on its dissemination. In addition, it would create the new position of federal chief privacy officer, require tighter controls over accessing and maintaining data, and increase penalties for misuse of personal data held by agencies.
Akaka also has offered an amendment to cybersecurity legislation that is being debated on the Senate floor this week that aims to enhance privacy protections for information held by the government—for example, by requiring federal agencies to notify Americans when their personal data has been compromised by a security breach. It also includes provisions from his privacy bill, such as requiring the creation of a federal chief privacy officer.
Akaka and others noted several examples of security breaches involving federal agencies, including one earlier this year involving a contractor for the Federal Retirement Thrift Investments Board, which handles retirement accounts for federal workers. Earlier this year, personal information affecting more than 123,000 participants, including Akaka, was compromised after a contractor handling that data was hit with a cyberattack. Akaka noted that the board did not have a breach notification policy in place at the time.
Chris Calabrese, legislative counsel to the American Civil Liberties Union, said that federal agencies are exploiting the loopholes in the Privacy Act by labeling almost all information as “routine,” which means it can be disclosed without having to get a user’s consent. In addition, he noted that the law does not cover information held by private contractors, a concern given that many federal agencies are increasingly using databases controlled by private companies. In addition, Calabrese and others argued for more stringent rules on notifications to people about data breaches. Current rules give “too much discretion to agencies on whether to disclose breaches,” he said.
His concerns were echoed by Greg Wilshusen, director of information security issues at the Government Accountability Office. He argued that without updates to the privacy act and proper implementation by federal agencies of privacy and security protections, “Americans’ personally identifiable information remains at risk.”
Ohio State University law professor Peter Swire, who served as the White House privacy adviser during the Clinton administration, argued for the creation of a federal chief privacy officer. He was the last person to hold such a position and said that the post is necessary to help coordinate privacy policies across federal agencies and at the international level.
Absent legislation to update the Privacy Act, one immediate step Congress could take to improve the protections for information held by the government would be to confirm five pending nominees to the Privacy and Civil Liberties Oversight Board, Swire said. The board was created by Congress to ensure that Americans' privacy and civil liberties are not compromised given the new tools authorized to combat terrorism in the aftermath of 9/11.
The Senate Judiciary Committee in May approved the five nominations to the board, but they are still pending before the full Senate.