WASHINGTON — Government officials and advocacy groups are ramping up efforts to rewrite the Privacy Act, claiming that the 1974 law regulating how government agencies manage citizens’ personal information has fallen out of step with more than three decades of technological innovation.
“I think we all know that that law is severely outdated,” said Leslie Harris, president and CEO of the Center for Democracy and Technology here at the digital-rights group’s office.
Today’s event closely follows the release of a report on modernizing federal privacy policies from the Information Security and Privacy Advisory Board (ISPAB), a panel within the Commerce Department comprised of government officials and representatives of the nonprofit, academic and private sectors that advises senior administration and agency personnel on security and privacy issues.
The groups’ recommendations are similar. Both call on Congress to modernize the definition of personal information to account for the ways data is collected, stored and used in the digital age, and for agencies across the federal government to elevate citizen privacy to a higher priority.
“No longer are we in an era of flat files, as we were in 1974,” said ISPAB Chairman Dan Chenok, referring to the musty reams of paper that filled the filing cabinets of yesteryear. “We’re really in an era of relational databases.”
“The fundamentals of the law were correct,” said CDT Vice President Ari Schwartz, who also serves on ISPAB. The Privacy Act, which has only been updated once to account for computerized databases, doesn’t require notification and protections of the scale necessary to cope with a breach of a modern database where hundreds of millions of records could be compromised.
“In 1974 there was no such thing as a single database that had that much information,” Schwartz said. “The idea of a terabyte of information didn’t exist in 1974.”
The move in Congress to update the Privacy Act would be unlikely to couple with efforts currently underway to impose more forceful requirements for how Web companies handle personal information for the purposes of advertising and other forms of consumer profiling.
Broadening the privacy debate to areas that would span the jurisdictions of multiple committees would create the sort of omnibus bill that would be nearly impossible to get through, given the crowded legislative agenda and competing interests that would be involved, said Evan Cash, an aide to Sen. Daniel Akaka, D-Hawaii, chairman of the Subcommittee on Governmental Management.
“At this point, I think we’re looking at it from a standalone point from how do we fix the Privacy Act,” said Cash, adding that Akaka is planning some form of legislation that would modernize federal computing policies.
One aspect of any such legislation would have to deal with the new computing technologies that have reshaped the way businesses are approaching the datacenter. Distributed computing technologies such as virtualization and cloud computing — areas which Chenok noted are “very much at the forefront of the agenda of this administration” — raise a host of privacy questions about how data are stored and classified that weren’t on the table when the Privacy Act was written, or when and it was updated in 1988.
At a recent conference in Baltimore, Federal CIO Vivek Kundra said his staff was working with members of Congress to update the legal framework for moving government data to the cloud.
But it’s not just government computing facilities that are in question. Federal agencies routinely tap into commercial databases, just as commercial entities have access agreements with each other to pool data.
“That’s the most efficient way to do things technologically,” said Chenok. “It happens in the private sector all the time.” But the Privacy Act doesn’t account for the practice — or even apply to most forms of electronic data in use today, leaving the vast majority of the consumer information that is mined government agencies outside the scope of the bill.
In addition to new storage and computing models, the government will also have to update its privacy policies for a host of Web 2.0 tools that are beginning to percolate through the bureaucracy, the groups said this morning.
The requirements the Privacy Act established for notifying consumers about how their data are being collected have also fallen out of date, Schwartz said. Many of those policies were written for legacy systems no longer in use, making them virtually indecipherable even to the IT staff inside the agencies.
“We have a problem with notices today that even the experts can’t figure them out, let alone the individuals whose information is being collected,” Schwartz said.
The ISPAB report (PDF) calls for the Office of Management and Budget to hire a full-time chief privacy officer to spearhead privacy efforts across the agencies. It also recommends that each of the 24 major federal agencies create an in-house position of chief privacy officer.
ISPAB’s report, while it contains several recommendations for steps Congress should take to update the Privacy Act, was drafted for OMB Director Peter Orszag, with copies circulated to Kundra and Kevin Neyland, the acting administrator of the Office of Information and Regulatory Affairs.
CDT went a step farther, drafting a mock bill — the so-called E-Privacy Act — to update the 1974 statute. The group posted its proposed legislation at ePrivacyAct.org, where it has set up a wiki inviting comments and changes to the draft bill’s language.