Recently, President Obama released a package of cybersecurity reform proposals. Alongside them, he signed a new executive order, “Establishment of the Federal Privacy Council.” The council is to be composed of senior privacy officials from at least 24 federal agencies, including the Cabinet-level departments, NASA and the Office of Personnel Management, and “may also include other officials from agencies and offices, as the Chair may designate.”
The new council is tasked with developing, coordinating and sharing ideas and best practices for federal programs to protect privacy and implement “appropriate privacy safeguards” throughout the administration.
Although the council’s mission is important, this move seems incomplete. First, such a concerted effort to improve privacy protections throughout the federal government should have begun years ago. Had privacy and security protections for sensitive personal data been prioritized, last year’s attack on the Office of Personnel Management might not have done the damage it did: OPM had not encrypted or otherwise protected the records, including fingerprints, of the millions of current and former federal employees affected. (Encryption at rest is only one control and does not by itself stop an intruder who is operating with valid credentials, but it is the most basic safeguard that a database of this sensitivity should have had.)
The OPM breach occurred nine years after an unencrypted laptop and hard drive containing sensitive data on 26.5 million current military personnel, veterans, and their spouses were stolen from the home of a Department of Veterans Affairs employee. That breach led to a push for encryption throughout the federal government, yet the OPM database that was attacked was still unencrypted. The George W. Bush administration should have created such a council then, and the Obama administration should have done so when its predecessor did not.
(It is notable that the Bush administration created the Privacy and Civil Liberties Oversight Board, but that board was originally handicapped by being part of the White House and then, after it became an independent agency within the executive branch, spent years with its seats unfilled, so it could not do substantive work. Recently, the board finally hired a computer scientist as a technology adviser, so that it has an in-house expert on how surveillance technology works. The new hire, Steve Bellovin, is co-director of Columbia’s Cybersecurity and Privacy Center.)
Second, the federal privacy council should also be established in statute, which would give it more authority than an executive order can confer and would keep a future administration from dissolving it by simply rescinding the order. There is precedent: the Department of Homeland Security’s Privacy Office was the first privacy office required by law, created under Section 222 of the Homeland Security Act of 2002, as amended. The DHS Privacy Office must file annual reports on its work, which includes conducting privacy impact assessments of security and surveillance programs.
Third, as a colleague at the ACLU also highlighted, what the United States lacks is an independent privacy enforcement agency with subpoena power to compel evidence and the power to fine and otherwise punish offenders in both the public and private sectors. Alternatively, there could be two independent privacy commissions, one to investigate the public sector and one for the private sector. Such privacy commissions have long been useful for protecting individuals in Canada, the United Kingdom, Germany, Australia, Malaysia and many other countries. Although the Federal Trade Commission and the PCLOB have some authority over private- and public-sector entities respectively, their powers are not broad enough (the FTC’s reach is limited to companies, and the PCLOB’s mandate to federal counterterrorism programs) to give U.S. citizens and residents the kind of privacy and civil liberty protections guaranteed to citizens and residents of countries with fully independent and powerful privacy agencies.
While the new federal privacy council is a good step toward improving privacy and data security protections throughout the administration, it falls short in several key areas. Hopefully, the Obama administration and Congress will work to improve privacy protections for Americans in the ways I outlined above.