Options for Promoting Privacy on the National Information Infrastructure. 1. Creation of a Federal Entity with Regulatory Authority.


Regulatory bodies are established to respond to complex issues of national importance. Typically, regulatory entities operate as quasi-legislative, quasi-judicial organizations empowered both to promulgate and enforce rules governing conduct within their sphere of jurisdiction.

Regulatory agencies may exercise broad powers. They are able to initiate, monitor, and coordinate the regulation of one or more sectors of the economy based on detailed experience with its particular characteristics. They control private conduct by promulgating and implementing regulations and by imposing sanctions on those who violate such rules and regulations. Often regulatory agencies are authorized to investigate and disclose information about private actors. Their sphere of influence may extend to both the public and private sectors as well as to the domestic and international arenas.

There are some regulatory agencies known as "independent agencies" that are isolated from the integrated administrative structure of the executive branch.255 Neither the President nor any cabinet secretary has direct supervisory authority for such agencies. Independent regulatory agencies are generally headed by three or more commissioners or board members, appointed by the President and confirmed by the Senate for fixed terms. Typically, such members may be removed from office only for cause.256 To further isolate independent agencies from political influence, membership qualifications or the partisan political balance of the agency may be established by law. Although agency adjudications are subject to judicial appeal, an independent regulatory agency is generally free to set its own agenda within the constraints of its organic statute.

Regulatory agencies may be placed within executive branch departments but remain "independent" if the head of the agency can not be terminated at will. The Federal Energy Regulatory Commission, for example, resides within the Department of Energy.257

Executive branch regulatory agencies also have broad powers to establish rules of conduct applicable to particular sectors. Executive branch agencies are less isolated from political pressure, however, because the agency head may be removed from office by the President at will. Executive branch agencies may be established by Congress, as well as by executive order, presidential reorganization plan, or departmental order so long as it is based on the requisite legislative imprimatur.

Regulatory agencies -- independent or otherwise -- are powerful and have the ability to change practices swiftly through rulemaking and adjudication. Creation of a regulatory agency to deal with privacy concerns is likely to respond to many of the objections listed in Section IV. It would reflect an omnibus rather than a sectoral approach to privacy, and would establish privacy as one of the primary missions of a federal agency. Such an agency's regulatory mandate would likely be proactive, based on a legislative articulation of fair information practices. Regulatory agencies usually have adequate tools, especially adjudicatory tools, to enforce regulations within their jurisdiction. Finally, especially in the case of an independent agency, the entity would have some protection from the ebb and flow of politics.

On the other hand, there are several significant drawbacks to creation of a new independent regulatory agency.

First, a centralized approach is inconsistent with our traditional sectoral approach to privacy protection. A one-size-fits-all alternative may not be sufficiently responsive to the sector specific implication of a particular information practice. Privacy today has become a complicated matter and is expected to become increasingly so with the continued expansion of the GII. Different areas of information privacy raise very different concerns and priorities. They also require different types of expertise to address them in a meaningful manner. The agencies currently involved with privacy issues are dealing with specific areas of privacy that these agencies are uniquely qualified to handle (e.g. privacy issues arising in consumer transactions, in telecommunications, in law enforcement, in government records, etc.).

Second, independent regulatory authority is already vested in and exercised by a number of federal bodies. For example, the FTC's mandate is to protect consumers against unfair and/or deceptive commercial practices. The FCC has regulatory authority with respect to telecommunications, just as the Federal Reserve has rulemaking authority with respect to banking matters. Creating a separate privacy entity could produce confusing overlap, possible duplication of efforts, or even inconsistent rules and regulations.

Third, regulatory agencies with quasi-judicial and quasi-legislative authority tend to be expensive, and there is no reason to believe that this would not be the case here. Complex information issues arise across an increasingly diverse range of the public and private sectors. As such, a privacy entity tasked with regulating the privacy universe might be called upon simultaneously to regulate banks (because of financial records), private mail services (because they may possess transactional data), the telecommunications industry (because of electronic surveillance), the medical community (because of medical records), and catalog companies (because of targeted mail and transactional data). It would take a significant -- and expensive -- bureaucracy to carry out such a mandate.

A somewhat less costly alternative might be to house broader privacy responsibilities in one or more existing independent agencies. Some of these agencies are already involved with a variety of privacy issues both in-house and in interactions with the private sector and the international communities. As such, these agencies already have some knowledge of, and experience in, dealing with certain kinds of privacy issues. Additionally, it may well be easier and less costly to create an entity within an already existing organizational framework.

Placement of a privacy entity in an existing agency, however, has an additional drawback. No existing federal agency is dedicated exclusively to, or focused exclusively on, privacy; indeed, their primary mission is something other than privacy. As such, privacy would have to compete with other agency priorities for funding and personnel. The competing responsibilities of the larger organization could well dilute the effectiveness of the privacy entity.

Fourth, creation of a privacy entity with significant regulatory authority goes against the grain of a smaller government that is favored by the American public today. As President Clinton and Vice President Gore stated in connection with the National Performance Review:

The answer for every program cannot always be another program or more money. It is time to radically change the way the government operates -- to shift from top-down bureaucracy to entrepreneurial government that empower citizens and communities to change our country from the bottom up.258

Creation of a new government agency with regulatory authority is the antithesis of bottom up governance, and its likely that any effort to create a new regulatory body to enforce fair information practices would face considerable public resistance at this time.

255. Kenneth Culp Davis & Richard J. Pierce, Jr. I Administrative law 46 (3d ed. 1994). For example, The Federal Trade Commission Act created the Federal Trade Commission to prevent unfair methods of competition and unfair or deceptive business practices. 15 U.S.C. §§ 42-58 (1994). Likewise, The Commission on Civil Rights Act of 1983 established the Commission on Civil Rights. 42 U.S.C. § 1975 (1994).

256. For example, members of the National Labor Relations Board may be removed only for "neglect of duty or malfeasance in office, but for no other cause." 29 U.S.C. § 53(a) (1994).

257. Department of Energy Organization Act, Pub. L. No. 95-91, § 204, 91 Stat. 565, 571-72.

258. National Performance Review, From Red Tape to Results: Creating a Government that Works Better & Costs Less, (1993), available at National Performance Review Reports (visited Apr. 4, 1997) <http://www.npr.gov/library/nprrpt/annrpt/redtpe93l>.