Congress passed the Privacy Act39 after the Watergate break-in, and against its backdrop of governmental misuse of personal information.40 The Act restricts the collection, use, and dissemination of personal information by federal agencies. The Privacy Act first limits federal collection of personal data to information that is "relevant and necessary" to accomplish a purpose of the agency.41 Federal agencies must also establish safeguards to ensure the security and confidentiality of records.42 Unless a proposed disclosure falls within enumerated exceptions, the Privacy Act prohibits disclosure of that information without the prior written consent of the data subject.43
The Privacy Act generally applies only to federal records that are retrieved by name or other personal identifier.44 It protects U.S. citizens and permanent residents, but does not apply to foreign visitors, undocumented aliens, corporations, or other organizations.45 Under the Privacy Act, individuals have the right to access agency records containing information about themselves,46 and the right to request amendment of information that is inaccurate, irrelevant, untimely, or incomplete.47 The Act provides civil remedies including injunctive relief for most violations,48 and criminal penalties for knowing and willful violations of the Act.49
The Act permits agencies to disclose records without consent when the disclosure is "compatible" with the purpose for which the information was collected.50 Federal agencies have been repeatedly criticized for over-broad application of this "routine use" exception.51 Critics contend that agencies have ignored the requirements of a close nexus between the purpose of information collection and its proposed routine use.52 Court attempts to close this loophole have had mixed results. One commentator notes that "[t]he Act has produced mechanisms for coping with paperwork, instead of the altered behaviors of bureaucrats and individuals that were anticipated" and that "it became clear from several years of experience, the compromises and exceptions of the 1974 Act erected the facade of a major bill of rights for individuals, against the reality of a 'paper tiger' privacy statute."53
39. The Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896, 5 U.S.C. § 552a (1994).
40. See Bennett, supra note 27, at 72-73 ("The Privacy Act would not have been passed in 1974 had it not been for Watergate. Its enactment was seen as part of a wider effort to open up the executive establishment and cleanse the government of the murky and conspiratorial influences of the Nixon White House."); James T. O'Reilly, Federal Information Disclosure § 20.01, at 20-5 (2d ed. 1995) ("Computerization had an essential role in passage of the Privacy Act because record retention systems were less threatening to the public and Congress when hand-held index cards required hours of search and retrieval.").
41. 5 U.S.C. § 552a(e)(1).
42. 5 U.S.C. § 552a(e)(10).
43. 5 U.S.C. § 552a(b).
44. The provisions relating to disclosure of Social Security Numbers, contained in Section 7 of the Act, however, apply to federal, state, and local government agencies. 5 U.S.C. § 552a (note).
45. Office of Management and Budget, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 28951 (1975).
46. 5 U.S.C. § 552a(d)(1).
47. 5 U.S.C. § 552a(d)(2).
48. 5 U.S.C. § 552a(g).
49. 5 U.S.C. § 552a(i).
50. 5 U.S.C. §§ 552a(a)(7) & (b)(3).
51. See Privacy Protection Study Commission, The Privacy Act of 1974: An Assessment 91-93 (1977); Committee on Government Operations, Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by Congress, H. Rep. No. 98-455, at 41-5 (1983); Bennett, supra note 27, at 108-09; David Flaherty, Protecting Privacy in Surveillance Societies 323-24 (1989).
52. Schwartz & Reidenberg, supra note 9, at 96-98.
53. O'Reilly, supra note 40, at 20-1 & 20-5.