Options for Promoting Privacy on the National Information Infrastructure. 2. Creation of a Federal Entity without Regulatory Authority


Several of our trading partners have demonstrated that a privacy entity need not have regulatory authority to be effective.

Non-regulatory agencies can be created either through Congressional action or by Executive Order. For example, the United States Office of Consumer Affairs (OCA) was created by Executive Order.259 The National Telecommunications and Information Administration (NTIA) was originally created by Executive Order to serve as the Executive Branch agency responsible for advising the President on telecommunications policies.260 Both the Office of National Drug Control Policy and the Domestic Policy Council were originally created by Executive Order.261

There is a great deal of flexibility with respect to the functions that such agencies may perform, their placement in the government, and the formalities needed to establish such entities.262 Non-regulatory agencies reside either in the Executive Office of the President or in an existing executive branch agency, although in some cases they have been established in the legislative branch.263 A federal agency could have as much or as little independence as Congress or the President were willing to bestow. Likewise, the size of such an agency could be tailored to the functions assigned to it. This flexibility probably decreases the time needed to get such an entity operational.

Even without regulatory authority, federal offices can be quite influential. An entity with advocacy, ombudsman, representational, coordination and/or advisory responsibilities could still contribute significantly to the debate about information privacy in the digital environment. The "bully pulpit" role can extend to the private sector and into the international arena as well. Moreover, when an entity is established to serve as a focal point for government action in an area of serious public concern, it can be well positioned to achieve uniformity of approach among disparate agencies and to provide a single point of contact in the United States for dealing with state and foreign governments as well as international organizations.

On the other hand, offices created by Executive Order can be eliminated or moved to less visible positions as easily as they can be created. Lacking de jure authority, the influence of an office is dependent on the office-holder's connections with the President. And where office holders are appointed by and accountable to the President and serve at the pleasure of the President, they may be seen as lacking sufficient independence.

A non-regulatory privacy entity could have all, or some, of the functions described below.

Coordination. A privacy entity could coordinate domestic privacy policy as it applies to the public sector, the private sector, or both. A privacy coordinator could be tasked with ensuring that federal agencies protect privacy in consistent ways with respect to data held by the government. For example, many federal agencies collect debts owed to the government, an activity that relies on significant information about an individual's location and assets; a coordinating entity could ensure that agencies collect debts in ways that reflect an appropriate respect for privacy. A federal privacy coordinator might also have the task of coordinating federal agency privacy initiatives that affect the private sector to avoid duplicative efforts or unnecessary burdens on the private sector. In this task, a privacy coordinator might also help to ensure that important problem areas do not fall between the cracks at the federal level.

There appears to be little down-side to better coordination of privacy initiatives at the federal level, although coordination could probably be improved without creating a new entity.

Representation. A federal privacy entity might also represent the President's views on privacy both domestically and internationally. Domestically, a federal representative or spokesperson might work with state and local government representatives. Likewise, a privacy spokesperson could serve as the U.S. representative in international privacy disputes. This might help alleviate a current deficiency cited by numerous countries and international organizations: the lack of a single U.S. point of contact on privacy matters. Currently, if a foreign office wants to understand U.S. privacy policies, it must query literally dozens of federal agencies. A federal privacy representative could serve as a centralized location to which foreign governments could look when dealing with information privacy issues, which might well facilitate international relations with respect to transborder data flows.264 Finally, a privacy representative could fulfill a public speaking role to raise awareness of and promote the use of fair information practices in the public and private sectors.

Again, there appears to be little down-side to more coherent representation in addressing this increasingly global issue.

Advocacy. A federal privacy advocate might be given broad authority to advocate and promote the use of fair information practices by federal, state, and local governments, and the private sector. A number of our trading partners have adopted this approach by establishing data commissioners. A federal privacy advocate would have responsibility for articulating the privacy implications of proposed policy or legislation and would be, in effect, a privacy lobbyist. In the course of investigating citizen complaints, data commissioners typically perform a range of functions, including advocacy. For example, some conduct audits, provide advice to business and government, and make recommendations for improved data protection techniques.265 As advocates, the data commissioners might be called upon to testify about proposed regulations and legislation that will impact privacy values.

One drawback of this approach, however, is that industry might perceive a privacy "advocate" as having a predetermined bias in weighing privacy values with data flow values. This perception might diminish industry's recently demonstrated willingness to exchange ideas and information freely with federal representatives and privacy advocates.

Ombudsman. A federal privacy entity could itself act as the plaintiff's lawyer for a citizen whose privacy has been unfairly or unreasonably invaded. It could press individual cases or litigate on behalf of groups that have been harmed.266 In fulfilling an ombudsman function, the entity might simply advise parties on how to resolve their dispute, act as a prosecutor, or be the actual decision maker (as in binding arbitration). Again, our trading partners have followed this model where data commissioners act as agents of the legislature, and mediate relations between data subjects and data users.267

In a country with the population of the United States, the number of anticipated complaints would be extremely high, and the ombudsman role, if not limited, could quickly absorb all the resources of a privacy entity. Even if the entity could choose which disputes to handle, the mere processing of the requests would likely be time consuming and costly. Additionally, any entity that precluded or decreased access to the courts runs contrary to the U.S. tradition of self-help and judicial enforcement and could well prove counterproductive by reducing the likelihood that unfair information practices are prosecuted.

Advice. A privacy entity could perform an advisory function in the public sector, the private sector or both. Such an advisory role could be confined to coordinating domestic policy or could extend to the international arena. Advisory commissions can be composed of governmental or non-governmental representatives who are tasked to study a particular federal issue. They may be temporary or permanent. At the government level, advisory committees often consist of a special purpose inter-agency task force, consisting of representatives of agencies that play a major role in the development and implementation of federal policy in a particular area. The President's Information Infrastructure Task Force is an example of this type of advisory organization. To the extent that specific issues can be identified for inter-agency consideration, interagency task forces can be effective.

Education. A privacy entity could be created to conduct (or fund) research designed to assist policy makers and educate consumers and businesses about personal privacy. Such an entity might issue periodic reports on the state of privacy in the United States and propose solutions for any problems identified. Most privacy organizations in other countries prepare such reports. For example, the French National Commission on Informatics and Freedoms submits an annual report to the President and to Parliament. The Data Protection Commission in Germany publishes an annual report to the national legislature, and the British Data Protection Registrar reports annually to the House of Commons.

Public education efforts, aimed at both business and consumers, might facilitate a market-based response to those who ignore reasonable consumer expectations about the use of personal data. And, in the event that market-based solutions fail, the research would be available to inform the development of legislative or regulatory responses.

Education and research efforts of this sort are both useful and worthy. But it must be recognized that agencies with privacy responsibilities are already undertaking research of this sort to fulfill their statutory obligations. For example, the FTC's Privacy Initiative has, to date, involved a significant research and education function. With this research in hand, the FTC is in a better position to pursue its consumer protection mission in cooperation with business and consumer advocates. Likewise, the NTIA is currently collecting valuable information about effective self-regulation that will inform government privacy policy in the telecommunications sector. A centralized privacy think tank would likely duplicate or replace research and education programs currently underway. To the extent that additional funding and personnel are devoted to privacy, they may be better applied to roles not currently filled by government agencies with specific sectoral responsibility and expertise.

