The eighth principle of the Privacy Act holds that an institution should be accountable for its personal-data record-keeping policies and practices, or, more specifically, for adherence to the other seven information policy principles. Under the Privacy Act, a Federal agency can be held accountable for its record-keeping policies and practices in several ways. The individual can hold the agency accountable through exercise of his rights to see, copy, and challenge the contents of a record about himself, to review an agency's accounting of disclosures made of a record about him, and to sue for any damages he incurs as a consequence of agency misconduct. In addition, agency employees are subject to criminal sanctions for particular violations of the law's requirements 32
The access, correction, and amendment procedures have been discussed. They appear to work reasonably well, although they have not been widely used. As previously noted, the agencies regard the Act's accounting of disclosures requirement as the most burdensome of the Act's provisions. It represents 26 percent of the operating costs of the Act33 and requires extra effort by agency employees on an almost daily basis. The Social Security Administration, which keeps its accounting of disclosures manually, has stated that to perform the accounting effectively it would have to totally redesign its computer system. In addition, few individuals have asked for an accounting of the disclosures made of a record about them, perhaps because they do not know they have a right to do so. Even when an individual does ask, however, he will not learn about internal agency disclosures, as no accounting need be kept of them.
The civil remedies provided by the Act are similarly ineffective from the individual's point of view. The vast number of systems involved,34 the need to establish willful or intentional behavior on the part of the agency, and the cost and time involved in bringing a law suit, often make enforcement by the individual impractical. Moreover, an individual must show actual injury in all cases except the ones that can be brought to force an agency to allow an individual to see and copy, or correct or amend, a record.
The criminal penalties also require a showing of willfulness and apply only to unauthorized disclosures, failures to publish annual system notices, and obtaining a record from an agency under false pretenses. The circumstances in which an individual can bring suit, his possible reward for doing so, and the instances in which a court can order an agency into compliance with the Act are all too limited to provide an effective accountability mechanism. Consistent with its recommendations in other areas, the Commission believes that a suit should be permitted to force compliance with the requirements of the Act absent a demonstration of injury to, or adverse effect on, the individual and that a court should be able to order an agency to comply.
In many cases, it is simply too difficult to show injury or adverse effect as a result of a violation of the Privacy Act. In the case of a violation of the notice requirements, for example, such a showing is most likely impossible. Even in the case of inaccurate information, it can be difficult to demonstrate actual injury. Hence, the Commission believes an individual should be granted standing without the requirement to show injury. While it could be argued that this will encourage frivolous law suits, experience to date indicates that it is not likely to do so. Moreover, this approach should increase agency accountability and provide agencies with increased incentives to comply with the Act in order to avoid law suits by individuals.
Under the Privacy Act contractors and grantees are not directly liable for violations (although they are subject to the Act's criminal penalties) and the government may indemnify them for any civil liability resulting from their performance of a contract. This defeats the intent of the Act. If the Act's protections are so important that the government is waiving its sovereign immunity and thus subjecting itself to civil liability, it would seem reasonable for the same standard to apply to contractors and discretionary grantees, as discussed earlier. Therefore, the Commission believes that contractors and grantees which fall within the scope of the Act should be made civilly liable under the Act in the same manner that the government makes itself civilly liable; and no official or employee of any Federal agency should include or authorize to be included in any contract or grant any provisions indemnifying the contractor or grantee from civil liabilities under the Act.
In a related area, the Commission's mandate specifically required an examination of "whether the Federal government should be liable for general damages incurred by an individual" when an agency violates his rights under the Act. (Section 5(c)(2)(B)(iii) of Public Law 93-579] This required consideration of whether the current liability standard in the statute which limits recovery to "actual damages" should be broadened. To reach a judgment on the appropriate recovery standard, the Commission needed to answer two questions: (1) what the definitions of actual and general damages are or ought to be; and, (2) what the costs and benefits of each would be were it to be the Act's standard for recovery against the government.
Traditionally, damages have been divided into two classifications, general and special. Compensation for any injury done to an individual is available under a claim of general damages. An individual can make claims for losses due to pain and suffering, for example, even though it is impossible to fix a precise dollar value to such an injury. Special damages, on the other hand, only compensate for injury that has caused clear economic loss to the individual. The Commission has found that there is no generally accepted definition of "actual damages" in American law, but the Commission has concluded that, within the context of the Act, the term was intended as a synonym for special damages as that term is used in defamation cases. For that reason, the Commission believes the phrase "actual damages" should be discarded in favor of the more traditional and clearer term, special damages.
In addition, special damages in defamation cases are more limited than in other situations; the injuries clearly covered by them are loss of specific business, employment, or promotion opportunities, or other tangible pecuniary benefits. Injuries not provided for are those which may be labeled intangible: namely, loss of reputation, chilling of constitutional rights, or mental suffering (where unaccompanied by other secondary consequences).
The legislative history and language of the Act suggest that Congress meant to restrict recovery to specific pecuniary losses until the Commission could weigh the propriety of extending the standard of recovery. It has determined that the arguments in favor of extending recovery to general damages, within dollar limits, appear stronger than the arguments against such extension.
The restriction on recovery articulated in the "actual damage" standard of the Privacy Act reflects the ancient limitation on governmental liability embodied in the principle of sovereign immunity. Arguments in support of this limitation of liability focus primarily on the need to protect the public purse and the problems involved in making the government fully responsible for the vast scope of its operations, which it has no practical means of controlling. One set of counter-arguments to this position derives from notions of fairness, which require both that wrongdoers be responsible for their wrongdoing and that those who benefit from governmental activity be asked to pay the price of their enjoyment, instead of letting that cost fall wholly on the small group of injured parties. Another counter-argument derives from basic notions of social utility. If the costs of government information practices are borne by the government, it is in a better position to decide whether the benefits of the activity outweigh their costs. In other words, restricting liability only restricts the incentive for government to reform its practices.
If the rights and interests established by the Privacy Act are worthy of protection, then recovery for intangible injuries such as pain and suffering, loss of reputation, or the chilling effect on constitutional rights, is a part of that protection. There is evidence for this proposition both in the cases which have already been brought under the Act and in common law privacy cases. Thus, to protect individuals under the Privacy Act more fairly and effectively, while ensuring that recovery does not become too burdensome, and to clarify the meaning of the Act, the Commission recommends:
That the Privacy Act of 1974 permit the recovery of special and general damages sustained by an individual as a result of a violation of the Act, but in no case should a person entitled to recovery receive less than the sum of $1,000 or more than the sum of $10,000 for general damages in excess of the dollar amount of any special damages.
In addition to the individual's enforcement opportunities and the modest oversight role assigned to the Office of Management and Budget (OMB) [Section 6 of Public Law 93-579], the Act also requires that reports on new or materially altered record systems be sent to OMB and both Houses of Congress [5 U.S.C. 552a(o)], and to the Privacy Protection Study Commission. (Section 5(e)(2)(A) of Public Law 93-579] None of these bodies, however, has had the staff nor the consolidated expertise necessary to evaluate each report submitted. Furthermore, there is no agreement on how to assess the potential impact of a proposed system change along the lines called for in the Act, that is:
the probable or potential effect . . . on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the constitutional principles of federalism and separation of powers.[5 U.S.C 552a(o)]
Currently, although this requirement has had the healthy effect of forcing agencies to examine the need for, and the details of, the particular system, the kind of information needed to evaluate it is not always supplied nor is it always presented in enough detail to permit an in-depth and independent evaluation of the system in question.
Given this weak enforcement framework and the flexibility of interpretation many provisions of the Act allow, there are few incentives for more than minimal compliance with most of its provisions. For example, there is a universal lack of post-award monitoring of contractor performance; and as previously noted, many agencies have not established any effective internal compliance monitoring procedure. This can be partly explained by the fact that Congress appropriated no additional funds for Privacy Act implementation. While many of the requirements of the Act represent procedures or steps that the agencies should have been following anyway, there is still cost associated with them.35 In addition, attention to information policy issues is not usually a priority concern of agency personnel. While many employees view the Privacy Act and the issues it raises as important, a sizeable number still see the Act as a nuisance and an impediment to the performance of their agency's missions and functions.