It is time for federal chief privacy officers
As the Biden administration organizes a new government, we have an opportunity to institutionalize privacy as a top priority across government. The mounting threats to privacy and cybersecurity are serious. New, more powerful surveillance capabilities continue to appear in a relentless stream: “modernized” biometric collection programs; advanced uses of artificial intelligence; acquisition of sensitive information from data aggregators; and broader sharing of intelligence information — to name only a few. Unsurprisingly, the increased collection, sharing, and retention of personal information exacerbates cybersecurity risks, as illustrated by the data breach of U.S. Customs and Border Protection’s travelers photo database. In many respects, privacy and cybersecurity are inextricably intertwined.
Among the organizational changes the Biden administration should consider is the establishment of agency Chief Privacy Officers (CPOs). The CPO should be a full-time position reporting directly to the agency head and responsible for the agency’s privacy policies and practices. Each CPO must also be empowered with authority to oversee and address all privacy issues across the agency, including the power to investigate and enforce compliance. While some agencies have a Senior Agency Official for Privacy, or Civil Liberties and Privacy Officer, current officials often lack the tools to oversee the full range of privacy issues, and many are low on the organization chart. By creating and elevating the CPO role, agency heads will better ensure privacy issues are seen, heard, and prioritized, thereby increasing the likelihood that they are handled appropriately and consistently across the federal government.
The modern privacy officer is a policymaker. Today, a hodge-podge of laws like the E-Government Act of 2002 and Privacy Act of 1974 require existing privacy officials to assess an agency’s creation of databases, collection of personal information, and compliance with Freedom of Information Act responses. The roles and responsibilities created by these authorities unfortunately fail to reflect a modern reality: agency policy decisions beyond the collection or release of personal information significantly impact privacy. The CPO’s chief task is to facilitate the agency’s mission while serving as an advocate for the proper treatment of the personal data of the public.
Agencies organize privacy roles inconsistently. Some, like the Department of Justice, assign responsibility to an Office of Privacy and Civil Liberties reporting to the deputy of the agency, while others, like the Department of Treasury, place their Privacy Office four layers below the deputy in an office of Privacy, Transparency, and Records. In other agencies, privacy is often relegated to the Chief Information Officer. In most instances, these are part-time assignments: at FBI, the senior privacy officer serves in several different capacities within the General Counsel’s Office overseeing compliance, ethics, contracting, asset forfeiture, and privacy (without even a website). This disparate positioning of privacy responsibilities across government creates inefficient reporting structures, ineffective control mechanisms, and a general lack of authority over privacy and civil liberties issues, ultimately leading to inadequate oversight within the agencies and government-wide.
By establishing CPOs that report directly to agency heads, each agency head can proactively address important privacy and civil liberties issues as they develop in policymaking, operational, and compliance activities. For instance, if FBI’s privacy and civil liberties unit had been provided enough authority and oversight, it might have been proactively informed about surveillance of Black Lives Matter activists last year. If appropriately empowered, it could have conducted an initial privacy and civil liberties assessment and reported those findings to the FBI director, particularly since the Privacy Act and FBI procedures bar investigations solely based on First Amendment-protected activities.
As a member of the Privacy and Civil Liberties Oversight Board, I have seen first-hand how disempowered, insufficiently staffed, and under-resourced privacy offices impede timely and comprehensive oversight. While the Intelligence Community privacy and civil liberties officials with whom I have worked are very knowledgeable and talented, some offices have only one or two people responsible for the entire agency’s protection of privacy and civil liberties. At one agency, for example, we have been informed in two successive years that the privacy officer would be on leave for three weeks in December, thereby delaying our oversight investigations until the new year. At DOJ, the privacy and civil liberties officer, who previously sat with the Deputy Attorney General’s Office, is now a subway ride away and has held acting status for more than four years. Empowering privacy officers with permanence, proximity, and sufficient resources is critical to effective oversight, whether by Congress or my board.
Incoming agency heads now have an important opportunity to evaluate the structure of their agencies. The creation or elevation of CPOs reporting to agency heads and empowering those officers to oversee all privacy policies and practices across the agency are first steps towards a whole-of-government approach for ensuring that privacy gets the attention it rightly deserves.
Travis LeBlanc is a board member of the United States Privacy and Civil Liberties Oversight Board, an independent executive branch agency tasked with ensuring that national security activities appropriately safeguard privacy and civil liberties.