Programs Home : Markle Programs : National Security : Projects : Rules
Health
Projects
National Security
Projects
Program Highlights 1999-2004

RULES GOVERNING ACCESS TO PRIVATE SECTOR DATA

As part of its consideration of how the government can most effectively utilize private sector data while protecting civil liberties, the Task Force thought it would be useful to develop a fuller understanding of the laws that currently apply to the government's access, retention, and use of such data. In particular, we wanted to understand what rules apply to the many different types of information collected by the private sector in the course of ordinary commerce, sometimes referred to as transactional data - data about financial matters, travel, credit card purchases, mailing lists, and so on. By way of comparison, we also wanted to understand the rules that apply to the commercial sector's own use of such information. Accordingly, we developed, through the principal authorship of the Center for Democracy and Technology, two charts (or matrices) that present an overview of the laws covering both governmental and commercial use of transactional data as well as other sorts of data (including telephone and email communications, education records, etc.).

THE CHARTS

The two charts (links provided below) present an overview of the laws, with pop-ups giving greater detail and/or actual statutory language. We looked at 8 potential constraints on access to and use of data that are found, to varying degrees, in U.S. laws. These principles include:

Notice

  • should a person be notified about what information on him/her is being collected or used
  • must the notice be given before or at the time of collection, or can it be given at some later date?

Collection limits

  • must the collection be confined to data relevant to a particular purpose?
  • what are the standards for access or collection?

Retention limits

  • how long can data be kept?

Data quality

  • can an individual insist that data about him/her be accurate?

Access

  • is an individual entitled to see what data is held about her/him?

Not all of these principles are applicable to all kinds of usage, and there are differences between the needs of government users and commercial users of data. In particular, many of the principles apply quite differently in the law enforcement and intelligence contexts than elsewhere. Nevertheless, the charts provide a useful framework for thinking about data access and use.

We have prepared two charts:

  1. Government Access and Use: What laws define the government's power to obtain and use, for law enforcement or intelligence purposes, personally-identifiable information held by commercial entities? This analysis starts from the constitutional principle that (except for the content of wire or electronic communications), information held by third parties is not constitutionally protected. Instead, Congress has enacted statutes setting some rules for government access to or use of some kinds of data.
  2. Commercial Access and Use: What laws govern commercial entities when they seek to obtain and use personally identifiable information (in the absence of consent) for use in risk assessment or other commercial applications?

Explanatory Notes

What's Not Covered

These charts do not offer any judgment as to what kinds of information would be most useful to the government for counterterrorism purposes. Our charts cover, by and large, the kinds of records that are regulated. Many others kinds of data may be unregulated. Some of the regulated records (e.g., cable viewing) are among the least useful for counterterrorism purposes. Other unregulated records may be more useful. Some of the most useful may already be compiled in formats easily accessible to the government. As the Task Force's second report recommends, the government should carefully determine what data would be most useful and where it can be obtained.

The charts do not address government records (driver's license, census, tax, Social Security, immigration, licensing, etc). They also do not cover compulsory reporting situations: i.e., they cover financial records, but not the data that banks are required to report to the government for anti-money laundering purposes (such as Suspicious Activity Reports (SARS)) and how that data might be used for counterterrorism purposes

The charts also do not cover records that are publicly available to any member of the public without a fee, such as telephone directories, material available via Google on the Web, or property ownership records that are available for inspection at government offices and increasingly online from government websites.

The charts do not consider the practical ease or difficulty with which the government can access the data. In the case of the telecom sector, 1994 legislation affirmatively requires telecommunications common carriers to design their systems to ensure real-time government access to content and transactional data on a real-time basis. In all other categories, the government has authority to compel disclosure only of what the commercial entities have collected for business purposes. But increasingly, businesses see an opportunity in compiling and formatting sets of data for easy government access on a subscription basis.

Another question that's not covered is whether the government is required to pay for work done by a company in complying with a compulsory disclosure order. In general, the government must reimburse telephone and Internet companies for the cost of real-time interception.

The categories

The telecom/Internet content category is covered by several different laws, but we folded them into one category. Overall, those laws set high barriers to government access, since constitutionally the content of electronic communications is deemed entitled to full protection from government surveillance without a warrant.

One of the most important privacy laws governing commercial data is the Fair Credit Reporting Act. The Act does not cover only one's credit record. It covers all kinds of data, including data about lifestyle and criminal history records and bankruptcy records, not only when it is used to determine credit worthiness but also when it is used for employment screening and decisions to issue insurance. The world of data warehousing and data use has changed a great deal with computerization, but the credit reporting agencies used to be the main repository for personal information collected and exchanged for a range of very important purposes, and Congress set some fairly strict rules to protect individuals in the use of this data. To convey this, the chart breaks out three categories of data covered by the FCRA.

Also, the old data protection categories along the top of the charts are to some extent outdated by the changes in technology and the business of aggregating data. The charts focus on the government's ability to compel disclosure of data. But there are growing categories of data that the government can purchase - even subscribing to online services that give instant access.

The charts

Task Force member Jerry Berman, at the Center for Democracy and Technology, and his colleagues, CDT executive director Jim Dempsey and CDT staff, first drafted these materials for the Task Force. Other Task Force members, including Stewart Baker and Executive Director Michael Vatis, contributed input.

 
(Advanced Search)
Markle Foundation
10 Rockefeller Plaza, 16th Floor · New York, NY 10020-1903 · 212.713.7600 · Fax 212.713.7649
About Us | Markle Programs | In the News | Collaborators | Resources & Publications | Events
Site Map | Contact | FAQs | Online Privacy Policy | ©2004-2008, The Markle Foundation® | Produced by SwandiveDigital