PRIVACY RULES FOR ACCESS TO PERSONAL DATA
 

What are the privacy laws that apply to government use of personal information in the fight against terrorism? In particular, what guidelines apply to the vast and varied information collected by the private sector in the course of ordinary commerce, sometimes referred to as transactional data - data about financial matters, travel, credit card purchases, mailing lists, and so on? How do the rules for use of this information by the private sector for risk assessment, credit decisions or other commercial purposes compare with the rules on the government's use of the information for counter-terrorism purposes?

Use of personal information to make judgments about people involves issues of privacy - or what are more accurately referred to as fair information practices: how can information be used in ways that are fair, given the potential for mistake or abuse?

CDT has been researching the federal privacy laws and how they might affect data access and analysis by government agencies for counter-terrorism purposes. We have compiled this resource to present these laws in a way that will be readily accessible to non-lawyers but also have depth, reflecting the complexities and nuances of the existing "patchwork" approach to privacy.

The Privacy Rules
 

We have prepared two charts, intended to present an overview of the laws, with pop-ups giving greater detail and/or actual statutory language. We looked at 8 potential constraints on access to and use of data that are found, to varying degrees, in US privacy laws. These principles include:

  • Notice - is a person entitled to be told what information is being collected or used, and must the notice be given before or at the time of collection, or can it be given at some later date?
  • Collection limits - must the collection be confined to data relevant to a particular purpose and what are the standards for access or collection?
  • Retention limits - how long can data be kept?
  • Data quality - is there a right to insist that data be accurate?
  • Access - are individuals entitled to see what data is held about them?

Not all of these principles are applicable to all kinds of usage, and there are differences between the needs of commercial users and government users of data - the principles apply quite differently in the law enforcement and intelligence contexts - but they do provide a framework for thinking about data access and use.

We have prepared two charts:

  1. Commercial Access and Use: What laws govern commercial entities when they seek to obtain and use personally-identifiable information (in the absence of consent) for use in risk assessment or other commercial applications?
     
  2. Government Access and Use: What laws define the government's power to obtain and use, for law enforcement or intelligence purposes, personally-identifiable information held by commercial entities? This analysis starts from the constitutional principle that, except for the content of wire or electronic communications, information held by third parties is not constitutionally protected. Instead, Congress has enacted statutes setting some rules for government access to or use of some kinds of data.
     
Explanatory Notes
 

Red Light, Yellow Light, Green Light

The charts use colors to roughly describe the level of protection: red for high privacy protection, yellow for modest privacy protection, and green for little or no privacy protection. The colors are judgmental and some of our characterizations were close calls, but we hope they help present a comprehensible picture.

What's Not Covered

Our charts do not offer any judgment as to what kinds of information would be most useful to the government for counter-terrorism purposes. Our charts cover, by and large, the kinds of records that are regulated. Many other kinds of data may be unregulated. Some of the regulated records (e.g., cable viewing) are among the least useful for counter-terrorism purposes. Other unregulated records may be more useful. Some of the most useful may already be compiled in formats easily accessible to the government. Further careful study is needed of what data would be most useful and where it can be obtained.

We have not addressed government records (driver's license, census, tax, Social Security, immigration, licensing, etc). We also do not cover compulsory reporting situations: i.e., we cover financial records, but not the data that banks are required to report to the government for anti-money laundering purposes and how that might be used for counter-terrorism purposes.

Also, we did not cover records that are publicly available to any member of the public without a fee. Thus, the charts do not cover telephone directories, material available via Google on the Web, or property ownership records that are available for inspection at government offices and increasingly online from government websites.

The charts do not consider the practical ease or difficulty with which the government can access the data. In the case of the telecom sector, 1994 legislation affirmatively requires telecommunications common carriers to design their systems to ensure real-time government access to content and transactional data. In all other categories, the government has authority to compel disclosure only of what the commercial entities have collected for business purposes. But increasingly, businesses see an opportunity in compiling and formatting sets of data for easy government access on a subscription basis.

Another question that's not covered is whether the government is required to pay for work done by a company in complying with a compulsory disclosure order. In general, the government must reimburse telephone and Internet companies for the cost of real-time interception. Forcing the government to pay for data can be seen as a way of limiting government access.

The categories

The telecom/Internet content category is covered by several different laws, but we folded them into one category. Overall, those laws set high barriers to government access, since constitutionally the content of electronic communications is deemed entitled to full protection from government surveillance without a warrant.

One of the most important privacy laws governing commercial data is the Fair Credit Reporting Act. The Act does not just cover one's credit record. It covers all kinds of data, including data about lifestyle and criminal history records and bankruptcy records, not only when it is used to determine credit worthiness but also when it is used for employment screening and decisions to issue insurance. The world of data warehousing and data use has changed a great deal with computerization, but the credit reporting agencies used to be the main repository for personal information collected and exchanged for a range of very important purposes, and Congress set some fairly strict rules to protect individuals in the use of this data. To convey this, the chart breaks out three categories of data covered by the FCRA.

Also, the old data protection categories along the top of the charts are to some extent outdated by the changes in technology and the business of aggregating data. The charts focus on the government's ability to compel disclosure of data. But there are growing categories of data that the government can purchase - even subscribing to online services that give instant access.

Acknowledgement

The compilation of these charts was conducted under a grant from the Markle Foundation. For further information, see the Markle Task Force on National Security in the Information Age.