The Privacy Act of 1974

The late 1960’s and early 1970’s was the heyday of legal privacy as we came to know it in the 20th century. From the Supreme Court first came the family planning cases that made contraception legal in 1965, and which continued up to abortion rights and most recently the decriminalization of sodomy law almost always used against same sex relationships.  Next came a decision that required law enforcement to obtain a warrant for tapping a phone line for content and the subsequent Congressional action to instantiate that decision; those laws are the foundation for the current Electronic Communications Privacy Act.  Consumer protection privacy laws were continuing apace with rules that required companies that kept “scores” on individual’s credit to allow the individual access and the right to correct the record in the event of misidentifications or mistake.   Another flavor of this era is the law that produced one of our better known sectoral laws, FERPA, or the one that protects education records. Often overlooked is the plainly named Privacy Act of 1974.

The Privacy Act protects the records about individuals that various federal agencies collect. Here’s the rule: one agency cannot share those records with another agency, subject to exceptions, such as law enforcement.  For example, the Department of State has the records of my successive passports, including the photographs.  Were I to become a suspect in a domestic law enforcement case, let’s say violation of federal drug laws, I suspect that with proper procedure the F.B.I. could get my passport photo from State.  Likewise, the applicant of U.S. visa could be obtained by the Department of Justice in an immigration case.  Or by the Department of Justice through the FISA Court in a terrorist investigation.  That exception makes sense, setting aside the issue of the lower standard for the FISA Court, and the very existence of a secret court in a democratic republic, for the momentary sake of argument.

In today’s NYT, there is an article about another of Snowden’s disclosures: facial recognition tools that the N.S.A. operates.

From the perspective of national security, I would think it remiss if the N.S.A. did not use these tools.  Heck, Facebook does, why should our government in service of protecting us from criminal activity not!  The privacy perspective does not change that thought, but it adds process to it.  What is the procedure?  How is it documented?  And how are these actions in accordance with the Privacy Act?

The big question: Is the law enforcement exception handled on a case by case basis, for example are the exceptions made about individuals who have crossed the threshold into becoming suspects under either the criminal procedure of the Fourth Amendment or the FISA court?  Or is State and the N.S.A. and DOJ and any other agency sharing or obtaining whole data bases of information about individuals, including photographs, with each other?

If it is the latter, it rings the same bells of concern that arose when we learned that section 215 of the USA Patriot Act was being used to collect all telephony metadata.   In that case, it is still debatable whether it is a legal act.  If in this case agencies are sharing whole data bases, it would seem a clear violation of the Privacy Act.   Could the EFF or investigative journalists help us find out?