Since 1977, criticism has been directed at the government for its inconsistent application of the “routine use” exemption. A congressional blue-ribbon commission reported that federal law enforcement agencies were creating broadly worded routine uses and engaging in quid pro quo arrangements with other agencies, provided they reciprocated with their own versions.
Almost a decade after this report, a congressional assessment labeled the “routine use” exemption as a “catch-all exemption” to the law. In response, Democratic senators introduced a bill aiming to curb this overuse. The bill proposes a requirement that any routine use of private data be “appropriate” and “reasonably necessary,” which could support plaintiffs in future legal actions against government misuse. Additionally, agencies would be mandated to publicly disclose any intended use of Privacy Act records.
Cody Venzke, a senior policy counsel at the American Civil Liberties Union, commented that the bill would allow Americans to sue states and municipalities, expanding the grounds for action to include potential harms. Venzke expressed frustration with court reactions, as they often fail to take data harms seriously or recognize future risks. The bill also expands Privacy Act protections to include anyone physically present in the United States, not just citizens and legal residents, aligning with current federal surveillance restrictions.
A key provision of the bill addresses the government’s use of “computer matching,” a process where individuals’ private records are cross-referenced between agencies to draw new conclusions. Previously, Congress recognized this loophole in 1988, requesting written agreements and evaluating the impact on individual rights before such processes. The proposed changes would extend these protections to various record systems within a single agency, such as the Internal Revenue Service’s differing record systems, and would potentially impact statistical projects if they affect individuals’ rights or employees’ professional circumstances.
Current Privacy Act penalties for improperly disclosing private records impose minimal fines. The proposed bill raises the fine to $250,000 and introduces possible imprisonment for leaking records for personal, commercial, or malicious reasons.
The bill has received support from civil rights organizations, including the Electronic Privacy Information Center and Public Citizen, both of which are actively involved in litigation against current data practices. Senator Markey emphasized the necessity of updating the Privacy Act in the context of current technological advancements and data access practices.
