Privacy Decisionmaking in Administrative Agencies
Author(s): Kenneth A. Bamberger and Deirdre K. Mulligan
Abstract: Administrative agencies increasingly rely on technology to achieve substantive goals. Often this technology is employed to collect, exchange, manipulate and store personally identifiable information, raising serious concerns about the erosion of personal privacy.
Congress has recognized this problem. In the E-Government Act of 2002, it required administrative agencies to conduct privacy impact assessments (PIAs) when developing or procuring technology systems that handle personal information. Despite this new requirement, however, agency adherence to privacy mandates is highly inconsistent.
In this paper, we ask why. We first explore why both process requirements and traditional means of political oversight are often weak tools for ensuring that policy reflects privacy commitments. We then consider what factors might, by contrast, promote agency consideration of privacy concerns.
Specifically, we compare decisions by two federal agencies – the Department of State and the Department of Homeland Security – to use RFID technology, which allows a wireless-access data chip to be attached to or inserted into a product, animal, or person. These two cases suggest the importance of internal agency structure, culture, and personnel, as well as alternative forms of external oversight, interest group engagement, and professional expertise, as important mechanisms for ensuring bureaucratic accountability to the secondary privacy mandate imposed by Congress.
The analysis speaks to debates in both public administration and privacy protection. It implicates disputes over the efficacy of external controls on bureaucracy, and the less-developed literature on opening the black box of administrative decisionmaking. It further offers insight into pre-conditions necessary to advance privacy commitments in the face of social and bureaucratic pressure to manage risk by collecting information about individuals. Finally, it offers specific proposals for policy reform intended to promote agency accountability to privacy goals.
Keywords: Privacy, Administrative Law, Regulation, Decisionmaking, Accountability, Department of Homeland Security, Department of State, Administrative Agencies, Technology, RFID, Privacy Impact Assessment, PIA, E-Government Act, e-Passport, US-VISIT