First Privacy Officer Calls 'Experiment' a Success

By Sara Kehaulani Goo and Spencer S. Hsu
Washington Post Staff Writers
Thursday, September 29, 2005

Nuala O'Connor Kelly, who won praise for protecting Americans' privacy rights at the Department of Homeland Security but drew criticism for her office's lack of independence, announced she will step down this week after two years as the department's first chief privacy officer.

The ombudsman-like job was created by Congress in 2002 to uphold the Privacy Act within a department that launched a series of ambitious security programs that affect millions of people, including airline travelers, truck drivers and foreign visitors.

Many groups that advocate greater privacy protections feared the chief privacy officer could have become a rubber stamp for the administration's homeland security agenda, but they credited O'Connor Kelly with establishing an office that won respect within and outside the administration.

Former and current colleagues said O'Connor Kelly used a combination of her forceful personality and support of then-Secretary Tom Ridge to ensure that her staff (she oversaw 400 employees) became major players inside the department. She had the general support of, but not the same relationship with, Secretary Michael Chertoff, current and former agency officials said.

"O'Connor Kelly has done a commendable job as Homeland Security's first Chief Privacy Officer considering the limited independence of the job as it was created by Congress," Barry Steinhardt, director of the American Civil Liberties Union's Technology and Liberty Project said in a statement. "But even as strong a privacy officer as O'Connor Kelly could only do so much with the powers that she was given. Her replacement must have a dedicated commitment to ensuring DHS's programs respect a substantial zone of privacy for all Americans, even while they try to enhance our nation's security."

O'Connor Kelly has accepted a position as head of privacy issues for General Electric Co. Her last day at the department is today, she said. The Department of Homeland Security has named Maureen Cooney, O'Connor Kelly's chief of staff, as acting chief privacy officer.

The $140,000-a-year government job, according to O'Connor Kelly, was not an easy one. At times, she was the only woman in a room full of male managers who never had to answer to anyone about the privacy implications of their programs. Creating the office, she said, "was an experiment. Did we succeed? Yes. . . . If the litmus test is the number of people we [ticked] off, then the answer is yes, although that doesn't make it the easiest place to be at times."

Before being named to the job in April 2003, O'Connor Kelly served as legal counsel for DoubleClick Inc., after the Internet company infuriated customers by announcing plans to capture identifying information about computer users who view certain Internet ads.

At the Department of Homeland Security, O'Connor Kelly established the role of the chief privacy officer somewhat like that of an inspector general, but without the legal power and the public platform to criticize her own agency. Instead, she chose to advocate change from within and was aided by her relationship with Ridge, who ensured that the privacy office not only approved various programs but also was involved at the early stages.

Privacy groups said she played a key role in delaying Secure Flight, an airline security program that seeks to know more about airline travelers using commercial databases.

"There was a larger set of skepticism generally about this type of post. It's a unique one in that it's kind of half-inside and half-outside," said Paul Rosenzwieg, senior legal research fellow at the Heritage Foundation. "That's a hard line to walk, and yet I think if you call around to the privacy advocates, no one's going to tell you they were disappointed with her."

Marc Rotenberg, of the Electronic Privacy Information Center, said O'Connor Kelly deserves "high grades," but her office could do better if it had power to issue subpoenas. In the spring of 2004, O'Connor Kelly faced her biggest test by launching an investigation into JetBlue Airways Corp., which admitted that it had turned over millions of passenger records to the government for a security project.

O'Connor Kelly's report criticized government managers and required them to go through training. But it did not reveal what Homeland Security's Transportation Security Administration later acknowledged: Almost every other major airline also shared passenger records -- 270 million of them.

Rotenberg said O'Connor Kelly had to rely on goodwill and political pressure to get the TSA to hand over documents. "We've pushed to strengthen the office and give them more independent authority," he said.

C. Stewart Verdery Jr., a former Homeland Security official who worked with O'Connor Kelly, said she played a crucial role last year when the department negotiated an agreement to share airline passenger data with the European Union, which has much stronger privacy protections. "She was a known commodity and the advocacy community respected her," he said.

Ironically, some skeptics note, the agreement with European countries means that the department now protects the privacy of European airline passengers more than it does that of Americans, because it calls for specific and limited uses of airline passenger data.

The United States was granted official observer status in 2004 to the International Association of Data Protection and Privacy Officials, a group of government privacy officials, but is not eligible for membership: O'Connor Kelly's office is not seen as sufficiently independent because it reports to the secretary of homeland security.

"Over the long haul, I think that there is certainly merit to looking at the way the rest of the world looks at this issue and making sure we are part of that international conversation," O'Connor Kelly said.

© 2005 The Washington Post Company