After NSA revelations, a privacy czar is needed

The United States has lots of good privacy laws, robust government enforcement and extensive litigation by private lawyers, but the federal government has no uber-guru in charge of U.S. privacy policy. The lack of centralized leadership on this nonpartisan, hot-button issue explains why our country appears to be floundering around the National Security Agency (NSA) leaks and unready to deal with the ubiquitous deployment of technologies such as unmanned aerial drones and facial recognition.

Heightened concerns over government surveillance have complicated efforts to harmonize international privacy rules. The post-Edward Snowden jumbling together of “national security” privacy and “consumer” privacy, along with the siloed nature of U.S. regulation, has made it more difficult for Europeans, and Americans, to understand how the U.S. system works. The absence of a high-level point person also undermines our country’s ability to engage European trading partners who invoke “privacy shortfalls” to deny business opportunities to U.S. Internet companies.

The Information Technology & Innovation Foundation reports that European and other international privacy-based protectionists are threatening to freeze U.S. “cloud” service companies out of at least $22 billion in contracts over the next three years because of the NSA PRISMprogram disclosures. Despite this self-serving response — other countries spy without half our transparency and oversight — there is no good reason President Obama should not today commit to respect and protect the privacy of foreigners whose communications are picked up incidentally, applying the same data “minimization” practices that protect innocent U.S. persons not suspected of terrorism.

Only a White House appointee could prevent the looming digital trade war and data protection train wreck given the disparate interests and agencies involved on the U.S. side. Currently, responsibility for privacy is scattered throughout the administration. Financial information privacy is governed by the 1999 Gramm-Leach-Bliley Act, which is enforced by independent agencies that do not report to the president. The new Consumer Financial Protection Bureau, other banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission and the Federal Trade Commission (FTC) have no obligation to coordinate regulations with the Office of Management and Budget (OMB) or even with each other.

While there is no specific federal cybersecurity law, e-mails and Internet data are protected from snooping and hacking under the 1986 Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. Telephone toll records are subject to certain privacy limits under the 1996 Telecommunications Act, but the Federal Communications Commission is also insulated from presidential review, control or accountability.

The FTC has become the de facto federal privacy agency. It has done a good job with its broad enforcement authority against “acts” and “practices” it deems “unfair or deceptive” — such as baby monitors that broadcast private video to the Internet. But the FTC makes policy by taking enforcement actions and issuing reports. It does not have to explain itself to the president or justify its cost-benefit calculations to the Office of Management and Budget or the public.

The Department of Health and Human Services, which is responsible for medical privacy under the 1996 Health Insurance Portability and Accountability Act, is the only federal agency with formal authority over privacy matters that reports to the president.

The importance of presidential control can be seen in Obama’s decision, after the Snowden leaks, to appoint a distinguished ad hoc group to judge the impact that the NSA’s terrorist surveillance technologies have on privacy. Such a group sounds reasonable — but on the recommendation of the 9/11 Commission, Congress passed legislation creating a Privacy and Civil Liberties Oversight Board to handle precisely such oversight. The president sidestepped that body because, as of 2008, Congress took the board out of the White House and made it “independent” of the president. Understandably, the president wants to maintain authority over privacy matters that involve delicate and complex trade-offs for society.

The net effect is international misunderstandings galore and insufficient clarity about the balancing and compromises that governments around the world must consider on behalf of their citizens.

A good start to untangling all this would be establishing a senior White House privacy position that answers to the president but is also responsive to Congress. This office would coordinate the numerous U.S. data protection agencies and agendas, and represent the United States internationally. It would have to cover both commercial and national security privacy because these issues have become interrelated in the public mind.

OMB is the place to appoint such a czar. It, uniquely, has the clout and crosscutting perspective to exercise effective authority on behalf of the president. Moreover, it already holds significant statutory responsibility for data protection, information security and the Privacy Act. Only a new coordinator could synthesize — and, possibly, rationalize — the extensive array of privacy standards that govern different industry sectors and federal agencies. The OMB coordinator would have the mission to promote privacy policies that respect human dignity and also advance society’s interest in innovation and economic growth. And when the next privacy issue arises, or even before it does, there would be a champion for new ideas and public engagement.

A privacy and data protection coordinator would primarily be a privacy architect and spokesperson. Answering to the president would ensure continued progress and meaningful accountability on the privacy concerns that are increasingly central at home and abroad.