Collapse to view only § 2000ee-2. Privacy and data protection policies and procedures
- § 2000ee. Privacy and Civil Liberties Oversight Board
- § 2000ee-1. Privacy and civil liberties officers
- § 2000ee-2. Privacy and data protection policies and procedures
- § 2000ee-3. Federal agency data mining reporting
§ 2000ee. Privacy and Civil Liberties Oversight Board
(a) In general
(b) FindingsConsistent with the report of the National Commission on Terrorist Attacks Upon the United States, Congress makes the following findings:
(1) In conducting the war on terrorism, the Government may need additional powers and may need to enhance the use of its existing powers.
(2) This shift of power and authority to the Government calls for an enhanced system of checks and balances to protect the precious liberties that are vital to our way of life and to ensure that the Government uses its powers for the purposes for which the powers were given.
(3) The National Commission on Terrorist Attacks Upon the United States correctly concluded that “The choice between security and liberty is a false choice, as nothing is more likely to endanger America’s liberties than the success of a terrorist attack at home. Our history has shown us that insecurity threatens liberty. Yet, if our liberties are curtailed, we lose the values that we are struggling to defend.”.
(c) PurposeThe Board shall—
(1) analyze and review actions the executive branch takes to protect the Nation from terrorism, ensuring that the need for such actions is balanced with the need to protect privacy and civil liberties; and
(2) ensure that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the Nation against terrorism.
(d) Functions
(1) Advice and counsel on policy development and implementationThe Board shall—
(A) review proposed legislation, regulations, and policies related to efforts to protect the Nation from terrorism, including the development and adoption of information sharing guidelines under subsections (d) and (f) of section 485 of title 6;
(B) review the implementation of new and existing legislation, regulations, and policies related to efforts to protect the Nation from terrorism, including the implementation of information sharing guidelines under subsections (d) and (f) of section 485 of title 6;
(C) advise the President and the departments, agencies, and elements of the executive branch to ensure that privacy and civil liberties are appropriately considered in the development and implementation of such legislation, regulations, policies, and guidelines; and
(D) in providing advice on proposals to retain or enhance a particular governmental power, consider whether the department, agency, or element of the executive branch has established—
(i) that the need for the power is balanced with the need to protect privacy and civil liberties;
(ii) that there is adequate supervision of the use by the executive branch of the power to ensure protection of privacy and civil liberties; and
(iii) that there are adequate guidelines and oversight to properly confine its use.
(2) OversightThe Board shall continually review—
(A) the regulations, policies, and procedures, and the implementation of the regulations, policies, and procedures, of the departments, agencies, and elements of the executive branch relating to efforts to protect the Nation from terrorism to ensure that privacy and civil liberties are protected;
(B) the information sharing practices of the departments, agencies, and elements of the executive branch relating to efforts to protect the Nation from terrorism to determine whether they appropriately protect privacy and civil liberties and adhere to the information sharing guidelines issued or developed under subsections (d) and (f) of section 485 of title 6 and to other governing laws, regulations, and policies regarding privacy and civil liberties; and
(C) other actions by the executive branch relating to efforts to protect the Nation from terrorism to determine whether such actions—
(i) appropriately protect privacy and civil liberties; and
(ii) are consistent with governing laws, regulations, and policies regarding privacy and civil liberties.
(3) Relationship with privacy and civil liberties officersThe Board shall—
(A) receive and review reports and other information from privacy officers and civil liberties officers under section 2000ee–1 of this title;
(B) when appropriate, make recommendations to such privacy officers and civil liberties officers regarding their activities; and
(C) when appropriate, coordinate the activities of such privacy officers and civil liberties officers on relevant interagency matters.
(4) Testimony
(e) Reports
(1) In generalThe Board shall—
(A) receive and review reports from privacy officers and civil liberties officers under section 2000ee–1 of this title; and
(B) periodically submit, not less than semiannually, reports—
(i)(I) to the appropriate committees of Congress, including the Committee on the Judiciary of the Senate, the Committee on the Judiciary of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Homeland Security of the House of Representatives, the Committee on Oversight and Government Reform of the House of Representatives, the Select Committee on Intelligence of the Senate, and the Permanent Select Committee on Intelligence of the House of Representatives; and(II) to the President; and
(ii) which shall be in unclassified form to the greatest extent possible, with a classified annex where necessary.
(2) ContentsNot less than 2 reports submitted each year under paragraph (1)(B) shall include—
(A) a description of the major activities of the Board during the preceding period;
(B) information on the findings, conclusions, and recommendations of the Board resulting from its advice and oversight functions under subsection (d);
(C) the minority views on any findings, conclusions, and recommendations of the Board resulting from its advice and oversight functions under subsection (d);
(D) each proposal reviewed by the Board under subsection (d)(1) that—
(i) the Board advised against implementation; and
(ii) notwithstanding such advice, actions were taken to implement; and
(E) for the preceding period, any requests submitted under subsection (g)(1)(D) for the issuance of subpoenas that were modified or denied by the Attorney General.
(f) Informing the publicThe Board—
(1) shall make its reports, including its reports to Congress, available to the public to the greatest extent that is consistent with the protection of classified information and applicable law; and
(2) shall hold public hearings and otherwise inform the public of its activities, as appropriate and in a manner consistent with the protection of classified information and applicable law, but may, notwithstanding section 552b of title 5, meet or otherwise communicate in any number to confer or deliberate in a manner that is closed to the public.
(g) Access to information
(1) AuthorizationIf determined by the Board to be necessary to carry out its responsibilities under this section, the Board is authorized to—
(A) have access from any department, agency, or element of the executive branch, or any Federal officer or employee of any such department, agency, or element, to all relevant records, reports, audits, reviews, documents, papers, recommendations, or other relevant material, including classified information consistent with applicable law;
(B) interview, take statements from, or take public testimony from personnel of any department, agency, or element of the executive branch, or any Federal officer or employee of any such department, agency, or element;
(C) request information or assistance from any State, tribal, or local government; and
(D) at the direction of a majority of the members of the Board, submit a written request to the Attorney General of the United States that the Attorney General require, by subpoena, persons (other than departments, agencies, and elements of the executive branch) to produce any relevant information, documents, reports, answers, records, accounts, papers, and other documentary or testimonial evidence.
(2) Review of subpoena request
(A) In generalNot later than 30 days after the date of receipt of a request by the Board under paragraph (1)(D), the Attorney General shall—
(i) issue the subpoena as requested; or
(ii) provide the Board, in writing, with an explanation of the grounds on which the subpoena request has been modified or denied.
(B) Notification
(3) Enforcement of subpoena
(4) Agency cooperation
(5) Access
(h) Membership
(1) Members
(2) Qualifications
(3) Incompatible office
(4) Term
(A) Commencement
(B) Reappointment
(C) Vacancy
(D) ExtensionUpon the expiration of the term of office of a member, the member may continue to serve for up to one year after the date of expiration, at the election of the member—
(i) during the period preceding the reappointment of the member pursuant to subparagraph (B); or
(ii) until the member’s successor has been appointed and qualified.
(5) Quorum and meetings
(i) Compensation and travel expenses
(1) Compensation
(A) Chairman
(B) Members
(2) Travel expenses
(j) Staff
(1) Appointment and compensation
(2) Appointment in absence of chairman
(3) Detailees
(4) Consultant services
(k) Security clearances
(1) In general
(2) Rules and procedures
(l) Treatment as agency, not as advisory committeeThe Board—
(1) is an agency (as defined in section 551(1) of title 5); and
(2) is not an advisory committee (as defined in section 1001(2) of title 5).
(m)There are authorized to be appropriated to carry out this section amounts as follows:
(1) For fiscal year 2008, $5,000,000.
(2) For fiscal year 2009, $6,650,000.
(3) For fiscal year 2010, $8,300,000.
(4) For fiscal year 2011, $10,000,000.
(5) For fiscal year 2012 and each subsequent fiscal year, such sums as may be necessary.
(Pub. L. 108–458, title I, § 1061, Dec. 17, 2004, 118 Stat. 3684; Pub. L. 110–53, title VIII, § 801(a), Aug. 3, 2007, 121 Stat. 352; Pub. L. 114–113, div. M, title III, § 305, Dec. 18, 2015, 129 Stat. 2913; Pub. L. 115–118, title I, § 108, Jan. 19, 2018, 132 Stat. 15; Pub. L. 117–263, div. F, title LXVIII, § 6801, Dec. 23, 2022, 136 Stat. 3586; Pub. L. 117–286, § 4(a)(259), Dec. 27, 2022, 136 Stat. 4334.)
§ 2000ee–1. Privacy and civil liberties officers
(a) Designation and functionsThe Attorney General, the Secretary of Defense, the Secretary of State, the Secretary of the Treasury, the Secretary of Health and Human Services, the Secretary of Homeland Security, the Director of National Intelligence, the Director of the Central Intelligence Agency, the Director of the National Security Agency, the Director of the Federal Bureau of Investigation, and the head of any other department, agency, or element of the executive branch designated by the Privacy and Civil Liberties Oversight Board under section 2000ee of this title to be appropriate for coverage under this section shall designate not less than 1 senior officer to serve as the principal advisor to—
(1) assist the head of such department, agency, or element and other officials of such department, agency, or element in appropriately considering privacy and civil liberties concerns when such officials are proposing, developing, or implementing laws, regulations, policies, procedures, or guidelines related to efforts to protect the Nation against terrorism;
(2) periodically investigate and review department, agency, or element actions, policies, procedures, guidelines, and related laws and their implementation to ensure that such department, agency, or element is adequately considering privacy and civil liberties in its actions;
(3) ensure that such department, agency, or element has adequate procedures to receive, investigate, respond to, and redress complaints from individuals who allege such department, agency, or element has violated their privacy or civil liberties; and
(4) in providing advice on proposals to retain or enhance a particular governmental power the officer shall consider whether such department, agency, or element has established—
(A) that the need for the power is balanced with the need to protect privacy and civil liberties;
(B) that there is adequate supervision of the use by such department, agency, or element of the power to ensure protection of privacy and civil liberties; and
(C) that there are adequate guidelines and oversight to properly confine its use.
(b) Exception to designation authority
(1) Privacy officers
(2) Civil liberties officers
(c) Supervision and coordinationEach privacy officer or civil liberties officer described in subsection (a) or (b) shall—
(1) report directly to the head of the department, agency, or element concerned; and
(2) coordinate their activities with the Inspector General of such department, agency, or element to avoid duplication of effort.
(d) Agency cooperationThe head of each department, agency, or element shall ensure that each privacy officer and civil liberties officer—
(1) has the information, material, and resources necessary to fulfill the functions of such officer;
(2) is advised of proposed policy changes;
(3) is consulted by decision makers; and
(4) is given access to material and personnel the officer determines to be necessary to carry out the functions of such officer.
(e) Reprisal for making complaint
(f) Periodic reports
(1) In generalThe privacy officers and civil liberties officers of each department, agency, or element referred to or described in subsection (a) or (b) shall periodically, but not less than annually, submit a report on the activities of such officers—
(A)
(i) to the appropriate committees of Congress, including the Committee on the Judiciary of the Senate, the Committee on the Judiciary of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Oversight and Government Reform of the House of Representatives, the Select Committee on Intelligence of the Senate, and the Permanent Select Committee on Intelligence of the House of Representatives;
(ii) to the head of such department, agency, or element; and
(iii) to the Privacy and Civil Liberties Oversight Board; and
(B) which shall be in unclassified form to the greatest extent possible, with a classified annex where necessary.
(2) ContentsEach report submitted under paragraph (1) shall include information on the discharge of each of the functions of the officer concerned, including—
(A) information on the number and types of reviews undertaken;
(B) the type of advice provided and the response given to such advice;
(C) the number and nature of the complaints received by the department, agency, or element concerned for alleged violations; and
(D) a summary of the disposition of such complaints, the reviews and inquiries conducted, and the impact of the activities of such officer.
(g) Informing the publicEach privacy officer and civil liberties officer shall—
(1) make the reports of such officer, including reports to Congress, available to the public to the greatest extent that is consistent with the protection of classified information and applicable law; and
(2) otherwise inform the public of the activities of such officer, as appropriate and in a manner consistent with the protection of classified information and applicable law.
(h) Savings clause
(Pub. L. 108–458, title I, § 1062, Dec. 17, 2004, 118 Stat. 3688; Pub. L. 110–53, title VIII, § 803(a), Aug. 3, 2007, 121 Stat. 360; Pub. L. 113–126, title III, § 329(b)(4), July 7, 2014, 128 Stat. 1406; Pub. L. 115–118, title I, § 109, Jan. 19, 2018, 132 Stat. 15; Pub. L. 117–263, div. F, title LXVIII, § 6811(d), Dec. 23, 2022, 136 Stat. 3601.)
§ 2000ee–2. Privacy and data protection policies and procedures
(a) Privacy Officer
Each agency shall have a Chief Privacy Officer to assume primary responsibility for privacy and data protection policy, including—
(1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form;
(2) assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use and distribution of information in the operation of the program;
(3) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974 [5 U.S.C. 552a];
(4) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government;
(5) conducting a privacy impact assessment of proposed rules of the Department on the privacy of information in an identifiable form, including the type of personally identifiable information collected and the number of people affected;
(6) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, 11 1
1 So in original.
internal controls, and other relevant matters;(7) ensuring that the Department protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction;
(8) training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies; and
(9) ensuring compliance with the Departments 2
2 So in original. Probably should be “Department’s”.
established privacy and data protection policies.(b) Establishing privacy and data protection procedures and policies
(1)3
3 So in original. No par. (2) has been enacted.
In general(c) Recording
(d) Inspector General review
(e) Report
(1) In general
(2) Internet availability
(f) Definition
(Pub. L. 108–447, div. H, title V, § 522, Dec. 8, 2004, 118 Stat. 3268; Pub. L. 110–161, div. D, title VII, § 742(b), Dec. 26, 2007, 121 Stat. 2032.)
§ 2000ee–3. Federal agency data mining reporting
(a) Short title
(b) DefinitionsIn this section:
(1) Data miningThe term “data mining” means a program involving pattern-based queries, searches, or other analyses of 1 or more electronic databases, where—
(A) a department or agency of the Federal Government, or a non-Federal entity acting on behalf of the Federal Government, is conducting the queries, searches, or other analyses to discover or locate a predictive pattern or anomaly indicative of terrorist or criminal activity on the part of any individual or individuals;
(B) the queries, searches, or other analyses are not subject-based and do not use personal identifiers of a specific individual, or inputs associated with a specific individual or group of individuals, to retrieve information from the database or databases; and
(C) the purpose of the queries, searches, or other analyses is not solely—
(i) the detection of fraud, waste, or abuse in a Government agency or program; or
(ii) the security of a Government computer system.
(2) Database
(c) Reports on data mining activities by Federal agencies
(1) Requirement for report
(2) Content of reportEach report submitted under subparagraph (A) 2
2 So in original. Probably should be “paragraph (1)”.
shall include, for each activity to use or develop data mining, the following information:(A) A thorough description of the data mining activity, its goals, and, where appropriate, the target dates for the deployment of the data mining activity.
(B) A thorough description of the data mining technology that is being used or will be used, including the basis for determining whether a particular pattern or anomaly is indicative of terrorist or criminal activity.
(C) A thorough description of the data sources that are being or will be used.
(D) An assessment of the efficacy or likely efficacy of the data mining activity in providing accurate information consistent with and valuable to the stated goals and plans for the use or development of the data mining activity.
(E) An assessment of the impact or likely impact of the implementation of the data mining activity on the privacy and civil liberties of individuals, including a thorough description of the actions that are being taken or will be taken with regard to the property, privacy, or other rights or privileges of any individual or individuals as a result of the implementation of the data mining activity.
(F) A list and analysis of the laws and regulations that govern the information being or to be collected, reviewed, gathered, analyzed, or used in conjunction with the data mining activity, to the extent applicable in the context of the data mining activity.
(G) A thorough discussion of the policies, procedures, and guidelines that are in place or that are to be developed and applied in the use of such data mining activity in order to—
(i) protect the privacy and due process rights of individuals, such as redress procedures; and
(ii) ensure that only accurate and complete information is collected, reviewed, gathered, analyzed, or used, and guard against any harmful consequences of potential inaccuracies.
(3) Annex
(A) In generalA report under subparagraph (A) 2 shall include in an annex any necessary—
(i) classified information;
(ii) law enforcement sensitive information;
(iii) proprietary business information; or
(iv) trade secrets (as that term is defined in section 1839 of title 18).
(B) AvailabilityAny annex described in clause (i)— 3
3 So in original. Probably should be “subparagraph (A)—”.
(i) shall be available, as appropriate, and consistent with the National Security Act of 1947 [50 U.S.C. 3001 et seq.], to the Committee on Homeland Security and Governmental Affairs, the Committee on the Judiciary, the Select Committee on Intelligence, the Committee on Appropriations, and the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Homeland Security, the Committee on the Judiciary, the Permanent Select Committee on Intelligence, the Committee on Appropriations, and the Committee on Financial Services of the House of Representatives; and
(ii) shall not be made available to the public.
(4) Time for reportEach report required under subparagraph (A) 2 shall be—
(A) submitted not later than 180 days after August 3, 2007; and
(B) updated not less frequently than annually thereafter, to include any activity to use or develop data mining engaged in after the date of the prior report submitted under subparagraph (A).2
(Pub. L. 110–53, title VIII, § 804, Aug. 3, 2007, 121 Stat. 362.)