Limited and Open Government

Proposal: The Privacy Protection Act

The Problem

We produce an inordinate amount of data — on our computers, using our phones, or with our “smart” home devices like Alexa, Ring doorbells, security cameras, and more. Even our own DNA reveals profound information about us.

This information is frequently used in ways that individuals did not intend nor authorize. Government uses our driver license data for facial recognition and cancer research; our movements and social media posts for “live time” surveillance; our blood for health analysis; our DNA for identifying relatives in criminal investigations; our face or fingerprint to access the entire contents of our mobile devices; our private health information to monitor potential drug abuse; and more.

This intrusion into privacy changes the relationship between government and citizen, and often happens without oversight or public buy-in, let alone explicit consent by those whose information it is.

A Solution

We propose a two-part reform to holistically address this privacy problem.

Part one

This first phase entails setting up a process whereby information can be gathered, use of private information can be scrutinized, and recommendations made regarding policy reforms for phase two.

  1. The Legislature should create and fund the State Privacy Officer, within the State Auditor’s office. The position would be appointed by the Auditor. 
  2. The Auditor will assemble a Personal Privacy Oversight Committee, composed of 7-8 volunteer tech/privacy experts/advocates, along with 1-2 law enforcement representatives. This will be done on an ad-hoc basis for the short term by the Auditor. This should be formalized in statute later, to give the committee oversight authority and legitimacy to ensure government agencies/entities respond.
  3. The responsibilities of the State Privacy Officer shall include:
    1. Develop guiding standards, for use by the Officer and the Personal Privacy Oversight Committee, regarding privacy law, technology, and data security.
      1. Provide information to private citizens, civic groups, government entities, and other interested parties about government use of technology, privacy concerns, and data security standards.
      2. Provide relevant information on the State Auditor’s website in a form that is easily accessible.
      3. Provide education and training to government agencies regarding:
        1. the implication of using certain technologies and civil liberties concerns
        2. standards for collecting and storing PII
        3. data security standards and best practices
        4. the purpose and process of the Personal Privacy Oversight Committee
    2. Field requests from individuals to review a government agency/entity’s use of technology/software/process that implicates privacy. If a request merits review, produce an analysis regarding: 
      1. details of the technology/software/process
      2. what data is being used
      3. how the data is secured/stored
      4. who it is shared with
      5. whether a person can (or, in the Officer’s determination given the circumstances, should be able to) opt in or out, and have informed consent
      6. how such information is de-identified or anonymized, and whether better processes are needed
      7. comparable or related technology/software/processes that could possibly be used to better protect privacy
      8. an initial finding regarding whether the present technology/software/process adequately protects individual privacy
        1. The Officer shall make the finding pursuant to “the right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures” as described in Article I, Section 14 of the Utah Constitution, and any relevant case law.
    3. If the finding in (3)(b)(viii) is against the use of the technology/software/process, refer it to the Personal Privacy Oversight Committee for further review and recommendations.
    4. Require government agencies/entities, including local governments, to provide an analysis of any PII (personally identifying information) they collect/store, and with that information perform an analysis to determine if the agency/entity is adequately protecting information. 
      1. If not, issue recommendations to the local legislative body for needed reforms.
      2. Each year the Officer shall do this for at least 10 agencies/entities or local governments.
  4. The responsibilities of the Personal Privacy Oversight Committee shall include:
    1. Review proposed uses of technology/software/processes that the State Privacy Officer has flagged for committee review and analysis.
    2. Provide any reports/analyses each year to the Legislative Management Committee for referral to the Judiciary Interim Committee, which should hold a hearing each fall to review such reports and take any action as it may deem necessary.
    3. For 2021 only, the committee shall review the following uses of technology and provide any recommendations for legislative reforms regarding their use in their first annual report to the Legislature:
      1. Use of video and audio feeds for synthesis/analysis to facilitate surveillance (past or present) by law enforcement using:
        1. public sources (911 calls, traffic cameras, body cameras, drones, etc.)
        2. private sources (CCTV, doorbell cameras, etc.)
      2. Bulk analysis of social media feeds to recommend action/intervention by law enforcement.
      3. Use of biometrics by law enforcement 
        1. Compelling a person to provide access to their entire digital life via a facial or fingerprint scan.
        2. Facial recognition technology, both using government databases and social media photos of people.
        3. Using public/private DNA databases to search for the identity of unknown people. 
      4. Review data-sharing agreements among state agencies with third party participants, including but not limited to: federal agencies, private entities, nonprofit organizations, and public colleges and universities. 
  5. A government agency/entity may not use a technology/software/process that the Personal Privacy Oversight Committee has recommended against using unless the relevant legislative body enacts a law specifically authorizing its use.
    1. For state agencies/entities, the use must terminate by May 1 unless specifically authorized by the Utah Legislature.
    2. For local governments, the use must terminate within 60 days unless specifically authorized by the county or city council.
  6. Each favorable recommendation of a technology/software/process by the Committee shall sunset within two years, at which point the State Privacy Officer shall perform a review to determine if anything has changed about the use of the technology/software/process (additional data being used, more expansive use, etc.). If so, the Committee shall flag it for committee review and analysis.

Part two

Have the Judiciary Interim committee hold 1-2 interim meetings in fall 2021 regarding the Personal Privacy Oversight Committee’s recommendations.

In the 2022 session, have an omnibus privacy reform bill that enacts necessary reforms, restricting government use of private information to better protect privacy and ensure information is used consistent with the purposes for which it was created (so as to prevent “scope creep” and surveillance where it was never expected or authorized).