A view from DC: CalPrivacy examines the surveillance landscape

The agenda for the most recent meeting of the California Privacy Protection Agency Board, which started yesterday and continues today, included a curious item labeled as an informational session, "The Private to Federal Pipeline: How Federal Agencies Use Private Data and How States Can Protect Americans."

The information session was the only agenda item for the first day of the meeting. As it turned out, it was a lengthy and detailed multi-speaker presentation about the gray areas between private and public uses of Americans' personal data. As the background document for the session explained, "The overall aim is to give a grounded account of how provider-held data moves from ordinary product use into investigative pipelines, and the legal and policy tensions that arise along the way."

It was a remarkable session not just because CalPrivacy lacks any oversight authority over governmental use of personal data, "investigative pipeline" or otherwise, but because it so overtly recognized the potential role of state privacy enforcers to build a bulwark against federal abuses of power. In so doing, the discussion reflected the unprecedented times in which we live. Though still a surprising agenda item, it can be said that such a session was more at home within California's unique independent privacy agency than it would have been in the fluorescent halls of an attorney general's office, which even more directly represents the investigative powers of the state.

The session featured a diverse slate of speakers, including representatives from the Center for Democracy and Technology, the National Advertising Initiative and the American Civil Liberties Union, among others. Copies of speakers' slide decks are available in the online meeting materials, where a link to a video recording should soon be posted.

Over the course of the session, members of the CalPrivacy Board collectively expressed renewed anxiety as speakers described a variety of technical measures in the current marketplace, from the complexity of the mobile advertising ecosystem to the potential intrusiveness of software development kits to the many methods of inferring geolocation data. To illustrate how it all feeds into the so-called surveillance pipeline, Richard Salgado, a government access expert, presented a data-driven account of the expanding use of FISA orders and how these data requests work in practice.

Perhaps the most remarkable speaker on the agenda was Rebecca Kelly Slaughter, a former — or current-in-exile, depending on whom you ask — commissioner at the U.S. Federal Trade Commission. She titled her presentation, "Privacy in Peril: When Unchecked Commercial Surveillance and Unbalanced Executive Power Collide." Slaughter sees these two seemingly disparate trends — the widespread amassing of personal data in the commercial context and the centralization of executive power — as directly related, mutually reinforcing and together representative of a "qualitatively new privacy threat." 

Ever self-conscious of her own status as an embodiment of the shifting role of independent administrative agencies in the U.S., Slaughter shared her perspective on just why independent agencies are so vital to democracy. She portrayed the FTC and the Privacy and Civil Liberties Oversight Board as parallel in their roles, two agencies meant to serve as two independent checks on commercial and governmental surveillance, respectively.

In Slaughter's telling, for-cause removal protections serve a vital purpose for both agencies. At the FTC, they ensure decisions are made on the merits because "the mere possibility of removal distorts institutional judgment." They also contribute to public confidence in the agencies' missions. As Slaughter put it, "Without independent commissioners, the public cannot know if powerful actors are escaping accountability via political favoritism."

The presentation concluded with a return to the role of the states, as promised in the title of the information session. Slaughter called for coordinated state enforcement to take on national-scale actors and extolled privacy enforcers to pursue "data brokers, surveillance advertisers and platform abuses."

On the legislative front, she reaffirmed the importance of private rights of action as an "essential backstop when federal watchdogs are dismantled" and asked policymakers to continue to lean-in to data minimization requirements, including with bans on secondary uses of personal data and stricter retention limits, cutting data flows off at the source. As she put it, "You can't strong arm data that doesn't exist."

Slaughter's status as FTC commissioner will be decided along with the future administrative structure of the FTC in the pending Supreme Court case, Trump v. Slaughter.

Meanwhile, whether the information session translates into an enforcement philosophy for CalPrivacy, perhaps with a renewed focus on drying up the commercial sources of personal data, remains to be seen. 

Please send feedback, updates and pipeline schematics to cobun@iapp.org.