New nomination to US privacy oversight board, just ahead of cybersecurity fights in Congress

With the recent re-nomination of David Medine as chairman, the long-dormant US Privacy and Civil Liberties Oversight Board (PCLOB) may finally come to life.

The renewal of the Board and its mandate comes not a moment too soon. A strong, independent oversight body is necessary to protect digital rights as Congress is likely to consider cybercrime and cybersecurity issues, such as a proposed amendment to the highly controversial federal Communications Assistance for Law Enforcement Agencies (CALEA), which would require all communications providers to install backdoors in their products and services.

The PCLOB is a Congressionally-mandated body that sits within the executive branch.It arose out of the 2004 final report of the National Commission on Terrorist Attacks Upon the United States — better known as the 9/11 Commission. As information gathering and sharing between government agencies intensified, the Board was created to ensure the protection of privacy and civil liberties. As Thomas H. Kean, chairman of the Commission, explained: “We thought everything with a national security label on it was going to pass… So we felt very strongly that there had to be some voice for civil liberties in the debate.”

Despite this urgency, the Board didn’t convene for the first time until 2006. Only a year later, one of its five members resigned, criticizing the board for lacking independence from the executive branch.

In response to these criticisms, the PCLOB was reconstituted in 2007 as an independent agency with the authority to obtain information on its own. In its new form, Congress stipulated that, for the purpose of enforcing its mandate, that the Board shall:

“have access from any department, agency, or element of the executive branch, or any Federal officer or employee of any such department, agency, or element, to all relevant records, reports, audits, reviews, documents, papers, recommendations, or other relevant material, including classified information consistent with applicable law,”

And yet, despite being voted into existence twice by Congress, the second time with an even wider mandate and broader powers, the Board’s mandate has gone unfulfilled. The Bush and Obama administrations dragged their feet in nominating board members, and the Senate repeatedly allowed those nominations that have occurred to expire.

David Medine, the current nominee for chairman, was first nominated by the Obama administration in 2012, alongside Jim Dempsey, the vice-president for public policy at the Center for Democracy and Technology, and three others. While the Senate approved the four board nominees, they did not consider Medine, forcing Obama to re-nominate him after the recent elections. Absent a chairperson, the Board remains ineffectual — in large part because it can’t hire staff without one.

Medine has extensive experience as a lawyer dealing with privacy and data security concerns: between 1995 and 2000, he was the lead Federal Trade Commission staffer on internet privacy issues and represented the US at the OECD on privacy and data security issues — as well as a sitting member of the Communications, Privacy, and Internet Law Practice Group.

However, the majority of his past work experience has been in the context of the private sector, leaving open questions about how he would address questions on individual privacy and civil liberties. Furthermore, Medine would chair a board that includes members who have publicly disavowed international human rights frameworks, such as Rachel Brand, who–in her nomination hearing in front of the Senate Judiciary Committee–responded to committee member Chuck Grassley’s question on the role of international law by affirming her unqualified support for US interpretations of privacy and civil liberties through the prism of national security.

Around the globe, legislative bodies are drafting laws to deal with a new world of big data and digital privacy. As it often has, the United States may serve as a trendsetter for many of these laws, both through example as well as by pushing other countries to bring their own legislation in line with US standards when entering into trade agreements. A resurrected PCLOB has the potential to influence Europe’s ongoing Data Protection Reform efforts, and other digital privacy legislation around the globe, by ensuring that US legislation is implemented in a way that respects the digital rights of US citizens. This is especially timely, given that right now many US companies — and US government staffers — are in the EU, actively lobbying against the DPR.

But filling the empty seats on the PCLOB is only a start. President Obama has requested a grossly inadequate $1,000,000 for the Board to oversee the vast, multibillion dollar US national security apparatus. With 2013 sure to witness big fights around data privacy, location privacy, and cyber security, there’s a long way to go to ensure that the digital rights of users are not sacrificed to the demands of the US national security apparatus.