Salem Press

Privacy Rights in the Digital Age

Privacy Act of 1974, 5 U.S.C. § 552a

by Daniel J. Metcalfe

A privacy protection and government access statute that was enacted by the U.S. Congress in 1974 as a post-Watergate government reform measure to regulate the federal government's collection, maintenance, use, and dissemination of information about individuals (sometimes referred to as fair information practices). It took effect on September 27, 1975, and was the first such comprehensive privacy protection law enacted anywhere in the world. With respect to access to government records, it heavily overlaps the Freedom of Information Act (FOIA), though in contrast to that statute, it affords rights only to U.S. citizens (plus persons holding lawful permanent residency [LPR]), and it applies only to records about such individuals that are located within formal systems of records maintained by federal executive branch agencies; record retrieval according to an individual's name or personal identifier is a key jurisdictional element of it as well. Consequently, if access to a record is properly requested under the Privacy Act as well as under FOIA, it can be withheld only if it is exempt from disclosure under both statutes. Generally speaking, and apart from the Privacy Act's special systemwide exemptions for all records of the Central Intelligence Agency (CIA) and certain law enforcement files, the Privacy Act's access exemptions are narrower than those of FOIA; they do not include business information, most privileged information, and (ironically) the disclosure of information that would invade another person's personal privacy interests.

The heart of the Privacy Act, though, is the additional rights and protections that it provides to the individuals to whom agency records pertain. The first of these is a disclosure prohibition that bars agencies from disclosing Privacy Act–protected information—that is, records within systems of records that are retrieved through use of a citizen's or LPR's name or identifier—without that individual's written consent or unless one of several disclosure prohibition exceptions applies. (Note that disclosure in this context does not mean just disclosure to the public or disclosure outside the executive branch, as under FOIA; rather, it includes disclosure to another federal agency and even disclosure within the agency that is holding the information.) The major such exceptions to this prohibition are disclosure within an agency on an official need-to-know basis; disclosure required by a FOIA request that the agency has received; disclosure to a congressional committee; disclosure in compliance with a federal court order; and disclosure made in accordance with a specific routine use of that information, compatible with the purpose for which the information was obtained (for example, routine Justice Department sharing of judicial nominations information with the White House), that formally has been established (i.e., in a published systems notice) for that system of records. (These are highly technical terms of art created exclusively for the Privacy Act as part of its unique record-keeping requirements.) In addition, because even intra-agency disclosure is regulated, the Privacy Act calls for the use of strict security measures and training of agency personnel in order to protect the confidentiality of all covered information.

Next is the right to request amendment of records, correction of records, and/or expungement/expunction of records based on a showing that they are not accurate, relevant, timely, or complete. Agencies are required to have formal administrative processes by which individuals can obtain such relief, which usually is preceded by the individual obtaining access to the records (in whole or in part) in order to learn their contents. Also, as an alternative to amendment and correction, a dissatisfied individual is entitled to submit a brief counterstatement to a record, which the agency is required to attach to it (either physically or electronically) so that the challenged record will not be used or disseminated elsewhere without that accompaniment. And in all cases, an individual can request an accounting of any record dissemination.

Then there are the Privacy Act's “fair information practices” provisions, which largely pertain to the collection and maintenance of personal information. As for the former, agencies are required, wherever practicable, to collect such information from the individual directly, rather than from third-party sources, and to notify individuals before they supply personal information to the government of the consequences of doing so or not doing so, as the case may be. As for record maintenance, the Privacy Act has two provisions that even after forty years remain relatively little known but which nonetheless contain potent agency obligations. The first, found in subsection (e)(5) of the act, requires agencies to “maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure [sic] fairness to the individual in the determination.” The second, which is found in subsection (e)(7) and is potentially even broader in its sweep, commands that an agency shall “maintain no record describing how any individual exercises rights guaranteed by the First Amendment [to the U.S. Constitution] unless expressly authorized by statute,” consented to by that individual, or deemed relevant to “an authorized law enforcement activity.” This latter provision means, for example, that when considering an application for a career employment position, a federal hiring official cannot indulge in the now-commonplace private-sector practice of “doing an Internet search” on the applicant and jotting down on the application any pertinent information found; such a step, taken as part of a corrupt hiring scheme during the George W. Bush administration, became the basis of more than $500,000 in damages and attorney's fees paid by the government in the case of Gerlich v. Department of Justice in 2014.

Civil damages are indeed available as an enforcement mechanism under the Privacy Act, wherever a violation of its disclosure prohibition or a fair information practices provision is shown to have been “intentional or willful” and to have had a demonstrable “adverse effect” on an individual. And as with FOIA, court-awarded attorney's fees are available to successful Privacy Act litigants as well. Beyond that, the Privacy Act has an even more powerful enforcement mechanism: It contains criminal penalties, at the misdemeanor level, that can be imposed against federal employees for willful violation of its provisions. There have been more than a dozen such criminal prosecutions over the years, most often where the violator acted with a commercial motive.

Last, the Privacy Act is long overdue for legislative reform and updating, especially considering that it was drafted by Congress quite hurriedly in the wake of President Nixon's resignation in 1974 and contains both inconsistencies and an outdated focus on information in paper (rather than electronic) form. Over the years, it has been amended significantly only once—by the insertion of several “computer matching” provisions in 1988. FOIA, by comparison, has been amended many times. Oversight of the Privacy Act's government-wide implementation has suffered from gross inattention since the mid-1980s. Under subsection (v) of the act, the lead agency responsible for oversight is the U.S. Office of Management and Budget (OMB), which is part of the executive office of the president. But historically that obligation has been honored more in the breach by OMB, leaving it to the U.S. Department of Justice to fill the gap with government-wide guidance and assistance to federal agencies as a function ancillary to its advisory role under FOIA.

MLA 9th
Metcalfe, Daniel J. "Privacy Act Of 1974, 5 U.S.C. § 552a." Privacy Rights in the Digital Age, edited by Christopher T. Anglim & JD, Salem Press, 2016. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA_0165.