The Presidential Advisory Committee on Electoral Integrity and Personally Identifiable Information, by Bernard W. Bell
The Presidential Advisory Commission on Electoral Integrity (“the PACEI” or “the Commission”), created by President Trump to study state voter registration and voting procedures used in federal elections, Executive Order No. 13,799, 82 Fed. Reg. 22,389 (May 11, 2017), has begun its work in controversy and litigation. This post focuses on the Commission’s power to receive state voter rolls from state election officials. The issue was recently discussed, albeit somewhat obliquely, in Electronic Privacy Information Center v. Presidential Advisory Comm’n on Election Integrity, — F. Supp. 3d —, 2017 WL 3141907 (D.D.C. July 24, 2017) (EPIC v. PACEI), appeal filed, Dkt No. 17-5171 (D.C. Cir.).
Federal elections are administered by state officials, and thus registration and voting records are maintained by state agencies. Almost immediately after the PACEI filed its charter as an advisory committee, on June 23, 2017, the Commission’s Vice Chairs, Vice President Mike Pence and Kansas Secretary of State Kris W. Kobach, decided to seek each of the 50 states’ and the District of Columbia’s voter rolls. During a June 28 teleconference, the Vice Chairs advised Commission members that they would request records from state election officials. The members discussed the request “for several minutes,” and the “request was modified in response to some of [their] comments.” Lawyers’ Commission for Civil Rights Under Law v. Presidential Advisory Comm’n on Election Integrity, — F. Supp. 3d — , 2017 WL 3028832, at *3 (D.D.C. July 18, 2017) (quoting Declaration of Kris W. Kobach). However, the decision to make the request was not subjected to a vote. Id.
Later on the same day, Vice-Chair Kobach sent a letter to each state’s Secretaries of State seeking the state’s voter rolls. An example of the letter said in relevant part:
I am requesting that you provide to the Commission the publicly available voter roll data for North Carolina, including, if publicly available under the laws of your state, the full first and last names of all registrants, middle names or initials if available, addresses, dates of birth, political party (if recorded in your state), last four digits of social security number if available, voter history (elections voted in) from 2006 onward, active/inactive status, cancelled status, information regarding any felony convictions, information regarding voter registration in another state, information regarding military status, and overseas citizen information. (Emphasis added.)
The request is expressly limited to “publicly available” information, but much of the information specified is probably not publicly available in many states. And much of the information requested is either provided by individuals as a condition of being able to exercise the franchise, a fundamental right, or reflects the exercise of that fundamental right.
The E-Government Act of 2002, Pub. L. 107–347, specifies the process federal agencies must follow in initiating any “new collection of information that—(I) will be collected, maintained, or disseminated using information technology; and (II) includes any information in an identifiable form permitting the physical or online contacting of a specific individual.” In particular, the agency must conduct a “privacy impact assessment” that is reviewed by the agency’s Chief Information Officer, and, if practicable, made available to the public. Section 208(b).
District Judge Kollar-Kotelly of the D.C. District Court recently held, at least preliminarily, that the PACEI need not comply with section 208(b) of the E-Government Act because the Commission is not an agency for purposes of the statute, and thus may request state voter rolls without conducting a privacy assessment. EPIC v. PACEI, 2017 WL 3141907, at *11-*13.
Because the Executive Order creating the PACEI specifies that it is “solely advisory”— t is to submit a report to the President—the Commission lacks the power to take any of the actions or exercise any of the authority typical of an administrative agency, either in terms of providing benefits or regulating individuals, business entities, or the general public. Given the Commission’s limited role and its relationship to the President, Judge Kollar-Kotelly’s holding that the PACEI is not an agency for purposes of the Administrative Procedure Act’s (APA) definition of “agency” is defensible as a reasonable application of precedent. Main Street Legal Services, Inc. v. National Security Council, 811 F.3d 542, 543 (2d Cir. 2016); Armstrong v. Exec. Office of the President, 90 F.3d 553, 558 (D.C. Cir. 1996) (citing Meyer v. Bush, 981 F.2d 1288 (D.C. Cir. 1993). (The APA’s definition of agency is critical because an action to enforce the E-Government Act requirements must be brought under the APA.)
On July 26, after Judge Kollar-Kotelly’s decision, Vice-Chair Kobach sent state Secretaries of State another letter renewing the Commission’s request for voter roll information.
There are, of course, many questions regarding whether states can, pursuant to their own state law, provide the records the Commission seeks. But Judge Kollar-Kotelly’s decision points to an anomaly regarding the Commission’s ability to receive the information.
Creation and maintenance of a system of personal records entails risks to the subjects of those records and should entail certain concomitant responsibilities. Those essential responsibilities are captured by the Fair Information Practices, initially outlined by the Secretary of Health Education and Welfare’s Advisory Committee on Automated Personal Data Systems in 1973. The Privacy Act of 1974 was designed to impose these responsibilities on all federal agencies that maintained personal files on individuals.
Under the Fair Information Practices principles, entities that collect and maintain personally identifiable information have eight general obligations. First, they must notify potential subjects of the records regarding collection, use, dissemination, and maintenance of personally identifiable information (“PII”). Second, they must involve the individuals in the process of using PII, including enabling such individuals to access and correct the records as well as seek redress for misuse of PII. Third, they must articulate the purposes for which they intend to use the PII collected. Fourth, they must limit collection of PII to information directly relevant and necessary to accomplish the specified purpose(s) and retain it only so long as necessary to fulfill the specified purposes. Fifth they must limit the use of PII to the purposes specified and share the information with others only for compatible purposes. Sixth, they must ensure that PII is accurate, relevant, timely, and complete. Seventh, they must protect PII from loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. Eighth, they must audit the use of PII to demonstrate compliance with privacy principles.
Fulfilling these responsibilities is especially important when the information collected is not publicly available. But there responsibilities are also important even when the information collected is publicly available.
Whether or not government records can be obtained by members of the public, the Commission, like other government entities, should have a clear view of the purposes for which they will collect any information. Absent some compelling reason for secrecy, government entities should make public their plans for using PII, sharing it with other entities, combining it or matching it with other data, and protecting it from misuse. In the case of the PACEI, for example, the Commission should tailor its collection of voter’s personal information to the purposes for which it is seeking the information. Does the Commission need the voting records of every registered voter in every state for the last 10 years to serve its purposes? Will the data requested be useful if the data provided by various states is not uniform? Perhaps the Commission should have started by seeking information regarding the scope of voter data that states make publicly available.
The Commission may be seeking the voter roll data solely for historical purposes, namely to assess whether everyone who was registered to vote and who in fact voted in particular federal elections was eligible to do so. In effect, they may merely be “auditing” publicly-available state voting records. This limited purpose might make compliance with some of the Fair Information Practice principles less critical than it would be for agencies that maintain records for purposes of regulation or providing benefits. For example, the need to allow access to and the power to correct records is less critical when documents are used for historical purposes. However, concerns about excessive collection of information, lack of transparency regarding the use of sensitive personal information, indiscriminate use and sharing of information, and the security of the information, inter alia, do not necessarily disappear. While Vice-Chair Kobach’s July 26 letter seeks to address some of these concerns, particularly regarding the security of the information and the public dissemination of the information, it certainly does not comprehensively discuss the relevant concerns.
Given the implications of maintaining and using personal data, the power to create and maintain such a database, either directly or through some other entity, should be held only by entities specifically authorized by Congress to do so and limited by the general obligations of the E-Government Act and at least some of the provisions of the Privacy Act.
Indeed, more broadly, the President’s position within the Executive Branch of the federal government is supervisory. While the President has broad powers to direct subordinates in positions created by Congress with defined statutory authorities, the President has largely not been accorded powers to run domestic programs directly. The creation and maintenance of personal records does not seem an appropriate function for institutions, such as advisory bodies in the Office of the President, that do not directly administer federal programs. And the protections afforded citizens by the APA and other constraints on agency action are important in terms of collection and maintenance of government records, constraints which may not be available with respect to entities closely associated with the President, given the APA’s inapplicability to such entities.
And of course, in the election context, the President even lacks supervisory authority over the entities that conduct elections, namely state election authorities.
In short, the PACEI should be allowed to collect state voter information only if (1) it is authorized by Congress to do so, and (2) it complies with the E-Government Act and aspects of the Privacy Act that constrain the use and dissemination of personally identifiable information.
Bernard W. Bell is a Professor of Law and Herbert Hannoch Scholar at Rutgers Law School.