Assessing the Review Group Recommendations: Part IV

By Benjamin Wittes
Sunday, January 5, 2014, 11:04 AM

Closing out our discussion of the Review Group recommendations in Chapter IV, let's consider the latter two recommendations of the chapter: Recommendations #14 and #15.

Recommendation #14 is, to me anyway, one of the real mysteries of the entire report. And I'm afraid my efforts to assess it have not led me far down the path to much understanding of what it would mean in practice. It states in its entirety: "We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security, and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons." The explanatory text is spare---not quite three pages---and adds only a bit of history of DHS's Privacy Act policies and facts that CIA, FBI, and NSA all apply the Privacy Act to US persons data already. It concludes that "This reform is manageable based on the DHS experience. It will both affirm the legitimate privacy rights of citizens of other nations and strengthen our relations with allies."

I am far from an expert on the Privacy Act, which, generally and with important exceptions, limits the authority of the government to disclose---including to other agencies---records containing personally identifying information about individuals and gives those individuals access to the records about them. The case for this recommendation is that it would undoubtedly increase US standing in data discussions with European countries and would send a strong message that the US takes privacy seriously, including the privacy of non-nationals. That's an important message.

The hard question is what the costs of sending this message would be to a group of agencies that are all about collection of material and dissemination of that material to intelligence consumers. That is, how much would application of the Privacy Act to non-US persons affect business in practice, and how disruptive would those effects be? On this question, I have gotten frankly mixed signals. I have spoken to a bunch of people in and out of government about this, and nobody seems to quite know. The administration is studying the issue feverishly, I think, and there's a lot of uncertainty about what it would mean. Some folks I've spoken with suggest that the Privacy Act, because of the exceptions, doesn't significantly hamper information sharing between agencies concerning US persons, and they are thus sanguine about the impact of extending it to non-US persons. Others warn that DHS's experience actually created big interagency headaches; they note that application of the Privacy Act there required a great deal of internal executive negotiation over data sharing that should have been routine. I don't have a bottom line on this question, and would love to hear from readers who have more granular thoughts on what application of the Privacy Act to non-US persons would mean in practice.

I do have one strong instinct on this subject, but it operates at a higher level of altitude than this specific recommendation: I don't see any good reason for US policy not to be based on reciprocity with governments who complain about our behavior. That is, I see no reason for the US to eschew collection against European nationals whose governments do not offer reciprocal protections for US citizens. I am willing to entertain mutual restraint, but I don't think the US should play handmaiden to European hypocrisy. I would therefore tend to favor, if the administration is inclined to embrace this recommendation, embracing it selectively for those countries that are willing to offer similar legal protections to US nationals. That, however, is a principle of more general application to international privacy debates.

Finally, Chapter IV closes out with one of the few recommendations in the report that would actually loosen existing collection rules. Specifically, the Review Group suggests giving NSA "a limited statutory emergency authority to continue to track known targets of counterterrorism surveillance when they first enter the United States" until the FISC has an opportunity to issue a surveillance order. The recommendation responds to the problem of "roamers"---legitimate non-US person targets overseas who suddenly show up in the United States and therefore cease to be legitimate 12333 or 702 targets. Currently, surveillance has to stop until the FISC can issue an order. The Review Group proposes a brief bridging period. This seems entirely sensible to me, and I suspect the administration will see it as useful as well.