States Use Sensitive Data Safeguards to Fight Federal Data Collection
While there are state and federal protections for sensitive data, a comprehensive privacy framework at the federal level is needed to ensure all modes of data sharing are transparent, legal and regulated, panelists said Wednesday. They spoke during a Center for Democracy and Technology (CDT) webinar about the federal government’s recent attempts to access state data.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“Federal access to the state is not unlimited,” said Frank Torres, fellow at the Leadership Conference’s Center for Civil Rights and Technology. “There are some safeguards that were put in place, and for good reason.” At the federal level, this includes the Privacy Act, the Paperwork Reduction Act and the E-Government Act, as well as the Constitution's expectation of privacy. There must be “a compelling government interest" for disclosure of data, he said.
Maine State Auditor Matthew Dunlap said there are legal protections besides what is available at the federal level, including state statutes to town ordinances. “Where the rubber hits the road on a lot of these data-protection issues is: what does the state statute say about it?”
Quinn Anex-Ries, senior policy analyst on CDT’s Equity in Civic Technology team, agreed. When the federal government makes data requests, it's important "that a state is doing their own due diligence to make sure that any access they're providing aligns with any legal protections that might pertain to that information."
Nicole Schneidman, counsel and head of the tech & data governance team at Protect Democracy, noted that this isn't the first time the federal government has demanded data from states. During the first Trump administration, the Presidential Advisory Commission on Election Integrity was established via executive order to address the alleged issue of non-citizens voting and requested all 50 states submit information associated with state voter rolls.
Since that request included vast amounts of sensitive information, there was broad rejection from the states, Schneidman noted. “Really what summed up the pushback at that time is a statement from" Mississippi's then-attorney general, "who suggested that the commission could ... go jump in the Gulf of Mexico in response to this demand."
But she said that example is different from the sweeping push for data seen recently, which started with the March executive order on information silos (see 2505290019). “There's some notable language regarding ensuring basically every head of every federal agency takes every measure possible to seek all data associated with any state program that receives any federal funding."
Resistance From States, Privacy Groups
Some states are fighting back, including a coalition suing over the federal government’s attempts to collect state-level data from Supplemental Nutrition Assistance Program (SNAP) participants (see 2507280065).
Vermont Rep. Angela Arsenault (D) noted that in her state, Gov. Phil Scott (R) turned over that data to the federal government even though Attorney General Charity Clark (D) wanted to resist (see 2508070013). “The pushback [against the governor’s decision] was rather immediate" and showed people value their privacy, she said. In addition, “maybe [it] hints at a lack of understanding on the governor's part of just how sensitive this information is and what it could be used for in the hands of the federal government.”
Anex-Ries said a similar fight is happening in Kansas, where the attorney general has sued the governor for refusing to give the federal government SNAP data. “This is a kind of live wire issue in states right now as different officials figure out how to respond, especially given … the huge unknowns we have about how this data is going to be used.”
Other lawsuits have been filed about the legality of the federal government’s data requests outside the states suing, including a lawsuit led by the Electronic Privacy Information Center that also concerns collection of SNAP data (see 2509020057).
Dunlap said that “when you have [a] vast trove of data about everything [and every] single individual in the system, how you use it is really a policy decision.” He added, “In the context of privacy … the best way to protect people's privacy is to not have their data in the first place.”
Arsenault said there are primary and secondary impacts of the data collection. For example, with the collection of SNAP data, “we're talking about people getting the help they need to buy food for their families” that may be impacted.
But the secondary effect is distrust, she said. “Between Vermonters and now our state government, folks who are already very wary of what's happening at the federal level … are now going, ‘Wait a minute, what? You did what? You gave them what kind of information and why?’”
Torres said there’s concern that the data will be used for mass surveillance. “We've already seen federal agencies like ICE and DHS, who sought access to and [obtain] ... tax records, housing benefits, education files and now SNAP data from the states, [use it] to locate and deport immigrants,” he said. “It could really have a chilling effect on individuals seeking public services -- which they are likely legally entitled to -- but knowing that their data could be used or weaponized against them may mean that people avoid accessing essential services.”
Another chilling effect is whether a person has the right information or resources to meet a requirement for services, Dunlap said. He gave the example of someone being born in a rural area of the country having a hard time obtaining a Real ID, as they may not have a birth certificate, even though they were born in the U.S.
What 'We Desperately Need'
Schneidman said there are various ways to address all these issues through policy -- but a comprehensive privacy law is what “we desperately need.” However, states can’t wait on Congress, she added. Instead, they should start creating legislation that says, “if you even think about sharing this [data] outside of this jurisdiction, you need to abide by these requirements.”
“A lot of our privacy laws in this country are very focused on commercial data collection use” and often “intentionally carve out government collection and sharing with other government entities,” she added, but the latter subject also needs to be addressed.
“As one of those … state-level legislator[s], yes, please, reach out to your state legislators,” Arsenault said. “We need to hear from folks … to know that this is something people care about.”
Dunlap added that the federal Privacy Act of 1974 specifically “needs to be updated to cover exactly this sort of situation, to make it clear that we need to enforce things like the purpose limitation, we need to enforce things like consent, we need to have more transparency.”
“We're all in this together,” he said. “We don't expect our own government to weaponize our individual data that they require us to give to access certain programs that we're legally entitled to," and "then use that data for other purposes that actually harm us.”