
Lesson 15 of 25

National Security & the Privacy Act of 1974

5 min read · CIPP/US

The Privacy Act governs federal agencies, not companies. Cover systems of records and routine uses, FOIA's counterweight, FISA and Section 702 surveillance, the PATRIOT and FREEDOM Acts, and national security letters.

The Privacy Act of 1974: rules for federal agencies

  • Governs how FEDERAL agencies handle records on individuals
  • Applies to U.S. citizens and lawful permanent residents
  • Built on Fair Information Practices
  • Does NOT regulate the private sector

The Privacy Act of 1974, 5 U.S.C. § 552a, is the foundational federal-government privacy law, and the exam's first point is its scope: it regulates how federal agencies collect, use, and disclose records about individuals, not the private sector. Its protections run to U.S. citizens and lawful permanent residents. It is a Fair Information Practices statute in government form: agencies must limit collection to what is relevant and necessary, maintain accurate records, let individuals access and amend records about themselves, and disclose records only under defined conditions. So when a scenario involves a federal agency's database of people, the Privacy Act is your anchor, and a distractor that applies it to a private company is wrong; that is not its job.

Systems of records, routine uses, and FOIA

  • "System of records": retrievable by a personal identifier
  • Agencies publish System of Records Notices (SORNs)
  • Disclosure allowed for published "routine uses"
  • FOIA pulls the other way — public access to government records

Two structural ideas matter here. The Privacy Act attaches when records are kept in a system of records, meaning the agency retrieves them by a personal identifier such as a name or Social Security number. For each such system, the agency must publish a System of Records Notice, a SORN, in the Federal Register describing what the system holds and the routine uses for which the agency may disclose the data. Disclosure outside those published routine uses generally requires the individual's written consent or one of the Act's other enumerated exceptions, such as disclosure under a court order.

Pulling in the opposite direction is the Freedom of Information Act, FOIA, 5 U.S.C. § 552, which gives the public a right to request government records. The two laws meet at FOIA's privacy exemptions: Exemption 6 lets an agency withhold personnel, medical, and similar files whose release would be a clearly unwarranted invasion of personal privacy, and Exemption 7(C) does the same for law enforcement records. The exam likes that tension: transparency versus individual privacy.

FISA and Section 702 surveillance

  • FISA governs foreign-intelligence surveillance
  • FISA Court approves certain collection
  • Section 702: targeting non-U.S. persons abroad
  • Incidental collection of Americans is the controversy

National-security surveillance runs on a separate track. The Foreign Intelligence Surveillance Act, FISA, authorizes electronic surveillance and collection for foreign-intelligence purposes, overseen by a specialized court, the Foreign Intelligence Surveillance Court (the FISA Court). The most-discussed authority is Section 702, which lets the government target non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence, without an individual warrant for each target; the FISA Court instead approves the government's annual certifications and its targeting and minimization procedures. The privacy controversy, and the reason Section 702 reverberates in the privacy world, is incidental collection: communications of Americans who are in contact with foreign targets get swept in.

That same concern drove the European Schrems decisions about transatlantic data transfers. For the CIPP/US, know that Section 702 targets foreigners abroad and that the incidental-collection problem is its flashpoint.

The PATRIOT Act, the FREEDOM Act, and NSLs

  • USA PATRIOT Act expanded surveillance powers post-9/11
  • USA FREEDOM Act later reined some of them in
  • National security letters: data demands without a court
  • Often paired with gag orders limiting disclosure

Two acts and one tool round this out. The USA PATRIOT Act, passed in 2001 after the September 11 attacks, broadened government surveillance and information-sharing powers, including expanded access to records. Later, the USA FREEDOM Act of 2015 reined some of those powers back, ending the bulk collection of telephone metadata under Section 215 in its original form and adding transparency measures.

The tool to know is the national security letter, an NSL: an administrative demand, issued chiefly by the FBI, that obtains specific categories of records, such as subscriber or transactional information but not the content of communications, from companies without prior court approval, frequently accompanied by a nondisclosure (gag) order barring the recipient from revealing it. NSLs sit at the heart of the privacy debate because they combine government access with secrecy and limited oversight.

Why this matters for transatlantic data

  • EU courts scrutinize U.S. surveillance (Section 702, EO 12333)
  • Schrems II struck down Privacy Shield over surveillance concerns
  • EU-U.S. Data Privacy Framework (2023) added safeguards
  • Redress mechanism and proportionality were the fixes

Here's why a U.S. privacy professional must understand national-security surveillance even though it feels far from daily compliance: it directly shapes whether data can flow from Europe to the United States.

European courts have repeatedly scrutinized U.S. surveillance authorities, especially Section 702 and collection under Executive Order 12333, and concluded that for years they gave Europeans too little protection and no real redress.

That reasoning struck down the Privacy Shield transfer framework in the Schrems II decision of 2020. In response, the U.S. added new safeguards through Executive Order 14086: limits framed around necessity and proportionality, and a new redress mechanism culminating in the Data Protection Review Court. Those safeguards underpin the 2023 EU-U.S. Data Privacy Framework, which again permits many transfers. So when a multinational asks whether it can send personal data to the U.S., the answer runs straight through the surveillance laws in this lecture, a connection the exam may draw to test whether you see the whole board.

Exam reasoning: public sector vs. private, security vs. ordinary

  • Federal agency records → Privacy Act (not the private sector)
  • Foreign-intelligence targeting → FISA / Section 702
  • NSLs = records demands without a warrant, often gagged
  • Distractor: Privacy Act of 1974 applied to a company

Let's lock in the reasoning. If a federal agency is handling records about individuals, the Privacy Act of 1974 governs; watch for the SORN-and-routine-use structure plus the FOIA counterweight. If the scenario is intelligence surveillance aimed at foreign targets, you're in FISA and Section 702, with incidental collection as the privacy theme.

National security letters are the no-warrant, often-gagged demand for records. The single most common distractor applies the Privacy Act of 1974 to a private company; it binds only federal agencies, and the private sector lives under the sectoral and state laws from earlier domains. Recap: Privacy Act for agencies, FISA and Section 702 for foreign intelligence, the PATRIOT and FREEDOM Acts, and NSLs.

Now go test yourself, then on to civil litigation and regulatory demands.

Sources

  • Privacy Act of 1974 (5 U.S.C. § 552a)
  • Freedom of Information Act (FOIA, 5 U.S.C. § 552)
  • Foreign Intelligence Surveillance Act (FISA) and Section 702 (50 U.S.C. § 1881a)
  • USA PATRIOT Act
  • USA FREEDOM Act
  • National security letter statutes (e.g., 18 U.S.C. § 2709)
  • IAPP CIPP/US Body of Knowledge, Domain III.B (National Security and Privacy)
