NASA v. Nelson

• Background |
• EPIC's Interest |
• Legal Documents |
• Resources |

Summary

The Supreme Court ruled that the government did not violate an employee’s privacy rights when it performed intrusive background checks in its role as an employer. Justice Alito's majority opinion found that whatever the scope of the constitutional right to personal privacy, it did not prevent the government from investigating employees. Acting as an employer, the government had a legitimate interest in asking open-ended questions regarding past criminal history, drug use and other sensitive issues. Additionally, the Privacy Act provided sufficient protection from public disclosure of this private information. The Court stated that the fear of a data breach or other unintentional public disclosure of private information was not, by itself, proper grounds for challenging government collection of that information. Justice Scalia concurred in the judgment, arguing that the case could be easily decided because a "federal constitutional right to 'informational privacy' does not exist."

Top News

• EPIC to DC Circuit: Informational Privacy is a Constitutional Right: EPIC has filed a "friend of the court" brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that "when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained." In a 2011 case NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government. (May. 18, 2018)
• DC Circuit Sets Briefing Schedule in Information Privacy Case: The D.C. Circuit has set the briefing schedule for the OPM Data Security Breach case, concerning a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC recently informed the Court that it will file an amicus brief, which will now be due on May 17, 2018. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies. (Mar. 26, 2018)
More top news »
EPIC to File Brief in D.C. Circuit on Right to Information Privacy » (Mar. 15, 2018)
EPIC has informed the D.C. Circuit Court of Appeals that it will file an amicus brief in the OPM Data Security Breach case. The case concerns a pair of data breaches in 2015 that affected 22 million federal employees, their friends, and family members. EPIC has long warned that federal agencies collect far too much personal data that they fail to protect. In the 2012 case NASA v. Nelson, concerning repeated data breaches at the space agency, EPIC urged the Supreme Court to recognize a right to "informational privacy" that would limit data collection by federal agencies.
Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million » (Sep. 20, 2017)
A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm.
Supreme Court of India Rules Privacy is a Fundamental Right » (Aug. 24, 2017)
India's Supreme Court has ruled that privacy is a fundamental right under the Indian Constitution. In a unanimous ruling, the Court explained the "right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution." The Court also recognized that "Informational privacy is a facet of the right to privacy" and modern privacy risks are caused by both the public and private sector. The ruling may impact significant cases pending in India, including a challenge to Aadhaar, India's massive biometric identification system, and WhatsApp's privacy policy change. In 2009 NGOs and privacy experts set out the Madrid Privacy Declaration, which affirmed privacy as a fundamental human right. In 2010, EPIC urged the US Supreme Court to recognize the right of "informational privacy." EPIC explained that the Whalen decision and a famous German census case, "influenced international privacy jurisprudence, resulting in the widespread recognition of the right to informational privacy." EPIC's report Privacy and Human Rights provides an overview of privacy frameworks around the world.
Appeals Court Considers Case that Aligns Privacy and FOI » (Jul. 13, 2017)
The Ninth Circuit U.S. Court of Appeals heard oral arguments today in an open government case with implications for informational privacy. A group of anonymous medical employees challenged the release of personal information sought under a state public records act. EPIC filed a "friend-of-the-court" brief in the case arguing that withholding personal information is consistent with open government and constitutionally required. "Open government laws and privacy laws are complimentary: the aim is to maximize both the public's access to information about the government and to safeguard personal privacy to the greatest extent feasible," EPIC wrote. EPIC has argued for similar privacy protections in ATF v. Chicago, Chicago Tribune v. University of Illinois, Ostergren v. Cuccinelli, NASA v. Nelson, and FCC v. AT&T.
EPIC Urges Court to Protect Individual Privacy in Releases of Government Docs » (Mar. 16, 2017)
EPIC has filed a "friend-of-the-court" brief in an open government case with implications for informational privacy. A group of anonymous medical employees challenged the release of personal information sought under a state public records act. EPIC argued that withholding personal information is consistent with open government and constitutionally required. "Open government laws and privacy laws are complimentary: the aim is to maximize both the public's access to information about the government and to safeguard personal privacy to the greatest extent feasible," EPIC wrote. EPIC has argued for similar privacy protections in ATF v. Chicago, Chicago Tribune v. University of Illinois, Ostergren v. Cuccinelli, NASA v. Nelson, and FCC v. AT&T.
White House Issues Data Breach Guidance for Federal Agencies » (Jan. 4, 2017)
The White House Office of Management and Budget has released guidance establishing common standards and practices for how federal agencies manage data breaches. The Data Breach Memorandum sets out a risk-based framework for evaluating data breaches and requires each agency to develop a data breach response plan. Not all breaches will trigger individual notification under the guidance. The new guidance comes four months after a House Government and Oversight Committee report criticized the Office of Personnel Management about the 2015 data breaches that compromised the records of 22 million federal employees and family members. EPIC testified in 2009 and 2011 in support of strong data breach notification laws, filed comments with the Office of Personal Management recommending limits on data collection, and has urged the Supreme Court to recognize a right of "information privacy" that would limit the ability of the federal government to collect personal information.
EPIC Urges OMB to Strengthen Privacy Act Safeguards » (Nov. 7, 2016)
EPIC has submitted comments on Circular A-108, guidelines proposed by the Office of Management and Budget for federal agency compliance with the Privacy Act. EPIC warned that agencies frequently misuse exceptions to the Privacy Act to circumvent important safeguards required by law. EPIC urged the OMB to "strengthen its guidance on federal agency implementation of the Privacy Act" and to limit the 'routine use' exemption. EPIC regularly comments on privacy safeguards for federal databases and has urged Congress to modernize the Privacy Act.
Canadian High Court Holds Internet Use Protected by Constitutional Privacy Right » (Jun. 13, 2014)
The Supreme Court of Canada has ruled that police conducted an unconstitutional search when they used an IP address to obtain subscriber information from an Internet Service Provider without legal authorization. The Court also found Canada’s personal information protection law does not require ISPs to disclose subscriber information to law enforcement. In its analysis, the Court described information privacy as "control over, access to and use of information." The Court stressed that "anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable searches and seizures." Two recent opinions from the European Court of Justice have firmly established the right of information privacy law in EU law. EPIC has urged the US Supreme Court to recognize the right of information privacy and also to safeguard the right of anonymity. For more information, see EPIC: NASA v. Nelson, EPIC: Watchtower Bible v. Stratton, EPIC: Internet Anonymity and EPIC: Search Engine Privacy.
NASA Suffers More Data Breaches » (Nov. 27, 2012)
NASA has announced that the theft of an unencrypted laptop has compromised the personal information of a "large number" of NASA employees and contractors. A similar theft earlier this year exposed the data of thousands of Kennedy Space Center employees. The federal agency said that by the end of the year all NASA laptops must have full-disk encryption. The recent developments follow a 2010 United States Supreme Court case, NASA v. Nelson, in which a federal contractor challenged NASA's overly broad collection of personal information. EPIC filed an amicus curiae brief in support of the contractor Robert Nelson, arguing that there were insufficient legal protections and that NASA's systems are vulnerable to data breaches. Robert Nelson is among the employees and contractors who this week received a notice from NASA about the data breach. For more information, see EPIC: NASA v. Nelson and EPIC: Privacy Act.
Supreme Court Affirms Right to Informational Privacy, But Says Privacy Act Safeguards Sufficient for NASA Records » (Jan. 19, 2011)
The Supreme Court has issued a decision in NASA v. Nelson, a case brought by NASA scientists who argued that the government's invasive background checks violated the Constitution. The Supreme Court found that the inquiries implicate "a privacy interest of Constitutional significance" but that the requests were reasonable and that the information would be protected under the Privacy Act. Writing in concurrence, Justice Scalia said the Court's opinion "will dramatically increase the number of lawsuits claiming violations of the right to informational privacy." EPIC authored a amicus brief, cosigned by 27 technical experts and legal scholars, which highlighted problems with the Privacy Act, including the "routine use" exception, security breaches, and the agency's authority to carve out its own exceptions. For more information, see EPIC: NASA v. Nelson and EPIC: Workplace Privacy.  
Supreme Court to Hear Arguments in NASA Privacy Case » (Oct. 4, 2010)
On October 5, 2010 the Supreme Court will hear arguments in a case that will determine whether public contract employees have a right to limit the government's collection of their personal information. The case, NASA v. Nelson, was brought by a NASA scientist who argued that the Constitution grants a right to privacy from invasive government background checks. NASA claims that the Privacy Act provides sufficient legal protections. EPIC authored a "friend of the court" brief in the case, cosigned by 27 technical experts and legal scholars. EPIC's brief highlights exceptions in the Privacy Act, claimed by the federal agency, that place the scientists' personal information at risk. For more information, see EPIC: NASA v. Nelson and EPIC: Workplace Privacy.
EPIC Urges Supreme Court to Protect NASA Scientists' Privacy » (Aug. 9, 2010)
EPIC filed a "friend of the court" brief in the United States Supreme Court, urging the Justices to protect the privacy of scientists working at NASA's Jet Propulsion Laboratory. Twenty-seven legal and technical experts signed the brief. In NASA v. Nelson, the Court has been asked to determine whether the scientists' right to "informational privacy" prohibits NASA from collecting information concerning the individuals' medical records as a condition of employment. The agency admits that the scientists perform unclassified, non-sensitive work. EPIC's brief argues that compelled disclosure would risk exposing sensitive, personal health information that is insufficiently protected by NASA. For more information, see EPIC NASA v. Nelson.

Questions Presented

(1) Whether the government violates a federal contract employee's constitutional right to informational privacy when it asks in the course of a background investigation whether the employee has received counseling or treatment for illegal drug use that has occurred within the past year, and the employee's response is used only for employment purposes and is protected under the Privacy Act.

(2) Whether the government violates a federal contract employee's constitutional right to informational privacy when it asks the employee's designated references for any adverse information that may have a bearing on the employee's suitability for employment at a federal facility, the reference's response is used only for employment purposes, and the information obtained is protected under the Privacy Act.

Background

The issue presented in Nelson is whether federal contract employees have a constitutional right to keep some personal information private when undergoing a background check. Contract employees (Plaintiffs), including scientists, engineers and administrative support personnel at the Jet Propulsion Laboratory (JPL), filed suit against the National Aeronautics and Space Administration (NASA), the California Institute of Technology (Caltech), and the Department of Commerce on August 30, 2007.

The Plaintiffs alleged that the Government's new requirement that all employees and contractors with "long-term access to federal facilities" submit to in-depth background investigations violated the Administrative Procedure Act, their constitutional right to informational privacy, and the Fourth Amendment. The Plaintiffs were employed by Caltech, and were not government employees. Rather, they were "low risk" contract employees that did not work with classified material. Caltech operates the JPL pursuant to a contract with NASA.

The new background check policy requires every JPL employee to submit to a National Agency Check with Inquiries (NACI), which is the same background investigation required of government civil service employees. An individual subject to the NACI must complete a form that asks for (1) background information, including residential, educational, employment and military histories, (2) the names of three references that "know you well," and (3) disclosure of any illegal drug use within the past year, along with any treatment or counseling received for such use. All of this information is then checked against four government databases. The individual is also required to sign an authorization form allowing the government to collect further information, including soliciting "any adverse information" about the applicant from the applicant's references, employers and landlords. Such information may include "violations of law," "financial integrity," "abuse of alcohol and/or drugs," "mental or emotional stability," "general behavior or conduct," or "other matters."

NASA civil servant employees, but not its contract employees, have been required to complete the NACI since 1958. However, the President issued an order in 2004 requiring that all federal employees, including "contractor employees," submit to uniform testing. Such requirements became applicable to JPL employees on January 29, 2007. Caltech initially opposed the change, but was forced to comply based on its contract with NASA. On its own accord, Caltech made it a policy that all employees who did not submit the NACI would no longer be employed.

The Plaintiffs moved for a preliminary injunction on September 24, 2007, seeking to avoid termination for not complying with NASA's requirements by October 5, 2007. The lower court denied the motion, finding statutory support for the background investigations in the Space Act of 1958, which allowed NASA to establish requirements as deemed "necessary in the interest of national security." The court further found that NASA's form was narrowly tailored to further the government's legitimate security interest. Lastly, the court did not find that the investigation was a "search" under the Fourth Amendment.

In response, the Plaintiffs filed an emergency motion to stay the order, and the U.S. Court of Appeals for the Ninth Circuit granted a temporary injunction. The Ninth Circuit found that the information sought raised serious privacy concerns and that it was questionable as to whether the forms were narrowly tailored to meet a legitimate government interest. The Ninth Circuit also found that because Plaintiffs were not "sensitive" employees, but "low-risk" employees, the NASA did not have authority over them under the Space Act. Additionally, the court found that the questions on NASA's form implicated informational privacy rights because the questions were "open-ended," and "designed to elicit a wide range of adverse, private information that 'is not generally disclosed by individuals to the public.'" 512 F.3d 1134, 1145. However, the court did agree that the government's actions in this instance were not "searches" within the meaning of the Fourth Amendment.

Shortly after it issued its decision, the Ninth Circuit vacated its opinion and filed a superseding one. In the superseding opinion the court held that the Space Act did grant the NASA authority to require the investigations at issue. However, the court still held that plaintiffs could move forward with their informational privacy claims, finding that questions asking about treatment and counseling received for drug treatment in the questionnaire and the written inquiries submitted to third parties "require the disclosure of information and each presents a ripe controversy." 530 F.3d 865, 878.

The Supreme Court previously held in Whalen v. Roe, the Supreme Court recognized the right to informational privacy as, "the individual interest in avoiding disclosure of personal matters." 429 U.S. 589, 599, 97 S. Ct. 869, 876 (1977). This right was later cited in Nixon v. Administrator of General Services, finding that government officials, including the President, do not wholly give up their constitutional privacy rights in matters of personal life unrelated to acts done in their public capacity. 433 U.S. 425, 457 (1977).

On June 4, 2009, the Ninth Circuit denied a request for rehearing en banc, and the appellees petitioned for a writ of certiorari, which was granted on March 8, 2010. The petition asked the Supreme Court to further define what is included in the right to informational privacy. The petition also asked specifically whether an employee has an expectation of privacy in questions relating to counseling and treatment for illegal drug use or adverse information that may come from references.

The case was argued on October 5, 2010. The Supreme Court issued its decision on January 19, 2011, reversing the Ninth Circuit and remanding to the lower court.

The Aftermath

The Supreme Court ruled in NASA v. Nelson that the government did not violate an employee’s right of informational privacy when it performed intrusive background checks. Justice Alito's majority opinion found that whatever the scope of the constitutional right to personal privacy, it did not prevent the government from investigating employees. Specifically, the Court found that the government had a legitimate interest in asking open-ended questions regarding past criminal history, drug use and other sensitive issues. Additionally, the Privacy Act provided sufficient protection from public disclosure of this private information. The Court stated that the fear of a data breach or other unintentional public disclosure of private information was not, by itself, proper grounds for challenging government collection of that information. Justice Scalia concurred in the judgment, arguing that the case could be easily decided because a "federal constitutional right to 'informational privacy' does not exist."

The Plaintiffs NASA v. Nelson, joined by EPIC and others, argued that the Privacy Act would not sufficiently protect the information collected from JPL contractors from data breach and other threats to their personal information. The Court dismissed these arguments in its 2011 opinion. Then, in 2012 Wired reported that Hackers Seized Control of Computers in NASA's Jet Propulsion Lab, exposing sensitive files and data. Then, in 2015, the government revealed that the Office of Personnel Management, which collects and stores the sensitive background check files at issue in NASA v. Nelson had been compromised by a sophisticated attack that exposed tens of millions of sensitive records, including background check files, social security numbers, and fingerprint records.

EPIC's Interest in NASA v. Nelson

EPIC has a particular interest in protecting individuals’ right to informational privacy. EPIC supports the right of individuals to keep confidential their personal health information. EPIC has filed several amicus briefs concerning the critical importance of limiting the collection and disclosure of sensitive medical data. This right is particularly important in light of the incomplete privacy protections provided by statute and the substantial risk of data breaches. EPIC argued in its brief that NASA may not compel rocket scientists to disclose personal health information as a condition of employment.

The Ninth Circuit’s determination in the present case protected the informational privacy of scientists working at the Jet Propulsion Laboratory. Now that the Court has overruled the Ninth Circuit, government scientists must disclose sensitive, personal information that is insufficiently protected by the Privacy Act and at substantial risk of disclosure.

Legal Documents

Supreme Court

• Supreme Court Opinion (PDF)
• Audio Recording of Oral Argument (MP3)
• Transcript of Oral Argument (PDF)
• "Friend of the Court" Brief for EPIC (PDF)
• Brief for Petitioner (PDF)
• Brief for Respondents (PDF)
• Reply Brief for Petitioner (PDF)
• NASA v. Nelson Docket
• Grant of Certiorari (PDF)
• Questions Presented (PDF)

Certiorari-Stage Documents (PDFs)

• Petition for Certiorari
• Brief in Opposition
• Petitioner's Reply

• Opinion Below (Denial for Panel Rehearing and Rehearing en Banc)
• Superseding Opinion
• Initial Opinion
• Order Granting Injunction Pending Appeal

Resources

Supreme Court Precedent

• Whalen v. Roe, 429 U.S. 589, 97 S. Ct. 869 (1977)
• Nixon v. Administrator of General Services, 433 U.S. 425, 97 S. Ct. 2777 (1977)

Circuit Court Opinions on Informational Privacy

• Borucki v. Ryan, 827 F.2d 836 (1st Cir. 1987)
• Barry v. City of New York, 712 F.2d 1554 (2d Cir. 1983)
• United States v. Westinghouse, 638 F.2d 570 (3d Cir. 1980)
• Greenville Women’s Clinic v. Comm’r, S. C. Dep’t of Health & Env’t Control, 317 F.3d 357 (4th Cir. 2002)
• Plante v. Gonzalez, 575 F.2d 1119 (5th Cir. 1978)
• J.P. v. DeSanti, 653 F.2d 1080 (6th Cir. 1981); Lambert v. Hartman, 517 F.3d 433 (6th Cir. 2008)
• Denius v. Dunlap, 209 F.3d 944 (7th Cir. 2000)
• Tucson Woman’s Clinic v. Eden, 379 F.3d 531 (9th Cir. 2004)
• Mangels v. Pena, 789 F.2d 836 (10th Cir. 1986)
• Tavoulareas v. Washington Post, Co., 724 F.2d 1010 (U.S. App. D.C. 1984)

Law Review Articles and Books on Informational Privacy

• Protecting Privacy in Surveillance Societies (1998), David H. Flaherty
• At-Home Spying: Privacy Wanes as Technology Gains; Surveillance may be legal, but is that the only standard?, Gary T. Marx, Commentary, Los Angeles Times, May 28, 2002
• Privacy in Context: Technology, Policy, and the Integrity of Social Life Helen Nissenbaum (2010)
• Cyberspace Privacy: A Primer and Proposal, Jerry Kang, 26 Hum. Rts. 3 (1999)
• Informational Privacy in Cyberspace Transactions, Jerry Kang, 50 STAN. L. REV. 1193 (1998)
• Examined Lives: Informational Privacy and the Subject as Object, Julie E. Cohen, 52 Stanford Law Review 1373 (2000)
• Privacy As Intellectual Property, Pamela Samuelson, 52 Stanford Law Review 1125 (2000)
• The Big Picture, Peter G. Neumann, Communications of the ACM, Sept. 2004
• Our Vanishing Privacy and What You Can Do To Protect Yours, Robert Ellis Smith (1993)
• Privacy on the Line: The Politics of Wiretapping and Encryption, Whitfield Diffie & Susan Landau (1998)

Webpages

• Law Memo: NASA v. Nelson
• SCOTUSblog: NASA v. Nelson
• SCOTUSWiki: NASA v. Nelson
• Electronic Frontier Foundation: NASA v. Nelson