This article was authored by Christopher S. Yoo, John H. Chestnut Professor of Law, Communication, and Computer & Information Science and the founding director of the Center for Technology, Innovation and Competition (CTIC) at the University of Pennsylvania, and Kellen McCoy, a member of the J.D. class of 2021 at the University of Pennsylvania Carey Law School.
This article first appeared in the Regulatory Review's series on "Improving the Accessibility and Transparency of Administrative Programs" that focuses on the ACUS Recommendations adopted at the December 2020 Plenary Session. Reposted with permission. The original may be found here, and the Regulatory Review's entire series may be found here.
During the rulemaking process, commenters sometimes submit confidential commercial information (CCI) or personal information (PI) into public dockets. The agencies receiving these submissions face a quandary. On the one hand, principles of openness and transparency call for agencies to disclose all materials they receive to the greatest extent possible. On the other hand, the need to protect privacy has never been more apparent.
Unfortunately, the law does little to help agencies strike the proper balance between these two considerations. Agencies are increasingly realizing that the absence of clear guidance may be preventing them from receiving the information they need to fulfill their administrative duties. In response, the Administrative Conference of the United States (ACUS) recommended in 2013 that “agencies develop a written policy for treatment of protected or privileged materials, including indexing, in public rulemaking dockets.”
Seven years later, ACUS adopted a new recommendation implementing that call to action. The new recommendation provides agencies with guidance on when they should withhold CCI (such as trade secrets) and PI (such as Social Security numbers, financial information, or other personal identifiers).
In addition, the new ACUS recommendation also discusses how agencies can withhold such material while still complying with disclosure statutes and the Administrative Procedure Act (APA). It also explains how agencies can discourage the submission of CCI and PI in the first place by putting the public on notice that agencies will generally make comments part of the public record.
ACUS’s new recommendation was supported by a report to which we both contributed. Our analysis drew from four major sources of information. First, we conducted personal interviews and roundtables with administrative officials to explore current agency practices. Second, we sent a survey to ACUS members to gather more systematic information. Third, we analyzed the major statutes that govern disclosure and withholding of CCI and PI. Finally, we reviewed publicly available agency materials, such as notices of proposed rulemaking (NPRMs), system of record notices (SORNs), and agency comment web portals, to determine what those materials revealed about agency practices.
The interviews and roundtables revealed instances of frustration with current CCI and PI withholding practices. For example, one agency official protested that businesses now often claim that all information they submit is confidential. Because the law limits agencies’ ability to rely on material that has not been publicly disclosed, regulators confronting broad assertions of confidentiality can struggle to justify what they know, based on the claimed confidential information, to be the kind of agency rule that would best serve the public interest.
Agency officials also revealed that the public often experiences frustration too, pushing back with Freedom of Information Act (FOIA) requests and filing other litigation when agencies seek to rely on CCI or PI in rulemaking. The agencies we examined had disparate screening practices—some agencies did not screen for protected materials at all, while others had adopted robust screening processes.
The survey responses echoed our conversations with agencies. A majority of agency respondents reported excluding PI or CCI from their public rulemaking dockets 10 to 20 percent of the time, and a majority of agencies reported that they actively screen for PI and CCI.
The means that agencies use to screen for PI, CCI, and other protected materials vary widely. Some agencies use staff, while others use contractors or even artificial intelligence tools. And when agencies withhold protected information, they were fairly evenly split over whether they usemethods such as redaction, aggregation, and anonymization. Another notable survey finding was that only six agencies reported having established processes for challenging decisions about disclosure, and only four agencies had any established process for challenging withholding.
We also analyzed seven major mandates that govern withholding and disclosure—the E-Government Act of 2002; Executive Order 13,563; the Sunshine Act; FOIA (specifically exemptions four and six); the Privacy Act of 1974; the Trade Secrets Act; and relevant provisions of the APA.
Our exploration of these regimes and the judicial decisions interpreting them revealed that, in many instances, commenters submitting PI about themselves amounts to de facto consent, although some statutes still bar disclosure of particularly sensitive information. Such waivers, however, do not arise when a commenter submits PI about a third party.
On the issue of CCI, a 2019 U.S. Supreme Court decision identified two conditions for determining when information is confidential and should not be disclosed. First, whether the information is “closely held” and not shared freely, and, second, whether it is disclosed “only if the party receiving it provides some assurance that it will remain secret.”
Another critical issue is whether agencies clearly explain their practices to participants in public rulemaking proceedings. We examined the disclosures of policies in venues for official agency information, including NPRMs, SORNs, and websites that agencies use to accept comments, such as Regulations.gov.
Our research revealed that the disclosures in NPRMs and SORNs, and on public comment websites, are hardly uniform. For example, not every agency includes a notice about disclosure policies nor about whether comments are screened or automatically disclosed. More coordinated language and fulsome disclosure upfront would help reduce the amount of screening needed later.
In the late 1990s, committee recommendations on protected information assumed that commenters would rarely submit CCI or PI. These recommendations have changed dramatically over the past twenty years as agencies frequently confront the problem of what to do with protected information in their rulemaking dockets.
ACUS’s new recommendation provides agencies with a framework for providing the greatest possible governmental transparency consistent with protecting the public’s interest in privacy and business confidentiality.