As part of the rulemaking process, agencies create public rulemaking dockets, which consist of all rulemaking materials agencies have: (1) proactively published online or (2) made available for public inspection in a reading room. Public rulemaking dockets include materials agencies generate themselves and comments agencies receive from the public. Their purpose is to provide the public with the information that informed agencies’ rulemakings.[1]
The Administrative Conference has issued several recommendations to help agencies balance the competing considerations of transparency and confidentiality in managing their public rulemaking dockets.[2] This project builds on these recommendations.
The scope of the Recommendation is limited to personal information and confidential commercial information that agencies have decided to withhold from their public rulemaking dockets, which this Recommendation calls “protected material.” The Recommendation specifies how agencies should consider handling protected material. For purposes of this Recommendation, personal information is information about an individual including his or her education, financial transactions, medical history, criminal or employment history, or similarly sensitive information, and that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual.[3] Confidential commercial information is commercial information that is customarily kept private, or at least closely held, by the person or business providing it.[4] Other types of information, such as national security information and copyrighted materials, are beyond the Recommendation’s scope. The Recommendation is also limited to addressing procedures for protecting materials that agencies decide warrant protection. It is not intended to define the universe of protected materials. In particular, the Recommendation does not address any issue that may arise if agencies choose to rely on protected material in explaining their rulemakings, whether in notices of proposed rulemaking, regulatory impact analyses, or otherwise.
Agencies accept public comments for their public rulemaking dockets primarily through Regulations.gov, their own websites, and email. Regulations.gov and many agency websites that accept comments expressly notify the public that agencies may publish the information submitted in public comments.[5] When people submit comments to agencies, however, agencies typically do not immediately publish the comments. Instead, agencies generally take time to screen comments before publishing them. Most agencies perform at least some kind of screening during this period.
For all agencies, whether to withhold or disclose protected material is governed by various laws: some mandate disclosure, some mandate withholding, and some leave agencies with substantial discretion in deciding whether to disclose. Although a full description of those laws is beyond the scope of this Recommendation, a brief overview of at least some of this body of law helps to identify the issues agencies face.
The Administrative Procedure Act requires agencies to “give interested persons an opportunity to participate in rulemaking through submission of written data, views, or arguments.”[6] The United States Court of Appeals for the D.C. Circuit has interpreted this provision to ordinarily require that agencies make publicly available the critical information—including studies, data, and methodologies—underlying proposed rules.[7]
The Privacy Act and the Trade Secrets Act place limits on the disclosure norm discussed above. Generally, the Privacy Act prevents agencies from disclosing any information about a person, such as medical records, educational background, and employment history, contained in agencies’ systems of records, without that person’s written consent.[8] The Trade Secrets Act generally prevents agencies from disclosing trade secrets and other kinds of confidential commercial information, such as corporate losses and profits.[9]
Both the Privacy Act and the Trade Secrets Act have exceptions. For the Privacy Act, the main exception relevant to this Recommendation is for information required to be released under the Freedom of Information Act (FOIA).[10] The Trade Secrets Act only has one exception, which covers any materials authorized to be disclosed by statute (including FOIA) or regulation.[11] Whether a particular piece of personal or confidential commercial information meets one of these exceptions often involves a complex determination that depends upon the exact type of information at issue and its contemplated use, and agencies must determine the applicability of the exceptions on a case-by-case basis. For example, whether FOIA authorizes disclosure of confidential commercial information may turn in part on whether agencies in receipt of the information assured submitters that the information would be withheld from the public.[12] If agencies offer assurances that they will not disclose confidential commercial information, agencies and submitters may rely on those assurances as a defense against compelled disclosure under FOIA. In many cases, agencies assure companies that they will not disclose such information in order to encourage companies to submit it.
Particular cases are governed by specific requirements of law, not broad categorical labels. But agencies often consider certain categories of personal information and confidential commercial information to be protected material (e.g., trade secrets, social security numbers, bank account numbers, passport numbers, addresses, email addresses, medical information, and information concerning a person’s finances).
There are many ways protected material may arrive at the agency in a rulemaking. A person might submit his or her own information, intentionally or unintentionally, and then ask the agency not to disclose it. A third party might submit another person’s information, with or without that person’s knowledge. A company might submit a document containing its own confidential commercial information, intentionally or unintentionally, with or without the agency’s prior assurance of protection. Or a company might submit another company’s or person’s information. Depending on the information in question and the manner in which it was submitted, there may be issues of waiver of statutory protection. Such questions, like all questions regarding the substance of the laws governing protected material, are beyond this Recommendation’s scope, but they illustrate the various considerations that agencies and the public often face in the submission and handling of such material.
This Recommendation proposes steps agencies can take to withhold protected materials from their public rulemaking dockets while still providing the public with the information upon which agencies relied in formulating proposed rules.[13]
RECOMMENDATION
Recommendations for All Agencies
1. To reduce the risk that agencies will inadvertently disclose protected material, agencies should describe what kinds of personal and confidential commercial information qualify as protected material and should clearly notify the public about their treatment of protected material. An agency’s notifications should:
a. Inform members of the public that comments are generally subject to public disclosure, except when disclosure is limited by law;
b. Inform members of the public whether the agency offers assurances of protection from disclosure for their confidential commercial information and, if so, how to identify such information for the agency;
c. Provide guidance to the public concerning the submission of protected material that pertains to third parties, including instructions that the disclosure of some protected material may be prohibited by law;
d. Advise members of the public to review their comments for the material identified above in (c) and, if they find such material, to remove any such material that is not essential to the comment;
e. Inform members of the public that they may request, during the period between when a comment is received and when it is made public, that protected material they inadvertently submitted be withheld from the public rulemaking docket;
f. Inform members of the public that they may request, after the agency has published any comment, that protected material pertaining to themselves or to their dependents within the comment be removed from the public rulemaking docket; and
g. Inform members of the public that the agency reserves the right to redact or aggregate any part of a comment if the agency determines that it constitutes protected material, or may withhold a comment in its entirety if it determines that redaction or aggregation would insufficiently prevent the disclosure of this material.
2. Agencies should include the notifications described in Paragraph 1, or a link to those notifications, in at least the following places:
a. Within the rulemaking documents on which agencies request comments, such as a notice of proposed rulemaking or an advance notice of proposed rulemaking;
b. On agencies’ own comment submission forms, if agencies have them;
c. Within any automatic emails that agencies send acknowledging receipt of a comment;
d. On any part of agencies’ websites that describe their rulemaking process or within any rules on rulemakings they may have, as described in Recommendation 2020-1, Rules on Rulemakings; and
e. Within any notices of public meetings pertaining to a rule.
3. The General Services Administration’s eRulemaking Program Management Office should work with agencies that participate in Regulations.gov to include or refer to the notifications described in Paragraph 1 within any automated emails Regulations.gov sends acknowledging receipt of a comment.
4. If a submitter notifies an agency that the submitter inadvertently included protected material in the submitter’s comment, the agency should act as promptly as possible to determine whether such material warrants withholding from the public rulemaking docket and, if so, withhold it from the public rulemaking docket, or, if already disclosed, remove it from the public rulemaking docket. If an agency determines that such material does not qualify as protected, it should promptly notify the submitter of this finding with a brief statement of reasons.
5. Agencies should allow third parties to request that protected material pertaining to themselves or a dependent be removed from the public rulemaking docket. Agencies should review such requests and, upon determining that the material subject to the request qualifies as protected material, should remove it from the public rulemaking docket as promptly as possible. If an agency determines that the material does not qualify as protected, it should promptly notify the requestor of this finding with a brief statement of reasons.
Recommendations for Agencies that Screen Comments for Protected Material Before Publication in the Public Rulemaking Docket
6. Agencies that screen comments for protected material before publication in the public rulemaking docket, either as required by law or as a matter of discretion, should redact the protected material and publish the rest of the comment. Redaction should be thorough enough to prevent the public from discerning the redacted material, but not so broad as to prevent the public from viewing non-protected material.
7. If redaction is not feasible within a comment, agencies should consider presenting the data in a summarized form.
8. If redaction is not feasible across multiple, similar comments, agencies should consider presenting any related information in an aggregated form. Agencies should work with data science experts and others in relevant disciplines to ensure that aggregation is thorough enough to prevent someone from disaggregating the information.
9. If the approaches identified in Paragraphs 6–8 would still permit a member of the public to identify protected material, agencies should withhold the comment in its entirety. When doing so, they should describe the withheld material for the public in as much detail as possible without compromising its confidentiality.
10. When deciding whether and how to redact, aggregate, or withhold protected material, agencies should explore using artificial intelligence-based tools to aid in identifying protected material. Agencies should consult with private sector experts and technology-focused agencies, such as the General Services Administration’s Technology Transformation Service and the Office of Management and Budget’s United States Digital Service, to determine which tools are most appropriate and how they can best be deployed given the agencies’ resources.
Recommendations for Agencies that Offer Assurances of Protection from Disclosure of Confidential Commercial Information
11. Agencies that offer assurances of protection from disclosure of confidential commercial information should decide how they will offer such assurances. Agencies can choose to inform submitters, directly upon submission, that they will withhold confidential commercial information from the public rulemaking docket; post a general notice informing submitters that confidential commercial information will be withheld from the public rulemaking docket; or both.
12. Such agencies should adopt policies to help them identify such information. Agencies should consider including the following, either in tandem or as alternatives, as part of their policies, including within any rules on rulemakings they may have, as described in Recommendation 2020-1, Rules on Rulemakings:
a. Instructing submitters to identify clearly that the document contains confidential commercial information;
b. Instructing submitters to flag the particular text within the document that constitutes confidential commercial information; and
c. Instructing submitters to submit both redacted and unredacted versions of a comment that contains confidential commercial information.
[1] The public rulemaking docket is distinguished from “the administrative record for judicial review,” which is intended to provide courts with a record for evaluating challenges to the rule, and the “rulemaking record,” which means all comments and materials submitted to agencies during comment periods and any other materials agencies considered during the course of the rulemaking. See Admin. Conf. of the U.S., Recommendation 2013-4, The Administrative Record in Informal Rulemaking, 78 Fed. Reg. 41,358 (July 10, 2013).
[2] Recommendation 2011-1, Legal Considerations in e-Rulemaking, advises agencies to allow submitters to flag confidential information, including trade secrets, and advises agencies to devise procedures for reviewing and handling such information. Admin. Conf. of the U.S., Recommendation 2011-1, Legal Considerations in e-Rulemaking, ¶ 1, 76 Fed. Reg. 48,789, 48,790 (Aug. 9, 2011). Recommendation 2013-4, supra note 1, ¶ 11, advises agencies to develop guidance on managing and segregating protected information, such as confidential commercial information and sensitive personal information, while disclosing non-protected materials; see also Admin. Conf. of the U.S., Recommendation 89-7, Federal Regulation of Biotechnology, 54 Fed. Reg. 53,494 (Dec. 29, 1988); Admin. Conf. of the U.S., Recommendation 82-1, Exemption (b)(4) of the Freedom of Information Act, 47 Fed. Reg. 30,702 (July 15, 1982); Admin. Conf. of the U.S., Recommendation 80-6, Intragovernmental Communications in Informal Rulemaking Proceedings, 45 Fed. Reg. 86,408 (Dec. 31, 1980).
[3] See Privacy Act of 1974 § 3, 5 U.S.C. § 552a(a)(4).
[4] See Food Mktg. Inst. v. Argus Leader Media, 139 S. Ct. 2356, 2363 (2019); see also Exec. Order No. 12,600, Predisclosure Notification Procedures for Confidential Commercial Information, 52 Fed. Reg. 23,781 (June 23, 1987).
[5] See Christopher Yoo, Protected Materials in Public Rulemaking Dockets 24 (Nov. 24, 2020) (report to the Admin. Conf. of the U.S.), https://www.acus.gov/report/final-report-protected-materials-public-rulemaking-dockets.
[6] 5 U.S.C. § 553(c).
[7] Portland Cement Ass’n v. Ruckelshaus, 486 F.2d 375, 393 (D.C. Cir. 1973). In addition to these public transparency requirements, there are a number of federal record-retention requirements of which agencies should be aware. See, e.g., 44 U.S.C. § 3301.
[8] 5 U.S.C. § 552a(b).
[9] 18 U.S.C. § 1905.
[10] 5 U.S.C. § 552a(b)(2).
[11] See CNA Fin. Corp. v. Donovan, 830 F.2d 1132, 1137–43 (D.C. Cir. 1987).
[12] See Food Mktg. Inst., 139 S. Ct. at 2361.
[13] Permitting the submission of anonymous and pseudonymous comments is one way that some agencies attempt to reduce the privacy risks commenters face when submitting protected material. Issues regarding the submission of anonymous and pseudonymous comments are being considered in an ongoing project of the Administrative Conference titled Mass, Computer-Generated, and Fraudulent Comments and are beyond the scope of this Recommendation.
Citation: Admin. Conf. of the U.S., Recommendation 2020-2, Protected Materials in Public Rulemaking Dockets, 86 Fed. Reg. 6614 (Jan. 22, 2021).