Executive Order on Feds' Data Sharing Raises 6(b) Questions

CPSC's duties under CPSA 29(e) and (f) likely will be key in its review of how and if it can ensure 6(b) protection in complying with an executive order for government-wide access to agencies' information. The mandate (bit.ly/3E8CduL) includes all "unclassified…records, data, software systems, and information technology systems."

There are two purposes: a focused one of "enhancing the Government's ability to detect overpayments and fraud" and a broader one of "eliminating bureaucratic duplication and inefficiency." The latter is more likely to affect CPSC, and an accompanying factsheet (bit.ly/41Pli9T) says the order "promotes inter-agency collaboration."

There are allowances for access being "consistent with law" and an option for "providing access to an equivalent dataset [that] does not delay access."

Those allowances raise 6(b) and 29(e) and (f). The latter two originate in Section 207 of the 2008 CPSIA and govern CPSC's sharing of data with agencies at all levels from local to international. The process is for CPSC to set agreements with the other agencies. It does not share information without certified assurance against public disclosure including 6(b) protection as well as against use for anything other than consumer protection and law enforcement.

A full explanation of the protocols is in a 2023 directive (bit.ly/4l17Six) from then-Chairman Alexander Hoehn-Saric. It has an eight-step process overseen by the General Counsel office for sharing information consistent with 6(b) and 29(e) and (f). It also gives lists of duties for various agency offices.

However, such a process – in which CPSC defines what is shared and to whom – is different from that envisioned in the executive order, which speaks of "authorizing and facilitating both the intra- and inter-agency sharing and consolidation of unclassified agency records." CPSC would be less able to control or even know who is accessing its information.

Nonetheless, there might be access limits. On one hand, a goal of the order is to remove "unnecessary barriers to Federal employees accessing Government data and promoting inter-agency data sharing." Elsewhere, it speaks more narrowly of ensuring "Federal officials designated by the President or Agency Heads (or their designees) have full and prompt access to all unclassified agency records, data, software systems, and information technology systems." However, that narrower access is in the context of "identification and elimination of waste, fraud, abuse" not the broader goal of "eliminating bureaucratic duplication and inefficiency."

As for datasets, CPSC already makes those available as a means of releasing incident data consistent with 6(b) and privacy restrictions. For example, it has done so for years with voluntary standards committees and more recently to comply with a 2023 court ruling under which it now must make more data available for public review of rulemakings.

A question is what type of timeframe is meant in the executive order's requirement that a dataset "not delay access." Also a question is what resources CPSC would need if it were to provide datasets across all 6(b) protected records as opposed to the limited sets for work on standards and rules.

The 2023 court finding was in Washington, D.C., U.S. appeals court, which vacated CPSC's rule on custom window coverings over the availability of data used as justification (PSL, 9/18/23). A few months later (PSL, 2/26/24), then-Executive Director Austin Schlick said CPSC not only was making retroactive data available for public comment on that rule, but that the process going forward would be to provide similar data for all proposed rules. Making such data public requires time to process it for disclosure compliance, he said.