U.S. Supreme Court Justice Louis Brandeis, writing in 1928, gave us this farsighted warning: “Experience should teach us to be most on our guard to protect liberty when the government’s purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.”
The current “insidious encroachment” of the privacy rights of pilots is the growing computer matching of the FAA airman records with the computer records of other federal and state agencies, all for the admittedly “beneficent purpose” of aviation safety. And as Justice Brandeis warned, it is being done by zealous, well-meaning men and women. In 2002, the Office of Inspector General (OIG) for the Department of Transportation (including the FAA) and the OIG for the Social Security Administration conducted a joint investigation called “Operation Safe Pilot.” The investigation was designed to uncover efforts by medically unfit individuals to obtain FAA medical certificates, clearly a “beneficent” purpose. The FAA provided the DOT OIG with a computer listing of the names, dates of birth, Social Security numbers, and genders of some 45,000 FAA-certificated pilots in Northern California. The list was turned over to the SSA OIG, which cross-checked the information against the information in the Social Security databases of persons awarded disability benefits. The SSA OIG provided the DOT OIG with the matches of pilots who were awarded disability benefits.
The cross-check identified a pilot who was medically certificated by the FAA and received disability benefits from the SSA. The pilot had never disclosed to the FAA that he was diagnosed with HIV and was taking antiretroviral medication. The pilot chose to withhold the information because of the “social stigma” associated with HIV and his sexual orientation, fearing discrimination in employment, housing, and other aspects of his life. When his condition worsened, he applied to Social Security for long-term disability benefits, believing that the medical information disclosed in his application would be held confidential and would only be used for the determination of his eligibility. He was awarded the benefits. As a result of the cross-check, government agents interviewed the pilot. He acknowledged having withheld his medical condition from the FAA and was criminally prosecuted on three counts of making false statements to a government agency. He pled guilty to one count and was sentenced to two years of probation and fined $1,000.
The Privacy Act of 1974 prohibits federal agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency” without the consent of “the individual to whom the record pertains,” unless the disclosure falls within one or more enumerated exceptions to the act. The law also creates a private cause of action against an agency for its willful or intentional violation of the act that has “an adverse effect on an individual,” and allows for the recovery of “actual damages” sustained as a result of such a violation.
The pilot sued the government, alleging that the FAA, DOT, and SSA willfully and intentionally violated the Privacy Act by exchanging his records. He claimed that this caused him “to suffer humiliation, embarrassment, mental anguish, fear of social ostracism, and other severe emotional distress.” At the trial level, the pilot lost his case on technical grounds, and not on the basis that the government did not violate the law. His case was dismissed because the trial court held that the act does not allow for recovery of damages for embarrassment, mental anguish, et cetera—the kind of damages the pilot was alleging. The pilot took his case to a higher court, and in a 2010 appeal, a federal appellate court reversed that decision, holding that embarrassment, mental anguish, et cetera, are actual damages allowed under the act. The case was remanded back to the trial court for further proceedings—a further decision in this case should address the anti-computer-matching provisions of the Privacy Act, and give us a better understanding of pilots’ privacy rights.
A decision may help us with another “insidious encroachment”—in 1991 the FAA changed the medical application form to include an “express consent” provision to access an airman’s motor vehicle driving record. The FAA did so in order to avoid the privacy restrictions of the National Driver Registration Act as well as the Privacy Act. Without an airman’s express consent (it must be signed), the FAA and the National Driver Register would be unable to run a computer match, as they do, on every FAA medical certificate applicant against the National Driver Registry and the states’ driving records. The “consent” is fiction—it is not at all voluntary. If an airman does not consent (sign the application), the airman does not get a medical certificate. This may be another well-intentioned violation of the Privacy Act, and a continuing violation of the privacy of hundreds of thousands of unsuspecting pilots.
It is difficult to argue against the “beneficent” purposes of these particular computer-matching efforts of the government, and the good intentions. It is not difficult to argue that if the government is allowed to expand its computer matching against all of the databases it maintains, it would be able to produce quite a dossier on individual pilots and others. That is exactly what the Privacy Act was intended to prevent.
John S. Yodice serves as legal counselor to AOPA and IAOPA.