Private markets for individual data have received significant and sustained attention in recent years. But data markets are not for the private sector alone. In the public sector, the federal government, states, and cities gather data no less intimate and on a scale no less profound. And our governments have realized what corporations have: It is often easier to obtain data about their constituents from one another than to collect it directly. As in the private sector, these exchanges have multiplied the data available to every level of government for a wide range of purposes, complicated data governance, and created a new source of power, leverage, and currency between governments.
This Article provides an account of this vast and rapidly expanding intergovernmental marketplace in individual data. In areas ranging from policing and national security to immigration and public benefits to election management and public health, our governments exchange data both by engaging in individual transactions and by establishing “data pools” to aggregate the information they each have and diffuse access across governments. Understanding the breadth of this distinctly modern practice of data federalism has descriptive, doctrinal, and normative implications.
In contrast to conventional cooperative federalism programs, Congress has largely declined to structure and regulate intergovernmental data exchange. And in Congress’s absence, our governments have developed unorthodox cross-governmental administrative institutions to manage data flows and oversee data pools, and these sprawling, unwieldy institutions are as important as the usual cooperative initiatives to which federalism scholarship typically attends.
Data exchanges can also go wrong, and courts are not prepared to navigate the ways that data is both at risk of being commandeered and ripe for use as coercive leverage. I argue that these constitutional doctrines can and should be adapted to police the exchange of data. I finally place data federalism in normative frame and argue that data is a form of governmental power so unlike the paradigmatic ones our federalism is believed to distribute that it has the potential to unsettle federalism in both function and theory.
Introduction
The last two decades have witnessed an explosive growth in private markets for individual data. Firms gather more and more data directly from individuals, but they have also developed refined systems to buy and sell data from one other, accelerating aggregation and facilitating the power that comes uniquely from large aggregations of data. But data markets are not for the private sector alone.
In the public sector, the federal government, states, and cities gather data no less intimate and on a scale no less profound, both directly from individuals and, like private firms, indirectly from other levels of government. Our governments, in short, have realized what corporations have: It is often easier to obtain data about their constituents in compilations ready made than it is to collect it piecemeal from those people themselves. As in the private sector, these exchanges have multiplied the data available to every level of government for a wide range of purposes, created a new source of leverage and tension between levels of government, and deeply complicated data use and governance.
This Article exposes this substantial and rapidly expanding intergovernmental marketplace in individual data. 1 In sectors ranging from policing, immigration, and national security to employment and social services to public health, our levels of government have dramatically expanded their capacity to acquire and use personal data collected (frequently for different purposes) by their sister governments. They buy or trade for discrete datasets in one-off transactions; they exchange data on a recurrent or annual basis in repeat transactions; and they erect programs to continuously pool data and make it available to officials at all levels of government at any time. Data increasingly sits at the heart of the most significant collaborations — and most significant disputes — between the federal government, states, and cities.
These cross-governmental data exchanges — and their diffusion of information about the wages we earn, the illnesses we contract, and our interactions small and large with government officials — hold far-reaching significance for both privacy and federalism. The basic importance of these transfers for privacy is apparent: The easy movement of data between governments propels its aggregation and expands the knowledge each government has about our lives. Intergovernmental data markets, however, introduce unique privacy risks that reach beyond mere aggregation. In this system, data collected by one government is often used by another and, contrary to widely accepted fair information principles, without notice to the data subject and for uses that diverge from those that justified its initial collection.2 When data moves across governmental boundaries, moreover, access proliferates and multiplies opportunities for insecurity and misuse. One government’s conscientious data collection policy, meanwhile, can easily be compromised by data exchanges that, as is commonly the case, impose inadequate restrictions on the recipient government — as when data collected by a friendly city about its immigrant members to administer public benefits is ultimately used by federal officials to enforce immigration laws. Likewise, one government’s flawed data collection can be easily amplified by data exchanges — as when a city that disproportionately polices a minority population infuses its biased data into a cross-governmental database. These transactions, in short, add a federalism inflection to government data collection, use, and management that has been largely overlooked in the privacy literature.
But the widespread growth of intergovernmental data exchange is no less consequential for federalism. As this Article will argue, we have incompletely understood a significant number of contemporary federalism projects and disputes because we have missed a common thread: that they are, at their core, about data. Because our paradigms for understanding federalism are intimately tied to the types of power we assume our federalist system to be distributing and balancing between levels of government — and because data functions differently than the forms of power conventionally believed to be so disbursed — recognizing the centrality of data power to current federalism interactions has significant descriptive, doctrinal, and normative implications.3 Data programs are also, for reasons I develop, frequently shielded not just from public view, but also from scholarly critique.
The story, though, begins with data’s unnoticed presence at the heart of a staggering number of federal-state interactions, as a quick review of front-page federalism news reveals. From President Trump’s effort to aggregate state voting data to “investigat[e] voter fraud”;4 to the development of facial recognition technology using hundreds of millions of state DMV photographs;5 to the Census Bureau’s attempt to circumvent the Supreme Court’s decision prohibiting it from asking about immigration status on the census questionnaire by seeking the same information from states and cities;6 to the tit-for-tat skirmish between the Trump Administration and then–Governor of New York Andrew Cuomo over the state’s participation in the Global Entry Program;7 to the states withholding vaccination information because of skepticism about how the federal government will handle it,8 data is the common thread — and it is both a spur to collaboration and a source of considerable tension.
In perhaps no area is this more true than in the immigration context, where the federal government has for decades made the acquisition of data about noncitizens from state and local law enforcement a centerpiece of its immigration enforcement strategy. A cornerstone of President Obama’s immigration policy, the controversial Secure Communities program, sought biometric data on immigrant arrestees from cities and states in exchange for federal policy commitments. When the federal government reneged on the deal, opting to simply requisition state data without recompense, cities and states accused the Administration of unlawful commandeering.9 And the recently concluded “sanctuary city” litigation that pit immigrant-friendly localities against federal immigration officials was centrally about a federal law that forces cities and states to surrender the data they gather about their residents to federal officials.10
But as in private-sector markets, this Article argues, most data exchange between governments never makes front-page news or sees the inside of a courthouse. Most of the data our governments trade is uncontroversial — too uncontroversial. Our governments have developed complex systems, often outside public view, for transferring their data to one another and aggregating it for their joint use. Because we have not noticed that data moves so easily between governments, we have likewise not seen the parallels in efforts across policy areas to form what I call “data pools.” Although federalism traditionally divides power between governments, these data pools aggregate power and diffuse access.
Data pooling occurs in many policy areas. Against a chorus of calls in the summer of 2020 to reduce funding to the police, the public paid far less attention to another intergovernmental source of police power: their data. The National Crime Information Center (NCIC) and its network of linked databases is a massive effort to aggregate federal, state, and local data on arrests, fingerprints, and criminal history.11 Nor are most Americans aware that their wage history, employment status, and biographical data are shared by states with the federal government and pooled in the National Directory of New Hires.12 Or that “fusion centers” — institutions that gain legal authority from an amalgamation of federal and state sources — were erected throughout the country after 9/11 to improve terrorism-related information sharing, but now have remits that extend far beyond national security.13 Of particular inter-est in the wake of the COVID-19 pandemic, data pooling is essential to the disease surveillance system run by the CDC — a system that operates with minimal statutory oversight and gathers a mishmash of diagnoses from thousands of local health departments.14 Using previously uncompiled legal documents from a range of governmental institutions, Part I provides an account of the types and forms of these data programs.15
The scale of intergovernmental data exchange alone makes its practices worth excavating. But appreciating how our governments come to possess their data is also, I argue, key to understanding how that data is regulated and even what institutions make those regulatory decisions. Part II turns to the unorthodox law and policymaking processes that facilitate data exchange and, in turn, establish the rules that govern our data.
Programs that are jointly administered by federal and state governments can have significant institutional complexity, but we can at least begin to understand their contours by consulting the often sweeping federal statutes that initiate them. Because the federal government substantially funds many joint initiatives and can preempt conflicting state policy, Congress assumes a role as federalism’s first among equals, sketching the outlines of joint programs in the first instance and deciding the terms on which states can enlist. So central is Congress’s role in structuring conventional federal-state projects that Professor Abbe Gluck has urged us to see state power in our system of government coming not by constitutional right, but “by grace of Congress.”16
But the reasons for Congress’s central role in so many other federal-state initiatives are diminished in the data context. Data — and the power that derives from it — does not originate in Congress. It is gathered diffusely, by institutions across every level of government. The states and federal government thus engage on more level terrain when initiating and designing joint data programs. Nor do we have a tradition of conceptualizing intergovernmental data sharing as the surrender of a vital governmental asset, which would subject it to the kind of strict alienation controls that require legislative involvement — like those on public funds, which must be legislatively appropriated, and public lands, which can be surrendered only by specific authorization.17
Data sharing, I show, happens in a field of striking legislative minimalism. Data exchanges are rarely detailed in congressional legislation; indeed, some appear to occur without any statutory authorization at all. Even the federal government’s comprehensive privacy statutes, which could in principle restrain the dispersion or use of data, either directly or by operation exempt intergovernmental data exchange from their portfolio of constraints.
In Congress’s absence — and without the coordinating effect of major federal legislation — the decisions our governments make to share data, the use and privacy restrictions they place on it, and the institutions they erect to govern data pools have arisen organically (though not necessarily thoughtfully, equitably, or democratically) through negotiation between governments, instead of through delegation from the top. Federal-state data collaborations are largely a form of federalism that, contrary to the usual trend, occurs outside Congress.
That does not mean they exist without law. I show that the rules governing data exchanges are set out in conceptually challenging legal devices that I have elsewhere called “intergovernmental agreements” — a kind of domestic treaty between the federal government and states or cities.18 But intergovernmental agreements are only the beginning. Where data exchange becomes regularized into routine flows or permanent data pools, our governments have collaborated to craft bespoke administrative structures to oversee them — structures I call “cross-governmental bureaucracies.” These range from the formally chartered to the highly informal, are neither wholly federal nor wholly state in legal character, and are not fully domesticated by either federal or state law. They exist instead in a kind of interstitial space between and across governments that bends our conventional federalism paradigms.19 Only by beginning to untangle the legal and institutional dynamics in these interstitial spaces can we know how decisions about our data are made and how to affect them.20
But data exchanges and data pooling can also go wrong, just like any other effort at intergovernmental engagement. Part III explores how federalism doctrine should apply to data transactions. When the federal government and the states form joint initiatives, three doctrines comprise their basic “rules of engagement”: the anti-commandeering rule prohibits the federal government from mandating state participation; the anti-coercion rule prohibits it from coercing their participation; and the Pennhurst21 clear statement rule requires that conditions of federal grant funds be clearly stated.
These doctrines, however, arose in contexts in which our governments were joining together, trading, and leveraging governmental powers more conventional than data. The anti-commandeering rule, for instance, turned back the federal government’s effort to force states to “enact or administer a federal regulatory program” — to effectively requisition their administrative and regulatory power by mandating its application to federal ends.22 The anti-coercion rule most famously prevented the federal government from inducing states to participate in a new grant program by threatening to withdraw far larger funds from an existing program — from flexing its monetary power to coerce state involvement.23 And the Pennhurst clear statement rule has, likewise, only ever been invoked to police the conditions placed on federal grant monies.
But the federal government has sought to commandeer state data, as the “sanctuary city” litigation highlights; it has leveraged data to coerce state participation in ostensibly voluntary programs, in ways that mirror its use of money to the same ends; and it has hidden implied terms in the documents that memorialize federal-state data initiatives in just the way that Pennhurst prohibits for federal-state grant programs. Courts have yet to recognize, as a general matter, that the forms of power our governments seek and trade in joint initiatives are evolving, but the constitutional principles these rules enact are, I argue, conceptually adaptable to that evolution, at least as it applies to data. Data federalism, however, also provides impetus to reflect on the limits of existing constitutional doctrine to confront the full set of structural problems cross-governmental coordination can raise.
Finally, as I discuss in Part IV, intergovernmental data exchange has important implications for how we theorize today’s federalism — as it relates to data and beyond. Federalism is a system of governance that divides power, but most doctrine and some academic commentary still assume that power allocation to be fixed by the Constitution. And even the scholars who have emphasized that the power distribution in our system is negotiated rather than fixed have focused on intergovernmental transfers of a small set of conventional governmental powers — money, regulatory authority, and administrative capacity.24 The widespread exchange of another form of power, data, shows that power in a federalist system is doubly dynamic: both its distribution and its forms change over time. Each form of power, in turn, will have its own interplay with the federal-state dynamic.
Data, for instance, has unique properties that invert some of the core assumptions about how federalism affects the distribution of power. In contrast to money — perhaps the most frequently transacted form of governmental power in our system — data is nonrival and can be accessed by any number of users without being diminished. When governments share data, they also retain access. Transactions in data thus do not relocate power from one government to another, but instead duplicate the power of one government in another — making federalism, in this context, a power multiplier rather than a power divider. I canvass how this and other unique features of data complicate our assumptions about how federalism works.
But data exchange has other implications for contemporary federalism theory. The fact that, as the Article shows, data exchange, pooling, use, and governance largely happen outside Congress and in federalism’s interstitial spaces does not just challenge the dominant understanding of how intergovernmental collaborations come to life; it also complicates how those collaborations gain legitimacy, are subjected to legal constraint, and advance democratic norms. And although data federalism strikes a contrast to the usual cooperative federalism programs structured by detailed federal statutes, the issues that arise in data’s governance are present in some form even in those conventional areas. Congress can address only so many contingencies; our governments collaboratively fill in the rest. Unpacking the stakes of governance in this interstitial space therefore begins to make the institutional control over data more legible and offers a searchlight with which we may notice similar practices elsewhere.
I. The Intergovernmental Data Market
This Part elaborates the circumstances under which our domestic governments exchange data. The goal is not to offer an exhaustive account, but to provide a picture of the variety, frequency, and significance of intergovernmental data exchange.25 A small but important federalism literature has framed ordinary “cooperative federalism” programs, in which the federal government and states join together their separate resources to achieve common ends, as, in important respects, intergovernmental transactions.26 Governmental resources are not just combined in the context of these programs; they are also traded. Most commonly, the federal government trades money, typically in the form of grants, for state administrative capacity, which states offer by committing to implement a policy program within federal parameters.27
Data transactions can resemble those more conventional, if still understudied, exchanges of governmental goods. Our governments trade data for grant funds, data for policy commitments, and data for administrative capacity. But they also trade data for other data, forming a data pool. In these transactions, which look unlike any other coordinated federalism program, data contributions are the price each government pays for access to a broader multigovernmental data pool.
Regardless of the structure of the intergovernmental transaction, data has distinctive properties as a form of governmental power and resource for intergovernmental trade, which help explain why the trade in governmental data has become so robust, so rapidly. First, data is nonrival.28 Whereas resources like money and administrative capacity are depleted by use, data can be used and shared without being depleted. Access to data can be multiplied at minimal cost, reducing the barriers to data exchange. Data is also a complementary good — it becomes more valuable as it is aggregated with other specific pieces of data.29 This helps explain the advent of data pooling programs. Placing data into a common pool, where it can be matched with data gathered by other levels of government about the same person, maximizes the value of each piece of data relative to simply trading data in distinct sets. Finally, data is nonfungible, and governments often seek to expand data supplies not because they lack for data generally but because they need more specific data about more specific people or problems.30
Because data transactions are generally not structured by Congress, searching for these programs in the U.S. Code alone would not reveal the full scope of this market. This account thus draws on a range of legal sources, from statutes and regulations to intergovernmental agreements, to letters between governments and grant documents. Data, it shows, is a mobile source of governmental power around which our domestic governments have developed complex and novel forms of intergovernmental exchange.
A. Discrete Transactions
Some intergovernmental data transactions are discrete. They are much more like a simple exchange of goods than the broadscale data pooling programs discussed below. They can be very narrow, limited to information about just one person or event, as when federal and state law enforcement agents agree to share data they gather about a target being investigated for both federal and state crimes.31 Or they can stretch more broadly, encompassing information about a set of activities or group of people, as when state and federal police departments form joint policing task forces to collaboratively investigate an area of criminal activity (drug-, firearm-, and terrorism-related crimes are the most common) and share their corresponding information.32
But discrete data exchanges are not always modest in scope. Two recent federal requests for state data had a breathtaking sweep. In 2017, President Trump inaugurated a “Presidential Advisory Commission on Election Integrity,” with a mandate to investigate voter fraud by assessing, among other things, instances of improper registration and double voting.33 Because the states administer federal elections, the Commission sought vast stores of state registration and voting data, including each registrant’s first and last name, address, date of birth, political affiliation, voting history, and the last four digits of their social security number.34 The Commission requested data covering every registered voter — an estimated 200 million people.35 The Commission was ultimately disbanded when states refused — as is their constitutional entitlement, as I argue in Part III — to supply the requested data.36
In the lead-up to the 2020 Decennial Census, the Department of Commerce, which oversees the Census Bureau, announced its intention to disaggregate its population count according to citizenship status.37 One express goal, President Trump explained in a memorandum, was to exclude noncitizens from the constitutionally required count of “persons” used to apportion seats in the House of Representatives.38 To count the number of citizens and noncitizens, the Bureau initially sought to add a citizenship question to its flagship Census Questionnaire, distributed to households across the country.39 After the Supreme Court effectively blocked that effort, President Trump issued an Executive Order instructing the Department of Commerce to gather granular citizenship data through state and federal “administrative records” — general data used for other purposes across governments.40 To meet that directive, the Census Bureau requested sweeping access to state DMV records, including, for each person in the database, “name, address, date of birth, sex, race, eye color[,] and citizenship status.”41 Like the ill-fated Election Commission, the Census Bureau’s efforts met resistance from some states, which expressed skepticism about such a large-scale transfer of a sensitive state database.42
B. Repeat Transactions
Data exchange in repeat transactions has also reached an eye-popping scale. In virtually every ongoing federal-state policy program — from large-scale ones like Medicaid, supplemental nutrition assistance, and housing support, to smaller, targeted initiatives — data exchange is embedded in the program’s design and participation is often predicated on a state’s willingness to contribute program-relevant data. This data facilitates eligibility determinations,43 the distribution of federal funds,44 financial auditing,45 and enforcement of the contract-like commitments that legally structure cross-governmental programs. Some federal programs also encourage or mandate intrastate information sharing between two separate federal-state programs as a condition of participation.46
In addition to conditioning participation in cooperative programs on a state’s willingness to supply program-related data, the federal government has also conditioned participation in one cooperative program on a state’s willingness to contribute unrelated data to another program. For instance, a Department of Defense appropriations statute conditioned significant federal funding for public schools on the schools’ provision of the “names, addresses, and telephone listings” of students to the Department for defense recruitment purposes.47
Finally, the states and federal government exchange data outside jointly administered programs to support initiatives that each level of government pursues individually. For instance, they exchange large quantities of financial information to facilitate each government’s tax administration.48
C. Data Pooling Programs
The most significant forms of intergovernmental data exchange, however, occur under the auspices of permanent data pooling programs, through which data is aggregated across levels of government for officials in each level to access. Many are striking in scope. The National Directory of New Hires, for instance, contains information on almost all American employees.49 Private employers provide each new hire’s name, address, Social Security number, and wages to state agencies, which in turn pass that information on to the federal government for inclusion in the database.50 The database’s primary use is to facilitate wage withholding for individuals who have failed to pay child support.51 But it is now also used to verify eligibility for a suite of public benefits programs whose benefits are conditioned on employment.52 The CDC’s National Notifiable Diseases Surveillance System, likewise, consolidates reams of information about a large variety of suspected and confirmed diseases first identified by thousands of local and state public health agencies.53
Likely the nation’s largest information pooling system is the National Crime Information Center (or NCIC) and its complex of crime-related databases, which anchors the intergovernmental exchange of information for day-to-day policing. Any person who has been subject to a traffic stop — or seen one in a movie — knows about the NCIC in practice if not in name. When police officers run a name, driver’s license, or license plate, they search the NCIC, a sprawling repository of information about crime across levels of government to which “virtually every criminal justice agency nationwide” has access and contributes data.54 The NCIC supports “millions of transactions each day.”55 And a survey of states estimated that the entire sweep of networked criminal history databases contains files on 110 million people.56
The NCIC pools cross-governmental crime-related information in twenty-one categories — ranging from stolen property to wanted persons to parolees to lists of suspected gang members.57 But it is also networked — in the kind of untidy way that reflects accretion over time — with many other large intergovernmental data initiatives. The Interstate Identification Index, accessed through the NCIC interface, collects arrest and criminal histories as well as fingerprints.58 The International Justice and Public Safety Network, somewhat incongruously shortened to Nlets (a too-popular-to-change acronym tracking an earlier iteration of the organization’s name), allows officers who use the NCIC to contact the originating state to verify information.59 Nlets is a private organization owned by the states and is furtive about its work, but several state participants have said publicly that it conducts almost 1.5 billion transactions annually.60 And the Combined DNA Index System contains over twenty million DNA profiles from missing persons, crime victims, crime scenes, arrestees, and persons convicted of crimes, among others.61 The NCIC databases have also developed interfaces with databases managed by the Department of Homeland Security (DHS) for the purpose of exchanging immigration-related “biometric and biographic data.”62 The National Instant Criminal Background Check System facilitates background checks — run either by the federal government or by an administering state — on prospective firearm purchasers, and can query the NCIC, Interstate Identification Index, and immigration databases, as well as the System’s own index of people ineligible to purchase a firearm under either federal or state law.63 This criminal justice data ecosystem can be accessed both by criminal justice agencies across levels of government and by non–criminal justice agencies and, in some cases, by private firms.
But the NCIC is not the only sprawling intergovernmental data ecosystem created to facilitate crime-related information exchange. The National Commission on Terrorist Attacks upon the United States (or 9/11 Commission) made a series of recommendations to improve terrorism-related information sharing between the federal government and the states.64
In contrast to the NCIC, which is managed by the FBI but composed largely of state and local data, cities and states have contributed significant physical infrastructure to this vertical information sharing initiative by helping to erect “fusion centers.” There are now seventy-nine such institutions.65 Rather than share information through technological systems alone, fusion centers also facilitate information exchange by co-locating governmental personnel — literally placing representatives from agencies across levels of governments together — from obvious agencies like local police departments, the FBI, and DHS, to less obvious ones like local health, fire, and even corrections departments.66 Officials are then cross-authorized to access the information in each other’s possession and directed to work jointly to analyze and investigate relevant leads.67 This gives the staffers at fusion centers access to enormous stores of unclassified and classified data held by participating governments.68
Although instituted as a response to terrorism-related information sharing needs, states and cities have leveraged fusion centers to support other, more localized objectives. In a 2018 report, DHS indicated that just one of the seventy-eight surveyed fusion centers focused exclusively on counterterrorism efforts, while fifty had “primary missions” focused on counterterrorism, as well as “All-Hazards” and “All-Crimes.”69 What states and local governments characterize as “All-Hazards” or “All-Crimes” can vary widely. An earlier report analyzing the missions of seventy-eight fusion centers found that sixty-seven included gang-related work; sixty-six included narcotics; fifty-one included healthcare and public health; forty-four worked with corrections, parole, or probation; and forty-two included identify theft and document fraud, among many more areas of focus.70 In essence, the federal government gets antiterrorism support from fusion centers, while cities and states get extensive federal data to support day-to-day criminal and non–criminal justice functions.
Some data pooling efforts are more tailored, focusing on a particular objective or group of people. The National Practitioner Data Bank collects information from state medical licensing boards on malpractice and disciplinary actions for a range of medical practitioners.71 And the National Adult Mistreatment Reporting System is a voluntary database in which all fifty states pool information about the perpetrators of elder abuse.72
But a narrower focus does not necessarily mean a more modest impact. The FBI pools “hundreds of millions of photos” from state DMVs for use in facial recognition searches.73 And the National Instant Criminal Background Check System (NICS), which, as noted above, conducts gun-purchase background checks, processed over 27.5 million transactions in 2016 alone.74 Nor do area-specific data pools always act in isolation. The suite of federal trusted traveler programs, for instance, “allows for expedited processing of preapproved, low-risk travelers at certain ports of entry” provided that the traveler undergo vetting against several intergovernmental data pools.75
D. Data Sharing Mandates
Although most cross-governmental data sharing happens voluntarily and is often given in exchange for something of value — whether money, policy commitments, or other data — the federal government has sought to mandate data sharing in some high-profile cases, including by creating the impression that states have agreed to share when they have not. Constitutional federalism principles generally prevent the federal government from commandeering state resources or policy apparatuses.76 But there has long been a suggestion, never directly addressed by the Supreme Court, that there may be an “information sharing exception” to the anti-commandeering rule.77 The federal government does not frequently test that possibility, but it has attempted to do so in the immigration context under both Democratic and Republican administrations, finding creative ways to effectively compel cities and states to share sizable amounts of immigration-related data.
Because cities and states have many more interactions with community members than do federal immigration agents, federal immigration policymakers across administrations have sought to obtain information from state and local police to assist their immigration enforcement efforts. Through formal and informal programs, federal agents have sought readouts of day-to-day law enforcement encounters, biometrics on arrestees, names of individuals in state and local custody, lists of individuals on probation, data from DMV offices about noncitizen drivers, and information about appearances in state and municipal courts.78 DHS’s express goal is to leverage the many ways that cities and states track those who interact with their criminal justice systems to locate and detain individuals on immigration grounds.79
The Secure Communities program, started in 2008, sought to encourage states to forward arrestees’ biometric data — typically fingerprints — so that federal officials would know when a person of interest was in state or local custody.80 As is common of intergovernmental data programs (and is discussed in greater detail below), Secure Communities was initiated not through legislation but through ostensibly voluntary agreements.81 Those agreements contained termination provisions allowing either party to end their participation at will.82 When several states exercised those termination rights, however, the federal government announced its view that the program was not voluntary after all and that it would “terminate all existing Secure Communities” agreements but continue to take state data without them.83
Another immigration-related data sharing effort induces states to surrender their data nonconsensually in even more creative fashion. Initiated by statute, that program, best known by its place of codification at 8 U.S.C. § 1373, prohibits states from “in any way restrict[ing]” their employees or officials “from sending to, or receiving from, [the federal government] information regarding the citizenship or immigration status, lawful or unlawful, of any individual.”84 It does not direct states to share data; it instead restricts their ability to prevent their employees from sharing data.85 A state that does not consent to its data being shared with the federal government, in short, is powerless to stop an employee from responding to a federal request to do just that.
But with the rise of “sanctuary cities” — which generally refuse, unless forced, to turn over information to federal immigration officials — the federal government has deployed still more strategies to mandate the sharing of information related to immigration. The federal government, in particular, has aggressively sought information about when noncitizens who are incarcerated in state or local facilities will be released, which it uses to schedule concurrent immigration enforcement efforts. To obtain that nonpublic information from jurisdictions that decline to provide it voluntarily, Immigration and Customs Enforcement (ICE) then began issuing subpoenas demanding the information it once sought voluntarily and threatening information custodians (sheriffs and wardens) with judicial proceedings for contempt if they declined.86 This tactic, though rare, has been used in other areas as well.87
As this Part makes evident, our domestic governments are bartering, exchanging, and aggregating data of intimate character on a sweeping scale. Because data is an increasingly potent source of governmental power — and because intergovernmental trade allows our governments to gain access to information more efficiently than direct collection from individuals — the very presence of this market is important. It reveals a powerful pathway to governmental data access. Moreover, because constraints on how data is used are often shaped by the processes through which that data is acquired, this market also raises potent questions about how data that moves across governmental boundaries is governed.
II. Governance in the Intergovernmental Data Market
Federalism facilitates the intergovernmental data market. As a system of government that, at its most basic, is composed of autonomous levels of government, federalism affords our domestic governments the power to both collect data from their constituents and participate in data transactions with their sister governments. But federalism does not provide ready descriptive or normative frameworks for thinking about what happens to our data next. When data moves between governments, how is that data managed? What legal constraints do our governments impose on data access, use, management, and security, both as a condition of sharing that data, and after it comes under the control of another government? What rights, entitlements, and even basic information do individuals have about their data as it changes governmental hands? What institutions — federal, state, or both — make those judgments?
As this Part shows, once data is on the move, our conventional governmental separateness gives way to a system of intensely complex power amalgamation between levels of government. For in addition to separating power between governments, federalism can also facilitate the reintegration of the power each government independently possesses. The idea that power dispersed among governments can become integrated — as when any level of government through exchange or pooling joins the data it has gathered with the data gathered by a sister government — though a departure from the usual way we think about federalism, is not a novel idea. Writing about the often-analogous separation of powers among the federal government’s coordinate branches, Justice Jackson reminded us in his famous Youngstown concurrence that “[w]hile the Constitution diffuses power the better to secure liberty, it also contemplates that practice will integrate the dispersed powers into a workable government.”88 What is novel is understanding, as this Part elaborates, the specific predicates of just such a workability determination: a detailed understanding of how powers are drawn together across governments and how, once integrated, they are institutionally and procedurally organized.
As in the private sector where, as Professor Julie Cohen has noted, “perhaps the most noteworthy attribute of the personal data economy has been its secrecy,” understanding how data that moves between governments is governed requires significant legal and institutional excavation because, as I show, data exchange programs are generally not organized by clearly legible and transparent forms of law and policymaking, like, most obviously, congressional statutes.89 Although many forms of intergovernmental interaction are initiated by Congress — think of the major “cooperative federalism” programs from the New Deal to present90 — Congress rarely structures, and is sometimes totally absent from, the intergovernmental data market. There is no section of the U.S. Code that sets the rules of the federal or state governments’ participation in data exchange or specifies how the resulting data stores should be managed. Many statutes cited by federal and state officials as authority for the data sharing programs barely contemplate them. Others do so in broad and sweeping terms, providing little guidance or limitation — especially with respect to data privacy. And what scholars call “omnibus” privacy statutes — which are designed to protect the data originator’s interests across agencies and policy areas — either explicitly or implicitly exempt from their strictures intergovernmental data exchange. This leaves federal agencies and their state counterparts to decide what data to share, on what terms to share it, which protections to include, whether to create ongoing exchange programs, and how to govern them, often without express statutory authorization.91
I show that in this field of striking legislative minimalism, our governments nevertheless rely on formal legal devices to structure data programs. But they are the nonstandard lawmaking devices that I have elsewhere called “intergovernmental agreements” — something of a treaty for domestic federalism, which sets forth the legal terms and conditions of the data transactions, but also memorializes some of the only legal restrictions on how that data will be used.92 These devices, however, are not the end of the data exchange governance, but the beginning, for our governments increasingly place their data into pools that must be jointly managed on an ongoing basis. The legal framework for this joint management is similarly opaque, resting on a multiplicity of authorities, crisscrossing federal and state governments, and resulting from organic structural negotiations between governments over time. They thus require something of an institutional reconstruction to see even their most basic contours. Drawing together a range of public and nonpublic sources, I sketch the outlines of several different such institutions, which I call “cross-governmental bureaucracies.” Given how little we have previously known about these institutions, my goal is not to evaluate their workability or desirability — that must come in program-by-program and institution-by-institution increments. My goal is instead to provide a general roadmap for locating and peering into the unorthodox forms these institutions take.
These cross-governmental bureaucracies have a blended legal character, spanning governmental boundaries just like the data they manage. They are flexible, negotiated, and innovative, but also transient in form and function and concerningly independent from their sources of authority and accountability. They give us a sense of the kind of infrastructure that federalism can facilitate when it reintegrates, in Justice Jackson’s terms, forms of power that were once diffused across governments.
A. Statutory Minimalism
Perhaps the defining structural feature of intergovernmental data markets is that — contrary to the conventional understanding of cooperative federalism and intergovernmental projects — they are largely unregulated by Congress.
Take, as an example, the controversy that erupted in 2019 over the FBI’s facial recognition database. Over several years, the FBI had developed the capacity to conduct facial recognition searches on hundreds of millions of state-collected photographs.93 The searchable photos were pooled from federal and state law enforcement sources like mug shots but also from civil sources like driver’s license photos. The origin of this data pool remains murky. What is clear is that the effort scaled up when the FBI began entering into intergovernmental agreements with states to secure ongoing access to their DMV photos.94 The FBI then searched those photographs — both for its own investigations and on behalf of city and state law enforcement agencies — using experimental technology that tries to match photographs of unknown persons to those in existing databases.95 Existing facial recognition technology, meanwhile, has many known defects. When a federal agency vetted vendors of facial recognition technology, for instance, it found a significant rate of false positives that disproportionately affected women, people of color, the young, and the elderly.96
What’s most striking for our purposes about this behemoth data pool is the bipartisan surprise and alarm expressed in Congress and state legislatures after the program was publicized in a series of Government Accountability Office reports97 and, then, on the front page of The Washington Post.98 It was clear that few legislators knew about it and fewer, it seemed, thought they had authorized it.99 Many expressed deep concerns: about the sheer size of the database, about its experimental technology, and about its use of civil information for criminal purposes without ordinary safeguards like the existence of “reasonable suspicion.”100 In the wake of the Post’s reporting, the House Oversight and Reform Committee — one of the most powerful investigative committees in Congress — held a pair of tense hearings, during which members from both parties pressed the FBI and expert witnesses on the program’s source of authorization.
Much of the attention was trained on how the FBI gained such broad access to so many state DMV databases. When queried about its authority to use state (civil) DMV licensing photographs to conduct federal (criminal) investigations, the FBI’s representative tentatively identified a federal statute enacted to protect the privacy of state DMV records, the Driver’s Privacy Protection Act of 1994.101 That statute was enacted in response to the advent of a lucrative revenue stream for states in selling DMV data, including photographs, to marketers, insurers, and other private companies.102 The Act requires states to obtain express consent before selling or sharing an individual’s data.103 But it also sets out several exemptions to that consent requirement, including allowing DMVs to share information with “any . . . entity acting on behalf of a Federal, State, or local agency in carrying out its functions” without an individual’s consent.104 Seizing on that exception from the consent requirement, the FBI argued to Congress that the Act allows the sharing of driver’s license photos when they are “utilized for law enforcement purposes.”105 In essence, the FBI appeared to be saying that, because the Act does not prohibit DMVs from sharing information (without consent) with the FBI, it should be understood to affirmatively authorize such transfers. One member of Congress described that as a “very shaky legal ground” for a program that gives the FBI “ubiquitous access to” DMV photos “across 50 states.”106 Indeed, it is black-letter admin-istrative law that an agency “has no power to act . . . unless and until Congress confers power upon it.”107 Reading the absence of a prohibition as a conferral of authorization turns that basic principle on its head.108
The same question could be asked of the states — had they authorized the transfer of DMV data to the FBI? Republican Congressman Jim Jordan asked exactly that, inquiring whether the “state legislature and the Governor actually [had] pass[ed] legislation saying it was okay for the FBI to access every single person in their state who has a driver’s license.”109 As one expert explained: “No, and that is the problem. This was all in secret, essentially.”110 Congressman Jordan captured the terrain well: “So some unelected person at the FBI talks to some unelected person at the state level and they say yes, go ahead . . . [h]ere is [data from] 10 million folks . . . [.]”111
That a complex data sharing initiative as significant as this one could spring into being without a structuring federal statute is surprising, but it is quite ordinary in this context. And even where Congress has more explicitly authorized the data sharing in question, it rarely provides the kind of detailed roadmap that is standard for other cooperative federalism programs. Indeed, Congress has in all but a few cases declined to make the kind of normative trade-offs or institutional design choices that sensitive data pools require — instead leaving those decisions to federal and state administrative actors.112
1. Data Sharing Statutes. — The National Crime Information Center is a textbook example of how Congress approaches intergovernmental data pools. As described above, the NCIC compiles information from a network of databases from all fifty states, dozens of federal agencies, and thousands of local criminal justice agencies into the Interstate Identification Index — a massive database that is searched millions of times a day by officials across the country. Though the data comes from nearly all state and local governments, the NCIC is overseen by the FBI and its Criminal Justice Information Services Division, which is the Bureau’s largest division, eclipsing even its core enforcement departments.113
Despite the scale of the NCIC, and the enormous sensitivity of the personal data compiled within its databases, it is hard to identify a federal statute that appears to contemplate data collection of this magnitude. The FBI routinely cites as authorization for the NCIC a 1924 appropriations statute allocating funds for the Attorney General to “acquire, collect, classify, and preserve identification, criminal identification, crime, and other records” and “exchange such records” with “authorized officials of the Federal Government, . . . the States, . . . Indian tribes, cities, and penal and other institutions.”114 The NCIC is, of course, not mentioned by name, nor could it have been in the contemplation of the Congress that crafted that statute. Today’s twelve-million-transaction-per-day digital juggernaut bears little resemblance to the exchange of carbon copies that the 1924 Congress funded. In the early years of the NCIC, many pushed Congress to comprehensively regulate its content, security, privacy, and management structure. But the only legislative success was narrow: a law focused on inducing states to send not just arrest information to the system, but also the final disposition of the individual’s case.115 (Arrest information alone can create the misleading impression that a person who was released without charge or acquitted has a criminal history.) One-off provisions of federal law have subsequently directed that new data be added to the NCIC,116 additional federal departments be given access,117 and state efforts to achieve “full participation” be funded.118 But Congress has not stepped in to comprehensively regulate.119
This is not an ordinary case of broad congressional delegation to a federal agency. When Congress steps back in this federalism-rich area, the President is not the only political or administrative actor to step in. The architecture of the NCIC, from its high-level design — what information it contains, which governmental entities contribute to it, and for what purposes it can be accessed — to its detailed operational and privacy rules, is set out in intergovernmental agreements and a cross-governmental bureaucracy, which I describe below.
Congress has used a similarly light touch with other sweeping intergovernmental data programs.120 And these programs, thus, follow a similar pattern: Without Congress, federal agencies and state governments develop their own cooperative structures and governance approaches.
As we saw with the facial recognition collaboration between the FBI and state DMVs, states likewise frequently embark on large data sharing programs without legislative authorization. As Professor Christopher Slobogin documents with respect to fusion centers, in “most states, fusion centers are not explicitly authorized by statute” but instead purport to “derive their authority from general statutes creating state police agencies or memoranda of understanding among partner agencies.”121
2. Privacy Statutes. — Given the significant privacy issues raised by intergovernmental data exchange, one might expect that any gaps present in these programs’ authorizing statutes would be filled by the federal government’s data privacy statutes. In fact, the two main federal privacy statutes have remarkable blind spots to intergovernmental data sharing.
Together, the Privacy Act of 1974122 and the E-Government Act of 2002123 establish the transstatutory privacy regime for personal data held by the federal government.124 Those Acts set out high-level information management directives, but also permit significant agency discretion by instructing agencies to identify and mitigate privacy risks themselves, rather than attempting to predict and manage them legislatively.
The Privacy Act prohibits, subject to exceptions discussed below, the dissemination of an individual record without the written consent of the record’s subject.125 It makes agencies account for their disclosures.126 It instructs them to allow individuals to correct inaccuracies in governmental records.127 It requires them to collect only information “relevant and necessary” to accomplish the purposes specified in statutes and executive orders.128 And, where the information may adversely determine an individual’s rights or benefits, it tells agencies to “collect information to the greatest extent practicable directly from the subject.”129
Recognizing that rigid rules can be circumvented by technological advances, however, the Acts generally stop there and try to mitigate additional privacy risks by imposing procedural requirements on agencies. To that end, agencies must publish a “system of records notice,” or SORN, when describing new (or revising old) “system[s] of records” — that is, a notice that describes the system’s use and governing practices.130 They must also conduct a “Privacy Impact Assessment” before initiating most efforts to collect individual information.131 By statutory mandate and long-standing federal guidance, the Assessments must specify what information will be collected and its intended use, outline who will have access to it, identify its privacy and security risks, and set forth mitigation measures.132
Many commentators have highlighted the gaps, enforcement problems, and design flaws in this regime.133 What is important for our purposes is that it is virtually ignorant of, and only minimally re-strains, intergovernmental data exchange. SORNs and Privacy Impact Assessments, for instance, require agencies to specify the source of the information they are seeking to gather, but this requirement can be discharged by simply enumerating — as most do — a long list of potential sources that includes state, local, tribal, and territorial governments.134 The public disclosures rarely specify what data the federal government obtains from each of these sources, nor do they normally cross-reference the contract-like agreements that lay out their terms.
Moreover, the Privacy Act’s flagship consent requirement — that an agency may not disseminate a record without the consent of the record’s subject — has several limitations and exceptions that constrain its reach to intergovernmental data sharing. The most relevant limitation of the consent requirement is its application only when the federal government is the party surrendering data. When a federal agency shares records with state and local governments, the Privacy Act requires it to obtain consent from the data’s subject (with the exceptions discussed below). When the federal government receives information, however, the Privacy Act imposes no similar requirement. Consistent with the Privacy Act, then, the federal government can — and does — obtain large quantities of information from cities and states for reasons that depart from the purposes for which the data was collected and without the consent of the data’s subject.135 The legislative history does not disclose the rationale behind this exception, but it is in tension with one way of understanding the objective of the Act: to ensure that the federal government uses information only for the purposes for which it was collected and about which the subject has notice.136 And certainly the federal government could say to states: we would like you to share your data, but please gain the consent of the data’s subject first.
The Act’s consent requirement also has two exceptions that limit its applicability to data that moves across governmental boundaries. The first exception is for “routine uses.” Agencies, in short, are excused from obtaining a subject’s consent when disseminating a record for uses “compatible with the purpose for which it was collected,” as long as those routine uses are disclosed in advance.137 Federal agencies have generally conceptualized their “routine uses” very broadly.138 And they have smoothed the way for data sharing with states and local governments without the subject’s consent by simply announcing in advance that the data’s “routine uses” encompass use by state and local agencies.139 The Act does not specifically authorize that practice, but it is now well entrenched that “routine uses” of federal data for Privacy Act purposes can include uses by federal agencies as well as state and local ones.
The second exception that limits the applicability of the Privacy Act here is the Act’s exemption for information sharing for purposes of “civil or criminal law enforcement activity.”140 Because many of the largest data pooling programs are related to law enforcement in at least some way, the Privacy Act’s hands-off approach to those initiatives allows administrative actors to essentially self-regulate.
There is no inherent difficulty in legislatively regulating the privacy aspects of information sharing. Indeed, two exceptions to the general trend of statutory minimalism prove that it can be done. The Computer Matching and Privacy Protection Act of 1988141 requires federal agencies to establish data sharing agreements when they consult either federal or state databases to cross-check information.142 But the scope of the statute is limited, applying only when an agency is verifying a person’s eligibility for federally funded public benefits.143 Still, these mandated agreements are unusual because Congress has said specifically what they must include.144 As discussed below, intergovernmental agreements are the standard legal device used to structure data exchange programs, and most are far more fluid and informal than these congressionally mandated agreements.
Another sector-specific statute, the DNA Identification Act of 1994,145 takes a rare heavy hand in structuring the intergovernmental exchange of DNA for law enforcement purposes. It mandates that the FBI certify state laboratories that place DNA in the national database.146 It limits access to the information in the database (though it allows access by any “criminal justice agenc[y] for law enforcement identification purposes”).147 And it creates criminal penalties for the mishandling of DNA information.148
Most states do not have omnibus privacy frameworks, but even the few states that have passed comprehensive privacy statutes seem to follow Congress’s lead and ignore intergovernmental information sharing.149 California’s data privacy law is notable because it is so comprehensive. But even that law authorizes cross-governmental information sharing in broad terms, providing that information may be shared without the data subject’s consent or notice “if required by state or federal law.”150 This deference to federal information sharing requirements is striking in light of the constitutional framework I discuss below, which protects state governments from just that kind of federal mandate, in the data world and beyond.151
B. Contractual Lawmaking
The fact that intergovernmental data transfers and data pooling programs operate largely without Congress’s constraint is surprising. These complex initiatives are subject to the same normative trade-offs, pressures from organized interest groups, and ambitions of efficiency and efficacy as any other large-scale intergovernmental program. They could not occur without some form of legal structuring to plan and organize them. The legal instruments that play that role here are not uncommon, but they are unfamiliar. States, cities, and the federal government transfer, exchange, and pool data — and establish the institutions to manage those data flows — in quasi-contractual ways, using legal instruments that I have previously called “intergovernmental agreements.”152
These are formal written agreements entered into by the federal government and a counterparty state or city. They have “will” and “shall” clauses, conditions and attestations, terms stipulating their effective period and how they can be terminated, signature lines, and sometimes a bit of fuddy language about consideration.153 But they serve purposes that ordinary contracts do not. They “speak not just inwardly to their governmental counterparties but also outwardly to the shared constituents of those governments” because they contain rules that define the entitlements of both their governmental parties and “polities they jointly govern.”154 They perform, in short, both the commitment-making function of contracts and the lawmaking function of ordinary statutes.
Intergovernmental agreements serve a range of important and still not fully understood functions in the ordinary warp and weft of governance in our federalist system, but given Congress’s light touch in managing data, their role is particularly vital here. In more familiar federalism programs, intergovernmental agreements are an important step in the program’s execution. After the basic terms of a federal-state program — say, Medicaid — are worked out in Congress, and the implementing agency promulgates regulations in the Federal Register setting out the detailed conditions of state participation, the agency forges an agreement with the state or city counterparty.155 Tactically, that agreement often serves as a further round of administrative law and policymaking.156 It can more specifically articulate the terms of the federal government’s offer; reflect a state’s regulatory plan for meeting those terms; and indicate the federal government’s assent to it.157 More theoretically, even the most mundane intergovernmental agreements also perform a significant constitutional function. Because Congress may not commandeer states into joining its programs, intergovernmental agreements memorialize the state’s voluntary choice to participate in them.158
The intergovernmental agreements used to structure data programs serve all of those functions and then some. Most distinctively, in Congress’s absence, they perform significant legislative functions, rather than primarily administrative ones. They distribute roles and responsibilities among participating governments, specifying what each gives and gets.159 They erect program architectures, defining goals, creating institutions, and specifying processes for data pooling programs. And, most profoundly, they serve as the legal instrument, and their negotiation as the legal process, through which coordinating governments make core normative trade-offs. How did the facial recognition program discussed at the beginning of this Part come to be without affirmative action by Congress and state legislatures? Through twenty-one negotiations between the FBI and state public safety agencies and DMVs, and the enactment of twenty-one separate intergovernmental agreements.160
The same is true of the NCIC — and has been for decades. After early efforts to regulate a young NCIC failed in the early 1970s,161 the Department of Justice entered into individual agreements with each state, in which the state indicated (and DOJ approved) how it planned to approach its own data gathering, privacy, and security issues and what data it would send to the central database.162 Where centralized structuring proved elusive, the parties shifted to a strategy of lawmaking by mutual agreement. These original agreements continue to be cited as part of the program’s law today. They have also been supplemented by a growing network of additional agreements that govern new aspects of the program as it evolves.163
This pattern is also reproduced in fusion centers, the federal-state-local centers designed to co-locate intelligence analysts from across levels of government and “fuse” together their respective antiterrorism and criminal information. The agreements that establish these centers are not usually disclosed publicly, but those that are look like charters of sorts, constituting and envisioning what form these novel joint institutions will take. The agreement between the City of Las Vegas, State of Nevada, FBI, DHS, and various other agencies creating the Las Vegas fusion center — styled the Southern Nevada Counter Terrorism Center — announces the “intent of the Participating Agencies to centralize and co-locate” staff and to “establish a framework for the organization” of the Center.164 It then envisions its own governance structure in the form of a cross-governmental Board of Governors, with particular composition, voting rights, and decisionmaking processes.165
Intergovernmental agreements also sit at the foundation of the less formal data sharing programs. In the early 2000s, Kansas set up the Crosscheck program, designed to allow participating states to exchange voter registration data, identify individuals registered in multiple states, and prevent voter fraud.166 This perilously informal program was structured through intergovernmental agreements, whose slapdash creation ultimately precipitated the program’s downfall.167 The agreements omitted security protocols for the sensitive data (which included Social Security numbers) that Crosscheck transmitted between states, articulating security commitments at only the highest level of generality.168 The program was halted in 2019 by a lawsuit that alleged that Kansas had failed to adopt even minimal security procedures like encryption, password protection, multi-factor authentication, and a secure file-transfer protocol.169 The district court noted pointedly that “no provision of the Memorandum of Understanding” facilitating the program “restricts unsecured transmissions.”170
Information exchange that arises as an adjunct to federal-state programs and through one-off transactions is likewise structured through intergovernmental agreement.171 In 2020, when the Census Bureau sought state data to make its citizenship tabulations, it entered into agreements with state DMVs, each reflecting different terms and conditions, specifying what data each state would send and at what price, what privacy protections the Bureau would afford, and under what conditions the data could be shared further.172
Understanding the outsized significance of intergovernmental agreements in the data sharing context deepens our understanding of their significance — and their complexity. As structuring devices for evolving intergovernmental programs that transact in novel governmental powers — especially those enabled by technological advancement — they offer valuable flexibility. As lawmaking devices for protecting core liberties in the interstitial spaces between governments, especially when Congress has stayed its hand, they raise serious concerns. In the data sector, these agreements follow, perhaps even more universally, the trend common to other intergovernmental agreements: they are not ordinarily made public, and their custodians sometimes go to significant lengths (as I can attest) to keep them from disclosure.173 They also lack an accepted and accessible process for creation. Moreover, because intergovernmental agreements are often made by the parties who want to use the data, rather than the parties whose data it is, it will come as no surprise that they have great potential to underprotect privacy interests. Most significantly, though, they can serve as institution-creating documents — as charter-like instruments, which I explore next.
C. Cross-Governmental Bureaucracy
In the absence of a legislative guide, intergovernmental agreements can serve as something of an enabling act for cross-governmental data programs. And the larger, more sustained, and more permanent the program, the more infrastructure it requires. This section describes the unorthodox forms of ongoing management our levels of government have devised, in intergovernmental agreements and atop them, to manage and oversee joint data programs on a day-to-day basis. This is not a thorough catalog of the administrative structures that guide these data pools. My goal in this first look is instead to excavate examples that reflect the possibilities, drawbacks, and complexities of these institutions. They are flexible, enabling different governments to participate in common governing projects. They are innovative, using governing forms and processes without parallel in either federal or state administrative apparatuses. But they also, in many cases, have an independence that is striking, and not for the good. Although it is administrative law 101 that agencies are creatures of legislative (and in some state governments, constitutional) delegation, the institutions I discuss below generally lack a close tether to ordinary sources of political authority and accountability. And they are frequently opaque. They decline to publicize their inner workings, and tracing the authority under which they make policy is extremely challenging and in some cases not possible.
What is clear is that these unorthodox institutions further emphasize both the novelty and complexity of data pooling programs. Scholars have emphasized the increasing interdependence between the federal government and the states for some time.174 These institutions give us a taste of what that integration looks like not just in theory, but on the ground.
1. Neither “Federal” nor “State”: Fusion Centers. — As entrée into these institutions, consider the claim made repeatedly by the small group of scholars who write about fusion centers that they are “state-run” agencies.175 This claim is often made despite the absence of any clear reasoning to that effect or citation to a credible legal document substantiating that status. The available legal sources, instead, point in many directions. It is true that fusion centers are not part of the federal administrative apparatus and that they have no federal enabling acts or other legislative charters. But nor are they ordinarily supported by specific legislation in the states; their state participants instead draw their authority from “general statutes creating state police agencies or memoranda of understanding among partner agencies.”176 And in authorizing the Department of Homeland Security to provide support to them, Congress defines “fusion centers” as though the federal government is a constitutive member, not a mere advisor on the outside, as a “collaborative effort of 2 or more Federal, State, local, or tribal government agencies that combines resources, expertise, or information.”177
They are, moreover, staffed by personnel from federal, state, and local governments and funded jointly by all participating governments.178 The federal government, as a consequence of this funding and the access that fusion centers have to federal data, has asserted the right to regulate certain fusion center operations.179 Whereas many fusion centers are physically housed within state and local law enforcement agencies, over forty percent, an annual survey of these centers reports, are “colocated” in field offices of the FBI.180 The closest things many fusions centers have to founding documents are the often-undisclosed intergovernmental agreements that structure them.181 These are not, in short, obviously state institutions or obviously state run.
Their frequent characterization as creatures of state government, then, appears to stem from a category problem: Even as our governments co-manage joint assets — like data pools — and integrate their governance more than ever before, we still strive to assimilate their actions into a frame of separate federal and state governance. Agencies are either state agencies or federal agencies. Fusion centers, along with the other formal and informal administrative structures I describe below, however, invite us to imagine a new category of cross-governmental institutions — ones that sit in federalism’s interstitial spaces.
2. Formal Structure: The NCIC’s Governance Multiplicity. — The National Crime Information Center is powered by no fewer than three distinctive multi-governmental bureaucracies, each serving a different function and reflecting a different set of institutional arrangements, revealing the flexibility and innovation (whether successful or not) of these governance institutions.
(a) Day-to-Day Management. — The FBI characterizes the NCIC’s day-to-day governance as a “shared management concept,” but that bureaucratic term masks an extraordinarily detailed set of arrangements.182 The FBI maintains the database, but it “share[s] responsibility for the operation and management of all systems” with “local, state, tribal, and federal data providers and system users.”183 This shared oversight is operationalized by an intergovernmental board, the Criminal Justice Information Services (CJIS) Advisory Policy Board (itself supervising five additional “working groups”).184 The Advisory Policy Board has thirty-five members, who range from heads of state and local criminal justice agencies to delegates from contributing federal agencies to representatives of nongovernmental criminal justice associations.185 The working groups have representatives from all fifty states and many local jurisdictions.186
The Board plainly possesses significant functional power. Its members, after all, generate, contribute, and use the data that is the lifeblood of the NCIC and can choose to withdraw their participation at any time. But, as is characteristic of administrative law in the cross-governmental space, the Board’s formal power is less clear. For separation-of-powers reasons, advisory committees adjuncted to federal administrative agencies are ordinarily confined to issuing nonbinding guidance.187 And within the federal administrative state, the Advisory Policy Board’s formal role appears to be limited to just that: providing nonbinding advice to the FBI Director, who may theoretically accept or disregard it.188
But its name notwithstanding, the CJIS Advisory Policy Board is not an ordinary federal advisory committee. Unlike ordinary federal advisory committees, the Board has an independent and nonfederal source of authority: the intergovernmental agreements that structure the NCIC. The intergovernmental agreement that all NCIC users (including all state and local law enforcement agencies) must sign “incorporate[s] by reference” the “Minutes of the CJIS Advisory Policy Board meetings,” the “bylaws for the CJIS Advisory Policy Board and Working Groups,” and NCIC Standards “as recommended by the CJIS Advisory Policy Board.”189 The agreements that structure participation in the NCIC, in other words, commit its users to following the Advisory Policy Board’s guidance, whatever its status as independent federal agency action.190
(b) Access for Non–Criminal Justice Purposes. — The NCIC’s governance is further complicated by a second bureaucracy that oversees a precise, but significant, function of the NCIC: the exchange of criminal justice data for purposes unrelated to criminal law enforcement, like civil background checks, housing applications, and vetting for public sector employment. Not all states that use the NCIC endorse access to it for purposes outside of the criminal justice context. The states that do wish to share their NCIC data for non–criminal justice purposes have, thus, enacted an interstate compact to govern their exchange of data for those purposes specifically.191 The National Crime Prevention and Privacy Compact was approved and joined by Congress in 1998 and became effective the following year when the first states ratified it.192 Today, it has thirty-four members.193
The Compact, in turn, established a governing council comprised of state representatives and federal agencies.194 Significantly, unlike the CJIS Advisory Policy Board, the Council is vested with binding administrative authority — though the basis of this authority is again hard to assimilate into an ordinary federal (or, for that matter, state) administrative law frame. The Compact itself is the instrument that allows the Council to “promulgate rules and procedures” governing the exchange of information for non–criminal justice purposes.195 And although the Council does not identify as, and almost certainly could not be considered, a federal agency (since it is comprised largely of nonfederal representatives), the Compact directs the Council to borrow the federal government’s administrative infrastructure, promulgating the rules it issues in the Federal Register.196 The Compact further provides that disputes between its parties, over its meaning or concerning “any rule or standard” it promulgates, must be heard in the first instance by the Council itself through a “hearing” after which a decision may follow only by “a majority vote of the members of the Council.”197 (I am not aware of any efforts to seek judicial review of rules made by the Compact Council, nor is it obvious what law would govern such a challenge.) It also vests judicial oversight over any appeal in the federal courts, but does not specify — and there do not appear to be any cases testing — what law would apply to an administrative challenge in such a setting.198
(c) Telecommunications and Verification. — Completing the dizzying network of intergovernmental bureaucracies that oversee the exchange of criminal justice information is the secretive Nlets telecommunications network. Nlets allows states to directly access the state-level databases that feed into the NCIC in order to verify the information obtained through NCIC searches and conduct other state-to-state data transfers and comparisons.199 It also allows some participants to access additional databases not present in the NCIC.200 Nlets is not housed in either the state or federal government, but is instead a private not-for-profit organization founded by the states and governed by participating law enforcement agencies.201 It is already challenging to conceptualize government-owned corporations as legal institutions when they exist within the boundaries of a single government. Those challenges are multiplied when, like Nlets, they exist between and across governments. The most significant consequence of Nlet’s distinctive public/private form is the organization’s highly furtive behavior — it does not disclose comprehensive information about its activities, funding, or policies and publicly discusses its activities at only the highest level of generality. It acts, in short, like a private entity, not a government institution, though it serves as gatekeeper to a sweeping amount of government data.
3. Informal Administration: Street-Level Bureaucracy and Immigration Data. — But data of significance and in significant volumes often moves between federal, state, and local custody not through centrally managed programs, but at the periphery: through line-level implementers, or what Michael Lipsky calls “street-level bureaucrats.”202 Since Lipsky’s pathmarking manuscript on the policymaking power of these actors, administrative law scholars have trained significant attention on how frontline government officials exercise discretion and on the “agency behavior” that discretion “add[s] up to” “when taken in concert.”203 This section illustrates the ways that street-level bureaucrats use their discretion over the data they manage to jointly initiate and oversee data transactions with their counterparts in other levels of government.204 Line-level actors can, in effect, forge intergovernmental data sharing programs through informal relationships with their counterparts in other governments.
This process is particularly vivid in the immigration context. Because the number of federal immigration enforcement agents is dwarfed by the number of state and local police, the collaboration of local law enforcement is an enticing force-multiplication strategy for federal policymakers.205 Across at least three presidential administrations, the federal government has placed access to the immigration information held by state and local police at the core of its immigration strategy. But as discussed above, states and cities have increasingly resisted formal proposals to collaborate on both normative grounds (out of a desire to protect members of their communities regardless of immigration status) and efficacy grounds (arguing that community members will be less cooperative with local police if they fear federal immigration consequences). As local elected officials have held back cooperation, federal immigration agents have shifted their strategy to forging data exchange projects with line-level bureaucrats instead.
These line-level data sharing initiatives can take many forms. The previously mentioned “sanctuary city” litigation is at bottom about immigration-related data sharing. The statute the federal government is seeking to enforce — and whose constitutionality is under challenge — is 8 U.S.C. § 1373. It prohibits states from, in turn, prohibiting their employees from sharing information with ICE.206
Section 1373 does not stand up its own data exchange program. Rather, it intervenes in local and national street-level bureaucracies to encourage the agents on each government’s margin to develop information-exchange initiatives of their own. By making it unlawful for states or cities to prohibit their officers from sharing information with ICE, § 1373 detaches local police from the immigration-related information controls of their state and city administrators and policymakers, instead empowering the individual employee to write data policy on her own. In turn, it encourages ICE to go directly to the street-level officials rather than negotiating an information-exchange program with state or local policymakers.207 As discussed below, that process is often conducted by federal decisionmakers who are bureaucratically congruent to their state targets: by low-level ICE agents and field offices who have relationships with the individual state and local police officers that § 1373 empowers to share information. Important information initiatives and projects, thus, can be the brainchild of street-level bureaucrats on both sides.
Information about immigration enforcement, including how federal agents collaborate with local police, is not routinely made public. But documents obtained by the American Immigration Council through the Freedom of Information Act provide a window into at least some of these initiatives. A compilation of initiatives proposed by the ICE Atlanta Field Office (under pressure to meet annual deportation targets) and approved for use in the field reveals the breadth and creativity of programs conceived by ICE field agents and their local criminal justice counterparts to share immigration-related information.208
Seeking information from police encounters that do not result in arrest, Atlanta field agents proposed, for instance, an initiative to join local police at traffic checkpoints — fixed locations used to randomly stop vehicles and administer DUI tests. In the proposal, when local police find evidence of a traffic or criminal violation at the checkpoint, vehicles are then sent to a “secondary location” at which ICE is also present to “interview all individuals we deem necessary.”209
ICE agents have also found other ways to obtain data from local police encounters that do not result in arrest. For instance, ICE sought to form a task force with a local police department to mine notes from such encounters, arguing that “[t]here are a tremendous number of local law enforcement encounters that occur on a daily basis where the individual is the subject of a traffic ticket or warning or a field interview and is not taken into custody.”210 The Field Office explained that, if it could “look at the data from these types of encounters and run them through our databases,” it was “likely to identify a number of aliens.”211 It observed that the “average midsize police department issues between 250 and 400 traffic tickets per week and completes 50+ field interview cards,” which “is a lot of data that is being collected that ICE could look into.”212
Understanding that police are not the only local law enforcement officials who may have immigration-related information, the Field Office also sought to direct information requests to other relevant local officials. For instance, it proposed asking the probation and parole departments in local counties to share information on current and former foreign-born individuals on probation, which officers would then vet for individuals eligible for deportation.213 And it suggested contacting Georgia’s county solicitors (who prosecute county-level misdemeanor offenses) to obtain “current rosters for their General Sessions Court Cases” to “vet the lists for any foreign born criminal aliens and . . . try to apprehend” them.214
Finally, the Field Office proposed several initiatives that would tap a long-standing conduit of state information to federal officials: the state DMV. It proposed working with the Georgia DMV’s License & Theft Division to use the state’s facial recognition technology to “screen potential fraud cases” (of interest because of the assumption that non-citizens may use fraudulent documents when applying for a license) to identify individuals wanted by ICE.215 It suggested obtaining a “list of temporary driver licenses issued to foreign-born applicants.”216 And it advocated soliciting a list of individuals whose license applications were denied “due to lacking proof of residency” to develop a “foreign-born target base” to “be vetted further” for individuals with past criminal convictions.217
These structures reveal that intergovernmental data sharing is not a simple exchange of governmental goods. It precipitates a subsequent process of intergovernmental data oversight and, in some cases, the creation of integrated governmental institutions to manage data on an ongoing basis. Much about these institutions remains to be discovered. What is clear is that a person who wants to know how “the government” stewards her data — because she is concerned about her privacy, or worried about her data’s security, or believes her data is incomplete or misleading, or thinks it was obtained or is being used unlawfully — would face an almost insurmountable task. She would have to peer into institutions that traverse governmental boundaries; see the logic of institutions that do not coherently divulge how they function or even sometimes what they do — a logic that the officials who inhabit these institutions may not fully know themselves; consult structuring agreements that are not always disclosed and are never easy to locate; and query decisions not fully domesticated by either federal or state law.
These intergovernmental practices thus raise challenging questions about the institutions that govern us. Ordinarily, questions of institutional design and federal-state interaction would find outer guideposts in the Constitution. The next Part considers the structural constitutional issues that arise from data sharing, but also explores the limits of existing constitutional doctrine to confront the full scope of federalism-inflected problems these arrangements produce.
III. Doctrine for the Intergovernmental Data Market
The transactions documented in Part I resemble in important ways other, now-familiar forms of intergovernmental negotiation. Our governments routinely establish “cooperative federalism” programs by trading governmental assets, typically money and administrative capacity.218 Constitutional doctrines derived from the text and function of the Spending Clause, the Tenth Amendment, and structural federalism principles set forth the “rules of engagement” for these initiatives.219 Most importantly, they ensure that federal-state collaborations are created voluntarily by both governmental parties.
Those rules of engagement are the most obvious source of constitutional guardrails for data federalism, but they require adaptation. Does the anti-commandeering rule, which prohibits the federal government from requiring states to “enact or administer a federal regulatory program,” also disallow federal efforts to require data sharing?220 Do doctrines that structure how the federal government and states negotiate spending programs — like the anti-coercion rule and the Pennhurst clear statement rule — regulate the formation of data programs too, even if they entail no expenditure of funds?
The task of deciding how, and whether, these rules apply to data transactions has generally confounded the few courts to have attempted it. And, because the roadmap is so thin, even colorable constitutional claims are not pressed in many data-related disputes. This Part begins by setting forth that roadmap — understanding the ways data trans-actions complicate the straightforward application of these doctrines and arguing that they should apply nonetheless.
But those doctrines, in the end, police only one form of structural harm that can arise in intergovernmental data programs — harm related to the voluntariness of the government-government relationship. As Part II illustrates, however, there are many structural problems that can arise not because of tension between governments at a program’s conception, but because of the institutions they readily and voluntarily create: institutions that can escape accountability and transparency, avoid legal oversight, and empower governments at the expense of their constituents, among many other potential concerns. Even fully applying the anti-commandeering, anti-coercion, and Pennhurst clear statement rules to data sharing will leave many of the unusual structural arrangements precipitated by data federalism untouched by constitutional doctrine. I therefore conclude by reflecting on the limits of existing federalism doctrine to address the full scope of structural problems data federalism may raise.
A. The Constitutional Significance of Data Transactions
To see some of the potential constitutional stakes of data federalism, consider the federal government’s efforts to obtain the data cities and states collect about their immigrant populations. Sanctuary cities generally decline federal invitations to share immigration-related data. But — as discussed above — 8 U.S.C. § 1373, a law enacted by the Clinton Administration and enforced by every administration through the Trump presidency, and the portfolio of increasingly aggressive tactics used to enforce it, try to prohibit states from choosing to withhold that information. The law plainly tries to take, without consent, immigration-related data from states and cities. Ordinarily, federal directives to states would raise questions of unconstitutional commandeering. But in one of its early commandeering cases, the Supreme Court suggested that the rule may have an “information-sharing exception,” which would exempt data transactions from its protections.221 Some of the few courts to address data transactions, moreover, have embraced that exception — seemingly offering the federal government carte blanche to requisition state data even as those courts concede that it may not take other state assets.222
When states and cities have expressed an unwillingness to share immigration-related data with the federal government, the federal government has used aggressive tactics that in the context of state-federal grant programs would be scrutinized as unconstitutional coercion and deception. Consider the Secure Communities program, a DHS initiative designed to allow the agency access to an enormous quantity of state and local data about noncitizens. It would be difficult to overstate the significance of Secure Communities to federal immigration enforcement and, by the same token, to state and local interactions with immigrant communities. As elaborated above, the program, which was established in 2008, had two central components. First, it had a data sharing component, in which the federal government obtained data from state and local governments regarding individuals arrested by state and local police and checked that data against federal immigration data-bases.223 Second, it had a prioritization component, in which the federal government prioritized removable individuals with serious criminal records for enforcement action over removable individuals without a criminal history. The formal, written agreements that initiated the program traded one component (the federal prioritization commitment) for another (the state and local arrestee data).224
The data sharing initiative was initially portrayed by DHS as entirely voluntary, a characterization heavily emphasized by the Obama Administration during President Obama’s first year in office. But when state and local jurisdictions — cities and counties like San Francisco, California and Arlington County, Virginia, as well as the states of Illinois, New York, and Massachusetts — sought to exercise the termination clauses in their formal agreements (which allowed either party to withdraw with thirty days’ notice225), then–DHS Secretary Janet Napolitano terminated all of the agreements.226 She did not, however, scuttle the program. Instead, she announced that it would continue involuntarily going forward. “We don’t consider Secure Communities an opt-in, opt-out program,” she said during a press conference.227
That is the kind of language that would immediately trigger talk of federal overreach in a more traditional federal-state program. But states did not press this claim in court. One reason perhaps is the federal government’s deliberate efforts to ward off such a challenge. Perhaps not wanting to bet on the potential information sharing exception to the anti-commandeering rule, DHS tried to head off a charge of commandeering by pointing out that states were not required to send any new information to DHS — or, indeed, to send any information directly to DHS at all — because of the technical way the data sharing component of Secure Communities actually worked. States sent arrestee biometric data, as they long have, to the National Crime Information Center as part of its voluntary program for sharing general policing data with the FBI and jurisdictions across the country. The FBI, in turn, operationalized Secure Communities by forwarding that data to DHS. It is true, DHS conceded, that states and cities had no say in whether the FBI forwarded their data to DHS. But, DHS maintained, they were not being commandeered because the data was supplied to the FBI willingly and “no agreement with the state is legally necessary for one part of the federal government to share it with another part.”228
But what about the other constitutional doctrines that courts have used to protect states and localities when entering into cooperative federalism programs? The anti-coercion rule, which arose in the context of federal-state grant programs, prohibits the federal government from using financial inducements that “pass the point at which ‘pressure turns into compulsion’” to secure state participation in grant programs.229 And the Pennhurst clear statement rule requires the federal government to state “condition[s] on the grant of federal moneys . . . unambiguously” so that states can “knowingly accept[] the terms” of the joint program.230
The effort to operationalize Secure Communities by leveraging the preexisting NCIC program mirrors almost exactly the constellation of inducements that the Supreme Court found to be unconstitutionally coercive in its most recent anti-coercion case, challenging the Affordable Care Act’s Medicaid expansion.231 The Medicaid expansion offered states additional funding for Medicaid — an enormous and decades-long program that had become deeply embedded in state governance — in exchange for their commitment to expand their programs to cover incremental populations. But the additional funding to cover new populations was not the only inducement for participating in the expansion. “Instead of simply refusing to grant the new funds to States that will not accept the new conditions, Congress . . . also threatened to withhold those States’ existing Medicaid funds,” a condition that an unusual seven-Justice coalition found unconstitutional.232
But, if we substitute data for money, that is just what DHS did in linking Secure Communities to the NCIC: It conditioned continued state access to a deeply-rooted, long-standing data pool — described as the “lifeblood of law enforcement” — on states’ agreement to participate in the new and incremental Secure Communities program.233 By connecting the NCIC and Secure Communities, the federal government essentially said: “If you do not agree to your data being used for Secure Communities, you cannot participate in the NCIC either.” As The Washington Post correctly observed at the time, the “only way a local jurisdiction could opt out of [Secure Communities] is if a state refused to send fingerprints to the FBI.”234 Or, in DHS’s words, “a jurisdiction cannot choose to have the fingerprints it submits to the federal government processed only for criminal history checks.”235
DHS’s retroactive recharacterization of Secure Communities as part of the NCIC also draws attention to a potential Pennhurst problem: Was it “unambiguous” when states agreed to participate in the NCIC that the NCIC may later be used to advance initiatives like Secure Communities?236
The rub is that to even get into court, an anti-coercion or Pennhurst claim would require a city or state challenger to convince the judge that those rules apply beyond the context of federal grant programs — that they apply when the federal government is using data, not money, as coercive leverage, and including deceptively ambiguous terms in data sharing agreements, rather than grant conditions.
Because money was central to the origination of those doctrines, states, cities, and courts have hesitated to invoke and enforce structural constitutional rules in the data context, even where — as in the Secure Communities and sanctuary cities contexts — it is apparent that states and cities are not sharing their data voluntarily. That hesitation is not surprising, at least as a descriptive matter, given that the process of adapting old rules to new technologies can be halting in many contexts. As I show in the next section, however, most of the justifications for declining to apply structural constitutional rules to intergovernmental data exchange do not withstand scrutiny.
B. Data Federalism’s Rules of Engagement
A literal doctrine parser could find ammunition for excluding data transactions from the anti-commandeering, anti-coercion, and Pennhurst clear statement rules. When the anti-commandeering rule was first described in the mid-1990s, it involved the federal government’s effort to compel state legislative and executive action — to effectively requisition states’ administrative and regulatory power by mandating they be used to federal ends.237 Those cases left uncertain the degree to which the federal government could forcibly commandeer other forms of state power or other kinds of state assets.
The anti-coercion and Pennhurst clear statement rules, meanwhile, suffer from a different problem. They originated in disputes involving programs enacted pursuant to the Constitution’s Spending Clause, which governs how the federal government makes expenditures. And the Court has yet to apply them in cases where the federal government uses other forms of power as leverage or attaches ambiguous conditions to programs centered on exchanges of nonmonetary powers, leaving open whether they apply to transactions involving data.
In answering these questions, I do not argue from constitutional first principles. If there is an area of constitutional doctrine that cannot be methodologically pigeonholed, it is federalism doctrine. The opinions that form the core of these doctrines cite originalist sources, textualist support, intertextual logic, structural inference, and — like so many federal separation-of-powers cases — practice over time. In this initial effort to situate data federalism in constitutional doctrine, I take these doctrines on their own terms and ask whether their basic logic can apply to data and data transactions. This initial analysis of data federalism is thus in the spirit of common law constitutionalism.238
1. The Anti-commandeering Rule. — The anti-commandeering rule bars the federal government from requisitioning elements of state and local government for use in federal programs.239 Since the rule’s origination in a pair of Rehnquist Court opinions, New York v. United States240 in 1992 and Printz v. United States241 in 1997, however, courts and commentators have flirted — with little reflection or specific justification — with a so-called “information-sharing exception” to the rule, which would allow state data, unique among other assets, to be taken on command.242 But Parts I and II show that there is little basis for distinguishing data from other assets in this way, and thus no principled reason to exempt it from the anti-commandeering rule’s sweep.
The proposed exception stems from an aside by Justice Scalia in his majority opinion in Printz, the second canonical anti-commandeering case. In the first anti-commandeering case, New York, Congress had instructed each state to enact a regulatory program to dispose of the low-level radioactive waste produced within the state.243 If a state refused, the federal government required the state government to “take title” to the relevant waste, in effect absolving private producers of liability for the dangerous refuse by transferring it to the state.244 The Court concluded that both the initial instruction and the penalty impermissibly “‘commandeer[ed]’ state governments into the service of federal regulatory purposes” by “command[ing] state legislatures to legislate” according “to Congress’ instructions.”245
When Printz arose five years later, the Court applied the anti-commandeering rule to a different congressional effort to command assistance from state governments. There, instead of directing state legislatures to enact law, Congress instructed state administrative officials to help operationalize a federal program by performing a series of federally prescribed administrative tasks, including searching state databases.246 The Court held that Congress could not “compel[] [the] enlistment of state executive officers for the administration of federal programs,” just as it could not so compel state legislatures.247
But Justice Scalia, writing for the Court, reserved judgment about programs that “require only the provision of information to the Federal Government” because such programs “do not involve the precise issue before us here, which is the forced participation of the States’ executive in the actual administration of a federal program.”248 Printz did not clarify what features might distinguish the commandeering of information from the commandeering of state executive apparatuses. But the Court’s impetus for making that reservation provides a clue. The Court’s observation about data commandeering responds to an argument in the federal government’s brief: that it would be disproportionate to strike down federal programs that required only “limited local assistance” in the form of “the collection, reporting, and dissemination of information” on commandeering grounds.249 Such programs, the federal government reasoned, “enlist local officials in limited, nonpolicymaking aspects of the implementation of federal law,” and so are unlikely to “undermine the functioning of the States.”250
The federal government’s argument, in short, was that forced data sharing could not significantly affect our system of federalism because it is by its nature limited and has no meaningful effect on policymaking. In her concurring opinion, Justice O’Connor echoed that claim, noting that the Court was right to “refrain[] from deciding whether other purely ministerial reporting requirements imposed by Congress on state and local authorities pursuant to its Commerce Clause powers are similarly invalid.”251 In dissent, Justice Stevens picked up the same thread, arguing that the “enactment of statutes that merely involve the gathering of information . . . do not raise even arguable separation-of-powers concerns.”252
Professor Robert Mikos has offered one persuasive response to this argument — that to commandeer data, the federal government must generally also commandeer state legislative and executive functions, which New York and Printz expressly prohibit. Enforcing federal law, Mikos observes, includes not just policing, prosecution, and punishment, but also investigative tasks like “gathering and reporting information — via inspections, investigations, surveillance, etc. — about regulated activities.”253 Requiring states to gather and report information, at least when that investigative work is performed by administrative officials, thus mandates exactly the enforcement of federal law by state officials that Printz proscribes. Data commandeering, Mikos adds, also imposes substantially the same economic and political costs that troubled the Court in New York and Printz: It requires states to expend resources to collect the data the federal government seeks, and it diminishes their policymaking authority and political accountability by making them complicit in federal programs.254 Some of the courts that have considered the vitality of the information sharing exception since Printz — largely in the high-profile “sanctuary cities” litigation — have, relying in part on the kind of reasoning that Mikos advances, correctly re-jected the government’s arguments that such an exception exists.255 But other courts have accepted them, so there remains work to be done.256
In light of the data sharing practices canvassed in this Article, there are additional reasons there can be no data sharing exception to the anti-commandeering rule.
First, the argument that data is too trivial a resource to be “commandeered” is plainly wrong in light of the breadth and import of data exchange across governments documented in Part I. The data revolution was well underway in 1997, so the dismissive characterizations of data sharing mandates by the Solicitor General and Justices O’Connor and Stevens were out of step even when they were made, and they surely cannot be taken seriously today. The sharing of sensitive data about individuals to further consequential policy programs cannot in almost any case be characterized as a “nonpolicymaking” act. Just the basic decision to share data at all is quintessential policymaking. It is a choice to enable governmental action that requires data aggregation, whether that action is data analytics, tracking and investigation, or verifications and validations. The terms on which governments transfer data only deepen the policymaking character of data sharing. When data is shared, it sheds the protections — against insecurity, inaccuracy, and improper use — that its initial custodian placed upon it, unless those protections are carefully negotiated in the kind of intergovernmental agreement discussed above. The process, then, of structuring data sharing programs is its own policymaking process (a step that mandatory data sharing would almost certainly bypass).257 Both the decision to share and the choice of sharing terms are thus policymaking acts.
Second, seeing how our governments transact in data as a discrete governmental asset — one that can be alienated, transferred, and used to advance a range of policy ends — suggests a simpler reason that the anti-commandeering framework should apply to data mandates. When the federal government tries to mandate data sharing, it is doing something akin to taking other concrete state assets, like money or land.258 It is true that the anti-commandeering cases confront federal efforts to take more abstract state goods — like state legislative and executive authority — but the logic of those cases applies even more strongly to coercive and uncompensated takings of state assets.
Indeed, we could hypothesize that courts have avoided applying the anti-commandeering rule to data not because it represents a more conceptually intricate case of commandeering but because it represents a more conceptually simple one — and sometimes simplifying doctrines to their basics is even more difficult than complexifying them. Data takings are best analogized to a kind of Commandeering 1.0: the snatching up and carting away of a state asset. New York and Printz take commandeering into institutional context and develop a kind of Commandeering 2.0: the direction of state infrastructure to federal ends. If that’s true, we should not need to demonstrate, as Mikos takes great pains to do but everyday litigants may find too resource intensive, that data takings cannot be effectuated without commandeering legislative or executive processes, à la New York and Printz. A more straight-forward showing that the federal government has taken a valuable state asset should be sufficient. In the private sector, we increasingly appreciate that data can act as an asset, a currency, and a discrete source of corporate power.259 Parts I and II of this Article show that the governmental sector should be no different.
Finally, the use of voluntary data sharing agreements documented in this Article reveals that our governments have in most cases over time understood data to be a governmental good that requires voluntary surrender. As many scholars have argued, and courts have agreed, historical practice is relevant to answering questions about how the Constitution distributes power among coordinate branches of the federal government and between the federal government and the states.260 Because “[l]ong settled and established practice is a consideration of great weight in a proper interpretation of constitutional provisions,” we can consult the settled practice between the states and federal government with respect to data sharing.261 This Article provides the historical understanding necessary to conclude that data sharing has been generally viewed by the federal government and the states as a voluntary practice — one requiring the kind of consent that is characteristic of other forms of cooperative endeavor to which the anti-commandeering rule clearly applies.262 Of course, when the Supreme Court has given significant weight to practice over time, it has tended to be persuaded by practices that are centuries — rather than decades — long. But the shorter lifespan of these practices should not weigh against them, for they extend the entire history of data sharing in the computer age.263
Of course, seeing the distinct dynamics of data federalism and the properties that distinguish data from the other forms of power our governments trade does not cut in just one direction. Data’s non-rivalrous character, in particular, could provide fodder for a more potent possible defense of an information sharing exception to the anti-commandeering rule than Justices and commentators have previously offered. Because a state’s access to its own data is not diminished by the federal government’s access to the same data, it could be said that data commandeering has no harm. The problem with that argument, as the “sanctuary cities” cases illustrate so well, is that it conflates the non-rivalrous character of the data itself with the rivalrous character of the data’s governance regimes. A state that collects data about immigrant populations by promising confidentiality, as New York did when it offered driver’s licenses to undocumented populations,264 will find its promises impossible to keep if the federal government requisitions the city’s data for enforcement purposes. Indeed, data’s non-rivalrous character makes the need to safeguard a government’s control over its data governance regimes even more pressing. That is because each new actor or institution that can access data multiplies the risk that a data’s governance regime will be compromised.
Together, then, these arguments suggest that the anti-commandeering rule should, on its own terms, apply to federal efforts to requisition state data.
2. The Anti-coercion & Pennhurst Clear Statement Rules. — If the anti-commandeering rule applies to data transactions, and the federal government may not take state data by force, it seems intuitive that it cannot circumvent the rule by engaging in coercive or deceptive conduct with respect to an ostensibly voluntary transaction in data. But questions about the applicability of the anti-coercion and Pennhurst rules — which would ensure that data exchanges that appear voluntary are, in fact, voluntary — have received essentially no scholarly treatment. And those questions may be the more consequential ones. As Part I shows, most federal-state data programs at least present themselves as voluntary transactions, not mandatory ones. So issues attending the legitimacy of that voluntary character have many more occasions to arise. Indeed, as I discuss in the next section, there are high-profile and ostensibly voluntary data transactions of large scale and consequence that would fail to satisfy the anti-coercion and Pennhurst rules if they did apply here.
The dearth of attention to these questions is perhaps attributable to the assumption that the anti-coercion and Pennhurst rules apply only where the Spending Clause is at issue and federal funds are on offer. This premise looms so large because, as I discuss in Part IV, many assume as a matter of course that all cooperative programs involve the exchange of federal funds. Because we have not seen data collaborations as part of the general sweep of cooperative federalism, it is no surprise that few have thought to ask whether these rules apply to them — much less argue either that they should or should not.
The simple fact that data transactions resemble transactions in funding is strong evidence that the same rules should apply. But before making that argument in depth, and given the absence of any real attention to this issue in the literature, I sketch the most charitable argument that these rules should not apply here — an argument not wholly without merit, even if it is not, in my view, persuasive.
To see the argument that these doctrines should be limited to federal spending and grantmaking, consider first the genealogy of the anti-commandeering rule, on the one hand, and the anti-coercion and clear statement rules, on the other. The anti-commandeering rule arises not from a specific enumerated power, but from the Tenth Amendment and structural federalism principles that apply to the Constitution as a whole.265 The rule operates, as a result, as an external constraint on all federal powers that do not clearly exempt it.266 Whether Congress is using its Commerce Clause power or its foreign affairs power, its naturalization power or its bankruptcy power, it is presumptively constrained by the anti-commandeering rule.
But the anti-coercion and Pennhurst clear statement rules have a different origin. They arose specifically in the context of Congress’s Spending Clause authority to levy taxes and spend the proceeds for the “general Welfare.”267 And it is possible to see them as limitations the Spending Clause places on Congress’s power to spend, not as limitations the Constitution places on the federal government’s relationship to state governments more broadly.
But the anti-coercion and clear statement rules also perform an important state-protective function: By ensuring that states voluntarily agree to joint programs, they safeguard the basic state autonomy to direct their own policymaking, an interest states have whether Congress is proposing a joint initiative pursuant to its spending power or any other constitutional source of authority. The question is thus whether the anti-coercion and Pennhurst rules are triggered only when Congress spends, or are present any time the states and federal government negotiate a cooperative program.
The argument that these rules are rooted primarily in — and should be limited to — contexts in which we are concerned that a federal offer may exceed an enumerated grant of authority traces to South Dakota v. Dole,268 the foundational case setting out the anti-coercion rule. As Dole explains, the Spending Clause is an expansive grant of federal power: Because its language authorizing Congress to spend for the general welfare is so broad, Congress’s power to spend monies “for public purposes” allows it to attain “objectives not thought to be within Article I’s ‘enumerated legislative fields’” by simply imposing substantive conditions on the receipt of federal funds.269 Although Congress could not, for example, require local education departments to adopt a federal curriculum, it could condition federal funds on their adoption of that curriculum. That result is acceptable because a state’s autonomous choice to accept federal funds and use them within federal parameters is viewed as just that — the state’s exercise of its own powers.
However, when the state is coerced, Dole suggests, the state is not meaningfully using its own powers; instead, the state, acting without self-determination, is a compulsory agent of Congress. In Dole’s terms, the states cannot be said to be autonomously choosing to advance Congress’s objectives if the “financial inducement” is “so coercive as to pass the point at which ‘pressure turns into compulsion.’”270 Nor, as Pennhurst elaborates, can the states be said to be acting voluntarily if Congress hides their obligations in grant conditions that are not stated “unambiguously,” so that they can “exercise their choice . . . cognizant of the consequences of their participation.”271 Because “legislation enacted pursuant to the spending power is much in the nature of a contract” — that is, “in return for federal funds, the States agree to comply with federally imposed conditions” — the “legitimacy of Congress’ power to legislate under the spending power thus rests on whether the State voluntarily and knowingly accepts the terms of the ‘contract.’”272 These rules, on this account, perform a federal-limiting function: They prevent Congress from using its Spending Clause power to circumvent its other enumerated powers.
The second function these rules perform, however — the state-protective function — is not rooted in logic specific to the Spending Clause. It is instead rooted in basic principles of constitutional structure and the long-standing practice of voluntary federal-state projects. Even if Congress is acting well within its enumerated powers — say, delegating authority to enforce federal immigration law to the states — the anti-coercion and Pennhurst rules should still safeguard the ability of states to accept such delegations voluntarily. In the first case to actually find a violation of the anti-coercion rule, the Supreme Court’s high-profile decision in NFIB v. Sebelius,273 the Court emphasized this state-protective function far more than it did Dole’s federal-limiting rationale.274 And it eliminated any doubt that the anti-coercion and Pennhurst rules are applicable even where there would otherwise be no question of Congress’s authority to regulate, including outside the Spending Clause context.
NFIB’s analysis makes the broad applicability of these rules clear in two ways. First, the Chief Justice’s opinion for the first time drew a clear thread between the anti-coercion and Pennhurst rules, on the one hand, and the anti-commandeering rule, on the other. The Chief Justice’s opinion grounded all three rules in the “insight”275 from New York that if Congress could “require the States to govern according to Congress’ instructions,”276 the Constitution’s basic “two-government system” would collapse into “one central government.”277 Thus, the state-protective function dictates that the Constitution is violated whether “Congress directly commands a State to regulate or indirectly coerces a State.”278 Congress may not “commandeer[] a State’s legislative or administrative apparatus,” it cannot “exert a power akin to undue influence,” and it may not impose ambiguous conditions.279
The Chief Justice’s analysis is perhaps not earth-shattering, but it has outsized importance for our purposes. It clarifies that the federal government is constrained from commanding, coercing, or manipulating the states no matter what form of federal power undergirds the joint effort on offer. These rules, in short, are functional. Where Congress innovates the methods by which it threatens state autonomy — by suggesting it will withhold data (rather than money) if the states do not do as it instructs, or by hiding terms in contracts for data instead of contracts for funding — these rules stand at the ready.
A second and more interesting conceptual move further emphasizes the point. The Chief Justice’s opinion also foregrounds the analogy between federal-state joint efforts and private contracts, an analogy that the Court has often flirted with.280 This foregrounding is important, but as my earlier work on federalism and contract law argues, it does not go far enough. Spending Clause programs are not just analogous to contracts; they often give rise to actual contracts.281 And, important for our purposes, these contract-like instruments are not limited to the Spending Clause context. The federal government and the states enter into a wide range of intergovernmental agreements on a voluntary basis — mutually assenting to their terms, as any private contracting parties do. Some of those exchanges involve money, but many do not.
This legal reality makes clear why these rules must apply to data. Just as contract law polices the relationship between the parties — almost entirely without respect to what things of value are being exchanged — so too does the law of agreement-making between governments focus on the relationship between the parties, not the powers being exchanged. Whatever the currency offered, the status of each government as voluntary counterparty to the transaction is what matters.
C. Data and the Limits of Existing Constitutional Doctrine
Given the pace of intergovernmental data exchange and the unusual federal-state institutions that have arisen to manage it, it is worth reflecting on the kinds of structural issues that federalism’s rules of engagement do not address in our architectures of data federalism.
First, and most basically, because those doctrines regulate only the bare-bones voluntariness of the government-to-government relationship, they do not address what happens when our governments eagerly participate in joint ventures — when, as Justice Jackson says, they act to reintegrate their dispersed powers. Provided that they are voluntary, current federalism doctrine has little to say about how our governments structure their joint initiatives. But if the Constitution “diffuses power the better to secure liberty,” and it also contemplates that “practice will integrate the dispersed powers into a workable government,” it would be odd for there to be no constitutional significance to how that power is reintegrated beyond the constraints of the anti-commandeering, anti-coercion, and Pennhurst rules.282
Put differently, although the Court frequently says that federalism “protects the liberty of the individual from arbitrary power” by “denying any one government complete jurisdiction over all the concerns of public life,” it has no doctrines that subject aggregations of power that governments freely choose to heightened scrutiny.283 And data management is an area in which the risks to individual liberty from power aggregation are always present in concrete ways. The more data each government can access — and the more of data’s complementary properties each government can exploit — the greater the risk the government violates the privacy of a data subject, improperly surveils her, discloses her data without permission or allows it to be accessed by unauthorized users, uses her data in a discriminatory way, or denies her a right or benefit because of a correctable flaw in her data.
Second, because federalism’s rules of engagement focus on the government-to-government relationship, they do not address the relationship between our governments acting jointly and the polities they cooperatively govern. The Court has repeatedly explained that the “Constitution does not protect the sovereignty of States for the benefit of the States or state governments as abstract political entities, or even for the benefit of the public officials governing the States,” but “for the protection of individuals.”284 And the federalism cases discussed above are concerned about how intergovernmental interactions can enable opportunism by governmental officials by allowing them to circumvent accountability and public oversight. In the anti-commandeering cases, for instance, the Court has been concerned that federal directives to state governments will obscure accountability. But those concerns end where non-coercive collaborations begin, even though our governmental officials can of course use intergovernmental collaboration to shield their activities from accountability as well. It is striking how little public engagement, or stakeholder input, the cross-governmental NCIC bureaucracy allows — more striking because legislative bodies like Congress play such a minimal oversight role. It is instead the governmental officials who benefit most from expanding data stores who are principal decisionmakers making those expansions happen.285 This kind of too-cooperative federalism could easily provide avenues for governmental officials to aggrandize their own power vis-à-vis their constituents.
Finally, although federalism’s rules of engagement regulate aspects of the contractual lawmaking process used to structure data sharing initiatives, they do not address some of the most pressing questions this form of joint governmental lawmaking raises.286 It has no cross-cutting procedural requirements, and the processes used to craft these documents are often shielded from public view. They are not codified, as are ordinary laws and regulations. The role that each government plays in their creation is often obscured by the contractual formalism of the final product. If, as the Court emphasizes, our constitutional federalism structure is intended to provide “two distinct and discernable lines of political accountability: one between the citizens and the Federal Government; the second between the citizens and the States,” and if intergovernmental interactions must allow constituents “some means of knowing which of the two governments to hold accountable for the failure to perform a given function,” then the lack of tools for assessing just those concerns in processes of contractual lawmaking is notable.287
These questions are certainly not ready for judicial prime time. One theme of data federalism is that its practices are still evolving and many are not yet publicly known. It will take time for discrete issues to come to the attention of courts and for the structural constitutional questions they raise to be thoroughly aired. But the possibility that some of the institutions documented in Part II may raise issues of constitutional significance should not be as remote as their novelty might suggest.
IV. Theorizing Data Federalism
A. Data as Power
At its most basic, federalism divides power between levels of government. It invites “power” to act as “the rival of power”288 in order to secure “a healthy balance.”289 Theories of federalism understand what constitutes a “healthy balance” differently — some are skeptical that we are able to measure balance at all — but it remains true that distributing power is not just the objective, but also a defining characteristic of federalism.290 Historically, because the Supreme Court has treated the allocation of power between levels of government as fixed, analyzing the formal powers the Constitution once granted each level of government instead of asking what functional powers each has come to possess today, we have missed opportunities to evaluate how our system actually balances power.291 And even the scholars who acknowledge correctly that governmental power in a federalist system is dynamic, fluid, and negotiated across time tend to focus on intergovernmental exchanges of just a few forms of conventional governmental power — the regulatory power granted to each level of government by the Constitution, the monetary power exchanged in vast sums by our levels of government through federal grant programs, and the administrative power that stems from the capacity of states and cities to implement federal programs and which they offer in trade for federal grants.292
We have largely neglected to theorize the reality that as the technologies of governance evolve, so too do the forms of power our governments give and get from one another. As data has become a significant source of power for governments, it has also become a source of intergovernmental currency, inducement, leverage, and coercion. Intergovernmental data markets thus show that the division of governmental power in our federalist system is doubly dynamic: Not only is the distribution of governmental power always changing, but so too are the forms of power governments use and exchange. This insight challenges and complicates federalism theory in multiple respects, suggesting that it is time to renew conversations about power and federalism.
That federalism conversations have not confronted the flow of terabytes of data between governments suggests that we have missed a significant determinant of whether power is, in fact, balanced between those governments. But we should also take this as a call to do some searching for additional forms of power that our governments use and trade: to develop a more subtle and imaginative understanding of the full portfolio of powers we should be talking about. Of course, it is difficult to imagine any single account of federalism tallying, tracing, and netting out every form of power our governments possess, use, and trade. But it is easy to imagine looking beyond the conventional powers when analyzing intergovernmental interactions in discrete contexts and policy areas.
Understanding that governments trade in powers beyond the traditional set expands our understanding of the techniques that governments can use to influence each other. As I have argued, data can serve significant functions in intergovernmental interactions that current doctrine sees only in money: It can be appropriately leveraged to encourage states to participate in federal programs, but it can also be used as a cudgel to the same end, thus “pass[ing] the point at which ‘pressure turns into compulsion.’”293
But seeing data’s significance to federalism raises a deeper and more important point about federalism’s relationship to different forms of power. Each form of power has discrete properties that differently affect how our governments relate to one another and whether their interactions promote a power-balanced system. Data is a particularly provocative, and especially challenging, case study in these differences because it strikes a stark contrast to the conventional forms of power that are an assumed premise of many federalism accounts.
First, data’s non-rivalrous character makes it a particularly easy asset to transfer between governments. A government can share data without diminishing its own access to that data. As a consequence, unlike other forms of power that our governments bargain over and trade — money, most obviously — intergovernmental data exchange does not shift control over a particular node of power from one government to another. It duplicates that power in the other. Data federalism, then, is not a traditional federalism story of divided power; indeed, federalism in the data world can act as a power multiplier rather than a power divider. Instead of diffusing power to protect individual liberty, it aggregates power and diffuses access. Even the tiniest police department in the tiniest town in America can access the concentrated data power of every police department across the nation. And federalism is the reason. But because the power-distributing function is so core to what federalism does, federalism lacks the analytical tools to explain — much less justify or constrain — that destabilizing result.
Data’s character as a complementary good — each piece of data becomes more valuable when aggregated with other harmonizing data — also shapes how data power is distributed among our levels of government. While data’s non-rival character reduces the costs of sharing, data’s complementary character increases the value of sharing. Those forces together mean that absent external constraints, governments have strong incentives to coordinate with their sister governments to concentrate power and expand access to the joint store, rather than jealously guard their respective powers and pit them against one another to secure balance, as conventional federalism theory suggests.294 Questions about the aggregation of data power are familiar to privacy scholars, but scholars of federalism, too, should take note: If federalism is to encourage the division of power, we have to understand the incentives unique to each form that power takes and tailor our structural interventions to them.
Finally, unlike money, data is nonfungible. Governments do not want data for its own sake; they want data that tells them something about particular people and particular problems. Data, put another way, is most valuable when it is deanonymized and connected to the person who originated it; indeed, this Article has focused on data that contains just that kind of personal identifying information. This fact has many potential implications, but one is particularly significant to the ground-laying work of this Article: As data moves across governmental boundaries, it remains connected to the individual who originated it and the government that collected it. Even governments with only minimal commitments to privacy, then, retain an interest in safeguarding their data as it is put to use by their sister governments, for the originating governments are likely the most salient custodians from the perspective of their constituents. This helps explain why our governments oversee their data pools through intricate multi-governmental administrative structures — why each government continues to want to participate in the governance of the data it shares. And it affirms our need to trace the unusual federalism interactions that we observe today to the specific form of powers they arose to manage.
B. Federalism Outside Congress
Over the last decade, academic accounts of federalism have increasingly rejected the outdated assumption that the federal government and the states operate in separate spheres, instead embracing the premise that the federal government and the states govern together in a much wider range of contexts than was once understood.295 Although even a decade ago many “scholars often wr[o]te as if cooperative federalism d[id] not exist,” today what many call cooperative federalism (but is perhaps better termed joint governance) is not only federalism’s dominant form, but also the literature’s central focus.296 Because the federal government is generally believed to be the dominant player in these joint initiatives, federalism scholars often begin with the federal government to understand how our levels of government together make and implement policy.297 Federalism, Professor Heather Gerken has memorably declared, is “the new nationalism.”298
In this world, much can be learned about the power the states and federal government each exercise, the ends to which they are applying their joint energies, and the institutions that facilitate their partnerships by looking first at the work product of Congress. Indeed, there is a growing scholarly consensus that Congress plays the central role in structuring interactions between the federal government and the states today.299 It is Congress that enacts sweeping policy and regulatory initiatives and Congress that invites states to help implement them. Congress decides what funds to offer states and what admin-istrative commitments to ask for in return. Congress sets out the sites of interaction and processes through which disputes will be resolved.300 These superstatutes — think of the Affordable Care Act, but before that the Clean Air Act,301 the Telecommunications Act of 1996,302 and the Social Security Act of 1935303 — do not just create opportunities for cooperative federalism; they also structure the forms of interaction between the states and federal government and their respective powers across their projects of joint governance. This is a federalism, Gluck has emphasized, that “comes by grace of Congress.”304
Centering contemporary federalism in Congress also has significant normative implications. The influential process school of federalism, first articulated by Professor Herbert Wechsler in the mid-century and since advocated by a wide range of scholars, sees the states’ ability to represent their interests in Congress as a central legitimating force behind cooperative federalism programs.305 Noticing that important cross-governmental initiatives arise outside Congress forces us to find new ways to understand their legitimacy.
This Article contests Congress’s dominance in American federalism. It reveals not only consequential one-off data transactions but also major data pooling programs that are far less disciplined by statute than the usual cooperative federalism programs. Many of the statutes cited as authority for the data sharing programs that I describe here either do not contemplate those programs’ existence or authorize them in such sweeping terms that they permit almost any form of transaction, in almost any volume, on almost any terms. Even federal privacy statutes either directly or by operation exempt intergovernmental data exchange from important restraints.
The intergovernmental data market, in other words, has not “come by grace of Congress” at all. This poses challenges and opportunities for federalism scholarship. It presses us to evaluate how intergovernmental interactions that are not guided by the federal legislature come to be, function on an ongoing basis, and are made (or not) into legitimate forms of public governance.
1. Program Creation Outside Congress. — Consistent with the contemporary focus on Congress, scholars have developed a basic theory about how most joint governance programs come to be. Congress passes a statute, and then delegates — in ways that resemble administrative delegations — powers to state and local governments to implement programs within certain parameters.306 Sometimes federal agencies, too, delegate administrative powers to states through the rulemaking powers accorded them by Congress.307
The initiatives I describe here — the NCIC, the fusion centers, the range of ad hoc immigration-related information sharing initiatives, the CDC’s disease surveillance system, and more — are not programs dreamed up by Congress and then offered to states like contracts of adhesion or take-it-or-leave-it proposals to delegate authority on specified terms. They have come to life (for good or for ill) through flattened models of collaboration between governments outside Congress rather than a hierarchical model of delegation from Congress. The states’ possession of policing data predated the NCIC. The surveillance of disease by local health departments likewise started from below. And the terms of those programs continue to be negotiated by the cities and states who hold the data that powers them.
That, in turn, yields another important feature of this federalism outside Congress: It confounds our expectation about the power differential between the bargaining governments. Cooperative federalism scholarship tends to assume that the federal government is the dominant party in negotiations and the entity that really sets the terms. In the most significant data programs, however, the states hold substantial power. Studying these expectation-undermining programs and institutions yields new lines of inquiry. We can ask, for instance, whether the states can ever coerce the federal government, or whether the federal government can be the recipient of powers delegated from the states, rather than the other way around. And we can observe differences in programmatic structure when the states take the lead, as I discuss next.
2. Program Governance Outside Congress. — The fact that Congress has taken a back seat in these areas does not mean that they are without legal structure. The agreements that structure these arrangements are jointly authored by federal and state governments, and they function as joint lawmaking instruments. Although they are used even in areas where Congress plays a significant role — where they are used to fill statutory gaps and to memorialize states’ voluntary consent to join programs — they play an outsized role in spaces characterized by the absence of clear statutory mandates. They do for data programs, in other words, what Congress did for health care in the Affordable Care Act — provide a structure, a source of authority, and a mechanism to bind the parties. But they gain their authority from the consent of each party, and, like any private-sector contract, must be understood as a product of both parties equally.
But these agreements are only the first layer of interstitial governance. As I explain in Part II, intergovernmental agreements can establish institutions like fusion centers, which are chartered by state and federal officials and use customized models of decisionmaking and information sharing. And they can enable elaborate governance processes, like the NCIC’s advisory regime and its linked organizations, the National Crime Prevention and Privacy Compact Council and the Nlets organization. These negotiated institutions do not follow existing blueprints or models within the federal government or the states, but represent real institutional innovation — innovation that requires significantly more attention than this Article can provide.
The existence of institutions like the NCIC and fusion centers, moreover, should influence the growing body of federalism scholarship that addresses broadscale structural questions — that asks how our federalism has evolved and how it functions today by looking across policy areas to identify patterns and practices.308 With some exceptions, the standard sources for answering those questions are big “cooperative federalism” statutes and the state agencies that implement them. Data pooling programs like the NCIC have, to my knowledge, never been part of those broad federalism conversations, but given that the NCIC serves as the infrastructure between every federal, state, and local law enforcement agency in the United States, it deserves its place alongside more traditional cooperative federalism programs. Including data pooling programs in conversations about joint governance will enrich the conclusions that scholarship can draw.
C. Federalism’s Interstitial Space
The existence of this unorthodox form of joint governance holds promise for American law, but it also raises serious questions of legitimacy and legality. At a very basic level, these institutions and processes plainly look nothing like standard policy creation — and that gap draws into question the legitimacy of the rules that do govern data exchange and pooling. Federal or state statutes can impose meaningful restraints on cooperative federalism efforts. Without those constraints, though, the normative judgments that must be made around data aggregation — related to privacy, security, accuracy, and use — are rarely being made by an accountable political body, if they are being made at all. These decisions are instead made in the shadows and are not generally reported publicly. Information about them must be obtained through FOIA and state sunshine laws, and even then (I can report) the officials addressing the request often seem unable to locate the relevant information on first try. That may be because there is little standardization and only murky lines of authority dictating which officials at which levels of government can release what information publicly.309
In these areas, we also see an unusual degree of influence by mid- and line-level officials — immigration agents, for instance, have built cross-governmental alliances to exchange data assets that might not be possible if Congress or state legislatures had to authorize data transfer in the first instance.310 Indeed, whereas governments jealously safeguard the ability of their agents to spend money without legislative oversight, the same is not true for data.311 Scholars have documented so-called “picket-fence federalism,” in which federal bureaucrats work directly with their state counterparts to advance joint ends.312 But the influence of street-level bureaucrats on intergovernmental data exchange runs far deeper than even these accounts suggest. When not just the head of a state DMV but the frontline employees who receive discrete data requests from similarly low- and mid-level ICE agents are empowered to approve those requests, we can observe several effects.
One is that data exchanges can be negotiated by the very governmental agents that stand to benefit from expanded access to private data — by the entities that are using that data, in many instances to surveil and track the people who originally gave it to the state, without input from the constituents who stand to be harmed. By pressing data sharing decisions deeper into administrative agencies, we draw them further from the policymaking institutions that have a responsibility to balance the need for data against other important values. We should worry that many of these exchanges are conducted without meaningful public oversight — as the example of the facial recognition database makes clear. There are thus scarce opportunities for the individuals whose private data is shared between governments to decide whether access to that data should be expanded or contracted, and on what terms.
More broadly, this means that the institutions that govern data exchange follow a “legal process” for making consequential governmental decisions that is characterized by a highly attenuated relationship to traditional sources of legal authority — thus calling into question not only the democratic legitimacy of the rules that are enacted, but in some cases, the basic procedural legitimacy of those rules themselves. Federalism scholarship and doctrine presume that the lawmaking mechanisms established by the federal government and the states are procedurally and democratically legitimate in a basic sense — that when the states and federal government negotiate over the terms of joint programs, they represent their respective constituencies. The legal process of data exchange at least raises questions about that assumption.
To be sure, we can also see opportunity and possibility in the institutional arrangements that characterize data federalism. Federal and state legislatures are not always best positioned to adapt statutory enabling authority to the needs of modern technologies. Having more flexible ways of allowing the federal government and states to join forces in the use of innovative technologies may help draw the social benefits of those technologies out. Indeed, having more flexible ways to structure any form of policy program could expand our chance of adapting that program to socially beneficial ends. This interstitial federalism creates an entirely new set of institutional possibilities. It allows us to envision new forms of institutions that draw the relevant parties to a common table in a much wider variety of ways.
Those who worry about the overweening power of the federal government may also appreciate the ways that these institutions empower states to be more significant bargaining parties. Why, if the Tenth Amendment reserves to the states all powers not granted to the federal government, should the states not initiate intergovernmental efforts more collaboratively, instead of simply being the beneficiaries of Congress’s largesse?
Conclusion: Beyond Data
My aim in this Article is not to offer the last word on intergovernmental data exchange, but only an early one — to open avenues of future research and analysis. Data is not going away, and the ways it changes governance will only multiply. As data continues to occupy a place at the core of our social, economic, and political lives, it is appropriate that our system of government — our federalism — both shapes and is shaped by it.
But data is not the only new form of power that our governments use, trade, negotiate, and structure institutions around. There are other forms of governmental power that have yet to enter our conversations about federalism but that, like data, could alter how we see our governments interacting. Before the twentieth century, for instance, it should not be surprising that the dominant power our governments bargained over was not money or administrative capacity, but land, a form of power with unique attributes of its own.313 And today, our governments are experimenting with ways to alienate powers we have not traditionally viewed as transferable, like the capacity to exercise legitimate coercive force against their constituents. Our governments have a robust trade in that power as they cross-deputize police and immigration officers and house federal inmates in state prisons and state inmates in federal ones.
And although the unorthodox forms of governance I have canvassed here are particularly pronounced in the data world because of Congress’s light touch, there is reason to believe that they also arise in more traditional areas. Intergovernmental agreements are used to fill in gaps that Congress leaves even in the most comprehensive statutes; I would hypothesize that we would find odd institutions above them even there.
Data federalism, then, is a case study in a federalism that is always evolving: in the powers it distributes, in the ways it facilitates cooperation and incites conflict, and in the tools it provides our governments to jointly address common problems.
* Assistant Professor of Law, University of Chicago Law School. I am grateful for exceptional research assistance from Kenny Chiaghana, Charlotte Mostertz, Jasper Primack, Mikaila Smith, and Amber Stewart, and for the care and insight of the editors at the Harvard Law Review. Thank you also to Emily Buss, Barry Friedman, Aziz Huq, Alison LaCroix, Genevieve Lakier, Ela Leshem, Jonathan Masur, Richard McAdams, Robert Mikos, David Pozen, David Schleicher, Christopher Slobogin, Lior Strahilevitz, and David Strauss for spirited conversations and thoughtful feedback, and to workshop participants at the University of Chicago, Vanderbilt, and the University of Wisconsin’s Public Law in the States Conference. My deepest thanks are, as always, to Alex Hemmer.