New York New York (December 8 2025) – Today, Council Member Jennifer Gutiérrez, Chair of the Committee on Technology, and Council Member Dr. Nantasha Williams, Chair of the Committee on Civil and Human Rights, convened a joint oversight hearing on the City’s data privacy framework: Oversight – Privacy Protection in the Digital Age: Balancing Technological Advancements with Privacy Protections.
The hearing examined whether New York City’s growing use of digital systems — from benefits enrollment to enforcement databases — is matched by safeguards that are mandatory, consistent, and enforceable.
“The City has built an expansive digital government, and with that comes an enormous responsibility,” said Council Member Jennifer Gutiérrez.“We are collecting more data than ever before. The question is whether our privacy protections have kept pace — and today’s testimony makes clear that too much of our system still depends on voluntary compliance and adhoc oversight rather than enforceable standards.”
“Data privacy is civil rights policy,” said Council Member Dr. Nantasha Williams. “When personal information is mishandled or exposed, the people who pay the highest price are people of color, immigrants, survivors, tenants, workers, and young people. When government expands surveillance without equally strong restrictions, accountability, and limits, it concentrates power in dangerous ways. A rights-based system requires enforceable protections, not optional safeguards.”
The Council Members commended the Chief Privacy Office for producing a significant volume of guidance, toolkits, trainings, and public-facing materials, reflecting deep institutional knowledge and commitment. However, they raised serious concerns about the structural limits of the City’s privacy enforcement regime.
Since the privacy function moved under the NYC Office of Technology and Innovation, the Council has heard persistent concerns that the office lacks the same breadth of authority across agencies, that privacy practices vary widely between agencies, and ongoing concerns about the expansion of surveillance and lack of data minimization.
A central issue raised during the hearing was the role of Agency Privacy Officers (APOs). By law, APOs are the individuals empowered to decide what identifying information can be collected, shared, or disclosed within each agency. Despite the magnitude of that authority:
- APOs are not required to meet uniform qualification standards
- Many do not have legal or formal privacy credentials
- The Chief Privacy Officer is not required to review or approve APO appointments
- APOs often spend less than half of their time on privacy responsibilities
“We have frontline officials making life-altering decisions about New Yorkers’ personal data without consistent training, qualifications, or centralized oversight,” said Gutiérrez. “That is not a resilient privacy system — that is a vulnerability.”
The Council also raised alarm about a concerning public data exposure discussed during the hearing, which underscored the limits of the Chief Privacy Officer’s authority. While the office can mediate and advise, it often lacks proactive audit power or the ability to compel compliance before harm occurs.
###