Add Code to establish a City Data and Privacy Office (add Code Chapter 3.39)

The City of Portland ordains.

Section 1. The Council finds:

1. The City of Portland has built a legacy of privacy protections through prior Council actions, including Resolution 37437 (adopted June 19, 2019) establishing Privacy and Information Protection Principles; Ordinances 190113 and 190114 (adopted September 9, 2020) prohibiting the use of face recognition technologies by City bureaus and in public accommodations; and Resolution 37608 (adopted February 1, 2023) establishing a Citywide Surveillance Technology Inventory and privacy review processes; and
2. The City of Portland has a core value of transparency to support accountability and democracy and has adopted the Open Data Resolution 36735 (adopted September 30, 2009) and established an Open Data Policy (Ordinance 188356, May 2017); and  
3. Since these policies were adopted, new generations of surveillance technologies, AI enabled camera networks, automated license plate reader (ALPR) systems connected to nationwide sharing platforms and interconnected "smart city" sensors embedded in traffic systems and public spaces, have expanded the scope and precision of government and commercial monitoring. These systems generate continuous streams of data, often analyzed in real time, and combine disparate sources, from geolocation and license plate scans to facial recognition, enabling the creation of detailed patterns of movement, association, and identity across entire communities; and
4. Data brokers play a central role in this evolving surveillance ecosystem by aggregating and selling personal information from multiple sources, including public records and state and local data streams. These brokers increasingly provide services to federal law enforcement agencies and other entities seeking to circumvent local privacy and sanctuary safeguards, allowing sensitive data originally collected for municipal purposes to be repurposed for unrelated enforcement or profiling activities; and
5. Federal law enforcement agencies exploit these brokered datasets and also access state and national information sharing systems, creating indirect pathways to City originating data that bypass local oversight and frustrate the intent of Portland's privacy principles and sanctuary policy; and
6. Sensitive data most at risk including but not limited to categories defined by the Oregon Consumer Privacy Act, personally identifiable information, biometric identifiers, and geolocation or utility data, which, when aggregated or deanonymized, enable comprehensive surveillance of individuals and households well beyond the original context of collection; and
7. These risks fall disproportionately on marginalized communities, including Black, Indigenous, and other people of color; immigrants; unhoused Portlanders; people living with mental health conditions; and individuals engaged in protest or civic activity, exacerbating inequities and eroding public trust in government; and
8. Enterprise data governance enables organizations to make decisions about data and hold those that work with data accountable to data policies; and  
9. Effective data governance requires knowledge and experience with business needs and strategy, data collection and analysis, data management, data culture change management, and is distinct from information technology expertise; and   
10. To address these emerging threats and close gaps in current protections, Council seeks to establish a City Data and Privacy Office to enable data minimization, strengthen contractual controls, improve data security and advance data governance maturity, while enhancing public transparency and community oversight to prevent the misuse of City originating data and reaffirm Portland's sanctuary and privacy commitments.

NOW, THEREFORE, the Council directs:

1. Add City Code Chapter 3.39 as shown in Exhibit A.