28 March 2012
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
US changes the privacy rules to exemption access to personal data
- USA to give exemptions for the Department
of Home Security from its Privacy Act
- USA to give exemptions for the "Arrival and Departure System" (ADIS) from its Privacy Act
- Did the EU know that the US was planning to introduce these exemptions?
No sooner is the ink dry on the 28 June 2007 EU-USA PNR (passenger name record) agreement than the USA announced changes its Privacy law to give exemptions to the Department of Homeland Security (DHS) and the Automated Targeting System (ATS) from responding to request for personal information held. Both use PNR data gathered on travellers to and from the USA.
The DHS (and
all the agencies that share its data) exemptions are from giving
access to personal data gathered for:
"immigrant and non-immigrant pre-entry, entry, status management and exit processes"
which will include PNR data on EU citizens.
The scope covers:
security, law enforcement, immigration and intelligence activities".
The proposed change also covers revealing other agencies to whom the data is passed to and/or data provided by "foreign governments": US Department of Homeland Security: Notice of proposed rulemaking, 15 August 2007
The new exemptions relate to the new "Arrival and Departure System" (ADIS) that the USA is to introduce. ADIS is intended to authorise people to travel only after PNR and API (Advance Passenger Information) data has been checked and cleared by US agency watchlists:
"The Department of Homeland Security (DHS) is republishing the Privacy Act system of records notice for the Arrival and Departure Information System (ADIS) in order to expand its authority and capability to serve additional programs that require information on individuals throughout the immigrant and non-immigrant pre-entry, entry, status management, and exit processes....
The Department of Homeland Security Arrival and Departure Information System (ADIS) consists of centralized computerized records and will be used by DHS and its components. ADIS is the primary repository of data held by DHS for near real-time immigrant and non-immigrant status tracking through pre-entry, entry, status management, and exit processes, based on data collected by DHS or other Federal or foreign government agencies and used in connection with DHS national security, law enforcement, immigration, intelligence, and other DHS mission-related functions, and to provide associated testing, training, management reporting, planning and analysis, or other administrative uses. The information is collected by, on behalf of, in support of, or in cooperation with DHS and its components and may contain personally identifiable information collected by other Federal, state, local, tribal, foreign, or international government agencies."
And why are these exemptions needed:
is claiming exemption from certain requirements of the Privacy
Act for ADIS. Information in ADIS relates to official DHS national
security, law enforcement, immigration, and intelligence activities.
These exemptions are needed to protect information relating to
DHS investigatory and enforcement activities from disclosure
to subjects or others related to these activities. Specifically,
the exemptions are required to preclude subjects of these activities
from frustrating these processes; to avoid disclosure of activity
techniques; to protect the identities and physical safety of
confidential informants and of immigration and border management
and law enforcement personnel; to ensure DHS's ability to obtain
information from third parties and other sources; to protect
the privacy of third parties; and to safeguard classified information.
Disclosure of information to the subject of an inquiry could
also permit the subject to avoid detection or apprehension."
As the exemptions are to be applied to everyone going to or leaving the USA under ADIS people travelling from the EU (and their PNR and US-VISIT history) fall within its ambit.
Targeting System to be exempt too
There are also to be changes to the rules under the US Privacy Act to exempt Automated Targeting System (ATS): Privacy Act of 1974: Implementation of Exemptions; Automated Targeting System (31 July 2007, pdf). Although created to combat terrorism the ATS covers "other crime" and indeed any:
"activity in violation of US law".
The ATS has a number of "modules" covering cargo and customs. The one directly relevant to EU travellers is ATS-Passenger (ATS-P):
"ATS-Passenger (ATS-P), one of six modules contained within ATS, maintains Passenger Name Record (PNR) data (data provided to airlines and travel agents by or on behalf of air passengers seeking to book travel) that has been collected by CBP as part of its border enforcement mission. ATS-P's screening relies upon information from the following databases: Treasury Enforcement Communications System (TECS), Advanced Passenger Information System (APIS), Non Immigrant Information System (NIIS), Suspect and Violator Indices (SAVI), and the Visa databases (maintained by the Department of State) with the PNR information that it maintains."
The use of PNR data is explicit. In addition ATS-P sources include APIS which gathers and evaluates passenger data prior to departure - when ADIS takes over to authorise boarding - and the "Non Immigrant Information System (NIIS)" which also covers all EU visitors.
The latest report on the ATS is the: Privacy Impact Assessment for the Automated Targeting System, 3 August 2007 (pdf). This says the ATS applies the "same methodology to all individuals", that is, everyone arriving and leaving the USA, and is looking for "suspicious or unusual behaviour". Thus:
"Every individual is subject to inspection under U.S. law, so, all individuals are always at risk of referral to secondary inspection"
"Secondary inspection" means being checked against the agencies' watch and "lookout" lists.
Data on the ATS is generally kept for 15 years when it is deleted except where a person has been linked "law enforement lookout records", DHS enforcement activities or investigations.
Did the EU know the US was going to make these changes?
When the agreement was signed in June the Council and the Commission made great play over the extension of protections in the US Privacy Act to travellers from the EU. The text from the EU-US PNR agreement (28 June 2007) says:
"IV. Access and Redress: DHS has made a policy decision to extend administrative Privacy Act protections to PNR data stored in the ATS regardless of the nationality or country of residence of the data subject, including data that relates to European citizens. Consistent with U.S. law, DHS also maintains a system accessible by individuals, regardless of their nationality or country of residence, for providing redress to persons seeking information about or correction of PNR."
Certainly the report from the EU's Article 29 Data Protection Working Party report: Opinion 5/2007 on the follow-up agreement (17 August 2007) makes no reference to this proposed exemptions.
Tony Bunyan, Statewatch editor, comments:
"The adoption of these two exemptions will seriously diminsh any rights EU citizens have to find out what data is held on them and who it is held by.
Did the Council
and the Commission, who negotiated the agreement, know the US
was planning to introduce them, and if not why not?"
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.