What the Passenger Name Record Report Really Says
The DHS Privacy Office works overtime to ensure privacy protections at the department for Americans and those who travel to the U.S. News of our efforts doesn’t always get out. Recently, my office issued the Passenger Name Record (PNR) Data Report (download PDF), a public document that is a requirement of the joint U.S./EU agreement on PNR. In fact, I encourage you to check out a previous Leadership Journal where I discussed this. On December 18, I pointed out that the department, including U.S. Customs and Border Protection (CBP), actually complied with the agreement and privacy documentation issued by my office. Any statements to the contrary are mischaracterizations. I invite you to read the report for the truth.
Yes, the Privacy Office review did find areas for operational and policy improvement – I would be remiss in my statutory duties had I overlooked areas where privacy protections could be better integrated into DHS operations. Specifically, CBP needs to improve its handling of Freedom of Information Act/Privacy Act requests, a key component of redress generally, and with respect to PNR data. I note, however, that for every recommendation made in the report, there was a concrete and actionable response that CBP began to implement before the report was even issued. As with any program, improvements can always be made and so is the case here. CBP did not fail in meeting its commitments to the Agreement and Letters between DHS and the Council of European Union. CBP actively contributed to the review, opening itself up to criticism while still trying to operationally meet the requirements of the 2007 Agreement and Letters. Moreover, CBP and the Privacy Office have been working together closely to improve CBP’s handling of FOIA and Privacy Act requests. I am proud of my office’s hard work and I commend CBP for its efforts and its improvements.
The other half of the story is the one that has been ignored, so I will make it quite clear. The U.S. has upheld its commitments, but the Europeans, to date, have not. On July 25, 2008, the European Commission vice president wrote to Secretary Chertoff suggesting the first review take place in "late 2008" and that questionnaires be exchanged beforehand. The Secretary confirmed our intent to participate in order to review "the effective operation and privacy protection" of both U.S. and European systems.
My report was originally intended to provide the basis for a Joint Review in December 2008, which the European Commission unfortunately postponed for unknown reasons. The Joint Review is meant to illustrate the effective oversight and to promote further transparency of activities in both the U.S. and the EU. This is particularly important given that the EU is now considering use of PNR as a screening tool, and some Member States have already begun national PNR programs.
Only through effective oversight and real transparency, here and in Europe, can we truly gauge the effectiveness and impact on individual freedoms resulting from any single approach.
Hugo Teufel III
Chief Privacy Officer
Labels: information sharing, international partners, privacy