An Explanation of the DHS Privacy Policy Behind Review Group Recommendation #14

Benjamin Wittes, in his post Assessing the Review Group Recommendations: Part IV, questioned Recommendation #14 of the Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, remarking that he “would love to hear from readers who have more granular thoughts on what application of the Privacy Act to non-US persons would mean in practice.” Recommendation #14 reads:

We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security [DHS], and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons.

I decided to respond to Mr. Wittes’ request since my team and I issued the DHS policy at the heart of Recommendation #14 during my tenure as DHS’s Chief Privacy Officer. The policy in question is Privacy Policy Guidance Memorandum (PPGM) 2007-1, “DHS Privacy Policy Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons”, issued January 19, 2007, and revised on January 7, 2009.  The policy is simple and straightforward, and administratively extends Privacy Act coverage to non-US persons in “mixed systems of records”; that is Privacy Act systems containing the personal data of US and non-US persons. Under the Privacy Act of 1974, the government is required to publish in the Federal Register notices of its “systems of records”, groups of records in which information about individuals is retrieved by an individual’s name or some other unique individual identifier.  Absent consent of the individual, an agency may not release an individual’s Personally Identifying Information (“PII”), unless one of twelve statutory exemptions applies.  5 U.S.C. § 552a(b)(1)-(12).  Additionally, individuals have the right to see what information an agency has on them, and they may petition to have the information corrected if it is not accurate, relevant, timely, or complete.  The concern is that the coercive power of government may be brought to bear on the individual based on faulty information. Significantly, the Privacy Act provides wide latitude for law enforcement (LE) and intelligence community (IC) use of PII, and these agencies may exempt themselves from certain aspects of the Privacy Act, though they must still publish notices of all of their systems of records. Underlying the Privacy Act is the Fair Information Practice Principles (FIPP), also known as the Fair Information Practices.   Most, if not all, privacy laws around the world are based on a version of the FIPPs and I recommend Bob Gellman’s excellent paper, Fair Information Practices: A Basic History, for those wanting to better understand the FIPPs, the differences in various expressions of the FIPPs, and the significance of FIPPs globally. The specific FIPPs upon which the Privacy Act is based are found in the July 1973 report of the Secretary's Advisory Committee on Automated Personal Data Systems, U.S. Department of Health, Education & Welfare titled, Records, Computers and the Rights of Citizens Report of the Secretary’s Advisory Committee on Automated Personal Data Systems, Chapter III, Safeguards for Privacy:

• There must be no personal-data record-keeping systems whose very existence is secret;
• There must be a way for an individual to find out what information about him is in a record and how it is used;
• There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent;
• There must be a way for an individual to correct or amend a record of identifiable information about him; and
• Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.

By its plain language, the Act applies only to US persons and legal permanent residents.  Other than exemptions (6) and (7)(c) of the Freedom of Information Act (FOIA), 5 U.S.C. § 552(b)(6), (7)(C), there is no US law of general application that provides any privacy protection to PII of non US-persons. From the agency’s standpoint, there is no obligation to publicize the existence of the system containing non-US PII, no limitation on the use of non-US PII, and no requirements for security or integrity of that PII.  For the non-US person, there is no opportunity to see what information an agency has on him or her, other than through a FOIA request, and no means of redress, that is, amending the agency’s records if the information is not accurate, relevant, timely, or complete. But with a mixed system of records that contains US and non-US person PII, a non-US person will have notice of the system and the intended uses of the PII.  The non-US person will not, however, have the opportunity for redress, a core FIPP.  DHS PPGM 2007-1 administratively extends the Privacy Act to provide non-US persons the ability to obtain information that the agency has on them and then to petition to amend that information. The policy formalized the Department's existing practice with respect to systems such as US-VISIT and DHS TRIP.  Further, the policy supported larger U.S. Government efforts to achieve an agreement with the European Union on Passenger Name Records.  What the policy cannot do is extend the jurisdiction of federal courts to hear disputes from non-US persons against the agency for failing to amend records about the person. As I wrote earlier, the DHS policy is straightforward.  And it isn’t new.  The Office of Management and Budget, in its 1975 Circular A-108, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 28,948, 28951 (July 9, 1975), noted that “agencies are encouraged to treat [mixed systems] as if they were, in their entirety, subject to the Act.”  DHS simply implemented OMB guidance, although thirty-two years later. Why follow the Review Group’s Recommendation?  Privacy matters.  This isn’t 1974, when there was little in the way of cross-border data flows, and even long distance telephone calls within the US were uncommon.  In the 40 years since the Act’s passage, we have become a global information society, and we routinely are in contact with friends and colleagues around the world, by air travel, phone, email, social media, and instant messaging.  Increased transparency and accountability builds trust, not just with those who visit the US, but also with their governments.  This increased trust affects cross-border exchanges of data for commercial and security service purposes.  Seriously.  Privacy matters. Finally, I note that during my tenure at DHS there were efforts from within the DHS LE community to rescind the policy.  My office worked closely with LE and IC stakeholders to ensure their concerns were addressed (and this coordination is why we amended the policy in early January, 2009).  When pressed for a specific objection, the only clearly articulated objection from the LE community was that they were unable provide the names of foreign nationals suspected of a crime to the media or members of Congress.  It would strain credulity to say that a perceived inability to divulge a foreign suspect’s identity to the media or Congress impaired the component’s operational capabilities.  When appropriate and compatible with the purpose for collecting the information, we worked with components to include press notification as a routine use in the components’ systems of records notices.  As for congressional notification, anyone familiar with the Privacy Act will observe that the Act allows for notification to any committee of competent jurisdiction. Hugo Teufel III is an attorney focusing on privacy and civil liberties matters, with both public and private sector experience. He is also a judge advocate with the District of Columbia Army National Guard. From 2006 until 2009, Mr. Teufel served as the Chief Privacy Officer for the US Department of Homeland Security.  He was primarily responsible for privacy policy at the Department, reporting directly to the Secretary and Deputy Secretary.  Mr. Teufel was also a principal of the High Level Contact Group, a joint US/EU effort on transatlantic exchanges of data.  Mr. Teufel graduated from the Washington College of Law of the American University and was the Senior Articles Editor of The Administrative Law Journal.  He also holds a Master’s degree in National Security and Strategic Studies from the Naval War College.