Passenger Records and the Institutional Mechanisms of Privacy Protection
A small detail on the EU-US agreement over the transfer of air passenger name records (PNR), and a non-related statement by
EU commissioner Frattini told the press yesterday that under the new PNR agreement, the passenger data will be accessible to other
Institutionally, the EU has adopted the German idea of a special privacy and data protection commissioner within government agencies or companies. This officer has to be independent from executive orders, because his or her job is exactly to provide control over the way the agency or company handles personal data of citizens, customers, or employees. The public data protection commissioners in
The Department of Homeland Security was the first government agency in the
Congress has repeatedly tried to increase the independence of the DHS CPO. This was done again in the 2007 spending bill for the Homeland Security Department. Section 522 states that
None of the funds made available in this Act may be used by any person other than the Privacy Officer appointed under section 222 of the Homeland Security Act of 2002 (6 U.S.C. 142) to alter, direct that changes be made to, delay, or prohibit the transmission to Congress of any report prepared under paragraph (6) of such section.
This is a complicated way (because it's a spending bill) of saying that only the privacy officer can edit the reports about how the department obeys privacy rules. Now, President Bush, when he signed the bill yesterday, attached a signing statement to it, which gives him the authority to make changes to the annual and other reports of the agency's privacy office. Bush directs that
"the executive branch shall construe section 522 of the Act, relating to privacy officer reports, in a manner consistent with the President's constitutional authority to supervise the unitary executive branch."
Do not assume that the DHS privacy officer has been a sharp watchdog yet. For example, the report on privacy protection of passenger name record information, published by his office in September 2005, basically says "everything is great and data is protected perfectly". So Bush is just insisting on his last word as the commander-in-chief.
It becomes clearer if you look at the big picture: The EU allows the DHS to transfer passenger data to other agencies if they have a comparable level of data protection. The other departments and agencies do not have privacy officers who could ensure this level of protection is really enforced. The DHS privacy officer does not have a level of independence comparable to his European colleagues. But even if he wants to report breaches of the weak privacy protection levels in US government agencies, President Bush and the White House can do the final editing of the reports and tell the privacy officer to shut up. So, the EU is giving its citizens' data away, and what it gets in return is no more than a "trust us" from the
The idea of having an independent privacy commissioner was one way of substituting this “trust me” model with institutionalized checks and balances. This is what democracy is all about, compared to authoritarian systems: Not having to trust the government, but instead controlling it.