Passenger Records and the Institutional Mechanisms of Privacy Protection

A small detail on the EU-US agreement over the transfer of air passenger name records (PNR), and a non-related statement by US president George W. Bush, taken together give a nice highlight on the institutional mechanisms of privacy protection.

EU commissioner Frattini told the press yesterday that under the new PNR agreement, the passenger data will be accessible to other US agencies involved in counter-terrorism and law enforcement "on the condition that these have a comparable level of data protection". This formulation of course is absurd if you allow the basically unlimited transfer of data, as the core idea of data protection consists in the protection against further transfer. (It is also interesting, because under the 1995 EU data protection directive, data transfers to third countries are only allowed if there is an "adequate" level of protection.) But let us accept it for the moment. What could be a comparable level of protection?

Institutionally, the EU has adopted the German idea of a special privacy and data protection commissioner within government agencies or companies. This officer has to be independent from executive orders, because his or her job is exactly to provide control over the way the agency or company handles personal data of citizens, customers, or employees. The public data protection commissioners in Europe are also independent because they are elected by the national parliaments. The model has become quite popular in the last ten years. Many US-based corporations now also have their chief privacy officers (CPOs) which basically fulfill the same task.

The Department of Homeland Security was the first government agency in the US that ever got a chief privacy officer. The position was institutionalized with the Homeland Security Act of 2002 (section 222) which established the department. By doing this, the Bush government tried to attenuate the harsh criticism from privacy advocates against the surveillance and data-mining programs concentrated in the DHS. But the DHS chief privacy officer is not independent. He (currently Hugo Teufel, III) is nominated by the secretary for homeland security and is reporting to the executive branch it is supposed to control, not to Congress. At the annual international conferences of privacy and data protection commissioners, the DHS privacy officer therefore was never really recognized as "one of them", and was not allowed to participate as a peer in the internal meetings of national commissioners.

Congress has repeatedly tried to increase the independence of the DHS CPO. This was done again in the 2007 spending bill for the Homeland Security Department. Section 522 states that

None of the funds made available in this Act may be used by any person other than the Privacy Officer appointed under section 222 of the Homeland Security Act of 2002 (6 U.S.C. 142) to alter, direct that changes be made to, delay, or prohibit the transmission to Congress of any report prepared under paragraph (6) of such section.

This is a complicated way (because it's a spending bill) of saying that only the privacy officer can edit the reports about how the department obeys privacy rules. Now, president Bush, when he signed the bill yesterday, attached a signing statement to it, which gives himself the authority to make changes to the agency's privacy office annual and other reports. Bush directs that

"the executive branch shall construe section 522 of the Act, relating to privacy officer reports, in a manner consistent with the President's constitutional authority to supervise the unitary executive branch."

Do not assume that the DHS privacy officer has been a sharp watchdog yet. For example, the report on privacy protection of passenger name record information, published by his office in September 2005, basically says "everything is great and data is protected perfectly". So Bush is just insisting on his last word as the commander-in-chief.

It becomes clearer if you look at the big picture: The EU allows the DHS to transfer passenger data to other agencies if they have a comparable level of data protection. The other departments and agencies do not have privacy officers who could ensure this level of protection is really enforced. The DHS privacy officer does not have a level of independence comparable to his European colleagues. But even if he wants to report breaches of the weak privacy protection levels in US government agencies, President Bush and the White House can do the final editing of the reports and tell the privacy officer to shut up. So, the EU is giving its citizens' data away, and what it gets in return is no more than a "trust us" from the US government. It reminds me of a recent statement by the German Ministry of Finances in the SWIFT affair. When asked by a conservative (!) member of parliament about the possibility of the US using the finacial data for economic espionage, the spokesman replied: Yes, they had discussed this with their American counterpart, but the US government would not see this danger.

The idea of having an independent privacy commissioner was one way of substituting this “trust me” model with institutionalized checks and balances. This is what democracy is all about, compared to authoritarian systems: Not having to trust the government, but instead controlling it.