On his third working day as U.S. President, Donald J. Trump signed two executive orders relating to immigration and border protection. One of these, entitled "Enhancing Public Safety in the Interior of the United States," included a provision that will significantly affect the privacy practices of U.S. agencies with regard to the personal data of noncitizens. This represents a significant policy change in how the U.S. federal government promises to treat the personal information collected on noncitizens through programs outside of the intelligence community, including visas, refugee databases, and immigration records.
Some have speculated that this order could “wreck Privacy Shield,” or affect the so-called Umbrella Agreement, which governs information sharing by law enforcement across the Atlantic, but an analysis of this executive order in relation to the Judicial Redress Act shows that Umbrella should be unaffected and that there is nothing that would directly affect Privacy Shield. For now.
Under the Privacy Act of 1974, federal agencies must meet certain minimum privacy requirements if they maintain searchable databases that include the personal data of U.S. persons. Though not required by the text of the law, many agencies have extended their interpretation of the Act to apply to records of non-U.S. persons when they are mixed in a single database with those of U.S. persons (known as “mixed systems of records” or just “mixed systems”).
The executive order requires agencies to reverse any such broad interpretations of the Privacy Act:
The Executive Order applies only to federal administrative agency privacy policies, so its direct effect is limited to weakening privacy protections for non-U.S. persons whose personal data is stored in mixed systems of records. This significant policy change will allow the federal government to more readily share this data between agencies as well as to publicly release names of non-U.S. persons.
The Privacy Act of 1974 provides protections for the personal information of citizens and lawful permanent residents (LPRs) held by federal agencies in a “system of records,” that is, in a database searchable by name or other identifier (5 U.S.C. § 552a, as amended). Specifically, any federal agency that collects, maintains, or uses personal information about citizens or LPRs in a system of records may not disclose this information “by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” This provides a basic right of consent before information collected by the federal government may be used or shared in a way inconsistent with the purpose for which it was collected. (The Act also provides 12 exemptions under which agencies may release personal information in lieu of obtaining consent.)
Individuals covered under the Act also have a right to access their records and to request correction if the records are inaccurate. Together, these provisions make up the rules that the executive order describes as “protections of the Privacy Act regarding personally identifiable information.”
Because only U.S. citizens and LPRs are covered individuals under the Act, all others do not have the same statutory rights with respect to federal collection, storage, and use of their personal information. Categories of people who do not count as citizens or LPRs include: undocumented aliens, nonresident aliens (including travelers, students, and temporary workers), refugees and asylees, as well as individuals who fall under special provisions such as Deferred Action for Childhood Arrivals (DACA) or the Violence Against Women Act (VAWA). (EU citizens are still protected under the Judicial Redress Act, as explained below.) However, the Privacy Act’s distinction between the rights of U.S. and non-U.S. persons has not stopped federal agencies from voluntarily adopting policies that extend basic privacy protections to these individuals.
Enhanced protections from the executive branch
In 1975, the OMB issued Circular A-108, implementing the Privacy Act and providing comprehensive guidance on its requirements. By its plain language, the Act applies to any system of records with personally identifiable information (PII) of U.S. citizens and LPRs (collectively, “U.S. persons”). But many federal agency databases store PII of both U.S. persons and non-U.S. persons, so the OMB’s guidance included a recommendation for what to do in these “mixed” cases: “Where a system of records covers both [U.S. persons] and [non-U.S. persons], only that portion which relates to [U.S. persons] is subject to the Act, but agencies are encouraged to treat such systems as if they were, in their entirety, subject to the Act.”
The original language refers to “citizens” and “nonresident aliens,” but agencies implementing the guidelines have generally quoted the OMB using the above language.
At the time, the Department reasoned that this extension of privacy protections to non-U.S. persons would benefit the United States in two ways. First, it addressed concerns that U.S. partners had raised in negotiations for information sharing agreements, which at that time included a negotiation with the EU over the sharing of Passenger Name Records. Second, the policy change acknowledged that privacy between countries is rooted in reciprocity, reasoning that if the U.S. made efforts to protect foreign citizen data, others would make efforts to protect the personal information of U.S. citizens.
From 2006 through 2009, the Chief Privacy Officer at DHS was Hugo Teufel III, a member of the Trump Administration’s DHS transition team, who further explained the DHS policy changes in a 2014 post on Lawfare. His post describes the problems inherent in a pure implementation of the Privacy Act, without enhanced protections for non-U.S. persons:
But with a mixed system of records that contains U.S. and non-U.S. person PII, a non-U.S. person will have notice of the system and the intended uses of the PII. The non-U.S. person will not, however, have the opportunity for redress. … DHS PPGM 2007-1 administratively extends the Privacy Act to provide non-US persons the ability to obtain information that the agency has on them and then to petition to amend that information.
From DHS to all agencies
In late 2013, President Obama commissioned what became the Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies. The group recommended that, “the U.S. Government should follow the model of the Department of Homeland Security, and apply the Privacy Act of 1974 in the same way to both U.S. persons and non-U.S. persons.”
Partially implementing these recommendations, President Obama released Presidential Policy Directive PPD-28 in January 2014, calling on the U.S. intelligence community to implement “appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides.”
As a result, the DHS policy for mixed systems of records has been adopted by most agencies that maintain mixed systems, and has been codified in dozens of Systems of Records Notices published in the Federal Register, as required under the Privacy Act. The practice has also extended to the intelligence community, though the Privacy Act exempts data collected for purposes of foreign intelligence. The Office of the Director of National Intelligence explained, “All agency policies implementing PPD-28 now explicitly require that information about a person may not be disseminated solely because he or she is a non-U.S. person. … Intelligence Community personnel are now specifically required to consider the privacy interests of non-U.S. persons when drafting and disseminating intelligence reports.”
A limited, but helpful, policy
The extension of privacy rights to personal information of non-U.S. persons in mixed systems does not, of course, confer all the benefits of the Privacy Act on non-U.S. persons. Although they benefit from the transparency, notice, and access to records provisions of the Privacy Act, they are unable to seek a judicial remedy in U.S. courts for violations of these rights, though even U.S. citizens have generally relied exclusively on administrative procedure under the Privacy Act and have rarely sought judicial review.
In reporting on this matter, the IAPP spoke with Mary Ellen Callahan, CIPP/US, a former Chief Privacy Officer at DHS. She says the Department made every attempt under its mixed records policy to treat non-U.S. persons the same as U.S. persons throughout the administrative process. This included seriously considering their complaints and adjusting inaccuracies in their records. However, Callahan says, the lack of a formal judicial process became a major sticking point in negotiations with officials from the European Union and other countries, who asked for the same rights to judicial process for their citizens that U.S. citizens enjoyed.
EU citizen data still protected
Under the Judicial Redress Act of 2015 (JRA), citizens of European Union member states currently receive the same Privacy Act protections as U.S. citizens. The JRA extends the definition of covered individuals under the Privacy Act to the citizens of any “covered country” designated by the U.S. Attorney General (“with the concurrence of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security”). As the name of the Act implies, the JRA provides the right to judicial redress in U.S. courts to citizens of covered countries.
The Attorney General must determine that a country has met certain minimum requirements before designating it as covered under the JRA. This remains a discretionary function; the JRA does not mandate that an Attorney General extend these protections. On January 17, 2017, with only a few days left in her tenure, Attorney General Loretta Lynch designated the European Union as a covered country under the JRA. (The AG also individually designated all EU member states except Denmark and the United Kingdom as covered countries under the JRA, awaiting notice from the EU that these countries have decided the Umbrella Agreement’s application to them.)
This was in keeping with Article 19 of the EU-U.S. Umbrella Agreement, signed in December, which requires the parties to provide specific judicial redress rights to each other’s citizens.
President Trump’s executive order mandates that agencies limit Privacy Act protections exclusively to citizens and LPRs. By its language, it appears to be limited to federal agency privacy policies, making it unlikely that it will affect existing protections under the JRA. However, if the administration were to pursue a broader policy to exclude non-U.S. persons from Privacy Act protections, the President could instruct the Attorney General to remove the existing covered country designation for the EU and its member states. To do so, the JRA requires the Attorney General to officially find that the covered country: (a) no longer effectively shares information with the United States for law enforcement purposes, (b) no longer has appropriate privacy protections for such shared information, (c) fails to permit the transfer of personal data for commercial purposes between the territory of the covered country and the territory of the United States, or (d) impedes the transfer of information (for purposes of reporting or preventing unlawful activity) to the United States by a private entity or person. 5 U.S.C. § 552a note.
Implementation of the executive order
The specific motivations behind the Trump administration’s modification of federal agency privacy practices are not clear. However, the context of the modification, in an executive order otherwise focused on strengthening immigration enforcement, provides some clues. As Hugo Teufel explained in his 2014 Lawfare post, when opponents of his mixed system of records policy were “pressed for a specific objection, the only clearly articulated objection from the [law enforcement] community was that they were unable provide the names of foreign nationals suspected of a crime to the media or members of Congress.”
The executive order falls squarely within the power of the President, as it merely instructs the executive branch to eliminate policies that went beyond Congressional authorization under the Privacy Act. However, in order to implement the executive order, federal agencies will need to publish a modified Systems of Records Notice in the Federal Register for each mixed system that is currently providing Privacy Act protections to non-U.S. persons. In addition, agencies will need to implement technical controls to distinguish between those records with Privacy Act protections (including U.S. citizens, LPRs, and citizens of designated countries under the JRA) and those without these protections. In some cases, including traveler visa records, the personal information of both citizens and non-citizens is contained within individual records.
Once implemented, this executive order will have an immediate impact on the privacy of non-U.S. and non-EU persons whose data are stored in federal agency mixed records systems. If agencies do not treat them as covered individuals under the Privacy Act, the Act’s limitations on the dissemination of their personal information will not apply. Further, agencies will be unable to respond to requests from these individuals to modify or delete inaccurate information in their records and individuals will need to rely solely on FOIA requests in order to obtain copies of their own records.
Even though this policy change will not directly affect Privacy Shield or the EU-U.S. Umbrella Agreement, the action may still cause friction for these important cross-border data agreements. Privacy Shield will face its first annual review this year. In a statement provided to TechCrunch, a European Commission spokesperson confirmed that Privacy Shield “does not rely on the protections under the U.S. Privacy Act” and that the Umbrella Agreement is secure based on the additional protections of the Judicial Redress Act.
President Trump’s executive order will impact the rights and remedies available to non-Europeans whose data is included in U.S. federal agency databases. In addition, the perception of an administration that is less concerned with the privacy of non-U.S. persons could significantly impact the privacy of Americans abroad. International privacy agreements are built on reciprocity, as DHS explained in PPGM 2007-1: “If DHS wants foreign partners to afford protections to data collected about U.S. citizens, a positive commitment to honor privacy protections for non-U.S. persons, as demonstrated through application of the Privacy Act to mixed systems, will improve the chances for success. In short, DHS wants to be in a position to be able to say ‘we’ll give your people the same privacy you give our people.’ To do otherwise, would put the Department in an untenable position of seeking a double standard.”