Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

Use of passenger data breaks privacy laws, says US watchdog


The US Government Accountability Office, the investigative arm of Congress, on Friday confirmed that the Transportation Security Administration (TSA) had violated privacy laws in using personal information to test a passenger-screening programme.

The programme, known as Secure Flight, is a security measure brought in under the Transportation Security Act to check the names of airline passengers against lists of terrorist suspects. The first version of the screening programme, CAPPS II, was cancelled last year amid growing concerns that it would not protect Americans’ privacy or security.

The latest controversy was unearthed by the Government Accountability Office (GAO), which on Friday reported to Congress that the TSA had obtained over 100 million records from databases legitimately held by three commercial data companies, covering details such as names, addresses and phone numbers.

However, the TSA requested records not only in relation to 43,000 names obtained from airline data records, but also in relation to 200,000 other versions of those names. This meant that the 100 million records returned on the 243,000 names related to a large number of people who had not actually flown in June 2004 – the month advertised by the TSA as the one in which it would be collecting data.

In addition, while the TSA had advised the public that it would be collecting data on travellers flying in June 2004, the report said it was in violation of the US Privacy Act because it also collected and stored commercial data records, even though the agency had said in its privacy notices that it would not do so.

The Privacy Act is designed to ensure that there are no secret government systems for gathering personal data, and that any data collected is restricted to that which is strictly necessary.

The Act also requires: that individuals can see what information is kept about them, and can challenge the accuracy of that information; that personal data collected for one purpose cannot then be used for another purpose without consent; and that if any data are disclosed, the individuals involved will be able to find out to whom, when and why they were disclosed.

According to the GAO report, the agency’s privacy notices, which were meant to inform travellers of how their information is used, did not state what data would be collected, whose data would be collected or how the public could access and amend their data.

When it was revealed in June that the TSA had collected these personal records, the agency took steps to retrospectively amend its privacy notices to inform the public of what happened.

According to the American Civil Liberties Union, these steps represented too little, too late.

"Lawmakers must undertake a full investigation into TSA's data mismanagement," Timothy Sparapani, an ACLU lawyer said on Friday. "TSA has shown it cannot securely, and honestly, manage sensitive personal information for proposed screening programs. If the agency is allowed to move forward with Secure Flight, Americans’ private information will be at risk."

Senators Susan Collins (Republican) and Joseph Lieberman (Democrat) of the Senate Committee on Homeland Security and Governmental Affairs also criticised the TSA, sending a letter to the head of the Department of Homeland Security, Michael Chertoff, to express their concerns.

“We understand that, in response to GAO’s assertions, TSA took corrective actions to inform the public of its actual test protocols through updated privacy notices," wrote Senators Collins and Lieberman. "However, that action does not excuse TSA’s failure to meet basic Privacy Act requirements in carrying out this program.”

The letter continued: “Given fundamental concerns surrounding the government’s use of personal information and the unfortunate history of TSA’s passenger prescreening program, careless missteps such as this jeopardise the public trust and DHS’ ability to deploy a much-needed, new system.”

It will also be of little comfort to European legislators who, in December 2003, after lengthy negotiations, finally approved an agreement formalising the transfer of US-bound airline passenger data to US Customs.

The agreement was made in the face of strong opposition from the European Parliament, which was concerned both with the terms of the agreement and the fact that US laws do not meet general EU data protection requirements.

The agreement is already the subject of a referral to the European Court of Justice.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.