Judge Seeborg granted some of the government’s motions for summary judgment and some of ours, ordered US Customs and Border Protection (CBP) to conduct further searches and disclose any non-exempt responsive records they find, and ordered the parties to confer on the remaining unresolved issues.
We’re still studying the order, which we received notice of late yesterday. But here are some key aspects of the ruling — including some issues of first impression for any Federal court — and some issues it raises:
1. Federal agencies can retroactively exempt themselves from access and other requirements of the Privacy Act.
Judge Seeborg held that regulations issued by DHS in 2010 to exempt Automated Targeting System (ATS) records and records of Privacy Act and FOIA processing could be used as the basis for withholding information that Mr. Hasbrouck first requested in 2007 and 2009.
So far as we know, this is the first time that any Federal agency has claimed the authority to issue Privacy Act exemptions applicable to previously-made requests for information.
Under Judge Seeborg’s interpretation of the law, nobody has any “vested” interest in Privacy Act rights of access to information about them being kept by the government, even if they have relied, to their prejudice, on the expectation of being able to obtain that information. In Judge Seeborg’s view, no Privacy Act exemption rule is ever truly “retroactive” if a court hasn’t yet ordered that records be handed over.
If this interpretation is adopted by other courts, nobody will be able to rely on the Privacy Act, and there will be no incentive for Federal agencies to bother to respond to Privacy Act requests or appeals or to reveal which records systems they plan to exempt. In this case, as with many other requests for ATS records, they ignored Mr. Hasbrouck’s requests and appeals for years. Even if an agency is sued, it can still wait until it is about to be ordered by a court to disclose what records it has been keeping — at which point it can issue new rules exempting those records from disclosure.
We strongly doubt that this is what Congress intended the Privacy Act to mean. If other courts adopt Judge Seeborg’s interpretation of the Privacy Act, Congress should amend the law to prohibit retroactive exemptions and guarantee that individuals will always retain at least those rights with respect to personal information that they had when that information was first provided to or obtained by the government.
2. Federal agencies are not required to disclose how personal information about innocent citizens is indexed or retrieved.
The Privacy Act requires that, even if all the personal information in a particular system is exempt from disclosure, any Federal agency maintaining a system of records about U.S. citizens much publish a notice in the Federal Register including “the policies and practices of the agency regarding storage [and] retrievability… of the records”.
The Privacy Act was enacted in 1974, when the “retrievability” of records would have depended primarily on the sequence in which physical folders were arranged in a set of file cabinets. Today, however, “policies and practices … regarding storage [and] retrievability” are much more complex and sophisticated. To understand the potential for use and misuse of a system of records, people need to know how the data is structured, how and by which fields it is indexed, and what data mining tools exist in the software.
Our case is, again on this issue, one of first impression as to exactly what is required to be included in the required System Of Records Notice (SORN), particularly with respect to indexing and data mining capabilities.
Unfortunately, Judge Seeborg has ruled that the list of personal identifiers by which data can be retrieved would be exempt from disclosure under the Freedom Of Information Act (FOIA) as sensitive information about law enforcement techniques that “could reasonably expect to risk circumvention of law”.
That’s perhaps arguable, although we are dubious. But we believe that Judge Seaboard has clearly erred in failing even to consider in his ruling our argument that the express requirement of the Privacy Act that this information be published in the Federal Register — a requirement from which the agency cannot exempt itself under the Privacy Act — takes precedence over any arguably applicable FOIA exemption.
If this aspect of Judge Seeborg’s opinion is widely adopted, it will mean that US citizens have no way to know what data mining capabilities are included in government databases of personal information, or which “personal identifiers” (telephone numbers, credit card numbers, IP addresses, etc.) are being used to retrieve records and as the basis for “risk assessments” or other government actions affecting us.
3. FOIA is not a substitute for the Privacy Act.
This lawsuit was brought under both the Privacy Act and the Freedom Of Information Act (FOIA). These laws are not the same, and do not provide individuals with the same privacy or data protection rights. Some of the essentials of fair information practices are incorporated only into the Privacy Act, and not FOIA.
All this is especially important for foreigners, who have no rights at all under the Privacy Act. The US government has been trying to persuade foreigners and foreign governments that even though they have no rights under the Privacy Act, FOIA provides an adequate substitute. But it doesn’t, as this case shows.
This case should be an object lesson that when the Privacy Act does not apply — whether because of agency self-exemption, as in this case, or because the individuals whose rights are at stake are not US citizens — FOIA does not provide a substitute for the rights that would otherwise be protected by the Privacy Act.
For example, FOIA provides no right to any accounting of disclosures of records to third parties. Because these systems of records have been (retroactively) exempted from the Privacy Act, nobody has any right to know with what other government agencies or third parties the DHS has “shared” its records of our travels. Similarly, FOIA provides no right to any notice of the existence or attributes of new systems of government records of personal information about individuals.
4. This case is not over.
Judge Seeborg’s ruling yesterday dismisses essentially all of our Privacy Act claims and some of our FOIA claims. Important factual and legal issues remain, however, including in particular what, if any, access logs exist for DHS databases of travel records including Passenger Name Record (PNR) data.
The DHS has claimed to the European Union that all access to these records is logged in such a manner as to make it possible to audit compliance with US-EU agreements on use of this data. But the DHS has claimed in response to our lawsuit that no logs exist that could be used to determine who has retrieved records about a particular person. Without such a capability, logs would be useless for audit purposes.
We will be conferring with the government’s lawyers, as directed by Judge Seeborg, concerning the additional searches for and production of records by the government which the court has ordered.