On Friday, December 19th, the Privacy Office of the U.S. Department of Homeland Security released A Report Concerning Passenger Name Record Information Derived From Flights Between The U.S. and the European Union.
This is a very important report for both US and European travelers, but not for the reasons the DHS claims:
The authors of the report conclude that DHS handling of Passenger Name Record (PNR) data is in compliance with both US law (particularly the Privacy Act) and the DHS-EU agreement on USA access to, and use of, PNR data related to flights between the EU and the USA.
In fact, the report contains multiple admissions that support exactly the opposite conclusion: The DHS has complied with neither the agreement with the EU, nor US law (especially, but not only, the Privacy Act), in its use of PNR data concerning US citizens as well as Europeans and other foreigners.
The DHS has legal obligations to US citizens and residents under the Privacy Act, and commitments to travelers from the EU under the PNR agreeement, to allow individuals timely access to PNR data about them held by the DHS. According to the report:
DHS policy allows persons (including foreign nationals) to access and seek redress under the Privacy Act to raw PNR data maintained in ATS-P.
Despite this, the DHS Privacy Office has now reported that:
- Requests for PNR data have typically taken more than a year to answer — many times longer than the legal time limits in the Privacy Act and Freedom of Information Act: “The requests for PNR took more than one year to process.”
- When individuals have requested “all data” about them held by the DHS, often they have not been given any of their PNR data: “If an individual requests ‘all information held by CBP’ the FOIA specialist generally does not search ATS because PNR was not specifically requested.”
- Because of this, the vast majority of requesters who should have received PNR data did not: “The PNR specific requests are a small percentage of the total requests based on the statistics provided to the Privacy Office, but if ATS-P were searched in all cases in which an individual asks for ‘all information held by CBP,’ the percentage would increase more than seven [sic]”
- PNR data has been inconsistently censored before it was released: “The requests for PNR … were inconsistent in what information was redacted.”
- A large backlog from the initial requests for PNR data remains unanswered, more than a year later: “Management noted that they have been understaffed and are bringing on new staff to reduce the backlog and period of time it takes to respond to requests. Additionally, management stated that part of the delayed response was due to the large number of requests initially submitted for PNR.”
To understand the full meaning and significance of the report, let’s quickly review the history of US government use of PNR data: