Most people think of communications between attorneys and their clients as being among those having the highest level of legal “privilege” against compelled disclosure to the government.  And it is widely believed that the US lacks a Federal “shield law” protecting journalists against being forced to reveal confidential sources.

The assumptions are, in some situations and with respect to certain information, well founded. But a recent Federal decision by the 5th Circuit Court of Appeals has belied those assumptions and created a situation — at least in the 5th Circuit — in which attorney-client communications have significantly less protection at borders and ports of entry than information in the possession of journalists and others involved in communicating information to the public.

This makes it more important than ever for all travelers — including lawyers who assume that the information in their possession is best protected under the attorney-client privilege, and individuals who don’t think of themselves as journalists — to be familiar with the protections of the Federal Privacy Protection Act of 1980 (42 US Code §2000aa), and to proactively assert their protected status and their rights under this law if their data or devices are searched or seized

Here’s what was decided in this recent case about attorney-client communications, and what protections travelers still have pursuant to the Privacy Protection Act:

The plaintiff in Malik v. DHS, Adam Malik, is an immigration lawyer in the Dallas area and a former employee of the Department of Homeland Security (DHS). While he was on a flight from Costa Rica to Dallas/Ft. Worth Airport (DFW) in 2021, he was “flagged” by the DHS to be subjected to a more intrusive than routine search on arrival in the US.

Neither the District Court nor the Circuit Court decisions say how Mr. Malik was picked out for especially adverse treatment before his flight even reached the US, but presumably this was done on the basis of passenger name record (PNR) and/or Advanced Passenger Information (API) data transmitted to DHS by the airline and/or the computerized reservation system that hosts its reservation database.

The PNR and/or API data may have matched data in a TECS alert, or may have matched an entry on a blacklist (“watchlist”) or another rule in the Automated Targeting System (ATS) algorithm. It will be no surprise to those familiar with the overwhelming anti-Muslim bias in the DHS watchlist that Mr. Malik is a naturalized US citizen originally from Pakistan.

When Mr. Malik arrived at US customs and immigration, DHS agents seized his cellphone over his objections that it contained  privileged communications with his legal clients, “bypassed the phone’s security features,” and copied all the data stored on it. This process took months before the data was copied and the phone returned to Mr. Malik, but the DHS made no attempt to obtain a warrant or a subpoena for any of the data on the phone.

The District Court dismissed Mr. Malik’s complaint, finding that the warrantless search of Mr. Malik’s phone was “reasonable” and did not violate the 4th Amendment because “the Government’s investigation into an international arms dealer with known ties to the Dallas area supported the search of Mr. Malik’s cell phone.” It’s not clear what this means. It could mean nothing more than guilt by association, such as that a phone number showed up both in Mr. Malik’s PNR and in the contacts of some other suspected individual, perhaps because they used the same travel agency or had stayed in the same hotel at different times. Or perhaps the suspect was, or had once been, a client of Mr. Malik, or had considered contacting Mr. Malik in his professional capacity.

In a decision earlier this month, the  5th Circuit upheld the dismissal of Mr. Malik’s complaint. The 5th Circuit found that only a “minimal” level of “reasonable suspicion”, which could be less than “probable cause”, is required for even “advanced” and more time-consuming and intrusive searches at international borders or ports of entry, even when those searches involve privileged attorney-client communications.

That’s a reason for attorneys or anyone who normally keeps privileged or sensitive data on their phone — as almost all travelers do — to wipe their phone before crossing borders or carry only a “burner” phone on which they store only minimal data.

But it’s also noteworthy that Mr. Malik’s complaint didn’t include a claim under the Privacy Protection Act. Perhaps he wasn’t aware of that law, or didn’t realize that it applies to him as a person who distributes information to the public, including through articles on his website.

We’ve discussed how the Privacy Protection Act applies to travelers at airports and borders before, and this law has received rare attention recently in connection with raids by Kansas police on a local newspaper office and the newspaper publisher’s home.

As we’ve noted before, the Privacy Protection Act isn’t limited to “journalists”. It protects your data if you “have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication.” If you intend to post some of your photos or descriptions of events on social media, for example, your documents and digital materials are protected by this law.

The Privacy Protection Act precludes the use of mere “reasonable suspicion” as the basis for a search of this sort of journalistic data, as the 5th Circuit has now upheld as the basis for a border search of privileged attorney-client communications. Even if the government suspects that a journalist has committed a crime, “probable cause” is required for any search or seizure of “documentary” or “work product” materials.

The Privacy Protection Act has an an exception for some searches at borders and international ports of entry, but only when those searches are carried out “in order to enforce the customs laws of the United States.” There doesn’t appear to have been any basis to suspect Mr. Malik of any violation of customs laws, so that exception wouldn’t have applied in his case.

One reason Privacy Protection Act claims aren’t more common is that ignorance of the law on the part of police who carry out prohibited searches and seizures is a defense to claims under this act. So it’s up to you to put police on notice of this law and that you “have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication” (such as, most commonly, social media posts). We encourage all travelers to keep a copy of the Privacy Protection Act and the applicable regulations and guidelines in a README filedme in the root and home directories on each of your devices, and carry a copy of the Privacy Protection Act and show it to any government agent who tries to search or seize any of your documents, data, or electronic devices.