ENDitorial : PNR & Institutional Mechanisms of Privacy Protection

By EDRi · October 11, 2006

(This article is also available in German)

A small detail in the EU-US agreement on the transfer of air passenger
name records (PNR), and an unrelated statement by US president George W.
Bush, taken together nicely highlight the institutional mechanisms
of privacy protection.

EU Commissioner Frattini told the press on 6 October 2006 that under the new
PNR agreement, the passenger data will be accessible to other US agencies
involved in counter-terrorism and law enforcement “on the condition that
these have a comparable level of data protection”. This formulation is of
course absurd if you allow the basically unlimited transfer of data, as
the core idea of data protection consists in the protection against further
transfer. It is also interesting because, under the 1995 EU data protection
directive, data transfers to third countries are only allowed if there is an
“adequate” level of protection. But let us accept it for the moment. What
could be a comparable level of protection?

Institutionally, the EU has adopted the German idea of a special privacy and
data protection commissioner within government agencies or companies. This
officer has to be independent from executive orders, because his or her job
is exactly to provide control over the way the agency or company handles
personal data of citizens, customers, or employees. The public data
protection commissioners in Europe are also independent because they are
elected by the national parliaments. The model has become quite popular in
the last ten years. Many US-based corporations now also have their chief
privacy officers (CPOs) basically fulfilling the same task.

The Department of Homeland Security was the first government agency in the
US that ever got a chief privacy officer. The position was institutionalized
with the Homeland Security Act of 2002 (section 222) which established the
department. By doing this, the Bush government tried to attenuate the harsh
criticism from privacy advocates against the surveillance and data-mining
programs concentrated in the DHS. But the DHS chief privacy officer is not
independent. He (currently Hugo Teufel, III) is nominated by the Secretary
for Homeland Security and reports to the executive branch it is
supposed to control, not to Congress. At the annual international
conferences of privacy and data protection commissioners, the DHS privacy
officer therefore was never really recognized as “one of them”, and was not
allowed to participate as a peer in the internal meetings of national

Congress has repeatedly tried to increase the independence of the DHS CPO.
This was done again in the 2007 spending bill for the Homeland Security
Department. Section 522 states that:
“None of the funds made available in this Act may be used by any person
other than the Privacy Officer appointed under section 222 of the Homeland
Security Act of 2002 (6 U.S.C. 142) to alter, direct that changes be made
to, delay, or prohibit the transmission to Congress of any report prepared
under paragraph (6) of such section.”

This is a complicated way (because it is a spending bill) of saying that only
the privacy officer can edit the reports about how the department obeys
privacy rules. Now, when President Bush signed the bill, he
attached a signing statement to it, which gives him the authority to
make changes to the agency’s privacy office annual and other reports. Bush
directs that: “the executive branch shall construe section 522 of the Act,
relating to privacy officer reports, in a manner consistent with the
President’s constitutional authority to supervise the unitary executive

Do not assume that the DHS privacy officer has been a sharp watchdog yet.
For example, the report on privacy protection of passenger name record
information, published by his office in September 2005, basically says
“everything is great and data is protected perfectly”. So Bush is just
insisting on his last word as the commander-in-chief.

It becomes clearer if you look at the big picture: The EU allows the DHS to
transfer passenger data to other agencies if they have a comparable level of
data protection. The other departments and agencies do not have privacy
officers who could ensure that this level of protection is really enforced.
The DHS privacy officer does not have a level of independence comparable to
his European colleagues. But even if he wants to report breaches of the weak
privacy protection levels in US government agencies, President Bush and the
White House can do the final editing of the reports and tell the privacy
officer to shut up. So, the EU is giving its citizens’ data away, and what
it gets in return is no more than a “trust us” from the US Government. It
reminds me of a recent statement by the German Ministry of Finances in the
SWIFT affair. When asked by a conservative (!) member of the Parliament
about the possibility of the US using the financial data for economic
espionage, the spokesman replied: Yes, they had discussed this with their
American counterpart, but the US Government would not see this danger.

The idea of having an independent privacy commissioner was one way of
substituting this “trust me” model with institutionalized checks and
balances. This is what democracy is all about, compared to authoritarian
systems: Not having to trust the government, but instead controlling it.
(Contribution by Ralf Bendrath, EDRi member Netzwerk Neue Medien e.V.,