A story published this week in the New York Times highlights some of the key privacy concerns many Europeans have with U.S. data collection practices, particularly those followed under the justification of preventing terrorism. The article focuses on the experiences of European Parliament member Sophie In 't Veld, who became so frustrated at her inability to learn exactly what information U.S. government agencies were holding on her that she filed a lawsuit in federal court with the assistance of the Electronic Frontier Foundation. The lawsuit, naming both the Department of Homeland Security and Department of Justice as defendants, was dismissed after DHS asserted that it had performed an adequate search as In 't Veld requested (and as it is obligated to due under FOIA under which she sued), leaving the plaintiff in a situation where she believes (correctly or not) that there is more data about her on file within U.S. federal agencies than has been disclosed, and where the government isn't necessarily disagreeing, but basically says it provided enough information to comply with the request.
This case serves as perhaps the highest profile example of the practical impact of the different philosophical approaches in the U.S. and in Europe regarding the privacy of personal information. Such differences have led to the failure to reach agreements on financial information sharing intended to help combat terrorism by identifying its sources of funding. The collection and maintenance of airline passenger data for comparison to a variety of terrorist watchlists has historically been another sticking point between the U.S. and European Community countries, although the question at issue now is not so much that the data is being collected, but that individual who can presumably demonstrate that they are not terrorists have little or no visibility into the data being stored about them. U.S. authorities have consistently defended its anti-terrorism efforts since 9-11 and before, but in keeping with conventional "ask first" privacy practices that are the rule in Europe, Europeans believe that the U.S. should have to do more to prove that its data collection and use for anti-terrorism purposes are actually necessary, rather than individuals having to prove the practices cause them harm.
On its face, In 't Veld's desire to know what data the U.S. government has stored about her seems quite reasonable, not just because of her repeated experience of being selected for secondary security screening while traveling, but also because the ability for individual to find out what information is stored about them and how it is used is one of the core privacy principles embedded in all of the major privacy frameworks. This principle of access was articulated as one of the five fair information practices included in a landmark 1973 report from the Department of Health, Education, and Welfare entitled "Records, Computers and the Rights of Citizens" and was later reflected in U.S. legislation including the Privacy Act of 1974 and international privacy frameworks such as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It should be noted that neither of these important privacy drivers are relevant to In 't Veld and her requests to U.S. government agencies, as the OECD Guidelines are just that — guidelines, without the force of law — and the Privacy Act's provisions for records on individuals only applies to U.S. citizens and permanent resident aliens (5 U.S.C. §552a(a)(2)).
Friday Squid Blogging: Squid Bikes
4 hours ago