Information sharing actions in the name of national security test international privacy laws

The Secure Flight program recently implemented under the authority of the Transportation Security Administration (TSA) is raising a number of privacy issues not just in the United States, but also in foreign countries whose privacy laws may run counter to the information sharing required by the program. Secure Flight requires air carriers to collect a variety of personal information about passengers in advance of travel, in order to facilitate the comparison of ticketed passengers to terror watch lists such as the no-fly list. It is intended both to reduce the number of false positives (that is, individuals mis-identified as being on a watch list, due to factors such as name similarities) and to improve the efficiency of the matching process, which ostensibly will help avoid false negatives such as the recent high-profile incident on Christmas Day in which a known person of interest was permitted to board a U.S.-bound Northwest Airlines flight and attempt to carry out an act of terrorism. The program pre-dates this latest incident by several months, and while no one has yet suggested that the Secure Flight program would have prevented the incident, the program is receiving a lot of attention due to the timeliness of its rollout.

One consequence of the Secure Flight program is the requirement for foreign air carriers to share passenger list data with the United States (currently this applies to flights landing in or taking off from the U.S., but is intended to include flights entering U.S. airspace, whether or not they have a termination point here). Carriers based in other countries have complained that sharing personal passenger information with the U.S. may be prohibited by non-U.S. national data privacy laws. For instance, while overflights from Canadian and Mexican points of termination are not currently subject to Secure Flight, a Canadian air carrier association is arguing that providing the data required under Secure Flight violates the Personal Information Protection and Electronic Documents Act (PIPEDA). This conflict between U.S. national security intentions and international privacy laws is not new; a similar program initiated in 2004 for sharing passenger name records between European Union countries and the U.S. required extensive negotiations in order to settle on a set of data elements acceptable to the European Union and its data protection provisions, and to extend certain provisions of the U.S. Privacy Act (which explicitly applies only to U.S. citizens and permanent resident aliens) to non-U.S. passenger name record data. The specifics of personal data protection laws vary greatly among different countries, but in the case of those in the European Union, under OECD privacy guidelines for transborder flows of personal data and the 1995 Data Protection Directive (95/46/EC), countries are only allowed to send personal data to other countries with comparable data protection laws. With passenger name records, legal arguments continued for several years until a compromise was reached in 2007, but this agreement only covers personal data in passenger name records; sharing of personal data more broadly with the U.S. remains legally problematic for organizations in many foreign countries.