
Cybersecurity & Standards, Government Surveillance, Privacy & Data

5 Takeaways from the New DHS Privacy Guidance

In January, the White House issued an executive order directing agencies to exclude non-U.S. persons from protections under the Privacy Act of 1974. The Privacy Act gives individuals the right to access and correct their personally identifiable information (PII) in records held by government agencies, and it limits agencies’ ability to disclose such information without consent.

As we wrote in January, the executive order was a blow to fundamental fairness and human dignity. But it also created a practical problem: government databases often include the PII of U.S. persons and non-U.S. persons, and it’s not always possible to ascertain a person’s immigration status. For this reason, the Department of Homeland Security (DHS) had extended Privacy Act protections to all records held in these “mixed systems,” regardless of whether the record belonged to a U.S. person or a non-U.S. person.

To comply with the new executive order, DHS released new policy guidance on April 27. The new policy acknowledges that DHS can no longer extend statutory Privacy Act protections to non-U.S. persons, but it also explains what the agency must do to continue to protect the privacy of non-U.S. persons. It’s still early to tell how the policy will work in practice, but here are a few takeaways:

I. Applying weaker privacy standards to non-U.S. persons puts the privacy rights of U.S. persons at risk.

The new DHS policy highlights the difficulty and impracticality of applying different privacy standards to U.S. persons’ and non-U.S. persons’ records. It notes that DHS extended Privacy Act protections to all individuals in the first place “because of inherent difficulties in determining a person’s current immigration status, which may change over time through naturalization or adjustment.” Agents often don’t have enough information to determine a person’s immigration status, and if a non-U.S. person becomes a permanent resident or citizen, all of her records must be treated in accordance with the Privacy Act. Thus, the new policy increases the risk of disclosure of U.S. persons’ PII in violation of the Privacy Act and creates additional burdens for agencies.

The policy reveals a deep disconnect between the White House’s agenda and the reality of governmental operations. But it is also promising that the DHS Privacy Office is insisting on the application by DHS officials of Fair Information Practice Principles to protect the privacy and dignity of all people, regardless of citizenship status. We hope to see robust enforcement and oversight of this privacy guidance.

II. Non-U.S. persons still have a right to basic privacy protections for their personal information.

The new DHS policy makes it clear that the agency will treat “all persons, regardless of immigration status, consistent with the Fair Information Practice Principles (FIPPs).” In other words, DHS agents must take steps to protect everyone’s privacy, regardless of whether the Privacy Act applies. Because the FIPPs are principles, not statutory requirements, privacy protections for non-U.S. persons will be less certain than before. But even the former DHS policy of extending Privacy Act rights to non-U.S. persons whose data are in a mixed system of records did not, and could not, extend to them a right to enforce those Privacy Act rights in court. DHS’s guidance on applying the FIPPs offers some cause for optimism:

Purpose specification

When DHS decides to collect PII—including that of non-U.S. persons—the agency must clearly state the purposes for which it intends to use the information. Any future use or disclosure of the PII must be tied to the purpose for which it was collected. This prevents the agency from collecting information for one purpose and using it for an unrelated purpose, or from collecting information just because it may be useful for some undetermined reason in the future.

Data minimization

DHS may not have enough information to determine a person’s immigration status for Privacy Act purposes, and the new policy wisely cautions against collecting additional information to make that determination. It states that the executive order does not require DHS to collect new information “targeted at determining citizenship status.” Collecting this information would create additional privacy and security risks and divert limited resources from other priorities.

Privacy Impact Assessments

The E-Government Act of 2002 requires agencies to publish Privacy Impact Assessments (PIAs) when they collect PII, regardless of whether it pertains to U.S. persons or non-U.S. persons. PIAs provide notice to individuals whose information may be collected and state the purpose of collection and intended uses.

PIAs can provide a basis for holding DHS accountable if its use and disclosure of information deviates from the purpose of collection – but only if the new FIPPs-based policy is effectively enforced. Consistent with the previous DHS policy, non-U.S. persons don’t have a judicial cause of action under the Privacy Act.  The DHS Inspector General and Chief Privacy Officer must ensure that agents follow the new policy when handling non-U.S. persons’ PII.

III. DHS has more discretion to share non-U.S. persons’ information with third parties.

The Privacy Act prohibits agencies from disclosing individuals’ PII without written consent unless one of twelve Privacy Act exceptions applies. Under the new policy, DHS agents are not required to invoke a Privacy Act exception or get consent before sharing non-U.S. persons’ records. Instead, the new policy relies on the FIPPs and limits the sharing of non-U.S. persons’ PII to purposes that are “compatible with the purposes for which the information was originally collected.” When a third party requests a non-U.S. person’s records under FOIA, DHS will balance “the public’s right to know about the functions and operations of the [g]overnment” with the privacy interests of the individual whose information the request seeks.

Although the new policy requires DHS to consider non-U.S. persons’ privacy before disclosing information, it appears to give DHS agents more discretion to disclose than they had under the Privacy Act. Thus, it could leave U.S. immigrants and visitors more vulnerable to affirmative, punitive disclosures of PII by DHS, as well as to threats from anti-immigration groups who gain access to immigrants’ personal information and status through FOIA. Non-U.S. persons’ privacy will likely depend on careful oversight and enforcement of the new privacy policy.

However, the policy notes that non-U.S. persons may have a “reverse FOIA” cause of action under the Administrative Procedure Act (APA) to sue an agency to prevent the disclosure of records that would result in a privacy invasion.

IV. Non-U.S. persons no longer have a right to correct their personal information.

Without Privacy Act protections, non-U.S. persons can only access their records through FOIA requests. While there is a presumption of openness under FOIA, robust oversight and enforcement are needed to ensure that DHS officials don’t abuse the FOIA exemptions to withhold requesters’ records.

Non-U.S. persons no longer have the ability to request that their records be corrected under the Privacy Act. However, the new policy asserts DHS’s commitment to maintaining accurate records and states that DHS may update records when it becomes aware that they are inaccurate. Non-U.S. persons may be able to alert DHS to inaccurate records by filing a FOIA request.

V. Non-U.S. persons covered under the Judicial Redress Act retain certain administrative and judicial Privacy Act rights that other non-immigrants lack.

In 2015, Congress passed the Judicial Redress Act (JRA), which extends some Privacy Act protections to citizens of most European Union countries. The JRA applies to information shared with the U.S. government from a designated country for law enforcement purposes (“covered records”). The new DHS policy confirms that, with respect to covered records, individuals covered by the JRA enjoy the same administrative and judicial Privacy Act rights that they enjoyed before the January 25 Executive Order was issued.