John W. Kropf, Guide to U.S. Practice on Global Sharing of Personal Information, American Bar Association, 2012, ISBN 978–1–61438–308–6

* Legal Counselor, U.S. Mission to the European Union, Brussels. The views expressed here are the author’s and not those of the US Department of State.

International Data Privacy Law, Volume 2, Issue 3, August 2012, Pages 192–193, https://doi.org/10.1093/idpl/ips010

16 May 2012


Kenneth Propp, John W. Kropf, Guide to U.S. Practice on Global Sharing of Personal Information, American Bar Association, 2012, ISBN, 978–1–61438–308–6, International Data Privacy Law, Volume 2, Issue 3, August 2012, Pages 192–193, https://doi.org/10.1093/idpl/ips010


Over the past decade, the growing interest of the US Government in access to personal information under European control, ranging from airline passenger (PNR) to financial transaction (SWIFT) data, has moved centre-stage in relations between the United States and the European Union. The United States has been assailed by some in Europe as a ‘Wild West’ of privacy regulation, and its negotiations with the EU to enable transfers of such personal data for counter-terrorism and other law enforcement purposes have repeatedly proven contentious and controversial.

John Kropf's Guide to U.S. Practice on Global Sharing of Personal Information provides a valuable perspective on these trans-Atlantic privacy disputes. Kropf is a well-placed observer, having served until recently as the deputy chief privacy officer at the US Department of Homeland Security (DHS) and as its senior adviser on international privacy policy. The DHS, created by the US Congress in the wake of the September 11, 2001 attacks and charged with protecting the security of US borders, has been at the forefront of recent US efforts to collect personal information from abroad. Kropf's book combines succinct analysis of the principles and practices that guide the United States in its extensive network of international agreements relating to the sharing of personal information with a comprehensive selection of these texts; a CD version is also helpfully included in the book.

Kropf describes a substantial recent expansion of US Government efforts to negotiate such international agreements. He rightly attributes this phenomenon to an inter-connected set of factors: the growing power and sophistication of information technology, a concomitant rise in the volume of cross-border information sharing both directly between governments and between governments and the private sector, and the widespread adoption and growing complexity of national privacy laws across the globe. For the United States, the experience of foreign-led terrorist attacks on US soil created an additional imperative—to collaborate more systematically and thoroughly with other governments to exchange information that could help prevent future 9/11-type events.

Kropf begins with a short history of the Fair Information Practice Principles (FIPPs), effectively illustrating how they provide the common thread linking US and international privacy practice. First devised by a US government advisory committee in 1973 in the wake of revelations of Watergate-era abuses of personal information, the FIPPs address concepts such as notice and access for individuals whose records are kept by government entities. These principles have spawned a rich legal legacy, including the 1974 US Privacy Act. More recently, DHS has adapted the FIPPs for its internal regulatory use, and the Obama Administration has relied on them as the conceptual basis for its newly-proposed consumer privacy protection blueprint. In Europe, the FIPPs have been embedded in the EU's Directive 95/46 on the processing of personal data. Multilaterally, the FIPPs form the core of the seminal 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; they also have spread to the Asia-Pacific region, where they are embodied in the Asian Pacific Economic Cooperation (APEC) Privacy Framework.

Kropf next analyses how the US Government's approach to international sharing of personal information has changed in recent decades. Agreements on social security information-sharing reaching back to the 1970s, for instance, provide protection through narrowly drawn purpose limitations and mutual recognition of the sufficiency of the other party's national laws protecting personal information. A different technique is employed in agreements dating back to the 1980s which relate to mutual assistance in criminal matters or to cooperation among securities regulators; they rely on mutual pledges to keep confidential foreign government-sourced personal information.

In newer law enforcement information sharing agreements reached between the United States and the European Union, however, much more elaborate privacy protections drawn from the FIPPs begin to appear. A 2002 agreement with Europol, the EU's police cooperation agency, for example, blends the FIPPs with protections drawn from the EU's own Directive 95/46. EU-sourced privacy protections play an even more prominent role in the series of recent agreements on police sharing of biometric information (Preventing and Combating Serious Crime Agreements) that the USA has concluded with EU member states. These agreements import numerous provisions from the EU's Prüm Agreement on police cooperation against cross-border crime, which is part of the Schengen acquis.

While Kropf's analysis and examples are clear and instructive, the greatest virtue of this book lies in the wealth of primary source material that the author has included in its appendices. Exemplary international agreements from no less than eight different US government departments and agencies—the Departments of State, Justice, Treasury and Homeland Security, the Federal Trade Commission, the Commodities Futures Trading Commission, the Securities and Exchange Commission, and the Social Security Administration—are featured. They are generally accompanied by helpful brief introductory summaries of the particular US government entity's regulatory role and the reasons why it exchanges personal information with foreign government counterparts. Texts of key multilateral accords concluded under the auspices of the OECD, APEC, and the Council of Europe also are provided.

While all of the materials Kropf incorporates are public source, some nonetheless would not otherwise be readily accessible. His deep knowledge of US government practice is particularly evident in several selections relating to border security. In instances where the texts of certain international agreements are non-public—for example formal arrangements DHS has reached on sharing biometric information with Anglophone foreign government partners in the fields of immigration, visas, asylum, and refugee matters—Kropf instead has included the texts of detailed privacy impact assessments that DHS has published. Similarly, he casts light on an exhaustive internal US government review that developed guidelines for the so-called Information-Sharing Environment (ISE), a set of rules designed to facilitate cooperation between US law enforcement and intelligence agencies in domestic sharing of terrorism information. The ISE guidelines wrestle, for instance, with the complexities of utilizing foreign government information and sharing US government information abroad.

There are some minor deficiencies in the appendices. The description of the sample US mutual legal assistance treaty with Ireland fails to note that this agreement was supplemented and amended by a subsequent US–EU agreement on this subject, which added, among other things, a provision on data protection. Moreover, not every selection is preceded by an explanatory note placing it in context. And the table of contents could be more complete; it identifies some of the included agreements only by the name of the responsible US government agency, failing to list their subject matter.

Kropf's focus on the practitioner's perspective also inhibits a full discussion of the political drama playing out between Washington and Brussels on such topics as PNR. He does not delve deeply into contested issues such as the circumstances in which a government should be able to utilize information obtained from a foreign government for one purpose, such as a criminal investigation, in furtherance of another, such as regulatory enforcement. Nor does he reflect on the differing trans-Atlantic perspectives on the nature of redress to be afforded to persons whose personal data has been misused. His Guide to U.S. Practice on Global Sharing of Personal Information ventures no prediction on the prospects for US and EU authorities to reach broad-scale understandings on privacy protections in either the commercial or law enforcement spheres.

But the lessons it teaches are nonetheless important. Kropf succeeds in highlighting the fundamental commonalities that link US and foreign practice in this increasingly prominent and controversial field. He effectively demonstrates that the United States government has long sought—and achieved—consensual resolution of the challenges that international sharing of personal information presents, by concluding a network of international agreements that is unparalleled globally. This practice undoubtedly will continue to evolve rapidly, since new privacy legislation is under consideration in the United States, in Europe, and worldwide. As Kropf writes, ‘Negotiating an international agreement is a specialty in itself. Negotiating personal information-sharing agreements is a growing specialty among agencies that requires a background in privacy, international affairs and experience in the particular subject matter areas …’ With information technology rapidly advancing and the world becoming ever more closely connected, it is safe to bet that the importance of this topic in international law and politics will only increase.
