By Ellen Nakashima
Washington Post Staff Writer
Tuesday, July 1, 2008
A European Union lawmaker who frequently travels to the United States is suing the U.S. government for access to her personal records, such as credit card information and travel history, that the Department of Homeland Security and other security agencies may have gathered.
The lawsuit to be filed today by Sophie in't Veld, a Dutch member of parliament, comes as the United States and Europe are working on an agreement on privacy protections for transatlantic data-sharing. The pact would permit security agencies to obtain personal information for law-enforcement purposes. One sticking point, however, is the ability of European citizens to sue the U.S. government for access to information and redress if they think the data are inaccurate or have been misused.
In't Veld said her case underscored the need for more explicit data-protection guarantees than those contemplated in the draft of the accord. It is also the first high-level legal test of Bush administration assurances that anyone may access his or her data under the Freedom of Information Act, privacy experts said. The law allows anyone, including non-citizens, to sue for access. But it provides no mechanism for correcting errors.
"The bottom line is, the U.S. is trying to give the impression in Europe that there's a simple, well-established process for records access that any European can avail themselves of," said David L. Sobel, senior counsel for the Electronic Frontier Foundation, which is filing the lawsuit on in't Veld's behalf. "But as this lawsuit shows, it's a difficult, time-consuming process that might ultimately not result in anything being obtained."
In't Veld, who helps develop transatlantic data-sharing policies as a member of the E.U.'s Civil Liberties, Justice and Home Affairs Committee, has been flying to and from the United States for the past three years or so. She is almost always detained as she leaves the United States and sent to secondary screening for questioning and a search of her handbag and luggage.
Last October, she filed a FOIA request for access to her records at three agencies. "I don't expect to find anything specific in the files," she said in a phone interview from Utrecht, the Netherlands. "But I am entitled to know what is in them."
In March, DHS officials responded that a "comprehensive search" of files within agencies including Customs and Border Protection, U.S. Citizenship and Immigration Services, Immigration and Customs Enforcement turned up no "responsive records."
The FBI also said it found no records. The State Department has not responded, according to her complaint.
In't Veld said "there must be something if I'm traveling in and out of the United States." A Washington Post reporter's FOIA request for personal records to the DHS yielded airline travel and reservation records for flights to and from the United States.
A DHS official, who spoke on condition of anonymity because department officials generally do not discuss specific cases, said that in't Veld was not "on any list," including the no-fly list, and that she had not sought redress through DHS's Traveler Redress Inquiry Program (TRIP). The official could not address her records request, which is handled by a separate department.
The proposed agreement, according to a draft final report, contains 12 principles that are standard hallmarks of data privacy. They include ensuring that the information collected is relevant and timely, that it is collected for a specific and legitimate purpose -- in this case, for law enforcement, and that people have access to their data and a means to correct inaccuracies.
It specifies that anyone may have administrative redress for concerns about misuse of data and notes that FOIA allows judicial redress to anyone.
The accord has been the subject of E.U.-U.S. talks since February 2007 -- an effort to "stop the fighting," said Paul Rosenzweig, DHS deputy assistant secretary for policy, referring to difficult negotiations over the transmission of air passenger records and financial transaction data from Europe to the United States.
"The entire point of this exchange of views is for us to discuss with the Europeans what our safeguards are and for them to show us what their safeguards are so that we can be confident that the safeguards each is using are suitable," Rosenzweig said. On the U.S. side, that includes limits on access, how long data can be kept, what the information can be used for and punishment for people who violate the rules, he said.
The Bush administration hopes to finalize the accord by the end of the year.
But European parliamentarians are concerned that broad exceptions could be written into the rules and that a lack of effective redress remedies could open the door to misuse. "The whole issue is not about giving your private data to the United States but not being able to control it and not knowing who is going to protect that data, whether or not a court is going to have any power to correct abuses because abuses are going to take place," said Ignasi Guardans, a member of parliament from Spain.
One solution, he said, would be applying 1974 Privacy Act protections to European citizens, which would allow them to ask a court to force an agency to provide access to personal records held on them and to correct errors.
To do so would require Congress to amend the law, Rosenzweig said, adding that the administrative remedies are at least as effective as going to court. DHS's TRIP has cleared thousands of people off the no-fly list, for example, he said.
Moreover, the Privacy Act is no panacea, as the U.S. government generally exempts national security databases from the statute's judicial-review provision, Sobel said. "In reality," he said, "American citizens are in the same boat as Europeans are."