Book Review: Guide to U.S. Government Practice of Global Sharing of Personal Information
By Janet Steinman, CIPP/US
When information sharing using computer technology began in the 1970s, the issues were mainly the coordination of government benefits for foreign nationals living or working abroad. As time has passed and the issues have broadened to sharing personally identifiable information (PII) in order to investigate and prevent international crime—including fraud that could harm market integrity, and most notably, terrorism—data protection laws and international agreements have become more widespread and complex. New U.S. and international data privacy and security principles have also become more numerous and complicated.
John W. Kropf, CIPP/US, CIPP/G, a lawyer whose career has included serving in the U.S. Department of Homeland Security, U.S. Department of State and USAID, has brought together a considerable amount of information regarding these principles, standards and agreements and written about them in the Guide to US Government Practice on Global Sharing of Personal Information.
In addition to the laws of individual nations, there are various Memoranda of Understanding, Mutual Legal Assistance Treaties and other treaties between the U.S. government and foreign governments. The plethora of laws, the question of which laws apply to particular transactions, which agency administers the laws, what the private sector is required to do and what it is prohibited from doing and the international agreements in data protection pose a complex tangle of questions for the legal professional. This guide makes the research regarding international agreements and the principles behind them considerably easier.
Kropf’s introduction includes sections on political, legal, foreign policy and national security considerations. Since September 11, 2001, public safety and law enforcement are uppermost in the minds of individuals and their governments. The U.S. has entered into a number of agreements to share PII with foreign nations. Which nations the U.S. federal government shares information with depends on each nation’s privacy laws, how close an ally it is, the due process protections it provides and its general track record of trustworthiness.
This guide sets forth the U.S. principles that are reflected in these agreements. They are the Fair Information Practice Principles (FIPPs), the U.S. information sharing environment, information sharing guidelines plus principles regarding both obtaining and sharing information from foreign governments. The Department of Homeland Security (DHS) was the first U.S. agency to adopt the FIPPs following 9/11. The FIPPs include the principles that the existence of and reason for the collection of data should be communicated to the data subject and that PII should be handled securely.
Other U.S. principles include the Intelligence Reform and Terrorism Prevention Act of 2004, which established the Information Sharing Environment (ISE), “an approach that facilitates the sharing of terrorism information.” Based on the ISE, the U.S. exchanges biographic and biometric information with foreign partners about known and suspected terrorists. The U.S. also shares such information with international crime-solving entities such as INTERPOL. Kropf also discusses international principles from APEC and OECD.
There is a chapter on practices by the U.S. government, which include collection and use limitations, third-party disclosure questions and special issues regarding the EU. Many countries, particularly in Europe, consider data privacy to be a basic human right and say so in their constitutions. The U.S. has a less expansive concept of protecting PII. These and other principles are set forth in the EU-U.S. High Level Contact Group (HLCG), which includes the universally recognized FIPPs. Onward transfers to third countries, from either the sending party or a private party, may only occur if permitted under the domestic privacy laws of the receiving country and in accordance with applicable international arrangements and agreements between the sending and receiving countries.
The heart of the guide is, of course, the information sharing agreements themselves. While not exhaustive, these provide useful and hard-to-find examples of the issues considered and the language used to address them. Both U.S. government and international PII-sharing agreements are presented. In addition to the U.S. DHS, FTC, SSA, Department of the Treasury and the CFTC, there are a total of nine U.S. government entities that administer such agreements with foreign public entities.
This reader would have benefitted from a glossary of the multitude of acronyms, a list of all the treaties discussed and an expanded index. Kropf’s book otherwise fills a need for readily accessible information on the topic. It provides an outstanding overview of U.S. and foreign laws of PII protection and how they are addressed between U.S. and foreign governments, the reasons behind them and useful examples.
Janet Steinman, JD, CIPP/US, is a member of the Harvard Law School Online Media Legal network and the American Bar Association Advisory Panel. She is experienced in laws on information technology, data licensing, e-commerce, computer technology, software development and licensing, U.S. and foreign data privacy and security laws including HIPAA and GLBA, among others.