AGENCY:

Privacy Office, DHS.

ACTION:

Final rule.

SUMMARY:

The Department of Homeland Security is issuing a final rule to amend its regulations to exempt portions of a Department of Homeland Security/U.S. Customs and Border Protection system of records entitled the, “Department of Homeland Security/U.S. Customs and Border Protection—007 Border Crossing Information System of Records.” Specifically, the Department exempts portions of the Department of Homeland Security/U.S. Customs and Border Start Printed Page 5492Protection—007 Border Crossing Information System of Records from provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements.

DATES:

Effective Date: This final rule is effective February 3, 2010.

FOR FURTHER INFORMATION CONTACT:

For general questions please contact: Laurence E. Castelli (202-325-0280), Privacy Officer, U.S. Customs and Border Protection, Office of International Trade, Mint Annex, 799 Ninth Street, NW., Washington, DC 20001-4501. For privacy issues please contact: Mary Ellen Callahan (703-235-0780), Chief Privacy Officer, Privacy Office, U.S. Department of Homeland Security, Washington, DC 20528.

SUPPLEMENTARY INFORMATION:

Background

The Department of Homeland Security (DHS) published a notice of proposed rulemaking in the Federal Register, 73 FR 43374, July 25, 2008, proposing to exempt portions of a system of records from provisions of the Privacy Act because of criminal, civil, and administrative enforcement requirements. The system of records is the DHS/U.S. Customs and Border Protection (CBP)—007 Border Crossing Information system. The DHS/CBP—007 Border Crossing Information system of records notice was published concurrently in the Federal Register, 73 FR 43457, July 25, 2008, and comments were invited on both the notice of proposed rulemaking and system of records notice. Comments were received on the notice of proposed rulemaking and system of records notice.

Public Comments

Forty-eight comments were received on the system of records notice (SORN). Of those forty-eight comments, three comments were submitted in duplicate, one comment was submitted in triplicate, and one comment was submitted in quintuplicate. Accordingly, after accounting for the repetitive submissions, thirty-nine original comments were received on the system of records notice. Additionally, the same commenter posted comments twice on the notice of proposed rulemaking (NPRM) however, it was only one comment. Therefore only one original comment was received on the NPRM. The thirty-nine comments received on the SORN focused primarily on opposition either to the entire DHS/CBP—007 Border Crossing Information system of records or to specific aspects of the system including opposition to the proposed length of time the records would be maintained and several of the routine uses listed for the system. Several comments stated opposition to the system because they alleged that the system was unconstitutional. The one comment on the NPRM was against the proposed Privacy Act exemptions because the commenter believed that not all records within DHS/CBP—007 Border Crossing Information system of records are law enforcement data and exempting the DHS/CBP—007 Border Crossing Information system of records information from the Privacy Act would make it extremely difficult to contest and/or fix errors in the data, a right which is provided for in the Privacy Act. DHS notes that several comments submitted in conjunction with the SORN expressed disagreement with DHS' use of the Privacy Act exemptions. However, the comments were not submitted in response to the NPRM. The following is a synopsis of the comments received and DHS' response.

General Comments

Comment: No records should be maintained on law abiding U.S. citizens. Lawful border crossing of U.S. citizens should not be tracked. The focus should be on illegal entrants and non-U.S. citizens.

Response: Throughout its 219 year history, and beginning with actions by the First Congress of the United States, CBP and its principal legacy components, the Immigration and Naturalization Service (INS) and the U.S. Customs Service, have possessed the authority to stop and search all persons, conveyances, and cargo attempting to cross the U.S. border. The DHS/CBP—007 Border Crossing Information system of records is a tool that is by utilized CBP in performance of its mission at U.S. borders. The responsibility of CBP at the U.S. borders encompasses all persons crossing the borders, including U.S. citizens.

Furthermore, as explained in the DHS/CBP—007 Border Crossing Information system of records, the system does not represent a new or expanded collection of information by CBP. Rather, CBP is providing increased information regarding the agency's historical practices.

Comment: This system should be classified. The collected information should only be used for National Security purposes.

Response: The DHS/CBP—007 Border Crossing Information system of records was published as part of DHS's ongoing effort to increase transparency regarding the collection of information at the Department. Accordingly, if the system were classified, the public would generally not have access to information in the system either under the Privacy Act or the Freedom of Information Act.

Moreover, in CBP's judgment the system's level of classification is commensurate with the type of information maintained in the system and the agency has put in place adequate measures to ensure the integrity of the system.

Comment: The system should not be exempted from the Freedom of Information Act.

Response: The system is not exempted from the Freedom of Information Act. The Privacy Act by its terms at 5 U.S.C. 552a(b)(2) specifically provides for access to information in a system of records, including exempt systems of records, through a request made under the Freedom of Information Act. In response to a Freedom of Information Act request, and in accordance with that statute, the government may exempt certain portions of responsive records from disclosure when providing an individual with information about him or herself.

Comment: Criminal penalties for misuse of data must be specified with no exceptions for government employees.

Response: The Privacy Act authorizes criminal penalties for misuse of data maintained in a system covered by the Privacy Act. 5 U.S.C. 552a(i). There are no exceptions for criminal conduct committed by government employees. Additionally, CBP identifies misuse of information in its information systems as a specific violation applicable to all CBP employees. Employees may be dismissed from CBP for mishandling or misusing information maintained in CBP's systems and may be subject to criminal or civil penalties.

Comment: The system should have an audit trail and information should only be accessed if there is need to know.

Response: This system has a clear audit trail of who has accessed the system and who has accessed what records, so that if there are concerns about an individual's use of the system it can be tracked. CBP's Office of Internal Affairs regularly reviews the use of the system to ensure it is being used properly. CBP recognizes the need to prevent misuse of any information it collects. Therefore, CBP has implemented several internal controls to mitigate threats to the integrity of its systems. Access to CBP's systems is governed by a strict policy that implements rights and responsibilities to information. This means that only CBP employees with a need to know have access to information that falls Start Printed Page 5493within the performance of official duties. Furthermore, CBP requires that all employees participate in regular privacy awareness training to receive automated systems access and requires that employees periodically re-attend such training to continue their access. CBP also identifies misuse of information in information systems as a specific violation applicable to all CBP employees. Employees may be dismissed from CBP for mishandling or misusing information maintained in CBP's systems and may be subject to criminal or civil penalties.

Comment: DHS should have an updated System of Records Notice for TECS.

Response: A new system of records notice for TECS was published in December 2008. DHS/CBP—011 TECS (73 FR 77778, December 19, 2008).

Comment: The system security for the DHS/CBP—007 Border Crossing Information system of records data has not been adequately addressed.

Response: Multiple security measures are in place for data collected in DHS systems. CBP uses routers, firewall and intrusion detection systems to prevent unauthorized access to its systems. Any information stored via backup tape is protected through strict physical safeguards and other technical safeguards to ensure it cannot be inappropriately accessed.

Access and Redress Comments

Comment: Exempting information within the DHS/CBP—007 Border Crossing Information system of records from certain provisions of the Privacy Act will make it extremely difficult, if not impossible, for individuals to fix errors that show up in the database.

Response: CBP respectfully disagrees. CBP has not proposed exempting access to the DHS/CBP—007 Border Crossing Information system of records by individuals who have a system record that pertains to them. To the contrary, the DHS/CBP—007 Border Crossing Information system of records delineated procedures for contesting system records. The relevant section of the SORN states: “Requests to amend a record must be in writing and should be addressed to the CBP Customer Service Center (Rosslyn, VA), 1300 Pennsylvania Avenue, NW., Washington, DC 20229; Telephone (877) 227-5511; or through the “Questions” tab at http://www.cbp.gov.xp.cgov/​travel/​customerservice.” Requests should conform with the requirements of 6 CFR Part 5, Subpart B, which provides the rules for requesting access to Privacy Act records maintained by DHS and can be found at http://www.dhs.gov/​foia. The envelope and letter should be clearly marked “Privacy Act Access Request.” The request should include a general description of the records sought and must include the requester's full name, current address, and date and place of birth. The request must be signed and either notarized or submitted under penalty of perjury.

If individuals are uncertain what agency handles the information, they may seek redress through the DHS Traveler Redress Program (DHS TRIP) (72 FR 2294, January 18, 2007). DHS TRIP is a single point of contact for individuals who have inquiries or seek resolution regarding difficulties they experienced during their travel screening at transportation hubs, such as airports, seaports and train stations or at U.S. land borders. Through DHS TRIP, a traveler can request correction of erroneously stored data in other DHS databases through one application. Redress requests should be sent to: DHS Traveler Redress Inquiry Program, 601 South 12th Street, TSA-901, Arlington, VA 22202-4220 or online at http://www.dhs.gov/​trip.

Retention Period Comments

Comment: The retention period is too long for records about people that have committed no crime.

Response: The fifteen-year and seventy-five year retention periods proposed for the DHS/CBP—007 Border Crossing Information system of records were determined in order to allow CBP to effectively pursue its law enforcement mission while addressing privacy concerns. The fifteen-year retention period will allow CBP to access the data when needed for a law enforcement purpose yet permit the removal of the data in a time period significantly shorter than other systems. The seventy-five year period for non-immigrant aliens will allow for proper administration of certain immigration benefits as well as other law enforcement purposes. Furthermore, it should be noted, that while the DHS/CBP—007 Border Crossing Information system of records information is maintained for a number of years, any access to the information will always require a “need to know” by any person accessing the information. Access by persons without a proper “need to know” may result in criminal penalties and/or disciplinary actions.

Routine Uses

Comment: Under the listed Routine Uses, potential interested parties with whom the DHS/CBP—007 Border Crossing Information system of records information may be shared, such as press, foreign governments, State, prospective employers, students, contractors, etc., is too broad and not consistent with the reason for collecting the information.

Response: CBP, and its predecessor agencies, INS and the U.S. Customs Service, have signed Memoranda of Understandings (MOUs) or entered into agreements with a wide variety of Federal, State, and local agencies with an interest in maintaining border security and law enforcement; similar arrangements are in place with other nations in the form of Customs Mutual Assistance Agreements (CMAAs) and other information-sharing agreements and arrangements. The terms of these arrangements specify the necessity of sharing information and highlight the fact that the types of information sharing described in the SORN are neither unique nor a new practice for border authorities. Additionally, all MOUs and other arrangements for the sharing of information contain specific provisions relating to the responsibilities of the receiving party to keep the information confidential, protected, and secure. DHS does not share PII with domestic or foreign governments or multilateral organizations which DHS is not confident will protect the privacy interests of the data subject.

The routine uses identified are consistent with CBP's role as a law enforcement agency that enforces over 400 statutes on behalf of more than 40 agencies in the Federal Government. DHS is charged in its authorizing statute, specifically section 892 of the Homeland Security Act of 2002, to facilitate the sharing of terrorist information across the government. In addition, The Intelligence Reform and Terrorism Prevention Act of 2004 required the President to establish an Information Sharing Environment “that facilitates the sharing of terrorism information.” Following this enactment, on October 25, 2005, the President issued Executive Order 13388, directing that DHS and other agencies “promptly give access to * * * terrorism information to the head of each other agency that has counterterrorism functions” and establishing a mechanism for implementing the Information Sharing Environment.

In addition, routine use O. permits CBP to share information with the press where such a release would inform the public about the performance of CBP's border security mission, such as the release of information pertaining to an arrest of a person attempting to enter the United States with bomb making materials in the trunk of his/her car. Start Printed Page 5494Such uses are consistent with CBP's and DHS's overall law enforcement mission and serve to inform the public of how that mission is being accomplished. The particular routine use includes protections to balance the privacy interests of the person, whose information may be disclosed, with the public's right to know how the government is accomplishing its mission; this is the traditional balance that has always been struck between privacy and the public's right “to know what its government is up to.”

Comment: The listed Routine Use for sharing for civil cases is not consistent with the mission against terrorism.

Response: The priority mission of CBP is to prevent terrorist and terrorists' weapons from entering the United States while facilitating legitimate travel and trade. In performance of its duties at the border, CBP, as a law enforcement agency, enforces over 400 statutes on behalf of more than 40 agencies in the Federal government. As such, the enforcement is not always criminal in nature and the sharing of DHS/CBP—007 Border Crossing Information system of records information in certain civil matters is understandable and consistent with CBP overall mission. Again, the DHS/CBP—007 Border Crossing Information system of records does not represent a new collection of information, and the routine use for civil purposes is consistent with CBP's historical treatment of this information.

Comment: Routine Uses are vague, overbroad and in some instances unnecessary.

Response: CBP is a law enforcement agency that enforces over 400 statutes on behalf of more than 40 agencies in the Federal government. In addition, CBP and its predecessor agencies, the INS and U.S. Customs Service, have signed MOUs or similar agreements with a wide variety of Federal, State and local agencies with border security and law enforcement interests and have similar accords with other nations in the form of CMAAs and other information sharing agreements or arrangements. The DHS/CBP—007 Border Crossing Information system of records Routine Uses are established to facilitate the sharing of specific information in furtherance of these shared law enforcement missions. The Routine Uses set forth at great length in the DHS/CBP—007 Border Crossing Information system of records also provides notice and transparency to the public as to nature and extent of the sharing of system data while containing appropriate parameters to limit the sharing to discrete purposes.

Privacy Act Statutory Comments

Comment: The system is not consistent with DHS principles of minimization and the Fair Information Practice Principles, specifically the length of retention, and as such should be amended to comply with these standards.

Response: CBP collects the minimum amount of information to properly record the border crossing event of an individual and facilitate CBP's border security, law enforcement and counterterrorism functions. Additionally, as discussed, the length of retention for information stored in the system was established to allow CBP to effectively pursue its border security, law enforcement and counterterrorism missions, while addressing privacy concerns.

Legal or Constitutional Comments

Comment: The system is unconstitutional. No records should be maintained in the system without probable cause that something is illegal nor should any records be shared without probable cause.

Response: As the U.S. Supreme Court has stated, “[i]t is axiomatic that the United States, as sovereign, has the inherent authority to protect, and a paramount interest in protecting, its territorial integrity.” United States v. Flores-Montano, 541 U.S. 149, 153 (2004). Indeed, “the Government's interest in preventing the entry of unwanted persons and effects is at its zenith at the international border.” Id. at 152. For this reason, the U.S. Supreme Court has held that stops and examinations are reasonable in the absence of a warrant or probable cause when they are conducted at the U.S. border, see Carroll v. United States, 267 U.S. 132, 153-54 (1925), and the “functional equivalent of the border,” such as international airports, see United States v. Irving, 432 F.3d 401, 414 (2nd Cir. 2005).

Under the border search exception, routine stops and examinations conducted at the border are reasonable for Fourth Amendment purposes “simply by virtue of the fact that they occur at the border,” and may be conducted without any individualized suspicion. United States v. Ramsey, 431 U.S. 606, 616 (1977). In addition, the Congress has specifically authorized CBP to collect the information maintained in the system. (see, e.g., 49 U.S.C. 44909 for information collected through the DHS/CBP—005 Advance Passenger Information system of records (73 FR 68435, November 18, 2008)).

Comment: The system is prohibited by the Privacy Act because it involves the collection and retention of records pertaining to activities protected by the First Amendment (i.e., “right of assembly”).

Response: The broad authority of CBP to conduct activities relating to the entry or exit of persons or things into or out of the United States is codified at title 19 of the United States Code (U.S.C.), in sections 482, 1461, 1496, 1499, and 1581-83, and title 8, U.S.C. 1357. The system is a decision-support tool used by CBP officers to execute this lawful border enforcement authority and does not violate the right of citizens to assemble.

Privacy Act Exemptions Comments

Comment: There is no good reason for exempting a system of this type from the Privacy Act. All people for whom the government holds records ought to have the ability to review, amend, or correct information maintained by the government.

Response: The suggested exemptions from the Privacy Act listed in the DHS/CBP—007 Border Crossing Information NPRM (73 FR 43374, June 25, 2008) were selected to allow maximum transparency of data collected in the system while simultaneously allowing CBP to perform its border enforcement mission. For example, if the system did not have the proposed exemption from subsection (c)(3) of the Privacy Act, (5 U.S.C. 552a (c)(3)), the fact that certain DHS/CBP—007 Border Crossing Information system of records information was shared with a law enforcement agency could disclose to the subject of an investigation the existence of such an investigation, and reveal investigative interest on the part of DHS as well as the recipient agency. Disclosure of the accounting could possibly allow the suspect individual to impede the investigation and present a serious concern to successful law enforcement efforts and possibly compromise national security.

Public Recommendations

The submitted public comments offered numerous suggestions concerning DHS/CBP—007 Border Crossing Information system of records. Those suggestions ranged from cancellation of the system in its entirety, to proposed modifications to the system to enable it to meet concerns raised in the comments. Some of the suggested modifications included the following:

• Records not be shared without probable cause support by a court order (already in Privacy Act);
• Penalties for misuse of data (already exist);
• This system should be classified;Start Printed Page 5495
• Retention of records should only be in cases were there is a reasonable suspicion of criminal or terrorist activity;
• The retention period should be shortened;
• Records should only be maintained on non-U.S. Citizens; and
• Records should only be shared pursuant to a court order.

Responses to all these recommendations have been provided elsewhere within this document.

Upon careful review of the submitted public comments, having taken into consideration public comments resulting from this NPRM and SORN, as well as the Department's position on these public comments, DHS has determined that for the reasons stated, it is important that the exemptions remain in place. DHS will implement the rulemaking as proposed.

List of Subjects in 6 CFR Part 5

• Freedom of information; Privacy

For the reasons stated in the preamble, DHS amends Chapter I of Title 6, Code of Federal Regulations, as follows:

PART 5—DISCLOSURE OF RECORDS AND INFORMATION

1. The authority citation for Part 5 continues to read as follows:

Authority: Pub. L. 107-296, 116 Stat. 2135, 6 U.S.C. 101 et seq.; 5 U.S.C. 301. Subpart A also issued under 5 U.S.C. 552. Subpart B also issued under 5 U.S.C. 552a.

2. Add at the end of Appendix C to Part 5, Exemption of Record Systems under the Privacy Act, the following new paragraph “46”:

Appendix C to Part 5—DHS Systems of Records Exempt From the Privacy Act

46. The DHS/CBP—007 Border Crossing Information system of records will maintain border crossing information on travelers who are admitted or paroled into the United States. This information includes: certain biographical information; a photograph (if available); certain itinerary information provided by air and sea carriers and any other forms of passenger transportation, including rail, which is or may subsequently be mandated, or is or may be provided on a voluntary basis; and the time and location of the border crossing. This system may contain records or information pertaining to the accounting of disclosures made from DHS/CBP—007 Border Crossing Information system of records to agencies (Federal, State, Local, Tribal, Foreign, or International), in accordance with the published routine uses. For the accounting of these disclosures only, the Secretary of Homeland Security has exempted this system from the following provisions of the Privacy Act, subject to the limitations set forth in 5 U.S.C. 552(c)(3); (e)(8); and (g) pursuant to 5 U.S.C. 552a(j)(2). Additionally, for the accounting of these disclosures only, the Secretary of Homeland Security has exempted this system from the following provisions of the Privacy Act, subject to the limitations set forth in 5 U.S.C. 552(c)(3); (e)(8); and (g) pursuant to 5 U.S.C. 552a(k)(2). Further, no exemption shall be asserted with respect to biographical or travel information submitted by, and collected from, a person's travel documents or submitted from a government computer system to support or to validate those travel documents. After conferring with the appropriate component or agency, DHS may waive applicable exemptions in appropriate circumstances and where it would not appear to interfere with or adversely affect the law enforcement purposes of the systems from which the information is recompiled or in which it is contained. Exemptions from the above particular subsections are justified, on a case-by-case basis to be determined at the time a request is made, when information in this system or records is recompiled or is created from information contained in other systems of records subject to exemptions for the following reasons:

(a) From subsection (c)(3) (Accounting for Disclosures) because making available to a record subject to the accounting of disclosures from records concerning him or her would specifically reveal any investigative interest in the individual. Revealing this information could reasonably be expect to compromise ongoing efforts to investigate a violation of U.S. law, including investigations of a known or suspected terrorist or criminal, or other person of interest, by notifying the record subject that he or she is under investigation. This information could also permit the record's subject to take measures to impede the investigation, e.g., destroy evidence, intimidate potential witnesses, or flee the area to avoid or impede the investigation.

(b) From subsection (e)(8) (Notice to Individuals) because to require individual notice of disclosure of information due to compulsory legal process would pose an impossible administrative burden on DHS and other agencies and could alert the subjects of counterterrorism or law enforcement investigations to the fact of those investigations when not previously known.

(c) From subsection (g) (Civil Remedies) to the extent that the system is exempt from other specific subsections of the Privacy Act.