CBP's C-TPAT System of Records Raises Major Privacy Concerns, Say Trade Groups

CBP should "revoke implementation" of the C-TPAT system of records, said the American Association of Exporters and Importers (AAEI) in comments (here). The SORS "directly contradicts the spirit and original intent of C-TPAT and risks jeopardizing the continued success of the program," said AAEI. CBP's notice announcing the system of records said the system would be implemented as of April 12 "unless comments are received that result in a contrary determination." There's been no indication that plan hasn't gone forward and CBP didn't return a request for comment. The waiver of privacy issues is a separate proposal and is still in the administrative process.

The agency hasn't gone through the proper "consultation" with Commercial Operation Advisory Committee (COAC) regarding the collection and sharing of the confidential data, as required under the SAFE Port Act that created C-TPAT, said AAEI. The SAFE Port Act also requires CBP to ensure the protection of commercial data, but the SORS notice names several cases that would allow for CBP to release proprietary data as a matter of "routine use," the association said. One such "routine use" described by the agency says the data could potentially be given to the media "when there exists a legitimate public interest in the disclosure of the information or when disclosure is necessary to preserve the confidence in the integrity of" the Department of Homeland Security. AAEI worries about the breadth of the term "routine use" that is potentially damaging to the C-TPAT program, it said.

TechAmerica agreed that the SORS creates something different from what was originally described to C-TPAT members that provided their information to CBP. Prospective members must sign an C-TPAT agreement that specifically states that CBP will ensure confidentiality of that information and "the proposal to release C-TPAT information to other federal, state and local agencies, foreign governments, third parties and the media breaches the C-TPAT Agreement," said TechAmerica (here). C-TPAT members joined the program in the name of supply chain security and "to take that data and now use it for furtherance of non-supply chain security activities without limitation by and for other federal, state and local agencies, foreign governments, third parties, and the media is to misappropriate that data from its intended use," the group said. There's also significant concern as to how CBP will handle information from existing members that decide to withdraw from the program and CBP should give more time to allow members to withdrawal before the SORS goes into effect, it said.

The U.S. Council for International Business (USCIB) was also among the concerned parties and requested that CBP extend the deadline for comments. While a set of Frequently Asked Questions released earlier this month (see 13040312) said the C-TPAT information would continue to be protected at the same level and that the SORS and related proposed rulemakings are meant to add privacy protections, "questions remain about how this will unfold practically," said USCIB.

More Info Needed on Privacy Act Exemptions

Brother International, a Tier III C-TPAT member, sought a number of clarifications from CBP regarding the separate notice of proposed rulemaking (NPRM) that would exempt from privacy laws certain parts of the SORS. For instance, Brother International in its comments (here) asked why CBP discusses the release of business information as part of the proposed exception to disclosure provisions in the Privacy Act, which only applies to information about individuals. It's also unclear under what provisions of the Privacy Act CBP believes it has the authority to release business information, seemingly considered by CBP to be equal to Personally Identifiable Information. The company also wondered if CBP, previous to the SORS notice, maintained a database related to C-TPAT, and, if so, how those records will be considered since they have never been part of the SORS. The company also wonders if CBP believes the information could ever be used for "trade compliance purposes" as part of the agency's state goal of using the information for "trade facilitation."

Another troubling aspect about the proposed Privacy Act exemptions is the involvement of "law enforcement investigations," said The Retail Industry Leaders Association (RILA) in its comments (here). "It is worth noting that C-TPAT does not have criminal penalties associated with the program itself, even if a company is found to be ineligible," it said. "Thus, the application process is not in and of itself a law enforcement investigation with a committed crime and the C-TPAT applicant as a suspect." The relationship between industry and CBP as part of C-TPAT is important, with the members' role similar to a neighborhood watch, the group said. The SORS notice and NPRM "appear to jeopardize the trust and partnership that permit the agency to prioritize risks."

The pace at which the SORS is being implemented is also of worry, said RILA. The planned implementation date, April 12, provides for "a surprisingly short timeframe to solicit comments, and it appears to dissuade comments from being made," the group said. Also unclear is how seriously the agency will consider comments that are made considering the system was to be automatically implemented, it said. "We urge the agency to invest the time and resources necessary to fully evaluate and respond to the comments that you receive before you implement the proposal."