Failure to comply with privacy standards at the Customs and Borders Protection agency in the US

In the past, as well as, currently the Customs and Border Protection (CBP) agency of the USA has been questioned on their failure to provide complete and accurate privacy notices and conduct appropriate audits. This time the failure was in the ability to ensure that the agency’s facial recognition technology used for identity checks complied with privacy standards set by the legal privacy framework.

The Government Accountability Office (GAO) has published the audit report which states that the communication practices relating to how CBP informs the public are problematic. The information about its facial recognition program is inadequate. This includes a lack of informative actions and analysis such as the use of signs with inaccurate information. These are hard to see at ports of entry such as land border crossings, international airports and seaports.

The CBP has also audited just one of its 27 airline partners involved in deploying facial recognition technology. This will help in gauging whether the involved partners are complying with the privacy policies set out under the law.

GAO completed the audit at the request of Rep. Bennie Thompson, D-Miss., who is chairman of the House Homeland Security Committee, and Sens. Ron Johnson, R-Wis., and Gary Peters, D-Mich., along with the members of the Senate Homeland Security and Governmental Affairs Committees, respectively.

According to the auditors: “We have done a number of reviews looking at CBP’s efforts to develop and implement a biometric entry and exit system and we have, over the years, identified long-standing challenges in CBP’s efforts to develop and implement that system,” Gambler said.

The technology was implemented in May 2020. The privacy protection practices are not up to the international best practice as yet.

The privacy findings fall into two categories:

  • Upholding privacy commitments by informing the public about facial recognition technology, including information about how to opt-out of participation in the program.
  • CBP’s plans to conduct oversight of the program’s partners.

Now, the GAO’s audit is based on visits to sites where facial recognition technology is deployed and interviews with local CBP agents conducted. They shall engage in reviews of program documents like schedules and reports from pilot tests. A series of Data and Privacy Impact Assessments will follow. A joint CBP and Transportation Security Administration report on facial recognition technology will be then submitted to Congress.

GAO found multiple problems with signage at airports which will now be updated.

“The notices are really intended to provide travellers with information about CBP’s use of facial recognition technology, including locations where the technology is deployed and how the data collected is going to be used, and the notices are also to provide information on procedures for opting out if that’s applicable,” Auditors mentioned.

Don’t Risk €20 Million in Fines
—Ensure Compliance Today

Worth €30/Month