The Mobility Matters Bulletin reviews significant legal and policy developments regarding the secure movement of people and cargo across borders. Steptoe & Johnson LLP offers clients comprehensive counseling on these matters, including insights from former senior government officials responsible for homeland security laws and policies.
Air Cargo Developements
- The detection of explosives in air cargo bound for the United States has put the spotlight on the risks of inbound air cargo. Previous issues of this newsletter have discussed at length the new requirements for screening passenger plane air cargo. Key points in the new debate include the following:
- Most importantly, the US government lacks a process to obtain data and analyze risks with respect to air cargo. This situation is in stark contrast to the robust systems for obtaining and analyzing risks regarding inbound passengers and inbound maritime cargo.
- Thanks to good work by the Transportation Security Administration (TSA), there is a reasonably protective system for conducting physical screening of cargo on passenger planes traveling within or from the United States. But this leaves uncovered cargo on: (i) “all-cargo” flights; and (ii) many flights (whether passenger or all-cargo) from foreign locations headed to the United States.
- It would not be hard to develop a risk-rating system for air cargo that would cover all flights with a US nexus (whether inbound or domestic departure; whether passenger or all-cargo). Under current rules, data on air cargo (such as cargo contents, carrier, departure and arrival points, shipper identity, etc.) generally must be provided to Customs and Border Protection (CBP) either (i) before a flight departs to the United States (for flights departing from within North America) or (ii) four hours before the flight lands (for flights departing from outside North America). That often is inadequate time for even a well-automated risk assessment, and in any event this information generally is not used to assign risks to cargo.
- We were fortunate to have good intelligence and law enforcement work that prevented a catastrophe from the air cargo explosives plot last week. But the Department of Homeland Security (DHS) now will be under pressure to revise its data collection system (including timing requirements) into a robust data screening system to provide an added layer of protection.
- The alternatives to such a data screening system are not good. Congressman Markey has vowed to push through new rules that would require "100% screening" of cargo on all-cargo flights; to the extent such a requirement would entail physical screening rather than data screening, such a mandate would be impractical and both security and business would suffer.
Renegotiating the Passenger Name Record (PNR) Agreement
- United States law requires airlines operating flights to or from the United States to provide the DHS with certain passenger reservation information (passenger name record data or PNR) to facilitate secure and efficient travel.
- PNR contains a variety of information provided routinely by a passenger, such as name, address, itinerary, and details of the reservation (such as travel agency and payment information). PNR may include other information provided by a passenger during the booking process, such as affiliation with a frequent flier program.
- In 2007, following several years of negotiations, the United States and the European Union (EU) reached an agreement governing the transfer of PNR data to DHS. This agreement—which satisfied both US and EU law—was intended to remain in effect until 2014. However, it was not ratified by the requisite number of EU member states by December 2009 when the Lisbon Treaty came into effect. The Lisbon Treaty grants the European Parliament new authority over PNR and other law enforcement and security accords and in May 2010, the Parliament—voicing privacy and data protection concerns—called for a renegotiation of the agreement.
- In late September 2010 the European Commission adopted recommendations for negotiating a new PNR agreement with the United States. The recommendations touched on several issues that have been at the center of US-EU privacy and data protection discussions for years, including the nature of oversight and the availability of redress.
- For its part, DHS strongly believes that the 2007 PNR agreement has been successful in both protecting the data and privacy of individuals and helping to prevent terrorism and crime.
- It is unclear when formal renegotiations will begin; the EU is expected officially to adopt its new negotiating mandate by the end of the year.
- Depending on its final form, a new PNR agreement may have consequences for other multilateral and bilateral law enforcement and security agreement between the United States and Europe, including those designed to combat crime by exchanging biometric information.
PS-Prep Opportunities for Transportation Companies
- There has been growing interest among transportation companies in the Department of Homeland Security’s “Voluntary Private Sector Preparedness Accreditation and Certification Program,” generally called PS-Prep. At least two reasons may account for this: first, it is increasingly apparent that the program can affect the bottom line; and second, DHS just announced that small businesses will be able to self-certify as having met preparedness standards, which can significantly decrease certification costs.
- PS-Prep identifies widely accepted preparedness standards – basically guides to drafting company emergency procedures – and encourages incorporation of these standards into company policies. Companies that incorporate any of the standards may choose to get certified by an accrediting organization.
- As to the impact on a business’ bottom line, it’s likely that insurance companies will start weighing certifications when assessing risks and fixing premiums. When you insure your home, for example, the insurance company’s assessment of risk and your insurance premium often are affected by considerations such as whether you have a burglar alarm, fire alarm, or both. PS-Prep certifications for businesses likely will function in much the same way: a business’s insurance premium may be lower or higher based in part on whether the business has been certified under PS-Prep.
- One reason that insurance premiums may be lower for companies certified under PS-Prep is that certifications can improve the odds for companies defending against litigation and government investigations. People who have been physically or financially damaged in emergencies typically assert that more should have been done to prepare. The aftermath of the September 9 pipeline explosion in San Bruno, California provides a recent example. That explosion, which killed eight people and caused massive property damage, is the subject of lawsuits and government investigations. A Senate panel recently focused on the pipeline company’s response to the explosion, with California’s Senator Boxer saying that “it doesn’t sound to me that there was a response plan in place that actually functioned.” If a company has to prove that response plans were adequate, a certification that the company met DHS standards can be a powerful element of proof.
- As for self-certification, DHS’s Federal Emergency Management Agency (FEMA) made a proposal in an October 1 Federal Register Notice. Under FEMA’s proposal, two classes of businesses would have the option of self-certifying, rather than being certified by an independent accrediting body (as is generally required for PS-Prep certification). The two classes eligible for self-certification are: (1) small businesses as defined in the Small Business Administration's regulations at 13 CFR Part 121; and (2) other non-governmental entities with fewer than 500 employees that do not meet the requirements of 13 CFR Part 121.
- DHS explained that the self-declaration process will be similar to what is sometimes known as a manufacturer’s or supplier’s declaration of conformance. This is based on an accepted industry practice whereby manufacturers or suppliers formally declare that their products or services conform to relevant standards. DHS specifically proposed that self-declaration be based upon the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard 17050-1, “Conformity Assessment—Supplier's Declaration Assessment—Supplier's declaration of conformity—Part 1: General requirements” and ISO/IEC standard 17050-2, “Conformity Assessment—Supplier's declaration of conformity—Part 2: Supporting documentation.”
- The combination of the increased likelihood of a bottom-line impact and the lower costs for small business participation have led to growing interest in DHS’s PS-Prep program.