Participants in the Customs Trade Partnership Program Against Terrorism (C-TPAT) program may be interested to know that U.S. Customs and Border Protection has published a concurrent “System of Records Notice” (SORN) and “Notice of Proposed Rule Making” (NPRM). The recent move by CBP now brings the information that CBP has gathered on C-TPAT members and prospective members under the explicit protection of the Privacy Act of 1974, while also allowing CBP to claim certain exemptions to the Privacy Act in order to prevent C-TPAT participants from knowing when their information has been shared with outside law enforcement agencies. Current and prospective participants should familiarize themselves with the recent changes and how those changes affect their business.
The Privacy Act
To understand the SORN and NPRM, businesses must start by understanding the basics of their rights under the Privacy Act of 1974. The relevant provisions of the Privacy Act for grappling with CBP’s recent move deal with the sharing of information to outside agencies.
The Privacy Act provides standards for the government in its collection, maintenance, dissemination, and use of a system of records. The important thing to know is that information may not be shared from C-TPAT outside of the Department of Homeland Security (DHS) unless (1) you provide consent to the sharing, (2) a statutory requirement compels the sharing, or (3) the sharing conforms to one of the listed Routine Uses and the receiving party has an official need to know the specific information being sought. Furthermore, when information is shared for law enforcement purposes, the subject of that investigation must be given notice that CBP has shared their information. Importantly, the Privacy Act also provides CBP with the power to claim exemptions from some of its provisions, provided that the public is given notice.
The “System of Records Notice” (SORN)
The first place to start in understanding the new records system is with the SORN itself, which informs the public of the system of record’s purpose. In the SORN and NPRM, CBP states that the purpose of the record keeping system is to “use information collected to carry out trade facilitation, law enforcement, and national security missions.” While businesses probably assumed for some time that this was C-TPAT’s purpose, what businesses may find perplexing about the SORN is why it is only now being published after the C-TPAT program has been in place for over a decade. Furthermore, what protections were C-TPAT participants entitled to prior to the SORN? The answers to these questions may be found in a recent FAQ publication by CBP (http://www.cbp.gov/xp/cgov/trade/trade_outreach/). In it, CBP states that “C-TPAT information for businesses and individuals is still protected to the same degree as before the publication of these documents” and that C-TPAT partners “will not experience any changes as a result of the publication of these documents or the subsequent Final Rule. These documents and the rulemaking process are used to reaffirm and provide notice to the public that PII (Personal Identifying Information) associated with C-TPAT businesses is protected under the Privacy Act of 1974 and will not be improperly collected, used, or disseminated.” This statement seems to indicate that businesses have always enjoyed the protections guaranteed under the Privacy Act, and can continue to expect those protections.
The Notice of Proposed Rule Making: CBP’s Exemption from the Privacy Act
While the SORN was a cause for confusion, it is the NPRM that is raising eyebrows. In the NPRM, CBP asserts an exemption that allows CBP to share information with outside agencies for the purpose of civil and criminal investigations without providing notice to the subject of the investigation. Once the Proposed Rule becomes a Final Rule, CBP will no longer be required to inform C-TPAT partners that it has shared the information gathered from them through the C-TPAT application and vetting process with law enforcement.
What Does All This Mean?
While CBP insists that the recent notice does not change its policies in any significant way, it is worth asking why CBP has waited until now to publish a System of Records Notice despite the fact that it has been collecting records through the C-TPAT program for over a decade. Furthermore, why did CBP wait until now to assert this exemption from the Privacy Act’s requirements?
What typically matters most for businesses is the protection of their proprietary information and trade secrets. To this end, CBP has stated that “CBP, as a matter of long standing policy, affords the same protections to business confidential information maintained in a SORN as it does to the Personal Identifying Information stored there.” Furthermore, business information is protected under the Trade Secrets Act. CBP assures businesses that information will not be shared with other businesses unless consent is provided. This consent can be provided through:
- Opting in to the Status Verification Interface (SVI), which allows participants to provide their business partners with their SVI number so those business partners can retrieve the C-TPAT partner’s company name and its “certified/non-certified” status; or
- Authorizing the release of its Supply Chain Security Profile (SCSP) to a third-party C-TPAT partner. This function allows C-TPAT partners to evaluate the security practice of another partner for inclusion in their own supply chain profile.
In no other circumstance will outside businesses be able to access a C-TPAT partner’s information.
As for businesses concerned with the prospect that a criminal or civil investigation may benefit from the information provided through C-TPAT records, it may be useful to assume that when you give information to CBP, you are giving it to all government agencies.