Esta Pia

Privacy Impact Assessment Update
for the

Electronic System for Travel
Authorization (ESTA)
DHS/CBP/PIA-007(f)
June 9, 2016
Contact Point
Suzanne Shepherd
Director - ESTA
U.S. Customs and Border Protection
(202) 344-3710
Reviewing Official
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security
(202) 343-1717

Privacy Impact Assessment Update
DHS/CBP/PIA-007(f) ESTA
Page 1

Abstract
The Electronic System for Travel Authorization (ESTA) is a web-based application and
screening system used to determine whether certain foreign nationals are eligible to travel to the
United States under the Visa Waiver Program (VWP). The U.S. Department of Homeland
Security (DHS), U.S. Customs and Border Protection (CBP) is publishing this update to the
Privacy Impact Assessment (PIA) for ESTA, last updated on February 17, 2016, to provide
notice and privacy risk assessment of the updated enhancements to the ESTA application
questionnaire to apply stricter screening standards to certain foreign nationals who have traveled
to Somalia, Libya, and Yemen; and to include a Global Entry traveler number for ESTA
applicants, if applicable.

Overview
In the wake of the terrorist attack on the Nation on September 11, 2001, Congress
enacted the Implementing Recommendations of the 9/11 Commission Act of 2007.1 Section 711
of that Act sought to address the security vulnerabilities associated with Visa Waiver Program
(VWP) travelers who are not subject to the same degree of screening as other international
visitors to the United States. As a result, section 711 required CBP to develop and implement a
fully automated electronic travel authorization system to collect biographic and other
information necessary to evaluate the security risks and eligibility of an applicant to travel to the
United States under the VWP. The VWP is a travel facilitation program with robust security
standards designed to prevent terrorists and other criminal actors from exploiting the VWP to
enter the United States.
ESTA is a web-based system designed to determine foreign nationals’ eligibility to travel
to the United States under the VWP. Applicants use the ESTA website to submit biographic
information and respond to questions related to an applicant’s eligibility to travel under the
VWP. ESTA information is necessary to issue a travel authorization, consistent with the
requirements of the Form I-94W.2 A VWP traveler who intends to arrive at a U.S. air or sea port
of entry must obtain an approved travel authorization via the ESTA website prior to boarding a
carrier bound for the United States. The ESTA program allows CBP to eliminate the requirement
that VWP travelers complete a Form I-94W prior to being admitted to the United States via an
air or sea port of entry because the ESTA application electronically captures duplicate
biographical and travel data elements collected on the paper Form I-94W.
DHS/CBP published an ESTA PIA update on February 17, 2016 3 in accordance with the
1

Pub. L. 110-53, codified at 8 U.S.C. § 1187(a)(11), (h)(3).
See 8 CFR § 217.5(c). The Form I-94W must be completed by all nonimmigrant visitors not in possession of a
visitor’s visa, who are nationals of one of the VWP countries enumerated in 8 CFR § 217.
3
See DHS/CBP/PIA-007 Electronic System for Travel Authorization (ESTA), and subsequent updates, available at
2

Privacy Impact Assessment Update
DHS/CBP/PIA-007(f) ESTA
Page 2

new requirements of the Visa Waiver Program Improvement and Terrorist Travel Prevention Act
of 2015.4 In that update, DHS/CBP addressed new eligibility requirements established by the Act
to strengthen the security of the VWP to appropriately meet the current threat environment to the
United States.

Reason for the PIA Update
DHS/CBP is updating the ESTA questionnaire with the following enhancements: (1)
expanding the ineligibility (with some exceptions) of ESTA for certain nationals of VWP
countries if the applicant, at any time on or after March 1, 2011, was present in Libya, Somalia
or Yemen; (2) including “Global Entry Program Number” as part of the ESTA questionnaire;
and (3) including an optional field in which ESTA applicants may include information about
their presence on select social media platforms.
1. Travel History Ineligibility Expansion
As described in the previously published ESTA PIA update,5 the newly issued Visa
Waiver Program Improvement and Terrorist Travel Prevention Act of 2015 6 required
enhancements to the ESTA questionnaire for certain VWP nationals who have traveled to, or are
dual nationals of, certain countries. The initial expansion included applicants who are nationals
of, or who have traveled to Iraq, Iran, Syria, and Sudan at any time on or after March 1, 2011,.7
The Secretary of Homeland Security, using his discretion under the Visa Waiver Program
Improvement and Terrorist Travel Prevention Act of 2015,8 determined that due to national
security concerns and the ongoing threat posed by foreign fighters returning to VWP countries,
the ESTA ineligibility requirements will now apply to certain nationals of VWP countries if the
applicant has at any time on or after March 1, 2011 been present in Libya, Somalia, or Yemen.
These individuals must complete an additional list of questions about their travel history
on the ESTA questionnaire and may be determined to be ineligible for an ESTA. The expanded
questionnaire, and available access, correction, amendment, or redress procedures through the
DHS Traveler Redress Inquiry Program, remain the same as described in the February 2016 PIA
update.

https://www.dhs.gov/publication/electronic-system-travel-authorization.
4
See Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015, Pub. L. No. 114-113,
Division O, Title II.
5
See supra note 3.
6
See supra note 4.
7
See supra note 3.
8
See supra note 4.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(f) ESTA
Page 3

2. Global Entry Program Number
Certain categories of ESTA applicants may be considered for visa waivers at the
discretion of the Secretary of Homeland Security. If an individual is deemed ineligible to travel
to the United States under the VWP based on the dual national or prior travel restrictions under
the Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015, he or she
may be eligible for a waiver.
If an individual referred for consideration for a visa waiver has a Global Entry Program
Number,9 they have already been pre-approved for travel under the Global Entry Program,
therefore DHS has previously assessed the individual to be low-risk traveler. This previous
assessment and continued vetting under the Global Entry Program will provide CBP with
valuable information when considering an applicant’s ESTA application, including allowing
CBP to make better informed determinations when assessing whether an applicant presents a
security risk, and when considering an applicant’s eligibility for a waiver of VWP ineligibility.

Privacy Impact Analysis
Authorities and Other Requirements
No change from the previously published ESTA PIA update.

Characterization of the Information
CBP is expanding the ESTA data elements to include the Global Entry Program Number.
There is no privacy risk to this expanded information collection. ESTA applicants may
voluntarily provide their Global Entry Number, if they opted to obtain one, to assist in the CBP
vetting process.

Uses of the System and the Information
CBP will continue to use the information submitted as part of an ESTA application to
determine the eligibility of a foreign national to travel to the United States and to determine

9

Participation in the Global Entry program is completely voluntary and allows applicants to exchange personally
identifiable information in return for expedited transit at United States border entry points. Global Enrollment
System data is used only for the purposes of border and immigration management, national security, and law
enforcement. For additional information about Global Entry, please see
https://www.dhs.gov/sites/default/files/publications/privacy_pia_cbp_goes_0.pdf.

Privacy Impact Assessment Update
DHS/CBP/PIA-007(f) ESTA
Page 4

whether the visitor poses a law enforcement or security risk to the United States. 10 CBP will
continue to vet the ESTA applicant information against selected security and law enforcement
databases at DHS, including TECS11 (not an acronym) and the Automated Targeting System
(ATS).12
There are no privacy risks to use of this information. CBP will use the Global Entry
Number to assist in vetting efforts since Global Entry holders have been previously assessed by
CBP as a low-risk traveler. This previous assessment and continued vetting under the Global
Entry Program will provide CBP with valuable information when considering an applicant’s
ESTA application, including allowing CBP to make better informed determinations when
assessing whether an applicant presents a security risk, and when considering an applicant’s
eligibility for a waiver of VWP ineligibility.

Data Retention by the Project
The CBP retention period for ESTA has not changed. CBP retains ESTA application data
for no more than three years in an active database (one year beyond the ESTA authorization
expiration date) and twelve years in archive status.

Internal Sharing and Disclosure
No changes have been made to internal sharing and disclosure.

External Sharing and Disclosure
No changes have been made to external sharing and disclosure. CBP will continue to
share ESTA information in bulk with other federal Intelligence Community partners (e.g., the
National Counterterrorism Center), and CBP may share ESTA on a case-by-case basis to
appropriate state, local, tribal, territorial, or international government agencies. Existing external
information sharing and access agreements will continue and will now include the expanded
categories or records noted above.13

10

See 8 U.S.C. § 1187(h)(3).
DHS/CBP-011 U.S. Customs and Border Protection TECS (73 Fed. Reg. 77778, December 19, 2008).
12
DHS/CBP-006 Automated Targeting System (77 Fed. Reg. 30297, May 22, 2012).
13
This sharing takes place after CBP determines that the recipient has a need to know the information to carry out
functions consistent with the exceptions under the Privacy Act of 1974, 5 U.S.C. § 552a(b), and the routine uses set
forth in the ESTA SORN. Additionally, for ongoing, systematic sharing, CBP completes an information sharing and
access agreement with federal partners to establish the terms and conditions of the sharing, including documenting
the need to know, authorized users and uses, and the privacy protections for the data.
11

Privacy Impact Assessment Update
DHS/CBP/PIA-007(f) ESTA
Page 5

Notice
The online ESTA application contains a Frequently Asked Questions (FAQ) section that
will address the addition of social media elements to the ESTA application. In addition to the
FAQs on the online application, there will be a question mark indicator next to social media
field(s) that an applicant can click on, which will provide additional information regarding the
collection of social media information.
The System of Records Notice (SORN) for ESTA, last published on February 23, 2016,
is being updated concurrently with this PIA to reflect the ESTA enhancements, including the
new eligibility questions and collection of an additional data element on the ESTA application.
Due to the sensitive national security concerns necessitating the expanded information
collection required by the VWP and Terrorist Travel Prevention Act of 2015, CBP has
determined that the updated ESTA SORN will become effective upon publication, without a
prior comment period. Despite the exigent circumstances requiring immediate publication and
implementation of this new information collection, members of the public can still submit
comments on the updated SORN. CBP will evaluate these comments to determine if any future
changes should be made.

Individual Access, Redress, and Correction
No changes have been made to individual access, redress, and correction. The ESTA
enhancements will result in CBP denying some individuals eligibility for a travel authorization
under the VWP. Applicants denied a travel authorization to the United States via ESTA may still
apply for a visa from the U.S. Department of State. General complaints about treatment can be
made to the DHS Traveler Redress Inquiry Program (TRIP), 601 South 12th Street, TSA-901,
Arlington, VA 22202-4220 or online at www.dhs.gov/trip. Generally, if a traveler believes that
CBP actions are the result of incorrect or inaccurate information, then inquiries should be
directed to:
CBP INFO Center
OPA - CSC - Rosslyn
U.S. Customs and Border Protection
1300 Pennsylvania Ave, NW
Washington, D.C. 20229
In addition, CBP has updated the address to which individuals should submit their
requests for access and correction. Under the Privacy Act and the Freedom of Information Act
(FOIA), individuals may request access to the information they provide which is maintained in
the applicable CBP system of record. Proper written requests under the Privacy Act and FOIA
should be addressed to:

Privacy Impact Assessment Update
DHS/CBP/PIA-007(f) ESTA
Page 6

CBP FOIA Headquarters Office
U.S. Customs and Border Protection
FOIA Division
90 K Street NE, 9th Floor
Washington, D.C. 20002
Requests for access should conform to the requirements of 6 CFR Part 5, which provides
the rules for requesting access to Privacy Act records maintained by CBP. The envelope and
letter should be clearly marked “Privacy Act Access Request.” The request should include a
general description of the records sought and must include the requester’s full name, current
address, and date and place of birth. The request must be signed and either notarized or
submitted under penalty of perjury.

Technical Access and Security
No changes have been made to technical access or security.

Technology
No changes have been made to technology.

Responsible Official
Suzanne Shepherd, Director ESTA
U.S. Customs and Border Protection
Department of Homeland Security
John Connors, CBP Privacy Officer
U.S. Customs and Border Protection
Department of Homeland Security
Approval Signature

________________________________
Karen L. Neuman
Chief Privacy Officer
Department of Homeland Security