No progress reported by European Commission on USA demands for access to airline reservations

The enforcement of European Union laws against the transfer of airline reservation data (or other personal information collected in the EU) to countries like the USA that lack adequate legal protection for privacy rights was reportedly on the agenda for yesterday’s meeting of the European Commission in Brussels. But no announcement was made following yesterday’s meeting as to what, if any, decision was reached.

The European Commission is the branch of the European Union responsible for enforcing the EU code of conduct for computerized reservation systems (CRS’s), and for overseeing administration of the EU Data Protection Directive . The negotiations with the USA Department of Homeland Security on this issue have been led by European Commissioner Frits Bolkestein as part of his brief for internal markets issues including data protection and e-commerce. But final decisions and recommendations are made by the entire college of 20 members of the Commission.

A resolution enacted 9 October 2003 by the European Parliament called on the European Commission to take action by 9 December 2003 to ensure compliance with EU laws and regulations, either through cessation of transfers of passenger data from the EU to the USA or through adequate privacy provisions for the protection of passenger data once transferred to the USA.

An earlier resolution of the European Parliament, adopted 12 March 2003 by an overwhelming vote of 414 to 44, was amended on the floor of Parliament to include an explicit threat that Parliament could bring legal action in the European Court of Justice against the Commission should the Commission fail to carry out its duty to enforce EU privacy laws with respect to transfers of EU airline reservation data to the USA.

While most concern about CAPPS-II in the USA focused, at least initially, on the other personal information (from credit records and other data aggregators) that would be compared with reservation data, the profiling algorithm, and how the government would use this data, concern in Europe about CAPPS-II and other “Homeland Security” proposals affecting travellers has centered on the information contained in reservations themselves and how reservation data would (or wouldn’t) be protected from both commercial and governmental misuse. That’s clear from recent European reports on the issue, such as those here and here , and was equally clear in my meeting last week in Washington with European Commission staff familiar with the negotiations.

The crux of the diplomatic impasse is that:

1. The USA Department of Homeland Security is demanding access to the contents of all passenger name records (PNRs) on all flights to or from the USA.
2. EU law forbids the transfer of personal data from the EU to countries that do not provide adequate legal protection for the privacy of such data.
3. There are currently no legal protections whatsoever for the privacy of airline reservations in the USA. Travel data in the USA, like “commercial” data in almost all industries except certain areas of finance and health care, is considered the property of travel companies, which are free to use, sell, or disclose it without the knowledge or consent of travellers.

Particularly in the USA, reporting on the negotiations has concentrated on the first two of these three items. And negotiators for the USA (led by Secretary of Homeland Security Tom Ridge, Under Secretary for Border & Transportation Security Asa Hutchinson, and Chief Privacy Officer Nuala O’Connor Kelly) have tried — falsely — to represent the conflict between (1) the USA demand and (2) EU law as irreconcilable without “compromise” by both sides. On that basis, they have pressured the European Commission to approve an “agreeemnt” that falls short of full compliance with EU law, in exchange for slight reductions in the overbroad USA demands for data.

But the EC has no power to modify or authorize non-compliance with the law as enacted by the European Parliament. Both the European Commission and the European Parliament have already determined that the USA doesn’t have “adequate” legal protections for travel data. (It’s hard to imagine them finding otherwise, since at present there are no such legal protections at all.) And Parliament has already made clear, in both its March and October resolutions, that the duty of the EC is to enforce the existing law. That leaves the EC little choice but enforcement action — except perhaps to suggest changes in EU law for Parliament to consider.

Unless, that is, the USA agrees to provide adequate protection for travel data. That’s why the third item in the list above — lack of travel privacy law in the USA — has really become the key to resolution of the dispute.

The current dispute isn’t about USA government demands for data, or EU unwillingness to cooperate with USA “homeland security” measures. It’s about DHS unwillingness even to consider legislation governing commercial use of travel data, collected and turned over under goverment compulsion, that would conform to international norms of privacy rights.

If the USA-EU negotiations fall through, blame will belong squarely on the DHS Chief Privacy Officer, Ms. Nuala O’Connor Kelly, for failing to propose federal travel privacy legislation that would satisfy international (including EU) standards of adequacy. And if her superiors are unwilling to allow her to propose or endorse the legislation that would be essential to fulfilling her ostensible privacy protection assignment, she should do the honorable thing and resign.

In resisting any privacy legislation enforceable through courts or any independent arbiter, Ms. O’Connor Kelly is advocating for the DHS the same system of privacy “self-regulation” that she championed for corporate data aggregators and abusers in her previous job as chief privacy (invasion) officer for the Internet advertising company Doubleclick. So-called “self regulation” has failed to protect the public in the USA against corporate privacy invasion on the Internet, and the EC is right to dismiss it out of hand as ineffective and legally “inadequate”.

When I asked Ms. O’Connor Kelly why she didn’t propose travel data privacy legislation as the solution to the dispute with the EU, she told me, “That isn’t the only thing they [the EC] asked for”. That’s true — the EC has also, quite properly, asked that the DHS demand for access to data in PNRs data be limited to information relevent to determining security risks — but the EC negotiators have made clear that they have considerably more flexibility in negotiating which data is passed to the USA than in approving any “deal” that failed to include any legal privacy guarantees for that data once it’s in the USA.

In spite of the EC willingness to negotiate on this point, the DHS has described the data in PNRs to the EC in seriously misleading terms. According to the Undertakings of the U.S. Bureau of Customs and Border Protection and the TSA to the EC (the document labeled 22 May 2003 is labeled a draft, but was released and is available from the EC Web site), “Most data elements contained in PNR data can be obtained by … examining a data subject’s airline ticket and other travel documents.” But that’s complete nonsense, as is apparent from a comparison of any actual ticket with the list at the end of the same “Undertakings” of 39 possible types of data in current PNRs (most of them never incdicated on tickets) and 4 additional data items proposed to be added to all PNRs for use in CAPPS-II. Even that list of 43 items is merely a partial list of what might be included in PNRs, since lack of standardization in data entry permits the same type of data (such as e.g. religious meal preferences or other sensitive data) to be entered in any of several fields, and virtually any imaginable type of personal infomation can be entered — typically without the passenger’s knowledge — in unrestricted free-text fields.

The same discrepancy between the actual breadth of information in PNRs, and the narrower categories of information likely to have any use in assessing potential threats to aviation security, is apparent in the DHS/TSA demands for data for CAPPS-II.

The DHS and TSA claim publicly that CAPPS-II will use only the four newly-mandated PNR fields, or “Name plus three” (“full name”, “home address”, “home phone number”, and data of birth). But the most recent CAPPS 2.1 Privacy Act notice still provides for DHS/TSA access to all data in each PNR. When I asked Ms. O’Connor Kelly and the TSA spokesperson why they needed access to the whole PNR if only the “name plus 3” would be used, they said they couldn’t comment on which data elements would be required because, “We don’t yet know how CAPPS-II will work.”

(This uncertainty about how CAPPS-II will work hasn’t, of course, kept DHS and TSA officials from declaring confidently that it will work, although it certainly raises questions as to the basis for that confidence.)

As long as the DHS/TSA are unable or unwilling to justify their demands for the entire contents of each PNR on security grounds, it’s hard to avoid the inference that their real interest is in using the additional data for surveillance, not security, purposes.

The distinction between existing PNR data and the newly required “name plus 3” on which CAPPS-II will supposedly be based also raises serious questions about the testing of CAPPS-II. Admiral Loy of the TSA has reportedly been considering issuing a “security directive” that would purport to require airlines to turn over “historical” PNR data (such as has been used in previous CAPPS-II concept tresting) for further CAPPS-II tests. And Ms. O’Connor Kelly reiterated to me that future CAPPS-II testing would depend on access to airline PNR data. But supposedly CAPPS-II will use only the “name plus 3” (not in current PNRs), and won’t use any of the other data actually in current PNRs.

When I asked Ms. O’Connor Kelly how PNRs without the “name plus 3” would be useful in testing CAPPS-II, given its supposed reliance on “name plus 3”, she returned to the argument that she couldn’t comment because she doesn’t know how CAPPS-II will work. If true, her remarks cast serious doubt on any claims about the likely cost, implementation time, or effectiveness of CAPPS-II — the subjects, among other issues, of the ongoing investigation of CAPPS-II by the General Accounting Office mandated by Congress as a precondition to CAPPS-II deployment.

[Addendum: The Euopean Parliament has scheduled an “exchange of views” on this topic with Commissioner Bolkestein at a joint meting of the parliamentrary Committee on Citizens’ Freedoms and Rights, Justice and Home Affairs with the Committee on Legal Affairs and the Internal Market in Brussels on Monday, 1 December 2003, in anticipation of the 9 December 2003 deadline previously set by Parliament for Commission action.]