USA still won't agree to legal protection for travel data

This week European Commissioner Frits Bolkestein was called before a joint meeting of the European Parliament’s Committees on Citizens’ Freedoms and Rights, Justice and Home Affairs, and Legal Affairs and the Internal Market to give his report on the USA/European Union talks on transfers of airline passengers’ personal data from the EU to the USA.

The Commision faces a 9 December deadline previously set by Parliament to bring airlines and computerized reservation systems into compliance with EU law on international transfers of personal data. That could be achieved either by ending data transfers to countries like the USA without adequate data privacy laws (a possibility Bolkestein refused even to contemplate in his reprt to Parliament) or by getting the USA to enact “adequate” protections (of which his report gives little hope).

It isn’t clear from Bolkestein’s report whether he and the other members of the Commission want Parliament to extend the deadline (possible, although more time seems unlikely to result in fundamental change in the position of the USA against enacting any legally enforceable privacy rights for travellers), change the law (highly unlikely, given the recognition in the EU of privacy as a fundamental human right), or approve an agreement with the USA inconsistent with EU law (which would be subject to legal challenge in EU courts).

Even some of the USA “concessions” that Bolkestein reports as successes for the EU negotiators raise questions of their own:

The second important success we achieved is that the arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II). The latter will only be considered in a second round of discussions yet to come. In any case, such discussions can only conclude after Congress has signed off on CAPPS II. And this first requires the US General Accounting Office to complete its study on the effectiveness and privacy implications of CAPPS II, as recently requested by the US Congress.

That would be great, if the USA had agreed to postpone any use of data from the EU in CAPPS-II tests until after the GAO report to Congress, which is due by 14 February 2004. But the law requiring the GAO report explicitly allows testing — including tests with real reservations — to continue in the interim. And President Bush, in signing the law, said he considered it only “advisory”, not binding.

As I’ve discussed earlier here and here , any CAPPS-II tests on a significant scale will inevitably include data from the EU: there’s nothing in current PNRs that would enable the identification and exclusion form the tests of those for which data was collected in the EU. (Not that that was even attempted in the previous CAPPS-II tests, about which the DHS and TSA continue to lie but which certainly violated EU privacy and data protection rules.)

There’s a larger problem, though, in the USA/EU negotiations on PNR data transfers. The USA and the EU have been using the words, “personal data transfers from the EU to the USA” to mean two quite different things, leaving the most important privacy vulnerabilities in the gap between those two meanings.

The USA has been talking about “personal data transfers from the EU to the government of the USA”, but EU laws and regulations apply to any “personal data transfers from the EU to the control, territory, or jursidiction of the USA”.

It’s not clear if the USA and the EU have been talking past each other because of genuine misunderstanding or willful misdirection by the USA. Many who claim to be privacy advocates in the USA — certainly including, from her past statements and actions, DHS Chief Privacy Officer Nuala O’Connor Kelly — have a blind spot for corporate privacy invasion, and falsely assume that Americans are only concerned about government, not commercial, privacy invasion.

But whatever the cause, what’s fallen through the cracks is the potential for legally unregulated use, abuse, or disclosure of passenger data by travel companies in the USA (especially the CRS’s and airlines) which serve as intermediaries between data collectors in the EU and elsewhere (such as travel agencies and tour operators) and the USA government.

In fact, PNR data is routinely transferred from the EU to the USA, and had been for years before any of it started being turned over to the government of the USA. With or without CAPPS-II, and regardless of which elements of that data, if any, are passed on to the goverment, those transfers violate EU privacy laws and regulations as long as there is no legal protection for how those USA companies that receive reservations from the EU make use of that data.

So let’s hope that the European Parliament continues to insist that the European Commission do its job of enforcing the law, and that any postponement of CAPPS-II testing is used as an opportunity to pursue the pre-existing violations of EU privacy law by travel companies in the USA — not an excuse to delay or let them off the hook.

Travellers in the USA shouldn’t have to rely for protection of our privacy on EU enforcement of global norms of human rights. But unless and until Congress acts to give American travellers the same rights as our fellow travellers in the EU, Canada, and elsewhere, that’s all we’ve got to protect us.