Proposal in the European parliament to reject transfer of PNRs to the USA

The European Parliament would “Call… upon the [European] Commission to withdraw the draft decision” on the adequacy of protection provided for personal data contained in airline reservations Passenger Name Records (PNRs) transferred to the USA from the European Union, according to a resolution to be taken up by a European Parliament committee next week.

The resolution proposed by Member of the European Parliament (MEP) and rapporteur Johanna Boogerd-Quaak is on the agenda for the meeting in Strasbourg next Tuesday, 9 March 2004, of the Committee on Citizens’ Freedoms and Rights, Justice and Home Affairs (LIBE).

Previous resolutions on this topic, strongly critical of the European Commission for its acquiescence to demands by the USA for access to PNRs in contravention of fundamental EU law, have been overwhelmingly approved by the European Parliament, with strengthening amendments adopted in committee and on the floor. As the latest draft resolution details, the Commission has ignored the desires of the Parliament, as clearly expressed in previous resolutions, and the latest resolution seems likely to be approved as well.

USA Undersecretary of Homeland Security for Border and Transportation Security Asa Hutchinson conceded last month that, “any agreement that is reached has to be approved by the European Parliament.” And in the same interview, Hutchinson also conceded that (as I pointed out more than a year ago in my comments on the first CAPPS-II Privacy Act notice, but as the DHS had been ignoring), it’s impossibe to identify where the data in any particular PNR was collected, or to separate “European Union” from “USA” or any other country’s data: “Whenever we get data from domestic airlines many times we’ll have a European link to the itinerary and so you cannot even test domestic flights without some data from European passengers being involved.”

So the USA is publicly committed not to begin any testing of CAPPS-II unless and until the inclusion in the test sample of data collected in the EU has been approved by the European Parliament. If, as it is now considering doing, Parliament sends the European Commission’s draft deal with the USA on CAPPS-II testing back to the drawing board, any eventuual Parliamentary approval will certainly take months — if it is ever forthcoming at all. And, in the meantime, CAPPS-II or no CAPPS-II, the USA may have to suspend its other ongoing uses of PNR data, if it is truly to keep Hutchinson’s promise.

But that’s not the end of the obstacles to CAPPS-II and other USA uses of PNR data. In the words of the proposed European Parliament resolution, “in the USA the protection of privacy… is not regarded as a fundamental right… , nor is there any right of legal redress should the measures restricting the freedom to travel be abused.” And it’s no more possible to eliminate data from any other country from PNRs, even those of USA-based airlines, than to eliminate data from the EU from those PNRs.

That leaves the USA with only 2 choices if it wants to use PNR data for “Homeland Security” or other government or commercial purposes without the consent of the data subjects: either (1) adopt a data privacy law applicable to PNRs, and commensurate with international norms (something the Bush Administration and the DHS have adamently refused to consider, although Cangress may soon take such an initiative on its own), or (2) obtain the permission of every other country with whose laws CAPPS-II and/or other USA uses of PNR data conflict, and where data included in PNRs of USA airlines might have been collected, before beginning any use of any of that PNR data. In effect, the lack of any reliable geographic indicator in PNRs of where the data they contain was collected means that any country where data was collected which is included in the global PNR pool has power of veto over how that pool of data is used.

Somewhat amazingly, the General Accounting Office reported that the DHS claimed to have used only 32 PNRs, which they created themselves, as the entire basis for their assumptions about the contents of PNRs. But it’s clear that CAPPS-II won’t get much further, if at all, without renewed access to real PNR data.

At a minimum, the DHS seems to have conceded that permisison from both the EU and Canada is a prerequisite to any start (resumption, actually, although the DHS has repeatedly, and falsely, denied that real PNRs were used in previous CAPPS-II tests) of CAPPS-II testing with real PNRs.

But it’s not hyperbole to describe EU and Canadian data privacy laws as exemplifying emerging global norms of privacy as a human right. Many other countries have similar laws, including for example several Latin American countries with large volumes of passenger air traffic to and from the USA that have based their data protection laws almost verbatim on those of Spain, and thus the EU. The only question is how many of these and other countries will assert their right to be consulted before their citizens’ privacy rights are violated by nonconsensual USA government access to passenger reservation records.

“Is it fair to say that you really don’t know when you will be able to begin testing the [CAPPS-II] system?”, DHS undersecretary Huthinson was asked last month. “That is a fair statement,” Hutchinson replied. But Hutchinson also said, “That timeline for testing probably will not be in a spring timeframe,” i.e not until summer 2004 at the earliest. Presumably that would be only if no countries other than Canada and the EU object to inclusion of data from their countries in the tests, and if negotations with Canada and the EU are concluded as quickly as possible.

If agreements can’t be reached with Canada and/or the EU, Canadian and/or EU legislators don’t approve the changes to their laws required by the agreements, or other countries object as well, it could easily take much longer — if ever — before the USA has the necessary permisisons to start the CAPPS-II juggernaut moving again.

Question: Do you think you’ll be able to start it by the end of the year?

Undersecretary Hutchinson: Absolutely, I certainly hope that is the case.

Question: You mean … start what, testing?

Undersecretary Hutchinson: Testing, I take the question as testing.

Aside from its direct effect on CAPPS-II testing, the European Parliament draft resolution’s detailed critique of the deal proposed to Parliament by the European Commission is noteworthy for bringing into the official debate several significant points that the USA authorities have until now avoided.

First, the draft resolution specifically notes that (as, once again, I pointed out a year ago in my comments), PNRs contain personal information on several other significant categories of “data subjects”, not just airline passengers: “data enabling both the passenger and the persons accompanying him to be identified, together with the person who requested the reservation on the passenger’s behalf, the agency or the employee who made the reservation and/or issued the ticket, and so on.”

The failure of the DHS to disclose or deal with the implications of CAPPS-II for the privacy of airline and travel agency staff and other people besides passengers is perhaps the most glaring deficiency in the DHS’s Privacy Act “Notice” for CAPPS-II — certainly one of the deficiencies most like to lead to legal challenge, under the Privacy Act, to any attempt to implement CAPPS-II until the effect on other categories of data subjects is disclosed, and provision made for their rights.

Second, the draft resolution reminds the European Commission that:

On 9 October 2003, Parliament formally requested the Commission to check that Regulation (EC) No 2289/99 was being correctly implemented…. The Commission has not so far notified Parliament of the results of its inquiries.

As I’ve reported previously, the PNR data being accessed by USA government agencies already far exceeds that authorized by the proposed deal, as would be shown by a sufficiently independent, thorough, and technically competent audit. Pressure from Parliament for reporting by the Commssion on compliance with existing data transfer rules and agreements makes it increasingly likely that this scandal will be brought into the light sooner rather than later.

Third, the draft resolution suggests two independent modes of enforement if the Commisison fails to heed the “call” of Parliament.

The draft resolution “calls upon… the Member States to require … airlines and travel agencies to obtain passengers’ consent for the transfer of data; such consent must be given freely and passengers must be informed of the options open to them for influencing the content of their PNR, of the implications of failing to give consent and of the fact that an adequate level of
protection does not exist in the USA.”

This would require a major change in business practices: I know of no major Internet travel agency, regardless of their purported privacy promises, that actually discloses which customer data is entered in a PNR, and which kept in a separate database, or at what point in the booking and purchasing process that irrevocable entry of certian data into a PNR is made.

In effect, this call in the draft resolution implicitly invokes the continued enforcement authority of national data protection authorities in EU member states — who have unanimously opposed the European Commisison proposal — regardless of the action or inaction of the European Commision.

The draft Parliamentary resolution also explicitly “Reserves the right to consult the Court of Justice with a view to ascertaining whether or not an international agreement which does not provide adequate guarantees regarding the protection of a fundamental right is soundly based;” and “reserves the right to appeal to the Court of Justice should such a decision be adopted.” That’s not a Constitutional crisis, but it’s more or less the equivalent of Congress considering a resolution threatening to bring an action in the Supreme Court against the President.