European Commission declares USA travel privacy non-protection "adequate"

Last Thursday, 14 May 2004, the European Commission (EC) approved a decision finding that “the United States’ Bureau of Customs and Border Protection [CBP] is considered to ensure an adequate level of protection for PNR data transferred from the [European] Community concerning flights to or from the United States, in accordance with the Undertakings set out in the Annex” to the decision (and included in the same PDF file).

And on Monday, 17 May 2004, the EC approved a second decision (PDF, HTML, legislative history) approving, and authorizing the signing on behalf of the European Community, of an “Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection”.

The two decisions (conflated and confused, and described in the singular) were announced on Monday in a press release by the European Commission and a press statement by USA Secretary of Homeland Security Tom Ridge.

But the actual text of the adequacy decision, and the proposed unilateral (and nonbinding) Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (“Annex”, pages 9-19 of the PDF file, oddly numbered 8-18 and 0) on which it depended, were not released until today.

As a result, most of the news reports on the decisions have focused on what the EC and the DHS claim has happened, with no opportunity to scrutinize what actually has been decided, or whether the EC and DHS claims are accurate.

Whatever the reasons for the delay in release of the texts of the decisions, it’s now clear on inspection of the agreements that they are very different from what the EC and DHS have claimed they are; that the press releases fundamentally mis-state the nature of the decisions and the underlying draft agreement and undertakings; that the draft agreement and undertakings continue to mis-describe the data in airline reservations and the manner in which it is handled; and that all of these secure much less, if any, protection for the privacy of airline reservation data, once it is made available for access by the DHS, than has been claimed.

The legal validity of both decisions remains in doubt. The European Commission was required to consult the European Parliament, but “finalized” its decisions without waiting for the recommendation of Parliament, which had requested an opinion from the European Court of Justice on the legality of the proposals before making its own recommendation to the EC.

Since the EC has already made the decision, with respect to Parliament’s recommendation on which the Parliament requested the Court’s opinion, the request for an opinion may now be deemed moot. But the Parliament could still seek the annulment by the Court of either or both of the decisions with respect to the “adequcy” finding and the agreement with the USA.

The USA Department of Homeland Security (DHS) had previously committed itself to the view that,”any agreement that is reached has to be approved by the European Parliament”, but more recently has said that, “we would still be able to continue to exchange the passenger name records” even in the absence of Europarl approval, and even in the event of an opinion from the European Court of Justice that one or both of the decisions (on the “adequacy” finding and the agreement with the USA) are contrary to fundamental EU law.

Europeans might well ask why, given that the USA has already reneged on its public commitment to obtain Europarl approval for any agreement on PNR data transfers, they should now trust the USA to comply with its proposed (but not yet published) unilateral (and nonbinding) “undertakings”, especially as both the undertakings and the agreement contain the identical explicit statement that they do not “create or confer any right or benefit on any person or party, private or public.”

Both Parliamentary committees which reviewed the proposals, as well as the Article 29 Working Party of national data protection authorities from throughout the EU, found that they would not ensure “adequate” protection for personal information contained in reservations transferred to the USA, and formally recommended against the decisions which have now been made by the EC.

Liberal Democatic Member of the European Parliament (MEP) Johanna Boogerd-Quaak of the Netherlands, Parliament’s “rapporteur” on the issue, released a statement that the decision by the EC not to wait for the Court’s opinion shows “breathtaking arrogance…. Refusing to wait for the Court’s opinion is disrespectful to the authority of the Court and a breach of the duty of loyal co-operation between EU institutions. I continue to believe that this agreement is legally flawed both in terms of substance and the way it was adopted. When Parliament reconvenes in July I will recommend to colleagues that they pursue the matter further. One way or the other, this issue will end up before the European Court of Justice.”

Other MEP’s concurred. Green MEP Daniel Cohn-Bendt of France reportedly said that the decisions were deliberately timed during the Parlimentary recess preceding the upcoming elections, to frustrate any prompt Parliamentary response: “No meetings are scheduled before the elections, but the Greens will take all the necessary initiatives with the European Parliament to launch a new appeal to the European Court.”

Even the members of the EC conceded the possibility that the decisions could still be overturned by the Court of Justice, on the initiative of the Parliament. Commissioners claim they would respect such a decision by the Court, but it’s hard to know if that commitment is any more meaningful than the USA commitment to respect the will of the European Parliament proved not to be. The EC press release says that, “The Parliament would… have the … right… to seek the annulment of the international agreement or of the adequacy finding or both.” Agence France-Press quotes Commissioner Chris Patten as saying that, “If of course the court were to find against us we would have to go back on the agreement with the United States, there’s no question about that.”

Both the decisions and the procedure by which they were adopted were immediately denounced by civil liberties organizations throughout Europe, including the European Association for the Protection of Human Rights, Statewatch, and European Digital Rights.

Privacy International released an analysis of the “adequacy” finding, Inadequate Adequacy, concluding:

This agreement is based on smoke and mirrors. The agreement was repeatedly deemed inadequate by legal experts and the European Parliament. The Commission was repeatedly admonished for its failure to uphold EU laws. The U.S. Department of Homeland Security repeatedly asked for more than it was statutorily authorized to….

Meanwhile, other countries under pressure from the U.S. to weaken their privacy regimes will have lost an ally Europe, and will be forced to transfer data under similar, if not worse, conditions. The result will be to a race to the bottom for global privacy protection….

The Commission has failed on many grounds….

Failing to revisit all of these agreements and settlements will thus lead to a global surveillance system of travel.

Many of the differences between the European Commission and DHS press releases on the one hand, and the actual texts of the 14 May 2004 dequacy decison and the 17 May 2004 decision on an agreement by the EC on the other hand, are the same misstatements and distortions that have characterized previous EC claims about the draft documents.

For example, the list of PNR data elements in the 11 May 2004 version of the “undertakings” of the USA Department of Homeland Security (DHS) Bureau of Customs and Border Protection (CBP), as incorporated in the “adequacy” decision, is essentially the same as in the previous drafts of the undertakings. And clause 3 of the undertakings still claims, falsely, that “Most data elements contained in PNR data can be obtained by CBP upon examining a data subject’s airline ticket and other travel documents” — even though, as I’ve previously explained in detail as part of my analysis of the undertakings, 17 of the 34 listed data elements could never be discerned from tickets or other travel documents, and in most cases only 8 of the 34 fields could be determined from inspection of tickets.

The decisions are clearly based on false factual premises.

“Whereas” clause 9 of the adequacy decision, for example, says that, “The data transfers concerned involve specific controllers, namely airlines operating flights between the [European] Community and the United States, and only one recipient in the United States, namely CBP.” But neither of those claims is true: as we’ve seen in the case of the American Airlines PNRs transferred to the TSA and its CAPPS-II contractors by Airline Automation, PNR-processing firms as well as CRS’s — not just airlines — have actual control over PNR data, once in the USA, and the ability to transfer it to the government or other third parties, with or without the airlines’ consent. And there are certainly mutiple recipients of this data in the USA, not just the CBP. In particular, most reservations are transferred first to a computerized reservations system (CRS) which hosts them in the USA, and accessed by the CBP from that CRS, after the data is already in the USA.

At a minimum, this means that — even if the adequacy finding and agreement are upheld — they offer no protection to the CRS’s against claims that they have violated EU data protection requirements, or to airlines or travel agencies that transfer data from the EU to CRS’s in the USA that fail to give that data adequate protection against commercial or government misuse.

This makes it ever more important for EU citizens and residents to press their demands, directly with each of the 4 main CRS’s, for access to the complete archives of PNRs containing data about them maintained by each CRS and a complete accounting of who has been given access by each CRS to any or all of that personal data, and to complain to their national data protection authorities if unauthorized, undisclosed, or nonconsensual disclosures are discovered.

“Whereas” clause 11 of the adequacy decision claims that “The processing by CBP of personal data contained in the PNR of air passengers transferred to it is governed by conditions set out in the Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP) of 11 May 2004”. And the agreement purports to provide that, “This agreement shall enter into force upon signature”. But no international agreement with the USA can Constitutionally enter into “force” unless and until it is ratified by the Senate. And the activities of the CBP or other agencies of the government of the USA are in no sense bound or “governed” by unilateral statements made to foreign governments, regardless of whether those declarations are published in the Federal Register.

Both the EC and DHS press statements refer to the proposed undertakings (which have not yet been undertaken, even if that were of any legal significance, which it isn’t) and the proposed agreement (which has not yet been signed or ratified) in the present tense: “The Decision indicates that the Commission considers that the the data on air passengers [there’s no mention of the data on people other than passengers that is contained in PNRs] transferred to the US authorities enjoys the ‘adequate protection’ required under the EU’s data protection Directive,” says the EC, while Secretary of Homeland security Ridge described the decisions as, “the finding today that privacy is adequately protected under this agreement”.

To be accurate, both statements should be in the subjunctive: “If the USA makes certain specified undertakings, and if an agreement is concluded with the USA incorporating those undertakings and specified other terms, than data on air passengers transferred to the US authorities would enjoy adequate protection.” It wouldn’t enjoy adequate protection, as I’ve explained, but at least that would be an accurate statement of the EC decisions.

By shifting their claims about a future agreement and future undertakings into the present, the EC and DHS press releases attempt to deny the fact that, unless and until the undertakings are made in binding form and the agreement is signed and approved in accordance with the respective parties’ procedures (which in the USA means ratification by the Senate), there is no adequacy finding yet in effect, the ongoing data access remains illegal, and airlines and CRS’s remain fully liable to enforcement action by the EC itself (under the EU code of conduct for CRS’s) and EU national data protection authorities.

The EC press release describes the undertakings and agreement as providing that, to begin with, “Less data will be collected and retained by the US authorities.” But that’s not true: under the current “pull” system, there are no technical constraints on the ability of the CBP to “pull” (query and access) any portion of any PNR in the host system of any airline that serves the USA.

The undertakings provide that “CBP will ‘pull’ passenger information from air carrier reservation systems until such time as air carriers are able to implement a system to ‘push’ the data to the CBP.” And the agreement would, if adopted, provide that “air carriers … should arrange for transmission of PNR data to CBP as soon as this is technically feasible but … until then, the US authorities should be allowed to access this data directly.”

Development of a “push” system — ensuring that only the agreed data elements are transmitted, only for flights to and from the USA, and only at the agreed time (no more than 72 hours before the flight) — won’t be technically feasible for months at least, even if the USA and/or the EU have it in their budgets to pay the development costs. Absent any specific deadline, it’s false to represent “as soon as feasible” as providing any meaningful assurance that less data will actually be accessed.

I’ve left the worst of the lies for last: the categorical declaration in the EC press release, “There will be no bulk sharing of PNR.”

Only 2 days after that release are we able to read in clause 8 of the actual undertakings, “CBP may transfer PNRs on a bulk basis to the Transportation Security Administration (TSA) for purposes of TSA’s testing of of its Computer Assisted Passenger Screening System II (CAPPS II).”

The EC claim about bulk PNR transfers in its press release was a lie. It was a knowing lie, about a matter — use of data frim the EU for CAPPS-II testing — of intense concern to the public and to other EU institutions such as the European Parliament. And it was a lie about a matter for which the EC had previously come under strong criticsim for its lack of candor with the Parliament.

But CAPPS-II testing isn’t the only bulk transfer of PNR data contemplated by the undertakings, contrary to the EC statement. Clause 5 of the undertakings provides that, “With respect to the data elements identified as ‘OSI’ and ‘SSI/SSR’… CBP’s automated system will search those fields for any of the other data elements identified in Attacvhment ‘A’.”

What this suggests is that — as other sources have suggested to me is already the case — the CBP is not “pulling” only individual PNRs of interest or suspicion, but has an automated system, plugged into its connections to the airlines’ host systems, that systematically “pulls” large volumes of PNRs. In other words, bulk transfers of PNR data to the CBP, as falsely denied by the EC.

I’m also worried about what that “automatic system” already screening large volumes of PNRs is like, what it is doing, and how its results are being used. Is it really a version or prototype of CAPPS-II under another name? We don’t know. We do know, however, that the DHS has begun setting up an infrastructure of data visualization that could well incorporate PNR data, and that looks suspiciously like a revival under other auspices of the diiscredited and supposedly defunded Total/Terrorism Information Awareness Program, to which CAPPS-II was at one time intended to supply reservation data.

What happens next?

As I’ve mentioned previously, the DHS has conceded that it’s impossible to identify in what country data in any particular PNR was collected (in part because a single PNR commonly contains data that originated in several countries). That means that CAPPS-II testing can’t legally begin — at least not without risk for airlines and computerized reservation systems (CRS’s) providing the PNRs that they will be breaking the laws of some of the other countries where they operate — unless and until it can be reconciled with the privacy and data protection rules of every country where those airlines and/or CRS’s operate.

After the European Union, the largest issues of incompatibility between USA reservation data demands and other countries’ privacy laws were with Canada. The USA and Canada had begun negotiations on cross-border PNR data access, but both sides had conceded that an agreement was unlikely without changes in the law in the USA, Canada, or both.

Unfortunately, it’s Canada that has changed its laws to accommodate USA demands. What had been Canada’s Bill C-17, described by many as Canada’s counterpart to the USA-PATRIOT Act, was reintroduced in the Canadian Parliament this year, and received royal assent (the final stage of approval) 6 May 2004 as Bill C-7.

As adopted, Canadian Bill C-7 includes amendments to the [Canadian] Aeronautics Act which explicitly amend the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) to require that airlines turn over reservations to Canadian, USA, and other countries’ government agencies, with little control or oversight. Those provisions have provoked some of the harshest criticism of Bill C-7 within Canada.

Even before the passage of Canada’s Bill C-7, the European Union Article 29 Working Group (composed of the national data protection authorities from throughout the EU) had already expressed serious concerns about the adequacy of privacy protection for airline reservation data in Canada in its Opinion 3/2004 on the level of protection ensured in Canada for the transmission of Passenger Name Records and Advanced Passenger Information from airlines adopted 11 February 2004. The working group raised particular concerns about some of the provisions of what was then Bill C-17, which provisions have now been enacted as part of Bill C-7.

The EC decision currently in effect finding that Canada provides adequate protection for personal information was based on the law (PIPEDA) as it existed prior to passage of Bill C-7. Given the basis for the EC decision, the concerns raised by the national data protection authorities about the provisions of Bill C-7, and the explicit overturning of key provisions of PIPEDA by Bill C-7,the passage of Bill C-7 may have ended the “adequacy” of protection of airline reservation data in Canada, as defined by EU law.

At a minimum, both the Article 29 Working Party and the European Commission can, and should, re-open their consideration of the adequacy of Canadian privacy protection for airline reservation data. The EC could withdraw its finding of adequacy, or the EC adequacy decision currently in effect could be annulled by the European Court of Justice, on the basis of the changes made in Canadian law by Bill C-7.

In effect, the enactment of Bill C-7 may simply have shifted Canada’s problem of protection of airline reservation data from one of incompatibility with USA demands to one of incompatibility with EU requirements, and jeopardized the entire EU finding of the adequacy of the Canadian PIPEDA law. That would put Canada into the same category as the USA with respect to data protection: a rogue nation failing to protect international norms of privacy as a human right. For those of us in the USA who look to Canada as a positive example, on this and other issues, that would be sad indeed. Just as the latest decisions of the European Commission are sad for those who have looked to the European Union to set an international example of respect for fundamental rights.