No mention of "Secure Flight" in Ridge talks with the EU

With an announcement of more details about the USA Transportation Security Administration (TSA) Secure Flight passenger surveillance and no-fly scheme imminent, and Secretary of Homeland Security Tom Ridge in Europe for talks with European Union (EU) leaders on the use of airline passenger data by his Department of Homeland Security , there has still been no mention of how Ridge, the DHS, and the TSA intend to get approval from the EU in time to start testing Secure Flight by the end of this year, as they have said they intend.

In general, as has already been an issue between the USA and the EU, the EU Data Protection Directive provides only limited exceptions to its requirements, including those of consent from “data subjects” for use of personal data about them, and prohibits disclosure to others unless they agree to respect those rights and provide an “adequate” level of protection for personal data. In addition, the EU Code of Conduct for computerized reservation systems (CRS’s) prohibits CRS’s — which host almost all major airlines’ passenger databases — from disclosing any data from passenger name records (PNRs) without the consent of the passenger or other data subject.

The USA and the European Commission reached a so-called “agreement” (not technically speaking an international agreement under USA law, since it wasn’t ratified as a treaty by the Senate, and thus can’t be invoked as binding in any USA court) with the USA which would allow the DHS Customs and Border Protection (CBP) division to use personal data collected in the EU and entered into airline reservations, in certain cases and for certain purposes. Pursuant to this agreement and certain (non-binding) undertakings made by the DHS as to how they would use this data, the EC also issued a finding that this data would be “adequately” protected once transferred the USA government.

The European Parliament is challenging both the “agreement” and the adequacy finding in the European Court of justice. But what may be even more significant in the short term is that neither applies, even arguably, to “Secure Flight”. The USA-EU agreement and the DHS undertakings apply exclusively to data concerning international flights. Data collected in the EU for reservations on domestic flights within the USA, or data collected by or transferred to the TSA rather than the CBP, are included only through a clause in the undertakings permitting their use for testing (not deployment) of CAPPS-II . There is nor mention whatsoever of any other similar, related, or successor program(s).

As the DHS and TSA have long since admitted, it’s impossible to tell which reservations contain data originally collected in Europe, as many do. The TSA and DHS can only test Secure Flight, under the current USA-EU agreement, adequacy finding, and undertakings, if they admit that “Secure Flight” is really CAPPS-II, and re-name it accordingly.

The DHS has said it intends to test Secure Flight first with historical data from past flights — for which consent can’t possibly be obtained after the fact. If the DHS doesn’t rename “Secure Flight” back to “CAPPS-II”, or negotiate a new agreement and adequacy finding with the EU, any airline turning over passenger data for Secure Flight tests will have no protection under the existing agreement, and will be subject to enforcement action by EU national data protection authorities. And any CRS collaborating with the tests will also be subject to enforcement action by the European Commission for violation of the EU Code of Conduct for CRS’s.