Congress, EU, and businesses question "targetting" of travellers

Questions are beginning to be asked by members of the U.S. Senate , the European Commission , the European Parliament , and business travellers about the illegal “Automated Targeting System” (ATS) that the USA Department of Homeland Security has already used to deny more than half a million people their right to travel, and is continuing to use even while still accepting public “comments” on whether they should stop breaking the law.

Among those who have now filed formal comments demanding that the system be scrapped and the dossiers on travellers destroyed are a broad coalition of organizations representing business travellers and travel management companies in the USA and abroad, including the Association of Corporate Travel Executives (ACTE) and the Business Travel Coalition (BTC).

Reaction against the ATS scheme has been especially strong in Canada, where the double standard of Americans who want to give would-be Canadian visitors to the USA the third degree, while still treating Canada like a province of the USA, is an old and open wound.

The first report of U.S. Senator Leahy’s promise to hold hearings next year on the ATS came in a Canadian newspaper, not in the USA:

The 66-year-old six-term senator said as chair of the Senate judiciary committee, he will summon government officials to determine why they circumvented Congress in establishing the so-called Automated Targeting System, a data-mining program that assigns a “terrorist score” to all arrivals in this country based on information ranging from your cellphone number, to your credit-card data, to your seating preference on your flight.

“(This administration) has … created data banks and dossiers on law-abiding Americans, without following the law and without first seeking legal authorization.”

Some U.S. legislators and privacy advocates say they believe the homeland security department broke a law when it continued to develop the program despite a funding ban on such projects instituted by Congress.

Under the targeting system, the government retains records on travellers for up to 40 years and can share the data with foreign governments, law enforcement agencies or private employees, but it denies average citizens access to the data.

Across the pond, European Commissioner for Justice, Freedom and Security Franco Frattini
announced that he and the President of the EC have made formal inquiries to the USA about the ATS scheme:

The information published by the DHS reveals significant differences between the way in which PNR data are handled within the Automated Targeting System on the one hand and the stricter regime for European PNR data according to the Undertakings given by the DHS.

The Council Presidency and Commission are contacting the US Government to request formal confirmation that the way EU PNR data are handled in the ATS is the one described in the Undertakings.

I have always taken the position that travellers must be informed when their PNR data may be transferred to competent authorities of third countries. The DHS Undertakings expressly acknowledge this….We need an international agreement with the support of the public on both sides of the Atlantic and of the democratic representatives of the peoples.

That suggests that EU authorities will insist — as I’ve previously noted that they should — that any real “agreement” with the USA on passenger name record (PNR) data will have to take the form of a treaty, duly ratified by the U.S. Senate and by EU members.

The ATS scheme was also denounced as a “Big Brother Syatem” in repeated statements by Sophie in ‘t Veld , member of the European Parliament and rapporteur for the most recent Euoparl debate on PNR data transfers to the USA. (I’ll add more details if I can get a good translation from the Dutch of her statements.)

In response, the DHS continues to dissemble :

Jarrod Agen, a spokesman for the Department of Homeland Security, which includes the Customs agency, said that Customs is abiding by the October agreement [with the EU], including a provision that data about passengers arriving from Europe be held for only 3 1/2 years.

As the DHS knows — not least because I’ve pointed it out to them repeatedly — the applicability of EU data protection law depends on where the data was collected , not on where the passengers or the flight originated. Passengers who aren’t “arriving from Europe” are protected by European law, if any of the data in their reservations arrived from Europe.

The problem for the DHS is that they can tell from a PNR if it includes a flight that originated from the EU, but nothing in a PNR shows where the data originated. To complicate the problem, a single PNR can contain data collected and entered at many different times, by many different entities (a travel agency or tour operator, multiple airlines and hotel companies, a car rental company, etc.) in different jurisdictions.

In order to comply with the laws in all the places where they do business — unless and until each entry in a PNR includes the jurisdiction whose data protection rules apply to that information — travel companies should apply the highest standards of any of these countries to all the data in their PNRs. Instead, these companies and the DHS apply the lowest standard, that of the USA where there is no legal protection for “commercial” data like PNRs. They pretend that nobody ever makes reservations outside the USA for flights within the USA or on airlines based in the USA — as if they didn’t have agents appointed to represent them, make reservations, and sell and issues tickets on these “domestic” flights at locations and in jurisdictions around the world.

EU law is violated when data collected in the EU is transferred to an entity in a country that lacks adequate data protection law. That includes the USA, since the European Commission finding of “adequacy” with respect to the USA was annulled by the European Court of Justice.

Suppose you make reservations with a travel agency or tour operator in Munich for a tour of the USA that includes a domestic flight from New York City to Orlando, on a different airline from the one you use to fly to and from the USA.

The agency or operator collects your data in Germany, and uses it to create a PNR, protected by German law, in one of the major computerized reservation systems that operates in Germany.

The CRS then breaks the law by sending the data to the USA to an airline (and maybe to other commercial third parties) that doesn’t comply with German data protection law. The transfer to a commerical entity in the USA is just as illegal as the transfer to the USA government. The CRS breaks the law again by collaborating in sending the data to the government of the USA. (Since most airlines outsource their reservation databases to one or another of the major CRS’s, the airline couldn’t systematically feed all its PNRs to the DHS without the knowledge and complicity of the CRS that provides their hosting services.) The CRS also violates the EU Code of Conduct for CRS’s by doing this without the consent of the traveller, which the Code for CRS’s requires without exception, even for data transfers to the government for law enforcement purposes.

So while attention has focused on airlines and the government, the biggest lawbreakers have been the CRS’s that have been the conveyor belts, infrastructure providers, and active accomplices and profiteers in this flood of illegally copied and diverted personal data.

It’s crucial that this be recognized, and that the CRS’s be hauled into the spotlight and held accountable in any Congressional or European Parliamentary hearings or other investigations, as well as by requests for travel records by individuals in the EU.

[Addendum, 21 January 2007: A spokesperson for the European Commission (which tried to push through the original “deal” to allow the DHS acces to PNR data collected in the EU) now says the EC is satisfied with the latest unilateral, unenforceable assurances given by the DHS about the latest deal. But members of the European Parliament, which successfully sued the EC in the European Court of Justice to overturn the original deal, are pursuing their objections to the new deal with the DHS and to the Automated Targeting System, as are members of the “Article 29 Working Group” of EU members states’ national data protection officers.]