Testimony to Members of the European Parliament

[Hearing in progress. MEP Jan Philipp Albrecht in the chair, center.]

[My presentation. European Data Protection Supervisor Peter Hustinx at right.]

I’m testifying Thursday afternoon in Brussels (Thursday morning in the USA) on the hotly debated proposed agreement between the EU and the U.S. Department of Homeland Security on transfers of Passenger Name Records (PNRs) from the European Union to the DHS at a public hearing on “Protection of Personal Data in Transatlantic Security Cooperation: SWIFT, PNR & Co. - which way forward?”, hosted by Jan Philipp Albrecht, Member of the European Parliament. 14:00-17:00, European Parliament, Brussels, room ASP 1G-3 (Petra Kelly Room). Open to the public, but prior arrangement required for access to the building. Note that the video is best viewed with the slides open in a separate window, since only the speakers, not the slides, are visible on the video.

• Handout (my slides with annotations)
• Archive of official video: Part 1, Part 2
• Agenda and witness list

[On the dias, left to right: Peter Hustinx (EDPS), Edward Hasbrouck, MEP Jan Philipp Albrecht, Prof. Paul de Hert, Despina Vassiliadou (European Commission), Dr. Patrick Breyer.]

Additional information:

• 2010 Identity Project update on DHS non-compliance with the PNR agreement
• 2008 Identity Project analysis of DHS non-compliance with the PNR agreement
• 2007 Identity Project report on the first DHS responses to requests for PNR data
• How to request your own travel records
• Background: What’s in a PNR?
• FAQ: Transfers of PNR Data from the EU to the USA
• Other Identity Project policy analysis and research
• Thoughts from Berlin: A new “Silicon Curtain”?
• Related events on my European trip

Update: As I said at the start of my testimony, my role as an American technical expert was to inform MEP’s and other EU policy-makers about the PNR ecosystem, how PNRs are actually used in the USA and other countries, and what has happened when people have tried to obtain their own travel records — not to tell Europeans what policies they should adopt.

But at the end of the hearing, the chair (MEP Jan Albrecht) asked each of the witnesses, including me, to say what we thought would be the most important things to include in a new agreement on PNR between the EU and the USA. As it happens, I had exactly five items on my own list of prerequisites needed for a new PNR agreement to be effective (beginning at 1:16:00 of part 2 of the archived video):

1. It must be a treaty, so that it is binding on the USA. (Under the U.S. Constitution, a treaty ratified by the Senate is the only binding form of international instrument.)
   
   
2. It must be preceded by enforcement of existing EU data protection law as it applies to PNR data in the commercial sphere, and the necessary infrastructure changes (especially by the major CRS’s) to bring them into compliance with EU law when they handle personal data collected in the EU, or transfer it to the USA or other countries. (Many changes are required, but the most important first steps are for EU data protection authorities to place Sabre, Travelport, and Amadeus under the microscope, and for CRS’s to add access logs to PNR “histories” or change logs, using the same controls to prevent deletion or modification of access logs as are currently used to prevent alteration of PNR history data.)
   
   
3. The US Privacy Act must be amended to extend its protections and the right of private enforcement action in US courts to all data subjects regardless of nationality or residence.
   
   
4. The USA must withdraw its reservation that the International Covenant on Civil and Political Rights (Article 12 of which guarantees the right of freedom of movement) is not self-effectuating, and must enact effectuating legislation creating a private right of action under US Federal law for violations of the ICCPR, and giving US Federal courts jurisdiction to hear such cases.
   
   
5. The USA must create, and allow in practice, a right of private legal action and judicial review in US Federal courts (for all people regardless of citizenship or residence) of all no-fly decisions and any other decisions made in whole or in part on the basis of PNR data.

Further update: My testimony is at the start of Part 2 of the video archive. The most detailed account of the hearing to date is in German in Heise, which also links back to their earlier report on my request to KLM for their PNR and other data about me. My similar request to Air France is still pending with the French data protection authority, CNIL. If you aren’t already familiar with the issues, my podcast interview from HAX’s blog provides a more accessible introduction.