ENDitorial – Are Transatlantic Data Protected?

By EDRi · March 28, 2007

(This article is also available in German)

More questions than answers were produced by a full day of discussions
on 26 March 2007 about Passenger Name Records (PNR), including a
public seminar by the European Parliament LIBE committee on
transfers of personal data to the U.S. (PNR, SWIFT, and “Safe Harbour”),
as well as a preparatory workshop of the Article 29 Working Party of
national data protection authorities on the EU approach to a new PNR
agreement with the US.

PNR can contain intimate personal information and enable the
construction of detailed histories of your movements. It’s generated
every time you make an airline reservation, even if you don’t take the
flight. PNR are being used for profiling and controlling movements.

The sessions showed a high level of attention being paid to these
issues. Data protection authorities, MEPs, European airlines, NGOs,
and invited academics and experts all stressed their concern that human
rights and data protection are being bypassed by the European Commission
and Council. The European Parliament, as well as the Article 29 Working
Party, have almost no information about what is actually being
negotiated in the new long-term PNR agreement.

The response from Council and Commission representatives was: “Trust us,
and trust the US authorities”, but they had few answers to specific
questions. At the end of the day, issues remaining on the table included:

* Lack of clear justification for US government access to PNR, or
evidence of its effectiveness.
“If there is any evidence that PNR data helps the fight against
terrorism, I would like to see it”, MEP and rapporteur on PNR Sophie
In’t Veld demanded. Commissioner Jonathan Faull replied that any
evidence must remain secret as a matter of national security.

* Mission creep.
A program justified as an anti-terrorist measure is being used primarily
for general law enforcement and border control. “We are as fanatic as
the Americans about terrorism,” said LIBE Committee vice-chair Stavros
Lambrinidis. “But thievery is not terrorism. Illegal immigration is not
terrorism.” There is a difference between what is necessary and what is
useful. Data protection is a fundamental right, and exceptions should be
considered only if they are truly necessary for fundamental purposes – not
merely if they are useful, or for less fundamental purposes.

* Lack of independent review of the current PNR agreement with the US.
MEPs and Peter Schaar, director of the German data protection authority
and chair of the Art. 29 Working Party, insisted that an independent
audit of the current interim arrangement had to be completed before any
long-term agreement was approved.

* Uncertainty regarding how PNR data is actually being used in the US.
The 2003 EDRI campaign to “ask for your data from travel companies”
showed that the only way to find out how PNR are being used is for
European travellers to assert their rights to access their data. US
activism is of no help here because people in the US have no right to
access their personal data. Therefore, new requests by Europeans for
access to their travel records (including more recently disclosed
categories and uses of data) are essential to uncover and document what
is actually happening. You can help by asking for your data if you
travel to the US. The Identity Project has prepared sample letters in
English for the UK that you can use as a model to request your data. These
could also be adapted to other European languages and countries. This
action is also necessary because even if airlines have opposed
government demands for them to make costly changes in their business
processes (and to function as assistants to the police), they have not
made any legal challenges to government demands for their passengers’
data. With no legal challenges in Europe, it will remain difficult to
accurately assess the situation.

* Uncertainty regarding the legality of the substance of the current PNR
agreement.
The European Court of Justice overturned the original PNR agreement on
constitutional grounds, but the ECJ did not decide if the substance of
the agreement was consistent with the European Convention on Human
Rights (ECHR) or the International Covenant on Civil and Political
Rights (ICCPR). In this context, seminar participants insisted that data
protection and freedom of movement were fundamental rights that had to be
protected, and that a Data Protection Framework Decision for the third
pillar was urgently needed.

* Lack of data protection in the US.
Once PNR and other data reach the US, US assurances that data will be
used “in accordance with US law” have no meaning, because there are
loopholes in US privacy laws for government use of data and no rules or
restrictions on commercial use of personal data.

* Parallel activities that appear to bypass the current interim PNR
agreement.
Concerns were raised that the proposed “Open Skies” treaty with the US
would legally override the PNR agreement, and would require compliance
with recommendations by the International Civil Aviation Organization
(ICAO), thus delegating authority for future decisions on PNR to ICAO.
Such an arrangement would transfer legislative power to a forum outside
the EU, where civil society, data protection commissioners and human
rights advocates have no voice. In addition, both the side letter by
Stewart Baker of the US Department of Homeland Security which
accompanied the interim agreement, and the disclosures after the interim
agreement was concluded regarding the use of PNR in the DHS “Automated
Targeting System” (ATS), suggested that the US considers itself
free to “move the goalposts” on PNR use unilaterally.

* Parallel initiatives by governments in the EU.
Gus Hosein of Privacy International stressed that the US is not alone in its
demands for PNR, and that Europeans should be equally
concerned about similar measures by the EU and its members. The Commission
is considering whether to require government access to PNR, while Tim Rymer
from the UK Customs Office reported that the UK is already using the
“Semaphore” program to profile travellers as part of its “e-borders”
initiative.

* Lack of basic understanding of the underlying systems.
Many questions regarding the number of fields in the PNR, and even their
content, as well as the role of Computerised Reservation Systems
(CRS), made substantive discussion difficult. As David Smith of the UK
data protection authority noted, “One country needs 25 fields and
another needs 34. Why?” Much of what happens to PNRs, and how it is
possible to use them, is the result of a complex, poorly documented
travel information architecture developed over several decades on the
basis of mainframe computers, flat files, and narrow-bandwidth
communications links.

Throughout the day, attention was focused on the roles of commercial
intermediaries in processing personal data. PNR travel data, SWIFT
financial data, telecommunications data and Internet access data raise
parallel concerns regarding data retention, government access to this
data and use of it for profiling, and the role and responsibility of the
small numbers of information intermediaries that play key roles in each
of these parallel networks.

Companies like SWIFT for electronic fund transfers, and the four major
global CRS for PNR, are invisible to consumers, and claim they are
only message transmission services and not responsible as “data
controllers”. But these are the companies that actually transmit
financial and travel data to the US, and make it available to the US
government.

Currently, CRS are subject to strong, but unenforced, EU privacy
regulations – Council Regulation (EEC) No 2299/89 of 24 July 1989 on a code
of conduct for computerized reservation systems:
“A system vendor shall not make personal information concerning a passenger
available to others not involved in the transaction without the consent of
the passenger.”
“The subscriber shall inform the consumer of the name and address of the
system vendor, the purposes of the processing, the duration of the retention
of individual data and the means available to the data subject of exercising
his access rights.”

The Commission is currently conducting a public consultation and
accepting comments through 27 April 2007 on whether the Code of Conduct
for CRS should be amended or repealed entirely, as has already been
done in the US. You can tell the Commission you want them to
retain, strengthen, and enforce these notice and consent rules – not
repeal them.

Edward Hasbrouck – What’s in a PNR?
http://hasbrouck.org/articles/PNR.html

LIBE – Committee on Civil Liberties, Justice and Home Affairs seminar
(26.03.2007)
http://www.europarl.europa.eu/hearings/default_en.htm

EDRI Campaign against the illegal transfer of European travellers’ data to
the USA
http://www.edri.org/campaigns/airline/0305

Europeans: Time to ask for your travel records (The Identity
Project) includes sample requests to airlines, travel agencies, and
reservation systems (20.10.2006)

American Travelers to Get Secret ‘Risk Assessment’ Scores (30.11.2006)
http://www.eff.org/news/archives/2006_11.php#005030

A common EU approach to the use of Passenger Name Record (PNR) data for law
enforcement purposes – Article 29 Working Party
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/others/2007_31_01_common_eu_approach_use_pnr_data_for_law_enforcement.pdf

Council Regulation 2299/89 (13.08.1999)
http://ec.europa.eu/transport/air_portal/consultation/doc/2007_04_27/ec_2299_89_crs_regulation_cconsolidated_en.pdf

Europe reconsidering rules for reservation systems (4.03.2007)
http://hasbrouck.org/blog/archives/001225.html

(Contribution by Erik Josefsson – Electronic Frontier Foundation and Edward
Hasbrouck – Identity Project)