Can the US be a “safe harbor” for travel surveillance?

By EDRi · November 4, 2015

This article is a shortened version of an analysis originally published on

At its plenary session on 29 October in Strasbourg, the European Parliament adopted a “Resolution on the electronic mass surveillance of European Union citizens”. As part of the Resolution, the European Parliament, “[c]alls on the EU Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender.”


While the Snowden clause is getting most of the attention from the media, it’s not all that’s included in the Resolution. It discusses what needs to be done, and by whom, to address the “electronic surveillance” Mr Snowden has helped to expose. Notably, the Resolution explicitly includes the electronic surveillance of travel and finance along with surveillance of telephone and Internet communications.

Warrantless, suspicionless dragnet collection of metadata about the movements of people through root access by governments to Passenger Name Records (PNRs) stored in airlines’ Computerised Reservation Systems (CRS), about the movements of money via government access to electronic funds transfer intermediaries like SWIFT, and about the movements of messages through government root access to telecom and Internet backbone networks, are all part of the same overarching surveillance programme that raises issues common to all of these types of movement metadata. That point of view is implicitly endorsed by the Resolution.

The action by the European Parliament was prompted in part by the European Court of Justice (CJEU) decision in October 2015 in Schrems vs. Facebook. The CJEU found that, “without there being any need to examine the content of the Safe Harbor principles,” the Commission’s finding that US law “ensures” adequate protection for personal data transferred to the US was invalid, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”, as guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union.

The European Commission has similarly brushed off questions about the legality of outsourcing and transfers of PNR data to CRSs to which the US government has unlogged root access. And EU data protection authorities (DPAs) have dismissed or declined to investigate complaints against airlines, travel agencies, and CRSs. Now, however, the Commission and European DPAs have an explicit mandate to investigate complaints against companies that are transferring personal data from the EU to the US, and the explicit authority and obligation to order the termination of such transfers.

It’s in this context that the European Parliament resolved that it urges the Commission to assess the legal impact and implications of the CJEU ruling vis-à-vis any agreements with third countries allowing for the transfer of personal data, such as the EU-US Terrorist Finance Tracking Programme (TFTP) Agreement, PNR agreements, the EU-US umbrella agreement, and other instruments under EU law which involve the collection and processing of personal data. What does this mean for the future of travel surveillance in the EU, the example it might set for other countries, and the prospects for US efforts to globalise a panopticon of travel dataveillance as a new norm?

As of now, since the CJEU’s decision, one thing is clear: Every company – regardless of whether it is incorporated in the US, the EU, or a third country – whose practices contradict the European Court’s ruling, for example by outsourcing the storage or processing of personal data collected in the EU to any entity in the US, or that makes personal data collected in the EU freely retrievable from the US, is violating fundamental EU law. That includes, but is not limited to, travel companies including some of the CRSs that have relied on the self-certified (and unaudited) claim that they were complying with the Safe Harbor framework to provide a fig leaf of purported legality for their ongoing data transfers from the EU to the US.

Today, every time any travel agency, tour operator, airline ticket office, or passenger handling contractor that subscribes to one of the US-based CRSs collects information in the EU – over the counter, by phone, or through a website – and enters it into a PNR stored on servers in the US, that company is violating the EU Data Protection Directive and the EU Charter of Fundamental Rights. Again, that is equally true regardless of whether the travel company in question is based in the US, the EU, or anywhere else. Unless and until the US puts in place “adequate” protections against unjustified government access to this data, or the EU repeals or amends its Charter of Fundamental Rights, each of these companies is vulnerable to sanctions and cease and desist orders as soon as anyone complains to the proper data protection authorities. Essentially every major airline that operates in Europe, even ones that do not fly to the US, is at risk: If they sell tickets through travel agents at all, even airlines that host their own PNRs in the EU-based Amadeus CRS have appointed agents who act in the name of the airline and subscribe to, and create PNRs in, the US-based CRSs Sabre, Galileo, or Worldspan.

There’s been talk of new or revised forms of “self-regulation”, in the form of a “Safe Harbor 2.0” framework or “binding corporate rules”. But under US law, US government demands for access to information (including warrantless secret demands that include their own gag orders) trump any contractual commitments to data subjects or third parties. So no regime based on enforcement of contractual commitments could possibly protect data, once it is stored on US servers, against unjustified government access.

A new “umbrella agreement” regarding transfers of personal data between the US and the EU for law enforcement purposes has recently been “initialled”. Professor Douwe Korff has carried out a detailed and very critical analysis of the text.

The prerequisite to continued transfers of personal data from the EU to the US, without violating fundamental rights recognised by the EU, is either ratification of a new, binding treaty, or a change in US law, to provide substantive protection and effective procedures for meaningful challenge and judicial review of government demands for access to personal data. Individuals can best put pressure on the US government to do so by complaining to EU data protection authorities whenever companies collect data about you in the EU and send it for storage on servers in the US, including whenever you make reservations in the EU with a travel company that subscribes to Sabre, Galileo, or Worldspan.

European Parliament resolution on the follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens (2015/2635(RSP)) (29.10.2015)

What’s wrong with mass surveillance of travel metadata? (24.02.2014)

What’s in a Passenger Name Record (PNR)?

European Parliament rejects deal for US access to SWIFT financial data. Next on the agenda: PNR deal for access to travel data (11.02.2010)

CJEU ruling, Max Schrems vs Data Protection Commissioner (06.10.2015)

European Parliament approves PNR agreement with the US. What’s next? (25.04.2012)

PNR in Practice

European Commission – Fact Sheet: Questions and Answers on the EU-US data protection “Umbrella agreement” (08.09.2015)

(Contribution by Edward Hasbrouck)