PNR: Bolkestein misleads European Parliament

By EDRi · January 15, 2004

Commissioner Frits Bolkestein concealed important details on the draft agreement reached with the USA on the transfer of Passenger Name Record Data (PNR) to the U.S. Bureau of Customs and Border Protection when reporting to two Committees of the European Parliament four weeks ago. This is what Bolkestein’s spokesman Jonathan Todd has admitted in an interview with German public television station WDR.

On 16 December 2003, speaking to a joint session of the EU Parliament’s Legal Affairs and Interior Affairs Committees, Bolkestein claimed that the use of EU citizen’s personal data in the CAPPS-II system was explicitly exempted from the agreement the negotiation group he heading had just reached with U.S. authorities. He made the point that this exclusion was part of ‘important concessions’ of the U.S. side, prerequisite to the Commission’s agreement to the transfer of PNR data to the U.S.: “The arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II).” And: “In concluding my last round of discussions with Mr Ridge, I informed him that in the light of the narrower uses for PNR, the exclusion for now of CAPPS II and all the other improvements they had made, I was prepared to propose that the Commission make a finding of adequate protection with regard to transfers of PNR to the US Bureau of Customs and Border Protection.”

“We have”, Mr. Todd said on 13 January, “agreed that the TSA may use data for testing purposes. But that includes an obligation not to use the data operationally, to delete them after the test phase and not to pass them on to third parties.” It is entirely unclear, however, how the Commission wants to make sure that the deletion will happen and the data is indeed merely used for testing purposes.

The Commission’s confession comes one week after EDRI revealed that the U.S. side saw the agreement as covering the use of EU citizen’s data “to test – and only to test – CAPPS II”. In an e-mail to “Practical Nomad” editor Edward Hasbrouck, Nuala O’Connor Kelly, the ‘Chief Privacy Officer’ of the U.S. Department of Homeland Security, said that was what “the language of the agreement contemplates”.

Mrs. O’Connor Kelly futher more announced: “We also stated publicly that we will immediately begin follow-on discussions with the EU in order to establish a framework for the transfer of PNR data for use by CAPPS II operations once the system has been fully developed and deployed.” Mr. Todd now admits this statement correctly reflects the concessions made by Commissioner Bolkestein to the U.S. side: “We are already talking with the Americans about which security measures must be met if PNR data are to be used in CAPPS-II. We hope to reach an agreement as soon as possible once the U.S. Congress has approved CAPPS-II.”

According to Article 25 of the EU Data Protection Directive, personal data of EU citizens may be transferred to foreign countries only if these have an adequate level of Data Protection. In particular, the EU Commission has to test whether the data will be fairly, lawfully and securely processed, for limited purposes and in accordance with the data subject’s rights only, whether the transfer is adequate, relevant and not excessive, the data transferred are accurate and will not be kept longer than necessary. The CAPPS-II system, which constitutes an immense Computer network for surveillance purposes, would, according to almost all privacy experts, not meet this criteria. What’s more, the U.S. administration plans to interlink CAPPS-II with the even more extensive US-VISIT database system, to which the U.S. ‘Intelligence Community’ would have direct access, and where the data would be kept 100 years.

EDRi EU Affairs Director Andreas Dietl declared in a public statement on 14 January: “It is a shame that Commissioner Bolkestein has tried to mislead the European Parliament on the nature of the draft agreement dealt out with the U.S. Department of Homeland Security. The Commission has agreed to the abuse of EU citizen’s personal data to test a surveillance system that in its very nature is against the principles of EU data protection legislation. The claim by the U.S. that the data used for testing purposes will be deleted thereafter is merely a joke: the data will still be available in the Computerised Reservation System (CRS), where it can be accessed by government agencies at any time.”

Commissioner Bolkestein’s speech to the European Parliament (16.12.2003)
http://europa.eu.int/rapid/start/cgi/guestfr.ksh?p_action.gettxt=gt&doc=SPEECH/03/613%7C0%7CRAPID&lg=EN&display=

Press release EDRI (14.01.2004)
http://www.edri.org/cgi-bin/index?funktion=view&id=000100000123

Previous press release EDRI in English (06.01.2004)
http://www.edri.org/cgi-bin/index?funktion=view&id=000100000121

in French
http://www.iris.sgdg.org/actions/pnr/comm-edri0104.html

in German
http://www.quintessenz.org/cgi-bin/index?funktion=view&id=000100002802

Edward Hasbrouck’s “Practical Nomad” website
http://www.hasbrouck.org/index.html