ENDitorial - Are Transatlantic Data Protected?
(This article is also available in German)
More questions than answers were produced by a full day of discussions, 26 March 2007, on Passenger Name Records (PNR), including a public seminar by the European Parliament LIBE committee on transfers of personal data to the U.S. (PNR, SWIFT, and "Safe Harbour"), as well as a preparatory workshop of the Article 29 Working Party of national data protection authorities on the EU approach to a new PNR agreement with the US.
PNR can contain intimate personal information and enable the construction of detailed histories of your movements. It's generated every time you make an airline reservation, even if you don't take the flight. PNR are being used for profiling and controlling movements.
The sessions showed a high level of attention being paid to these issues. Data protection authorities, MEPs, European airlines, NGOs, and invited academics and experts all stressed their concern that human rights and data protection are being bypassed by the European Commission and Council. The European Parliament, as well as the Article 29 Working Party, have almost no information about what is actually being negotiated in the new long-term PNR agreement.
The response from Council and Commission representatives was: "Trust us, and trust the US authorities", but they had few answers to specific questions. At the end of the day, issues remaining on the table included:
- Lack of clear justification for US government access to PNR, or evidence of its effectiveness.
"If there is any evidence that PNR data helps the fight against terrorism, I would like to see it", MEP and rapporteur on PNR Sophie In't Veld demanded. Commissioner Jonathan Faull replied that any evidence must remain secret as a matter of national security.
- Mission creep.
A program justified as an anti-terrorist measure is being used primarily for general law enforcement and border control. "We are as fanatic as the Americans about terrorism," said LIBE Committee vice-chair Stavros Lambrinidis. "But thievery is not terrorism. Illegal immigration is not terrorism." There is a difference between what is necessary and what is useful. Data protection is a fundamental right, and exceptions should be considered only if they are truly necessary for fundamental purposes - not merely if they are useful, or for less fundamental purposes.
- Lack of independent review of the current PNR agreement with the US.
MEPs and Peter Schaar, director of the German data protection authority and chair of the Art. 29 Working Party, insisted that an independent audit of the current interim arrangement had to be completed before any long-term agreement was approved.
- Uncertainty regarding how PNR data is actually being used in the US.
The 2003 EDRI campaign to "ask for your data from travel companies" showed that the only way to find out how PNR are being used is for European travellers to assert their rights to access their data. US activism is of no help here because people in the US have no right to access their personal data. Therefore, new requests by Europeans for access to their travel records (including more recently disclosed categories and uses of data) are essential to uncover and document what is actually happening. You can help by asking for your data if you travel to the US. The Identity Project has prepared sample letters in English for the UK that you can use as a model to request your data. These could also be adapted to other European languages and countries. This action is also necessary because even if airlines have opposed government demands for them to make costly changes in their business processes (and to function as assistants to the police), they have not made any legal challenges to government demands for their passengers' data. With no legal challenges in Europe, it will remain difficult to accurately assess the situation.
- Uncertainty regarding the legality of the substance of the current PNR
The European Court of Justice overturned the original PNR agreement on constitutional grounds, but the ECJ did not decide if the substance of the agreement was consistent with the European Convention on Human Rights (ECHR) or the International Covenant on Civil and Political Rights (ICCPR). In this context, seminar participants insisted that data protection and freedom of movement were fundamental rights that had to be protected, and that a Data Protection Framework Decision for the third pillar was urgently needed.
- Lack of data protection in the US.
Once PNR and other data reach the US, US assurances that data will be used "in accordance with US law" have no meaning, because there are loopholes in US privacy laws for government use of data and no rules or restrictions on commercial use of personal data.
- Parallel activities that appear to bypass the current interim PNR agreement.
Concerns were raised that the proposed "Open Skies" treaty with the US would legally override the PNR agreement, and would require compliance with recommendations by the International Civil Aviation Organization (ICAO), thus delegating authority for future decisions on PNR to ICAO. Such an arrangement would transfer legislative power to a forum outside the EU, where civil society, data protection commissioners and human rights advocates have no voice. In addition, both the side letter by Stewart Baker of the US Department of Homeland Security which accompanied the interim agreement, and the disclosures after the interim agreement was concluded regarding the use of PNR in the DHS "Automated Targeting System" (ATS), suggested that the US considers itself free to "move the goalposts" on PNR use unilaterally.
- Parallel initiatives by governments in the EU.
Gus Hosein of Privacy International stressed that the US is not alone in its demands for PNR, and that Europeans should be equally concerned about similar measures by the EU and its members. The Commission is considering whether to require government access to PNR, while Tim Rymer from the UK Customs Office reported that the UK is already using the "Semaphore" program to profile travellers as part of its "e-borders" initiative.
- Lack of basic understanding of the underlying systems.
Many questions regarding the number of fields in the PNR, and even their content, as well as the role of Computerised Reservation Systems (CRS), made substantive discussion difficult. As David Smith of the UK data protection authority noted, "One country needs 25 fields and another needs 34. Why?" Much of what happens to PNRs, and how it is possible to use them, is the result of a complex, poorly documented travel information architecture developed over several decades on the basis of mainframe computers, flat files, and narrow-bandwidth communications links.
Throughout the day, attention was focused on the roles of commercial intermediaries in processing personal data. PNR travel data, SWIFT financial data, telecommunications data and Internet access data raise parallel concerns regarding data retention, government access to this data and use of it for profiling, and the role and responsibility of the small numbers of information intermediaries that play key roles in each of these parallel networks.
Companies like SWIFT for electronic fund transfers, and the four major global CRS for PNR, are invisible to consumers, and claim they are only message transmission services and not responsible as "data controllers". But these are the companies that actually transmit financial and travel data to the US, and make it available to the US government.
Currently, CRS are subject to strong, but unenforced, EU privacy regulations - Council Regulation (EEC) No 2299/89 of 24 July 1989 on a code of conduct for computerized reservation systems: "A system vendor shall not make personal information concerning a passenger available to others not involved in the transaction without the consent of the passenger." "The subscriber shall inform the consumer of the name and address of the system vendor, the purposes of the processing, the duration of the retention of individual data and the means available to the data subject of exercising his access rights."
The Commission is currently conducting a public consultation and accepting comments through 27 April 2007 on whether the Code of Conduct for CRS should be amended or repealed entirely, as has already been done in the US. You can tell the Commission you want them to retain, strengthen, and enforce these notice and consent rules - not repeal them.
Edward Hasbrouck - What's in a PNR?
LIBE - Committee on Civil Liberties, Justice and Home Affairs seminar
EDRI Campaign against the illegal transfer of European travellers' data to
Europeans: Time to ask for your travel records (The Identity Project) includes sample requests to airlines, travel agencies, and reservation systems (20.10.2006)
American Travelers to Get Secret 'Risk Assessment' Scores (30.11.2006)
A common EU approach to the use of Passenger Name Record (PNR) data for law enforcement purposes - Article 29 Working Party
Council Regulation 2299/89 (13.08.1999)
Europe reconsidering rules for reservation systems (4.03.2007)
(Contribution by Erik Josefsson - Electronic Frontier Foundation and Edward Hasbrouck - Identity Project)