Last week — despite the demonstration shown above (more photos here) by Members of the European Parliament as their colleagues entered the plenary chamber for the vote — the European Parliament acquiesced, reluctantly, to an agreement with the US Department of Homeland Security to allow airlines that do business in the EU to give the DHS access to PNR (Passenger Name Record) data contained in their customers’ reservations for flights to or from the USA. (See our FAQ: Transfers of PNR Data from the European Union to the USA.)
The vote is a setback for civil liberties and the the fundamental right to freedom of movement, in both the US and Europe.
But the vote in the European Parliament is neither the definitive authorization for travel surveillance and control, nor the full grant of retroactive immunity for travel companies that have been violating EU data protection rules, that the DHS and its European allies had hoped for.
Many MEPs voted for the agreement only reluctantly, in the belief (mistaken, we believe), that it was “better than nothing” and represented an attempt to bring the illegal US surveillance of European travelers under some semblance of legal control.
Whatever MEPs intended, the vote in Strasbourg will not put an end to challenges to government access to airline reservations and other travel records, whether in European courts, European legislatures, or — most importantly — through public defiance, noncooperation, and other protests and direct action.
By its own explicit terms, and because it is not a treaty and is not enforceable in US courts, the “executive agreement” on access to PNR data provides no protection for travelers’ rights.
The intent of the US government in negotiating and lobbying for approval of the agreement was not to protect travelers or prevent terrorism, but to provide legal immunity for airlines and other travel companies — both US and European — that have been violating EU laws by transferring PNR data from the EU to countries like the US. The DHS made this explicit in testimony to Congress in October 2011:
To protect U.S. industry partners from unreasonable lawsuits, as well as to reassure our allies, DHS has entered into these negotiations.
But because of the nature of the PNR data ecosystem and the pathways by which the DHS (and other government agencies and third parties outside the EU) can obtain access to PNR data, the agreement does not provide travel companies with the full immunity they had sought.
Most of the the routine practices of airlines and travel companies in handling PNR data collected in the EU remain in violation of EU data protection law and subject to enforcement action by EU data protection authorities and private lawsuits by travelers against airlines, travel agencies, tour operators, and CRS companies in European courts.
Why is that?