Over the weekend Stewart Baker of the DHS posted an entry in the DHS “Leadership Journal” blog entitled U.S. and EU Agree on Data Protection Principles. Readers unfamiliar with the “back story” might conclude from this — as Baker and the DHS no doubt hope they will — that some sort of formal negotiations have been concluded, and that the USA and the European Union have actually worked out their differences on privacy and data protection.
Not so at all. Many details remain unclear, as has been typical of DHS international diplomacy. All the meetings of the previous so-called “EU US High Level Contact Group on information sharing and privacy and personal data protection” occurred in secret. But the joint statement by a new group of selected officials from US and EU executive agencies, released as an attachment to Baker’s blog post, indicates essentially the same impasse remains as existed when the “High Level Contact Group” made its final report in May 2008:
The High Level Contact Group had been created after the European Court of Justice invalidated the nonbinding “agreement” and unilateral DHS “undertakings” which had given a fig leaf of legality to DHS access to Passenger Name Record (PNR) data collected in the EU. (The ECJ ruling, in a lawsuit brought by the European Parliament, was based solely on the improper legal basis for the “agreement”. Any new agreement, even if adopted on a different basis, would still be vulnerable to challenge under EU law as a violation of fundamental rights.)
Despite being limited to representatives of executive agencies (excluding Congress, the European Parliament, and national governments of EU member nations, all of whom would have to be involved in ratification of any eventual treaty or implementing legislation), the High Level Contact Group failed to achive the agreement sought by the DHS: Even the most sympathetic Europeans were unwilling to give the DHS access to European personal data without some sort of legally binding accountability and oversight by an independent external arbiter. Even that didn’t go far enough for many other European officials, as evidenced by the Opinion of the European Data Protection Supervisor on the High Level Contact Group report, which stressed the essentiality of a binding agreement and the desirability of involving legislators and data protection authorities in the negotiations.
Meanwhile, the DHS continued to resist EU demands for reciprocal treatment of travelers from the USA and the EU. The USA continues to admit some EU citizens under the “Visa Waiver Program” (VWP) while requiring visas from citizens of many other EU members (including notably Greece, as well as some newer EU members in Eastern Europe). As a result, the EC was obliged to recommend sanctions against the USA for unequal treatment of EU visitors, in the form of a formal propsal to require visas from all US diplomatic visitors to the EU. The issue escalated when the USA proposed to require an advance electronic travel authorization even from VWP visitors. If, as it appears, a “travel authorization” is a visa by another name, the EU might be obliged to impose reciprocal visa requirments on all US citizens, not just those traveling on diplomatic or official passports.
According to a letter from the Vice-President of the EC to DHS Secrtary Chertoff, as published by Statewatch, Chertoff “fail[ed] to answer any of the specific questions we asked” about the ESTA. Instead, Chertoff replied that “the data we gather under US law from those seeking to enter the United States is not subject to negotiation.” Chertoff went on to refer to the High Level Contact Group (which had already concluded its work, unsuccessfully, and issued its “final” report on as yet unresolved differences) as providing a “framework … to resolve this matter quickly…. Assistant Secretary Baker should discuss this issue as soon as possible and resolve it in time for our signing an agreement when you come to Washington in December”.
In the past, Baker has been responsible for things like the side letter to the PNR “agreement”, fundamentally changing its meaning, that became public only after the conclusion of the “agreement”. In this case, despite the latest misleading DHS press release and blog entry, Baker wasn’t able to deliver, unless there is another secret side letter: No publicly disclosed agreement on ESTA or data exchange was signed during the Washnington meetings this month.
Thus, despite the appeal of the signers of the latest press release that “any adverse impact on private entities resulting form data transfers … should be avoided”, and Baker’s claim at the press conference that the press release “reassures private companies and third countries that they can share information … without … risk,” there is still no legal immunity for private entities that participate in warrantless, suspicionless — and, under EU law, illegal — dragnet travel surveillance. As with the NSA’s communications and Internet surveillance, it was inevitable that immunity for the DHS’s private partners in snooping on innocent travelers would eventually become an issue, and a key part of the government’s demands for revision of the law. But the DHS request for immunity hasn’t been granted, shouldn’t be, and isn’t likely to be, at least in the EU where travel companies face the real liability.
Only time will tell whether Baker will leave the DHS on this note. Unlike DHS Secretary Chertoff and TSA Administrator Hawley, Baker hasn’t yet announced his intended departure, but neither has he said publicly whether he wants to stay on at DHS. Nor has President-Elect Obama said whether he wants him to do so.
In the meantime, airlines, travel agencies, and Computerized Reservation Systems (CRSs) that send PNR data and other travel records from the EU to the USA remain in ongoing violation — crying out for both complaints to national and EU enforcement authorities, and private litigation — of national data protection laws and the EU Code of Conduct for CRS’s.