At the meeting of the LIBE (civil liberties) committee of the European Parliament on the 7th of April, a representative of the European Commission announced that the EC will shortly be releasing a report on the second closed-door EC-DHS joint review of DHS compliance with the current “agreement” on DHS access to and use of PNR data related to flights between the EU and USA.

We haven’t yet seen this report of the second joint review, although drafts of an EU report on the joint review and the DHS response to the EU draft have been posted by Statewatch. But since the first joint review in 2005, the DHS has published two reports — one in December 2008 and an update in February 2010 — on its own self-assessment and claims of compliance with the agreement, and we have studied  them carefully..

These 2008 and 2010 DHS reports are seriously misleading and contain significant legal and factual misstatements.  Their inaccuracy makes clear that DHS claims cannot be relied on without independent verification. The willingness of the DHS to publish such false claims calls into question the good faith of DHS participation in the joint review, and reinforces the need for a truly independent review including an audit of DHS actions by technical experts with access to legal process to compel full access to DHS records.

It’s not for us, as Americans, to tell European politicians what policies they should adopt. Nonetheless, as Americans who have systematically tested what happens when travellers attempt to access PNR data about themselves held by the DHS, and what happens when they attempt to complain about misuse of PNR data by the DHS, we think it is important for Europeans not to be misled about the status of DHS compliance or noncompliance with the current DHS-EU “agreement” on PNR data.

Here’s what we can say about the current situation, and about the claims in the 2008 and 2010 DHS reports regarding compliance with the agreement.

Immediately following the publication of the DHS’s December 2008 self-assessment of its compliance with the agreement, we published a detailed analysis of the claims made in that report. We found that, while the DHS concluded that its actions were in compliance with the agreement, the 2008 DHS self-assessment:

1. Contained admissions of facts which constituted significant violations of the agreement (particularly with respect to data subjects’ rights of access, an area where we have greater experience than any other organization in monitoring DHS actions and analyzing DHS responses to PNR access requests), and
2. Contained a clearly false denial that the DHS had received any complaints of misuse of PNR data, despite our repeated formal complaints (here, here, and here), filed with the DHS Privacy Office in their regulatory dockets, that DHS schemes for use of PNR violate US laws including the Privacy Act and US international treaty obligations under Article 12 of the International Covenant on Civil and Political Rights (ICCPR) — a treaty ratified by and binding on the US and, individually, each EU member state.

Since the 2008 DHS self-report and our analysis of it, we have continued to assist individuals to make requests for their data from DHS pursuant to the Privacy Act, to monitor and analyze the responses, and to await any response to our outstanding complaints that the DHS is misusing PNR data.

We have observed no change in the violations evident from the 2008 DHS self-report (failure to respond within the time limits in the Privacy act, failure to provide any or all PNRs, improper withholding of PNR data, etc.), and we still have received no response from the DHS to our complaints related to misuse of PNR data in violation of US law and US treaty obligations.

With respect to enforcement, the 2008 DHS self-assessment of compliance (pages 27-28) states that, “Privacy Act Section 5 U.S.C. 552a (g) and (i) provide for civil remedies and criminal penalties,” and quotes at length from those provisions. The DHS self-assessment misleadingly fails to note, however, that those remedies are available, and those penalties are applicable, only to US persons (citizens and residents).

Following these lengthy quotes from a law that doesn’t apply to non-US persons or their data, the 2008 DHS self-assessment continues:

Administrative, civil, and criminal enforcement measures are available under U.S. law for violations of U.S. privacy rules and unauthorized disclosure of U.S. records. Relevant provisions include but are not limited to Title 18, United States Code, Sections 64 1 and 1030 and Title 19, Code of Federal Regulations, Section 103.34…. DHS and CBP have clear authority under the Privacy Act, Title 18, and Title 19 to enforce any security, privacy, or other administrative, civil, or criminal penalties against individuals for unauthorized use or disclosure of PNR and other CBP data. [emphasis added]

In fact, no unauthorized use, disclosure, or misuse of data concerning non-US persons would constitute a violation of the Privacy Act or could give rise to DHS or CBP enforcement action or civil or criminal penalties under that Act.

The use of the word “all” in the sentence quoted above, which refers specifically to the Privacy Act which protects only US persons and their data, is clearly false.  We see no plausible interpretation of this false statement as other than a deliberate and knowing lie, made with the intent to deceive Europeans about the protections afforded them by US law.

As applied to PNR data related to EU citizens or other data subjects who are neither US citizens nor US residents, that claim was false when it was made in 2008. The relevant US law has not changed, and this DHS claim remains false today.

The only major change in DHS policies related to PNR data since the 2008 self-report is the promulgation by the DHS in February 2010 of a final rule exempting from the requirement of disclosure in response to subject access requests under the Privacy Act most data included in PNRs which originated with travel companies, other third-parties, or fourth parties.

Under the final rule, as we’ve previously discussed and to which we formally objected when it was first proposed in 2008, this data — which the DHS concedes is unknown and otherwise unknowable to travellers — can be retained and used as part of the basis for decisions of whether to allow them to travel, or for other purposes. At the same time, this potentially derogatory third-party and fourth-party information can be withheld from disclosure to data subjects, even when it is specifically requested.

The February 2010 final rule also exempts the Automated Targeting System (ATS) — the DHS system of records, first disclosed in 2006, that includes PNR data — from the requirement of the Privacy Act for the provision of an accounting of disclosures. In practice, even before the DHS Privacy Act exemption rule was promulgated, none of the responses to Privacy Act requests we have reviewed have included an accounting of disclosures, even when one was specifically requested. Both Privacy Act requests for an accounting of PNR data disclosures, and appeals of the constructive denial of those requests, even by US citizens such as ourselves, have simply been ignored by the DHS.

The February 2010 final rule for ATS exemptions from the Privacy Act — clearly the most significant change in DHS regulations related to PNR data since the 2008 DHS self-report — should have been central to any 2010 update on DHS PNR policy. However, it is not mentioned in the February 2010 DHS “update”. The Privacy Act exemption rule for the ATS database of PNR data is a flagrant violation of the DHS “undertakings” and the DHS-EU “agreement”.

The February 2010 DHS self-assessment update also makes clear that the DHS continues to process subject access requests for PNR under the much more limited provisions of the Freedom of Information Act (FOIA).  There are repeated references in the February 2010 DHS update to FOIA, FOIA processing, and the CBP FOIA Branch, and the statement that,

All requests related to the Automated Targeting System – Passenger (ATS-P), the system that processes PNR, are handled by a FOIA specialist in the CBP FOIA Branch who has dedicated responsibilities for PNR. [emphasis added]

From the DHS responses to requests for PNR that we have reviewed, this statement appears to be correct.  It is also an admission by the DHS of failure to comply with their undertakings and agreement to afford all data subjects, including EU citizens, the rights to which US citizens are entitled under the Privacy Act.

There are significant differences between FOIA and Privacy Act rights. The Privacy Act, which the DHS has to date ignored in its processing of PNR requests, is a privacy or data protection law — although one that falls short of EU requirements for adequate protection. The FOIA is a law for public access to government records.  The FOIA is not concerned with how records are used or with their disclosure or onward transfer, and provides no rights whatsoever related to correction, expungement, or logging or accounting for disclosures.  Processing of requests under FOIA, rather than the Privacy Act, even when the Privacy Act is invoked, is a clear violation of US law when the requests are made by US persons and of the DHS-EU agreement when they are made by EU citizens.

Contrary to the DHS “undertakings” and “agreement”, non-US persons are not being afforded the greater access rights provided by the Privacy Act.  Even when requests are explicitly made under the Privacy Act, the only information released has been that required by FOIA.  In every DHS response we have reviewed, provisions of FOIA have been improperly invoked as the basis for redaction or withholding from disclosure of information which would be required to be released if the request were considered under the Privacy Act.  And that has been true of DHS responses to PNR requests not just by EU and other non-US citizens but also of responses to PNR requests from US persons.

Since EU citizens have no rights under the Privacy Act, they have no legal recourse in the US for this improper processing of their requests under the wrong law, improper invocation of inapplicable FOIA exemptions in response to Privacy Act requests, or the resulting incomplete disclosures of PNR data and lack of any accounting of onward disclosures of that data by the DHS.

The 2008 and 2010 DHS self-assessments mention the backlogs of FOIA requests.  But they say nothing about the numbers, processing times, or backlog of Privacy Act requests and appeals.  DHS and CBP are not required to report, and have not published, any statistics on the numbers, responses, processing times, or backlog of Privacy Act requests or appeals.

At the end of the day, what is the state of play with respect to DHS compliance or noncompliance with the agreement with the EU on PNR data?

To the best of our knowledge, after careful study of the requests for PNR data and the DHS responses that have provided to us by both US and non-US data subjects:

1. No requests for PNR data have been processed or responded to by the DHS in accordance with the Privacy Act (only FOIA), even when requests have been made by US citizens and have explicitly invoked the Privacy Act.
2. All DHS responses we have seen to requests for PNR data have improperly invoked specific provisions of FOIA as the basis for redaction or withholding of portions of PNRs, even when the requests have been made under the Privacy Act, to which FOIA exemptions do not apply.
3. All DHS responses we have seen have been incomplete (although often in ways that would only be apparent to an expert). Most responses have included only a few sample PNRs, even when the request has been for all PNRs. Most responses have been provided months after the time limits in the Privacy Act, and some have not been answered at all, months or years after they have been made.
4. No DHS response that we have seen has included any accounting of disclosures whatsoever, even when such an accounting has been explicitly requested by US citizens, in flagrant violation of the Privacy Act. In February 2010 the DHS issued new regulations exempting itself from the requirement of the Privacy Act to provide an accounting of disclosures, even when specifically requested by a US person.
5. No administrative appeals related to requests for PNR data have been responded to in accordance with the Privacy Act. Some Privacy Act appeals have been processed, but they have been treated as FOIA appeals, even when they explicitly invoked the Privacy Act.  None of the specific Privacy Act issues raised in these appeals have been considered. One of our Privacy Act appeals by a US citizen has been pending and unanswered for more than 2 1/2 years.
6. No judicial review of failure to comply with the Privacy Act is available to non-US persons in US courts.
7. The DHS has not responded to formally docketed written complaints of misuse by the DHS of PNR data pertaining to US and non-US persons, in violation of US law and US treaty obligations under Article 12 of the ICCPR.  Some of our unanswered complaints of misuse of PNR data were filed as soon as the DHS published notice of the existence of the already-existing ATS system of PNR data in late 2006, and are now more than 3 years old.
8. The US ratified the ICCPR with the reservation that it is not self-effectuating, and still has not enacted any legislation explicitly effectuating  the ICCPR or creating a cause of action in US courts for actions in violation of US obligations under the ICCPR.
9. Misuse or disclosure of PNR data concerning non-US persons still violates no US law.
10. No criminal or civil sanctions have  been sought or imposed against any of the DHS and CBP officials responsible for the operations of the ATS system of PNR data and use of PNR data in violation of the Privacy Act and Article 12 of the ICCPR, even with respect to PNR data pertaining to US persons.
11. No US court has ruled on the evidentiary or legal basis for any no-fly order or any other decision taken in whole or in part on the basis of PNR data.  The DHS continues to argue that no-fly orders made on the basis of PNR data or on any other basis are not subject to judicial review in US courts.
12. The DHS issued new regulations in February 2010 exempting third-party and fourth-party data in PNRs from the Privacy Act, even when it pertains to US persons, and allowing the DHS to retain and use this data as the basis for no-fly and other decisions, while keeping it secret from data subjects even if it is specifically requested by US persons.

The DHS is not in compliance with US law, US treaty obligations, or its undertakings and agreement with the EU.

Given this situation, what are the prerequisites for a PNR agreement that might be effective? We were asked that question by MEP Jan Albrecht at the end of the hearing on this issue in the European Parliament on the 8th of April.

For any new PNR agreement to have the possibility to be effective:

1. It must be a treaty, so that it is binding on the USA. (Under the U.S. Constitution, a treaty ratified by the Senate is the only binding form of international instrument.)
2. It must be preceded by enforcement of existing EU data protection law as it applies to PNR data in the commercial sphere, and the necessary infrastructure changes (especially by the major CRS’s) to bring them into compliance with EU law when they handle personal data collected in the EU, or transfer it to the USA or other countries. (Many changes are required, but the most important first steps are for EU data protection authorities to place Sabre, Travelport, and Amadeus under the microscope, and for CRS’s to add access logs to to PNR “histories” or change logs, using the same controls to prevent deletion or modification of access logs as are currently used to prevent alteration of PNR history data.)
3. The US Privacy Act must be amended to extend its protections and the right of private enforcement action in US courts to all data subjects regardless of nationality or residence.
4. The USA must withdraw its reservation that the International Covenant on Civil and Political Rights (Article 12 of which guarantees the right of freedom of movement) is not self-effectuating, and must enact effectuating legislation creating a private right of action under US Federal law for violations of the ICCPR.
5. The USA must create, and allow in practice, a right of private legal action and judicial review in US Federal courts (for all people regardless of citizenship or residence) of all no-fly decisions and any other decisions made in whole or in part on the basis oif PNR data.