In an appearance on September 20th before the LIBE (civil liberties) Committee of the European Parliament to lobby for legalization of US government access to European airline reservations (PNR data), US Attorney General Eric Holder claimed that there has been “not one single example of privacy being breached” by the US in its processing of PNR data. We “need to deal with what is real, not what is hypothetical”.

Is Holder’s claim true? What’s “real”, and what’s “hypothetical”?

In reality, DHS policies prevent us from knowing how many breaches of privacy or other fundamental rights have resulted from US processing, use, and/or disclosure to others of PNR data.

The most obvious problem is that the US DHS has exempted its “Automated Targeting System”, which contains lifetime travel histories compiled from PNR data, from the access and accounting requirements of the Privacy Act. (The exemption regulations are here.)

Although the US has falsely claimed in reports to the EU that everyone who has requested their travel records has received them, the reality is that the DHS has withheld ATS records even when they have been requested by U.S. citizens. In our lawsuit, the DHS is continuing to claim that even U.S. citizens who made their requests before the exemption regulations were finalized have no right to see any of their ATS records or to receive any accounting of the other government agencies or third parties to which DHS has disclosed them. All of the responses to subject access requests made to the DHS that we have seen have included (improper) redactions of portions of this data. We don’t know what’s in DHS dossiers about our travel, and the official position of the DHS is that we have no right to know.

Without being able to access the DHS records about themselves, or to receive an accounting of third parties to which they have been disclosed, it’s impossible for anyone to know whether their privacy has been breached.

But the real situation is even worse: Contrary to the false claims made to the EU  (and repeated in the proposed US-EU “agreement” on PNR transfers to DHS) that all access to PNR data by DHS is logged and subject to audit, DHS has now claimed in response to our lawsuit that they have no logs that would allow them to tell whether, when, or by whom any particular individual’s PNR or ATS records have been retrieved or disclosed. So even if they hadn’t exempted themselves form the requirements of the Privacy act, they wouldn’t be capable of providing an accounting of disclosures. And without such logs, of course, any “audit” will be meaningless.

Attorney General Holder spoke only about breaches of “privacy”, but privacy is not the only fundamental right implicated by the use of PNR data.

DHS wants PNR data in order to use it to decide who to allow to travel, and who not to allow to travel. Those decisions are based in whole or in part of PNR data obtained from the EU. And those no-fly decisions affect the fundamental right to freedom of movement, which is protected by both international and European law.

The European Parliament’s previous resolution on PNR transfers to the US government noted that the use of PNR data should take into consideration Article 12 of the ICCPR, a treaty ratified by both the US and EU members.  However, there’s no mention of the ICCPR, the right to freedom of movement, or the rules for no-fly decisions based on PNR data in the proposed US-EU “agreement” on PNR data transfers.

We don’t need logs or an audit to know that  — contrary to Holder’s claims — there have been real violations of individuals’ fundamental rights as a result of the use of PNR data. US officials have boasted of how often PNR data has been used by DHS as the basis for no-fly decisions.

The US claims that these were “proper” decisions because the people prevented from flying were on a US “no-fly” list. In reality — unless courts have reviewed and upheld these no-fly orders —each no-fly order is a case of violation of rights, not a case of “successful” use of PNR data.

A secret, standardless, administrative decision to put someone’s name on a secret list does not constitute a leaggly valid basis under the applicable standards of international law for denying fundamental rights, such as the right to travel. But whenever attempts have been made to challenge no-fly orders, the US government has claimed that US courts have no jurisdiction to review these secret orders, or that the court cases are moot. No US court has yet reviewed or ruled on the legality of a DHS no-fly order.

Holder’s rhetoric about breaches of “privacy” is an attmept to distract European lawmakers and travellers form the real PNR problem: breaches of the fundamental right right to travel. Rather focusing on “data protection”, they should focus their attention on  protection of the right to travel. No-fly decision-making, not privacy, is the heart of the issue of PNR usage.

Here are some of the real  questions that should be asked of the US government and of the European negotiators with the US:

• How many people have been prevented from traveling on the basis, in whole or in part,  of PNR data collected in the EU?
• How many, if any, of these no-fly orders been reviewed by US, EU, or international courts? How many, if any, have been upheld after review by such courts?
• Has the US government said what, if any, procedures it believes exist for review of a no-fly order by US, EU, or international courts?
• How many, if any, people prevented from flying on the basis of PNR data from the EU have been convicted of crimes? How many, if any, of these convictions have been for crimes of terrorism?
• What, if any, compensation has been paid to those who have been prevented from traveling by no-fly orders, but who have not been convicted of any crime or had the no-fly orders against them upheld by competent courts? What, if any, other sanctions are available under US law and through US courts for improper no-fly orders or other violations of the right to freedom of movement, as protected by Article 12 of the ICCPR?

The same questions could be asked about the proposed Australia-EU agreement on transfers of PNR data.

A question has already been tabled to the European Commission as to whether they are aware of “improper” use of PNR data. But from their point of view, if someone is on a no-fly list, using PNR data to stop them from flying is “proper”. A more precise question about the statistics on no-fly decisions will be needed to find out how many are examples of successful use of PNR data, and how many are examples of violations of individuals’ right to travel.