Nov 28 2011

Revised EU-US agreement on PNR data still protects only travel companies, not travelers

On November 17, 2011, US and European Union officials initialed a renegotiated proposed agreement (original English version; official German translation; official French translation) to authorize airlines to forward PNR data (travel reservations) to the U.S. Department of Homeland Security (DHS). As an executive agreement, not a treaty, it doesn’t require any further US approval, but it does require ratification by both the Council of the EU (national governments of EU members) and the European Parliament.

The US is mounting an exceptionally intense high-level lobbying and public propaganda campaign on this issue in Brussels. But despite the importance of the issue, members of the European Parliament (MEPs) have only been allowed to read the proposed agreement in a sealed room, and have been forbidden to take written notes or speak publicly about what the revised proposal says.

To facilitate informed public debate, we are publishing the full text of the proposed agreement in English, German, and French. This is the final version as initialed, on which the Council and Parliament will be voting, possibly as soon as the end of this year.

The latest version of the EU-US agreement on PNR transfers to the DHS fixes none of the fundamental problems we and the European Parliament have identified in previous drafts, as discussed in our previous articles, our FAQ about the previous version of the proposal, and our recent presentations to MEPs:

(1) The revised agreement still does not meet many of the criteria set by the European Parliament.

In its resolution of 5 May 2010, the European Parliament said that any PNR transfer agreement with the US should, among other criteria, (A) take the form of a treaty, (B) include in its terms of reference the fundamental right to freedom of movement, as guaranteed by Article 12 of the International Covenant on Civil and Political Rights, (C) prohibit the use of PNR data for data mining or profiling, and (D) take into consideration PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.

The revised agreement satisfies none of these criteria. In fact, it does not mention any of these issues at all, or make any changes to even pretend to address them.

(2) The retention limits and “depersonalization” of PNR data would be completely ineffective, and could be easily and secretly bypassed (without that bypass violating the agreement or violating any US law).

The agreement would require that the DHS copies of PNR data be “depersonalized” after 6 months. But the retention limits in the agreement would apply only to the PNR copies made by the DHS.

The computer reservation systems (CRSs) which host the master copies of PNRs would still be able to retain them forever. (There is still no data protection law in the US for commercial data like PNRs or commercial entities like CRSs.) And the “depersonalized” DHS copy of each PNR would still include its unique “record locator”.

At any time, the DHS could — secretly, legally, and without a court order or notice to the airline or traveller — use the record locator to obtain a copy of the complete PNR from the CRS, including all sensitive and personally identifying information.

It is absurd and misleading Orwellian doublespeak to describe a copy of a PNR that contains the unique record locator of the complete master copy of the PNR as “depersonalized”. And unless retention of the master copies of PNRs by the CRSs is limited, time limits on retention of DHS copies are meaningless. The DHS can get a new copy from the CRS whenever it wants, forever.

(3) The purported “access” and “redress” provisions in the revised agreement would be ineffective, and are described in misleading terms.

(A) Access: According to the revised agreement, any individual is entitled to “request” their PNR data from DHS. That’s true: Anyone can request their PNR data. But that doesn’t mean that DHS is required to provide PNR data in response to such requests. Most PNR data is exempt from the Freedom Of Information Act (FOIA). Under both the agreement and US law, you are entitled to request your PNR data, and the DHS is entitled to say, “No”. In addition, FOIA is not a data protection law, and never requires any accounting of how data has been used or to which government agencies or other third parties it has been disclosed.

(B) Correction: The agreement says that anyone may “request” correction of records about them. But neither the agreement nor US law requires the DHS to make any corrections. They are legally entitled to deny all such requests. The only US law creating any right to correction of records is the Privacy Act, which applies only to US persons, not to foreign visitors. FOIA never requires correction of records, regardless of whether they are inaccurate, irrelevant, incomplete, or misleading.

(C) Accountability and oversight: The agreement claims that all DHS access to PNR data will be logged. But we know that this is not happening now, and there is no evidence of any plan by DHS or CRSs to implement access logging. Both the DHS and European airlines have said, in response to our requests for logs of who has accessed our PNR data, that there are no such logs. DHS has said this to the judge hearing our lawsuit, in which (as US citizens) we sought those logs and an accounting of disclosures of our PNR data to third parties. Without access logs, there can be no accountability or oversight.

(D) Judicial review: According to the revised agreement, any person may “seek” redress. But nothing in the agreement or US law guarantees a right to receive redress, or would even allow a US court to review violations of the agreement or of data protection principles.

The revised agreement says that individuals may “seek” or “petition” for judicial review under the Administrative Procedure Act of any “final agency action”. But the policy and practice of the DHS is never to confirm or deny that it has taken any action on the basis of PNR data, such as a no-fly decision or a decision on a “redress” request through the TRIP program. When individuals have attempted to challenge no-fly decisions, the position of the DHS in US courts is that without DHS confirmation of a decision, there is no “final action” for the court to review.

Even if an individual could establish that there had been a “final action” against them, the APA only pertains to violations of administrative procedure. The APA imposes no substantive restrictions on DHS actions. No violation of the agreement or of data protection principles would ever, in itself, constitute a violation of the APA.

While anyone can “petition” for judicial review of anything, such a petition related to violations of the agreement would be denied.

The agreement also refers to the Freedom Of Information Act (FOIA). But FOIA is not a data protection law. It is a law for access to public records. FOIA does not restrict how information is used, shared, retained, or transferred to other countries. Violations of the agreement, including misuse or disclosure of personal information, would never constitute violations of FOIA. US courts have no authority under FOIA to take any action against misuse, sharing, retention, or transfer of information.

The agreement cites the Computer Fraud and Abuse Act, but this law does not restrict government access to information. And the agreement cites the Electronic Communications Privacy Act. But none of the DHS access to PNR data has been conducted in accordance with the ECPA requirements for a warrant issued by a court — it has all been carried out by extra-judicial administrative action.

Finally, by its own terms (Article 21), and because it would not be a treaty, the agreement would not create any basis for action by any US court.

The only reason for the agreement to mention FOIA or these other laws, or to refer to a right to “petition” the courts when under current US law any such petition would be denied, is to mislead Europeans who are unfamiliar with the details of US law and the meaning of these terms in US law.

Fundamentally, as we’ve discussed previously, the only real reason for, or effect of, the proposed agreement would be to grant travel companies immunity from EU data protection laws that they know they are violating daily — not to provide any protection at all to US or European travelers.

EU members voting in the Council, and Members of the European Parliament, should say, “No.”
