The EU-US PNR Agreement — A Legal Analysis of Its Failures
[The following complete article (27 pages) or a summary of the key points (3 pages) can be downloaded in PDF format. Additional analyses and critiques of the proposed EU-US PNR agreement have been published by, among others, the Identity Project, the Electronic Frontier Foundation, and a coalition of US and EU NGOs.]
FROM THE DESK OF BARRY STEINHARDT
Chair, Friends of Privacy USA
December 26, 2011
The proposed agreement regarding Passenger Name Records (PNR) between the United States and the European Union is riddled with faulty assertions and assumptions about US law and the actual operations of the US Government.
These faulty assertions and assumptions go to the heart of the agreement and undercut the claims of protections for European travelers.
As an American lawyer with substantial experience on the PNR and related issues, I want to set the record straight for the European officials who must act on the proposed agreement.
This memo highlights the most serious of those faulty claims and assumptions.
- The Agreement does not apply to the agency – the Terrorist Screening Center – which actually decides which travelers will be subject to the No Fly rules.
- The US Laws cited in the agreement as offering protections to European travelers actually provide very little benefit or are completely irrelevant to the international transfer of PNR data;
- Europeans cannot, as the agreement suggests, obtain independent and adequate relief from unlawful actions by the US Executive Branch (USG) by appealing those decisions under the Administrative Procedure Act (the APA).There are virtually insurmountable substantive and procedural hurdles to the use of the APA in “appealing” decisions of the Department of Homeland Security (DHS).Of greatest importance, most of the relevant actions taken pursuant to the agreement will not qualify as a “Final Order” that can be appealed under the APA;
- Beyond that the APA is of little use to travelers who want to challenge the centrally important actions taken by the Terrorist Screening Center (TSC) of the Department of Justice (DOJ).The Agreement is focused on the TSA’s screening of air passengers. It gives short shrift to and offers very little protection from the Automated Targeting System (ATS) operated by Customs and Border Protection (CBP) which is a wholly separate branch of DHS.It is CBP – not the TSA – that use the ATS to decide how Europeans will be treated when they enter exit the US;
- There are substantial uncertainties about which, if any, court would be empowered to hear an “appeal” and which agencies would need to be sued. Complex jurisdictional rules regarding APA appeals and transportation security issues throw air passengers into a procedural thicket from which they may never escape;
- The DHS Chief Privacy Officer has neither the independence nor the authority claimed in the Agreement. Nor does the CPO of the Justice Department whose jurisdiction includes the TSC, and;
- The Agreement does not cover the USG’s uses of private commercial data e.g. data obtained from the Computer Reservation Services (CRS) and the USG has wide power under the Patriot Act and related law to obtain data them.