As we’ve noted previously, members of the European Parliament have been exercising their right to question the European Commission about the proposed agreement negotiated by the EC with the USA to give travel companies partial immunity from EU privacy law when they open their reservation (“PNR“) databases to the US Department of Homeland Security.

Numerous written questions about the proposed PNR agreement have been posed by MEPs, and answers from the Commission have been trickling in, although often later than the 6-week deadline in Parliament’s rules.

The most interesting of these questions and answers is one about the “Implications for the EU-US PNR agreement on computerised reservation systems, including new CRS providers such as Google“:

Google’s recent confirmation that it is developing a new computerised reservation system (CRS) for passenger name records (PNRs) (1) gives new importance to Parliament’s call for ‘an analysis of … PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU’ (2).

1. Has the Commission conducted such an analysis yet? When will the Commission share the results with Parliament?

2. Has the Commission considered the technical or policy implications of potential new CRS providers such as Google, which may use different technology platforms from those of legacy CRS vendors?

3. Has the Commission discussed with the CRS industry, including Google, whether to adopt a best practice for government requests for hosted data(3), or what policies should be adopted with respect to disclosure of government requests for data hosted by CRSs? If not, why not?

4. Has the Commission conducted any research into compliance or non-compliance by CRS vendors with a) the data protection provisions of the Code of Conduct for CRSs, or b) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in particular with respect to retrieval of data by CRS system users located outside the EU? If not, why not?

5. Has the Commission designated a point of contact or established procedures for handling complaints from individuals of violations of the Code of Conduct for CRSs? If so, how has the Commission made public this point of contact and the procedures for handling such complaints? If not, why not?

(1) Jeremy Wertheimer (Vice-President, Travel, ITA Software by Google), answer to question during the PhoCusWright conference, 16 November 2011, http://conference.phocuswright.com/program_sessions/1257

(2) European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada P7_TA (2010) 0144.

(3) See for example http://www.google.com/transparencyreport

Commissioner for Home Affairs Cecilia Malmström has finally responded, several weeks late, with an evasive and misleading statement on behalf of the EC that’s as noteworthy for what it ignores as for what it says:

The PNR agreements cover PNR data transfers by air carriers operating passenger flights between the EU and those countries. They specify that PNR data that are processed or stored in the territory of the EU are covered. PNR data transferred under the agreements may only be processed for the purposes specified under the agreements.

The processing of PNR data is the responsibility of the air carriers, as they are considered the data controllers under European data protection law. The providers of computer reservation systems handle reservation data, including PNR data, under the responsibility of the air carrier.

The agreements thus cover PNR data processed or stored in the territory of the EU and subsequently transferred directly by an air carrier or, alternatively, processed or stored in the territory of the EU by the provider of a computer reservation system on behalf of an air carrier. The agreement also covers PNR data processed or stored outside the territory of the EU, as long as they concern flights between the EU and the US.

In this respect, it should be noted that it is irrelevant where a computer reservation system is located. To the extent that a computer reservation system stores data which is covered by the agreement, then the agreement will apply.

The International Civil Aviation Organisation (ICAO) has already adopted guidelines on best practices for storing PNR data to be disclosed to governments. The Commission participates at the work of ICAO and considers the standards an efficient and sufficient regulation of the issue. The Commission does not believe that further guidelines need to be developed.

It should be noted that to the extent that PNR data is processed by or on behalf of air carriers for their own commercial purposes in the EU, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data will apply.

Missing from Commissioner Malmström’s “answer” is any mention of the EU Code of Conduct for CRSs, whose privacy and data protection provisions are violated whenever a travel company that does business in the EU (e.g. an airline, travel agency, or tour operator, regardless of whether it is based in the EU, US, or another country) outsources its PNR storage to a US-based CRS without notice or consent from travelers.

No travel agency in Europe ever says to a customer — although they should — “Is it OK with you if our company stores your reservations from Berlin to Brussels in a CRS in Chicago, where the US government can access them without a court order and without telling you or our travel agency?”

Malmström also ignored the question as to what, if any, point of contact or procedures have been designated for complaints to the EC about violations of these rules.

Malmström also ignores the European Parliament’s call for investigation of CRS privacy and cross-border data transfer practices. Whether or not “further guidelines need to be developed” is different from whether — as the EP has asked — the EC is policing or enforcing the current EU standards contained in the Code of Conduct for CRSs and the data protection directive.

Malmström claims that “The processing of PNR data is the responsibility of the air carriers, as they are considered the data controllers under European data protection law.” That should be true, but it contradicts the claims made by European airlines including KLM, Air France, and Lufthansa. In response to our access requests, each of those airlines has claimed that it is not the controller of some or all processing of PNR data, and has referred requests to CRSs, agents, and/or contractors. Malmström’s statement thus reinforces the need for review of whether airlines are complying with their obligations under the current rules.

Malmström’s statement that ICAO “has already adopted guidelines on best practices for storing PNR data to be disclosed to governments” is, at best, deeply misleading.

ICAO’s standards for PNR data are concerned only with standardizing which additional data elements airlines and their agents may be required by government to add to PNRs. The sole purpose of the ICAO standards is to minimize the burden on the travel industry of having to collect different data for different governments. (Most of the ICAO standards concern APIS data, which both EU and US officilas continue to claim is unrelated to PNR data even though it is typically stored in PNRs. And even with respect to APIS data, the ICAO recommendations defer to national data protection laws and are silent on commercial use and corss-border data transfers or outsourcing.)

The ICAO standards are entirely silent on privacy, data protection, rights of data subjects, how or where PNR data is stored, or cross-border commercial outsourcing or transfers of PNR data.

Malmström’s statement that, “The Commission does not believe that further guidelines need to be developed,” should therefore be of grave concern to MEPs and European travelers.

Perhaps most importantly, if ICAO is, as Commissioner Malmström apparently believes, the appropriate venue for addressing these issues, MEPs and European data protection authorities (such as the EDPS and the members of the Article 29 Working Party) should insist on an active role in consultation with the EC on its role at ICAO, and on the inclusion of privacy, civil liberties, and data protection experts in EC and EU members’ delegations to ICAO’s working group on Machine Readable Travel Documents (MRTD).