Important new questions about how the US government can bypass the proposed EU-US agreement on access to PNR data have been asked by a key Member of the European Parliament.

These new questions by MEP Sophie in ‘t Veld (the Europarl “rapporteur” or floor leader on the proposed PNR agreement) follow up on evasive, misleading, and incomplete responses by European Commissioner Cecilia Malmström’s to previous questions from MEPs about PNR data.

The proposed EU-US agreement would pertain only to DHS copies of PNR data obtained directly from airlines, but would not regulate the master copies of PNRs held by Computerized Reservation Systems (CRSs) such as Sabre, Galileo/Apollo by Travelport, Worldspan by Travelport, and Google in the US or Amadeus in Europe (each of which is used by travel companies in the US, EU, and other countries).

Two sets of questions (here and here) about US government access to CRS databases of PNRs were tabled today by MEP in t’ Veld, with a request that the European Commission respond before the LIBE Committtee of the EP vote on the proposed EU-US agreement, currently scheduled for March 27th.

The first set of these questions focuses on US government access to PNR data held on servers in the US (such as whenever a European travel agency or tour operator uses one of the US-based CRSs).

The second set of questions concerns the ways that US law allows the US government to bypass the proposed agreement and obtain PNR data through CRS offices in the US — even when the data is stored on servers in the EU:

US access to PNR data in Computer Reservation System Amadeus II

Computer Reservation System Amadeus has its headquarters in Madrid (Spain) and its central database in Erding (Germany). Additionally, it has several offices outside the EU, including an office in Miami, in US jurisdiction. All Amadeus offices around the world have access to the PNR data base in Erding.

1. Is the Commission aware that the US authorities may retrieve PNR data stored in Europe (Erding) through the Amadeus office in the US, for example by using National Security Letters? Is the Commission aware that such retrievals are not being logged, and that Amadeus may be sworn to secrecy by the US authorities?
2. Does the Commission consider this would allow the US authorities to get access to PNR data, at least on an ad hoc basis, at any given moment? Does the Commission agree that this is not only equivalent to the PULL method, but that it even exceeds PULL, as it allows for the retrieval of all PNR data, not just the fields specified in the EU-US Agreement, without the obligation to log the retrievals? Does the Commission agree that this leaves the clauses on PUSH and PULL and logging, in the EU-US agreement completely meaningless in practice?
3. Does the Commission agree that data retrieved by the authorities of a third country from an EU located data base would constitute a transfer of data to a third country? Is the Commission aware if Amadeus or similar CRS are keeping logs of such retrievals? If not, does the Commission consider that such retrievals are a violation of EU data protection rules?
4. If no logs are being kept of the retrievals described above, would the Commission agree that citizens would have no means to exercise their rights to verify and correct their data?
5. Can the Commission provide an overview of other Computer Reservation Systems with a presence in the US, that would be in the same position as Amadeus? Can the Commission provide an overview of PNR data stored in Europe by CRS, that are thus available to third countries other than the US?

We’ve been asking exactly these questions for years, and we’re pleased to see that MEPs are demanding answers from the European Commission before they vote on an agreement that, in fact, would do little to reign in the US government’s demands to PNR data because it could so easily be bypassed.

Some of these questions are easily answered, although the EC may not want to admit the answers.

EU-based airlines including KLM, Air France, and Lufthansa have each told us, in response to our requests for access to our PNR data, that Amadeus has no logs of who has accessed our PNRs. And in response to our lawsuit seeking access to PNR data held by DHS, the US government has claimed that it has no logs of who has accessed the DHS copies of PNRs with information about us.

We presented diagrams of the information architecture of the PNR data ecosystem, and the pathways for PNR data flows which bypass the EU-US agreement, in our testimony to MEPs in Brussels in 2010. A representative of the EC attended and spoke on the same panel with us at that hearing, so the Commission can’t claim that they were unaware of these issues. We also explained this bypass pathway in our FAQ on Transfers of PNR Data from the EU to the USA, which was first distributed to MEPs in 2010 and which we’ve just updated and re-posted.

The possibility for the US government to bypass the EU-US agreement and obtain PNR data directly from CRS servers or offices in the US was also explicitly raised by the US government in its negotiations with European governbments.  European authorities, including the German data protection commissioner and chair of the Article 29 working party, have been fully aware of the US ability to bypass the agreement in this way since at least 2006, when the US pointed this bypass channel out to European authorities.

Many of the US diplomatic cables made public by Wikileaks relate to US access to PNR data. Perhaps the most interesting of these PNR-related Wikileaks cables was sent to Washington from the US Embassy in Berlin on  October 31, 2006. This cable reports on two days of meetings between Assistant Secretary (“A/S”) of Homeland Security Stewart Baker  — the chief drafter and negotiator for the US of the original PNR agreements — and various German government officials. (Baker’s own self-serving account of these meetings is included in his memoir, Skating on Stilts, which he has kindly made available for free download.

But Baker’s account omits some of what he reported to his bosses in Washington:

A/S Baker warned that in many cases the actual airline databases reside in the United States, and the airlines of many EU countries do not have flights to the United States, and so in this light, from the U.S. perspective, it was difficult to see why an EU government and parliament should have any influence on the access of U.S. agencies to data in the United States.

This is why the DHS recently testified to Congress that the reason for the proposed agreement was to “To protect U.S. industry partners from unreasonable lawsuits.” The US government doesn’t need any “agreement” with the EU to obtain PNR data collected in the EU, as long as EU travel companies continue to outsource the storage of PNR data to CRSs based in, or with offices in, the US.

It’s also important to note that the DHS referred to the need to “protect U.S. industry partners”, not European companies. The US govenrment doesn’t care whether European companies comply with European law, or are disadvantaged by US law. the US government wants to protect US companies that are at risk of liability for violating EU law.

Who are those companies? Clearly, the principal violators of EU law in this case are the US-based CRSs, which shouldn’t be allowed to operate or serve travel agencies, tour operators, or airlines in the EU unless they comply with EU law — which they don’t.

It’s not illegal to transfer PNR data from a travel agency in the EU to a CRS in the US. but it is illegal to do so without being able to ensure that the data transferred will be protected, and without the knowledge or consent of the data subject.

No travel agency or tour operator in the EU ever says to a customer, “Is it OK if I store your PNR for this flight from Berlin to Brussels on a server in Denver (or Dallas)?” But that’s what happens whenever a Sabre or Travelport subscriber in the EU makes a reservation, regardless of whether the itinerary involves any destination in the US. And that’s the question any such travel agency is required to ask, under current EU data protection laws, before they can outsource their customers’ data to the US.

The fact that this practice is flagrantly illegal, but so widespread, is one of the clearest examples of the failure of EU authorities and the so-called “Safe Harbor” scheme to protect the personal information of either European or US travelers.

We hope to see these issues addressed not just by the EC and the European Parliament, in response to MEP in ‘t Veld’s questions, but also by EU policy-makers reviewing “Safe Harbor” and the protection of personal data stored by “cloud services” (of which CRSs are one of the first examples).

We’ve been invited to attend the EC’s trans-Atlantic conference on Privacy and Protection of Personal Data later this month, and hope to raise these issues there and see them made part of the ongoing review of “Safe Harbor”, the EU Data Protection Directive, and privacy policy for cloud services.