Oct 29 2015

Can the US be a “safe harbor” for travel surveillance?

At its plenary session today in Strasbourg, the European Parliament adopted a “Resolution on the electronic mass surveillance of European Union citizens”.

As part of that resolution, the European Parliament, “Calls on the EU Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender.”

We’re pleased, of course, to see such a democratically and popularly elected body as the European Parliament coming to Mr. Snowden’s defense and joining the calls for recognition of his claim for asylum. But while the Snowden clause is getting most of the attention, it’s not all that’s included in today’s Europarl resolution.

The resolution adopted today by the European Parliament discusses what needs to be done, and by whom, to address the “electronic surveillance” Mr. Snowden has helped to expose. Notably, the resolution explicitly includes the electronic surveillance of travel and finance along with surveillance of telephone and Internet communications.

We have long argued, and we suspect Mr. Snowden would agree, that warrantless, suspicionless dragnet collection of metadata about the movements of people through root access by governments to PNRs stored in airlines’ Computerized Reservation Systems, warrantless, suspicionless dragnet collection of metadata about the movements of money through government access to electronic funds transfer intemediaries like SWIFT, and warrantless, suspicionless dragnet collection of metadata about the movements of messages through government root access to telecom and Internet backbone networks are all part of the same overarching surveillance program that raises issues common to all of these types of movement metadata.  That point of view is implicitly endorsed by today’s Europarl resolution.

Today’s action by the European Parliament was prompted in part by the decision earlier this month by the European Court of Justice (sometimes abbreviated “ECJ”, sometimes “CJEU”) in Schrems v. Facebook.  In that case, an Austrian user of Facebook, Max Schrems, asked the data protection authority in Ireland, where Facebook’s European subsidiary is based, to prohibit the transfer of personal data about him to Facebook servers in the USA where it would be subject to uncontrolled and secret access by the NSA and possibly by other US government agencies. The Irish authorities refused to investigate Facebook’s practices and dismissed Mr. Schrems’ complaint on the grounds that the European Commission had already determined that the so-called “Safe Harbor framework” for self-regulation assured adequate protection for personal data transferred from the EU to the US by participating companies.

The ECJ found that, “without there being any need to examine the content of the safe harbour principles,”  the Commission’s finding that US law “ensures” adequate protection for personal data transferred to the US was invalid, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” of Fundamental Rights and Freedoms of the European Union.

Too bad that US courts haven’t yet recognized, as of course they should, that these US laws and government practices also violate fundamental rights guaranteed by the US Constitution.

The European Commission has previously brushed off questions — including questions from Members of the European Parliament and in a more recent expert report commissioned by the Council of Europe — about the legality of outsourcing and transfers of PNR data to CRSs to which the US government has unlogged root access. And EU data protection authorities have dismissed or declined to investigate complaints against airlines, travel agencies, and CRSs.

Now, however, the European Commission and European DPA’s have an explicit mandate to investigate complaints like that of Mr. Schrems against companies that are transferring personal data from the EU to the US, and the explicit authority and obligation to order the termination of such transfers.

It’s in this context that the European Parliament resolved today that it:

Urges the Commission to assess the legal impact and implications of the Court of Justice ruling of 6 October 2015 in the Schrems case (C-362/14) vis-à-vis any agreements with third countries allowing for the transfer of personal data, such as the EU-US Terrorist Finance Tracking Programme (TFTP) Agreement, passenger name record (PNR) agreements, the EU-US umbrella agreement and other instruments under EU law which involve the collection and processing of personal data.

What does this mean for the future of travel surveillance in the EU, the example it might set for other countries, and the prospects for US efforts to globalize a panopticon of travel dataveillance as a new norm?

Read More