Oct 29 2015

Can the US be a “safe harbor” for travel surveillance?

At its plenary session today in Strasbourg, the European Parliament adopted a “Resolution on the electronic mass surveillance of European Union citizens”.

As part of that resolution, the European Parliament, “Calls on the EU Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender.”

We’re pleased, of course, to see such a democratically and popularly elected body as the European Parliament coming to Mr. Snowden’s defense and joining the calls for recognition of his claim for asylum. But while the Snowden clause is getting most of the attention, it’s not all that’s included in today’s Europarl resolution.

The resolution adopted today by the European Parliament discusses what needs to be done, and by whom, to address the “electronic surveillance” Mr. Snowden has helped to expose. Notably, the resolution explicitly includes the electronic surveillance of travel and finance along with surveillance of telephone and Internet communications.

We have long argued, and we suspect Mr. Snowden would agree, that warrantless, suspicionless dragnet collection of metadata about the movements of people through root access by governments to PNRs stored in airlines’ Computerized Reservation Systems, warrantless, suspicionless dragnet collection of metadata about the movements of money through government access to electronic funds transfer intermediaries like SWIFT, and warrantless, suspicionless dragnet collection of metadata about the movements of messages through government root access to telecom and Internet backbone networks are all part of the same overarching surveillance program that raises issues common to all of these types of movement metadata. That point of view is implicitly endorsed by today’s Europarl resolution.

Today’s action by the European Parliament was prompted in part by the decision earlier this month by the European Court of Justice (sometimes abbreviated “ECJ”, sometimes “CJEU”) in Schrems v. Facebook.  In that case, an Austrian user of Facebook, Max Schrems, asked the data protection authority in Ireland, where Facebook’s European subsidiary is based, to prohibit the transfer of personal data about him to Facebook servers in the USA where it would be subject to uncontrolled and secret access by the NSA and possibly by other US government agencies. The Irish authorities refused to investigate Facebook’s practices and dismissed Mr. Schrems’ complaint on the grounds that the European Commission had already determined that the so-called “Safe Harbor framework” for self-regulation assured adequate protection for personal data transferred from the EU to the US by participating companies.

The ECJ found that, “without there being any need to examine the content of the safe harbour principles,”  the Commission’s finding that US law “ensures” adequate protection for personal data transferred to the US was invalid, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter” of Fundamental Rights and Freedoms of the European Union.

Too bad that US courts haven’t yet recognized, as of course they should, that these US laws and government practices also violate fundamental rights guaranteed by the US Constitution.

The European Commission has previously brushed off questions — including questions from Members of the European Parliament and in a more recent expert report commissioned by the Council of Europe — about the legality of outsourcing and transfers of PNR data to CRSs to which the US government has unlogged root access. And EU data protection authorities have dismissed or declined to investigate complaints against airlines, travel agencies, and CRSs.

Now, however, the European Commission and European DPA’s have an explicit mandate to investigate complaints like that of Mr. Schrems against companies that are transferring personal data from the EU to the US, and the explicit authority and obligation to order the termination of such transfers.

It’s in this context that the European Parliament resolved today that it:

Urges the Commission to assess the legal impact and implications of the Court of Justice ruling of 6 October 2015 in the Schrems case (C-362/14) vis-à-vis any agreements with third countries allowing for the transfer of personal data, such as the EU-US Terrorist Finance Tracking Programme (TFTP) Agreement, passenger name record (PNR) agreements, the EU-US umbrella agreement and other instruments under EU law which involve the collection and processing of personal data.

What does this mean for the future of travel surveillance in the EU, the example it might set for other countries, and the prospects for US efforts to globalize a panopticon of travel dataveillance as a new norm?

As of now, since the ECJ’s decision that the Safe Harbor framework does not ensure adequate protection for personal data once it is in the US (and thus subject to secret and uncontrolled access by US government agencies), one thing is clear: Every company — regardless of whether it is incorporated in the US, the EU, or a third country — that outsources the storage or processing of personal data collected in the EU to any entity in the US, or makes personal data collected in the EU freely retrievable from the US, is violating fundamental EU law.

That includes, but is not limited to, travel companies including some of the CRSs that have relied on the self-certified (and unaudited) claim that they were complying with the Safe Harbor framework to provide a fig leaf of purported legality for their ongoing data transfers from the EU to the US.

Today, every time any travel agency, tour operator, airline ticket office, or passenger handling contractor that subscribes to one of the US-based CRSs collects information in the EU — over the counter, by phone, or through a website — and enters it into a PNR stored on servers in the US, that company is violating the EU Data Protection Directive and the EU Charter of Fundamental Rights and Freedoms.  Again, that is equally true regardless of whether the travel company in question is based in the US, the EU, or anywhere else.

Unless and until the US puts in place “adequate” protections against unjustified government access to this data, or the EU repeals or amends its Charter of Fundamental Rights and Freedoms, each of these companies is vulnerable to sanctions and cease and desist orders as soon as anyone complains to the proper data protection authorities.  Essentially every major airline that operates in Europe, even ones that don’t fly to the US, is at risk: If they sell tickets through travel agents at all, even airlines that host their own PNRs in the EU-based Amadeus CRS have appointed agents who act in the name of the airline and subscribe to, and create PNRs in, the US-based CRSs Sabre, Galileo, and/or Worldspan.

There’s been talk of new or revised forms of “self-regulation”, in the form of a “Safe Harbor 2.0” framework or “binding corporate rules“. But under US law, US government demands for access to information (including warrantless secret demands that include their own gag orders) trump any contractual commitments to data subjects or third parties. So no regime based on enforcement of contractual commitments could possibly protect data, once it is stored on US servers, against unjustified government access.

A new “umbrella agreement” regarding transfers of personal data between the US and the EU for law enforcement purposes has recently been “initialled”.  But as the use of the term “initialled” suggests, this “agreement” is not a treaty. It has not, and will not be, presented to the US Senate for ratification, and it will not create any rights enforceable in US courts. As far as the US is concerned, the legal status of this “agreement” is the same as that of a press release: a nonbinding expression of transient intent. As such, it cannot “ensure” any rights or make it legal under EU law to transfer personal data from the EU to the US.

Speaking last week at a privacy conference in Amsterdam, FTC Commissioner Julie Brill suggested that a new legal basis for “ensuring” protection of personal data transferred from the EU to the US might be found in sector-specific US privacy protection legislation and/or in the authority of the FTC (part of the Department of Commerce) to sanction fraudulent and/or deceptive privacy claims. But with respect to airline reservation data, that’s wishful thinking. None of the sector-specific US privacy laws covers travel data, and no law that would protect the privacy of travel data has ever been considered by the US Congress. In addition, as the Safe Harbor framework explicitly acknowledged in its Annex VI, airlines are subject exclusively to the jurisdiction of the Department of Transportation (DOT), and not to the jurisdiction of the FTC or the Department of Commerce. The DOT has never taken any publicly-disclosed action to investigate violations of the Safe Harbor framework by airlines or travel agencies, and has been notably less interested than the FTC in the entire issue of privacy.

The prerequisite to continued transfers of personal data from the EU to the US, without violating fundamental rights recognized by the EU, is either ratification of a new, binding treaty, or change in US law, to provide substantive protection and effective procedures for meaningful challenge and judicial review of government demands for access to personal data.

In this regard, today’s European Parliament resolution mentions the Judicial Redress Act, H.R. 1428, which was approved by the House of Representatives on October 20th and now awaits consideration by the US Senate. This bill is described by its sponsor as “essential to US law enforcement” in order to enable international sharing of surveillance data, and not as a bill to protect privacy or fundamental rights.  If enacted, this bill would allow the Attorney General of the US to designate countries whose citizens would be allowed the same rights (if any) as US citizens and residents are allowed under the US Privacy Act.

It is crucial to recognize that approval of the Judicial Redress Act is a necessary but not a sufficient condition for adequate protection against government surveillance of PNR data and other personal information.

Most government surveillance is exempt from most of the rules and redress provisions of the Privacy Act, even with respect to US citizens. “The same rights as US citizens” means, in such cases, “no rights at all”. For example, when we sued to enforce our Privacy Act rights with respect to mirror copies of our PNR data obtained by the DHS from airlines based in the US, the EU, and other countries, the DHS stalled us while it retroactively exempted its “Automated Targeting System” database of PNR copies and other travel data from most of the requirements of the Privacy Act. And the court upheld the application of this exemption to a request that we had made three years earlier! The NSA has ignored Privacy Act requests from US citizens for its telephone and Internet metadata, and has claimed that these databases are exempt from the Privacy Act. Some of our administrative appeals of the denial or constructive denial of these Privacy Act requests to the NSA have been pending, unanswered, for more than a year. And the US government claims the right to preempt lawsuits under the Privacy Act or any other law, even when they are brought by US citizens, by asserting that the subject of the lawsuit is a “state secret”.

A more subtle but also significant inadequacy in the Judicial Redress Act is that it is limited to citizens of designated countries. It would provide no rights to non-EU citizens who reside in the EU, or to other individuals who do business with, or provide data to, US or EU or other companies that operate in the EU. But the EU Charter of Fundamental Rights and Freedoms recognizes human rights that do not depend on citizenship, and that all entities operating in the EU must respect. As others have observed:

The proposal does not address the thorny issue of the privacy rights of people who reside in Europe but hold citizenship in a third country. Like much commentary on the ruling, it seems limited to data belonging to “Europeans”, which could mean EU citizens or residents, but might not extend to people who are simply in the EU without official status of any kind. In light of the ongoing refugee crisis in the region, the question of to whom, precisely, the ruling will apply, may merit greater attention.

The US government must do more to recognize and respect the human rights of all people, to respect the Constitutional limits on surveillance, and to enable US courts to adjudicate human rights complaints. This is what the UN Human Rights Committee recommended at the conclusion of its most recent review of US compliance with human rights treaties.  But in more than a year since that recommendation, the US has failed to act on it. The US also needs to repeal 49 U.S.C. § 46110, the law which precludes meaningful judicial review of no-fly orders and other decisions made, in whole or in part, on the basis of PNR data including data collected in and obtained from the EU. If Congress doesn’t repeal 49 U.S.C. § 46110, Federal courts should find it unconstitutional and in violation of US obligations under international human rights treaties.

Individuals can best put pressure on the US government by complaining to EU data protection authorities whenever companies collect data about you in the EU and send it for storage on servers in the US — including whenever you make reservations in the EU with a travel company that subscribes to Sabre, Galileo, or Worldspan.

8 thoughts on “Can the US be a “safe harbor” for travel surveillance?”

  1. Some readers have asked whether this gives an advantage to the one major EU-based CRS, Amadeus.

    Not really, because:

    (1) Amadeus has offices in the US which are subject to US legal jurisdiction and to US legal demands that could be made secretly and include gag orders forbidding them to be disclosed to data subjects or to Amadeus subscribers (such as airlines or travel agencies) in the EU.

    These US Amadeus offices have full, unlogged, access to all worldwide Amadeus PNRs.

    We explained this in our testimony at a hearing on PNR transfers in the European Parliament in 2010. See especially slide 5 from our presentation at that hearing:

    (2) As noted in the article above, “even airlines that host their own PNRs in the EU-based Amadeus CRS have appointed agents who act in the name of the airline and subscribe to, and create PNRs in, the US-based CRSs Sabre, Galileo, and/or Worldspan.”

    (3) Amadeus has admitted that it keeps no access logs of PNR retrieval by Amadeus users. So neither Amadeus nor any subscriber would be able to provide the accounting of disclosures required by EU law, even if they wanted to. Amadeus has been aware of this problem for years, but has done nothing to fix it.

    Amadeus *could* gain a privacy advantage over US-based CRSs, but only if it first cleaned up its own act — starting with access logs — and complied with EU privacy law. It hasn’t even tried to do so.
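Point (3) of the comment above turns on two things a CRS would need in order to produce the accounting of disclosures EU law requires: a log entry for every PNR retrieval, and some assurance that the log itself has not been pruned or edited. The following is an added illustration of that minimum, written for this page and not code from Amadeus, any other CRS, or the blog’s author. It keeps a hash-chained, append-only record of retrievals and answers the per-PNR question “who looked at this record, from which office, and why”. The record locators, user IDs, office names and timestamps are constructed sample data; the `purpose` field and the two-office scenario are assumptions made for the example.

```python
"""
Tamper-evident PNR access log with a per-record "accounting of disclosures".
Added example only; not the code of any real CRS. All data is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(body):
    # Canonical JSON so the same fields always hash the same way
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class PnrAccessLog:
    """Append-only log: each entry commits to the previous entry's hash,
    so deleting or editing any earlier retrieval breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, locator, user_id, office, purpose, ts=None):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "locator": locator,   # PNR record locator (constructed values below)
            "user": user_id,      # who retrieved it
            "office": office,     # which subscriber office / system office
            "purpose": purpose,   # assumed field: why the record was accessed
            "prev": prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every entry's hash and back-link are intact."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accounting_of_disclosures(self, locator):
        """Every access to one PNR, in order: (timestamp, user, office, purpose)."""
        return [
            (e["ts"], e["user"], e["office"], e["purpose"])
            for e in self.entries
            if e["locator"] == locator
        ]


def build_sample_log():
    """Constructed scenario: an EU agency creates a PNR, a US office later reads it."""
    log = PnrAccessLog()
    log.record("ABC123", "agent-eu-01", "PAR-agency", "booking",   "2015-10-29T09:00:00+00:00")
    log.record("ABC123", "ops-us-07",   "US-office",  "retrieval", "2015-10-29T15:30:00+00:00")
    log.record("XYZ789", "agent-eu-02", "AMS-agency", "booking",   "2015-10-29T16:00:00+00:00")
    return log


def tamper_detected():
    """Erase the US-office retrieval as if it never happened; verify() must fail."""
    log = build_sample_log()
    del log.entries[1]
    return not log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for row in log.accounting_of_disclosures("ABC123"):
        print(row)
    print("deletion detected:", tamper_detected())
```

Without the `prev` back-link, an office with write access to the log could silently drop its own retrieval entries; with it, the subscriber or a DPA auditor can at least tell that the accounting presented is incomplete, even if they cannot recover what was removed. A production deployment would also anchor the chain head somewhere the logging system cannot rewrite, but that is outside what this example shows.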
