Congress is currently considering multiple “immigration” bills containing provisions for “continuous screening” or “continuous vetting” of foreign residents, visitors, and would-be visitors to the US. As we have noted previously, “continuous screening” and “continuous vetting” are euphemisms for “continuous surveillance and control”.
These so-called “immigration” bills would not be limited to foreigners. Many of them would include US citizens exercising our right to leave our country, and to return, in pre-crime travel surveillance and control schemes.
One question that has been raised about some of these proposals is (1) whether they would require airlines to provide the DHS with additional information about air travelers, or require information about potential passengers to be provided further in advance of scheduled flights, and (2) if so, whether this would violate the US “agreement” with the European Union regarding US government use of PNR data obtained from airlines.
Here’s some background, and some analysis, of what “continuous vetting” might mean for US government use of data from airlines, and for the US agreement with the EU:
There are two partially-overlapping datasets which DHS receives via airlines for all passengers on international flights to, from, or via the US : Passenger Name Records (PNR) and Advance Passenger Information (API, sometimes called APIS for the Advance Passenger Information System):
- Examples of API data (from the TECS database) and PNR data
- Forms and instructions to request your own API and PNR data from the DHS
- Overview of how DHS obtains and uses PNR and API data (video, slides)
There are separate DHS regulations mandating airlines to provide API and PNR data about all passengers on international flights starting 72 hours before scheduled flight departure or as soon thereafter as reservations are made. The Identity Project objected to both the API and PNR regulations as unauthorized by statute, unconstitutional, and in violation of US human rights treaty obligations, but those objections were ignored.
A new statutory mandate for “continuous vetting” of travelers, as included in some versions of “immigration” bills being considered in Congress, wouldn’t necessarily change or lead to change in the API or PNR regulations. Any change in those regulations would require notice-and-comment rulemaking, and would be subject to legal challenge.
Continuous vetting could be based on whatever data is already available to DHS, which generally wouldn’t include PNR or API data more than 72 hours in advance. (Or at least this data isn’t supposed to be sent systematically to the DHS by airlines more than 72 hours in advance. In fact, DHS has unlogged root access to airline reservations systems and the NSA has hacked those systems and may share data it obtains with the DHS.)
The US-EU “agreement” on US use of PNR data is neither a statute nor a treaty. It’s a press release that is binding on the US neither internationally nor domestically, and by its own explicit terms creates no enforceable rights for anyone.
So a US “continuous vetting” law wouldn’t necessarily change the collection or use by DHS of PNR or API data, directly violate the US-EU agreement, or create the possibility for enforcement action, sanctions, or a lawsuit in any US or European court.
The validity of the current EU-US agreement on PNR data — which has not yet been reviewed by any EU court — has already been placed in question by the decision in 2017 by the Court of Justice of the European Union (CJEU) that the similar EU-Canada agreement on government use of PNR data cannot be concluded without violating fundamental rights recognized by EU law. Members of the European Parliament have already been asking whether the same arguments should be applied to the EU-US agreement. One of President Trump’s first Executive Orders, even before the Muslim Ban, already appears to have repudiated some of the “undertakings” made by the US to the EU in the PNR agreement.
If the US enacts specific new statutory language that refers to PNR or API data, especially language that would authorize or require DHS to demand, or airlines to provide, data further in advance of travel, that might lead to a finding by European courts or legislators that the US is violating the current agreement, and/or that the current agreement is inadequate or invalid under EU law.
So, supposing that either (a) the US enacts some new mandate for additional or earlier provision of data by airlines, or (b) the EU decides that the current agreement on US government access to and use of PNR data is insufficient to assure rights guaranteed by EU law, what will happen?
That would depend on what the US government might do to enforce requirements for government access to and use of commercial travel records. “Enforcement” of travel data demands by the US could target travelers, airlines, or foreign governments:
- Travelers could be ordered to provide more information to the DHS, directly or through airlines. Most likely this would include photographs and/or other biometric data as part of a “biometric entry/exit” scheme. We discussed some of the issues and potential challenges to such a scheme here. Proposals for biometric entry/exit systems aren’t unique to the US, but are a global goal of ICAO’s Traveler Identity Program (TRIP). As Statewatch has noted, the CJEU decision on the EU-Canada PNR agreement has implications for the transfer and use of PNR data to the US, but “The opinion also has significant implications for the EU’s proposed Entry/Exit System, which now appears to be illegal”. Would-be travelers who refuse to submit are likely to be denied passage, with little realistic path to judicial review of those denials.
- Airlines could be ordered to provide more information about travelers. It’s not clear what this information might be. Almost all the information airlines collect for commercial purposes, plus additional information collected solely for government purposes, is already being transmitted to the DHS. Airlines might also be ordered to provide continuous access or updates to this data starting further in advance of scheduled flights. This would require no technical changes. The DHS already has unrestricted root access to the computerized reservation systems (CRSs) that host PNR data. Only DHS internal policy restricts how far in advance the DHS retrieves data, or whether it retrieves data for flights that don’t touch the US. Our sources at CRSs have provided us with credible evidence of DHS users retrieving PNR data for flights not touching the US. For an airline to say “No” to DHS data demands, it would have to get the CRSs to implement new technical measures to restrict DHS users. To date, no airline has made any attempt to challenge any DHS data demand in court in any country, even when the legal basis for these demands has been questionable. Nor have airlines demanded that CRSs restrict DHS access. Only one airline, Lufthansa, has resisted any DHS demands. It’s possible that Lufthansa or some other airline might have DHS blocked from access to PNR data for flights more than 72 hours in the future, or challenge such a demand in court. But the US could respond to any such resistance by threatening to deny landing rights to that airline.
- Foreign governments could be ordered by the US to provide additional information about travelers to the US, or information further in advance. As we have pointed out, the Muslim Ban 3.0 Executive Order contained an explicit threat that citizens of countries that tried to restrict data transfers to the US would be added to the Muslim Ban blacklist for denial of entry to the US, or subjected to more intrusive searches, interrogation, and/or other harassment on arrival. One analysis by a European think tank referred to “the underlying objective of the order, namely to harvest personal data on foreigners. In fact, any country refusing to deliver personal data of their citizens travelling to the US could be added to the list. Therefore, the objective is not to combat states that sponsor terrorism, but to harvest personal data on individuals from around the world, which could be used by US intelligence agencies in ways that may go beyond the struggle against terrorism.”
It remains to be seen who will say “No” to further DHS demands on travelers, and whether any airline or foreign government will stand up to the US government in the face of threats to deny landing rights to its flights or deny entry to the US to its citizens.