May 14 2019

Government access to airline PNR data challenged in German courts

Complaints filed today in German courts and administrative complaints to data protection authorities in Austria challenge government access to and use and retention of Passenger Name Record data (commercial airline reservation records) as a violation of fundamental rights guaranteed  by European Union, German, and Austrian law:

We’ve made (unsuccessful) administrative complaints regarding PNR data to data protection authorities in EU member states incluidng the Netherlands, France, and Germany, and challenged  some aspects of the US governmet’s PNR-based travel surveillaace system in US court under the Privacy Act. But so far as we know, the lawsuits filed today se are the first court cases outside the US to challenge the legality of government demands for access to PNR data or other travel records.

The European legal campaign against PNR-based mass surveillance of travelers is a project of the Gesellschaft für Freiheitsrechte (GFF) in Germany and epicenter.works – Plattform Grundrechtspolitik in Austria, funded in part by one of the first grants from Digital Freedom Fund (DFF) for impact litigation.

The lead plaintiff in the case filed in German administrative court in Wiesbaden, Emilio De Capitani, is a retired former director of the staff of the LIBE (civil liberties) committee of the European Parliament. Mr. De Capitani and the plaintiffs in additional cases filed in other German local courts are represented by Prof. Dr. Remo Klinger and his colleagues at the law firm of Geulen and Klinger in Berlin. The plaintiffs in the Austrian cases are represented by attorney Ronald Frühwirth in Graz.

Mr. De Capitani plans to fly from  Brussels to Berlin for a meeting of GFF in November 2019. He has purchased tickets and informed the airline that he does not want PNR data pertaining to his travel to be made available to government agencies

In response, the airline has told Mr. De Capitani that regardless of his preferences, the airline will provide government agencies in Germany (and possibly also Belgium, although it is not clear if Belgium already has or will have established a “Passenger Information Unit” to receive and process PNR data) with complete copies of the PNRs pertaining to his travel.

This action by the airline is required by German law. Germany and each other member state of the European Union is required to establish a Passenger Information [surveillance] Unit within the government and to have such a law mandating airlines to provide PNR data to the government to comply with the EU PNR Directive adopted in 2016.

The legal analysis in the complaint is conducted primarily under the legal standard of “proportionality” of intrusions on rights to legitimate government purposes. It focuses on the suspicionless, dragnet character of the  surveillance and retention of data concerning  travelers carried out through government access to PNR data, and the use of PNR data not merely for carrying out judicial orders against identified individuals, but also for pre-crime predictive profiling of innocent individuals based on algorithms and “patterns”.

Mr. De Capitani has asked the German court to find that the German PNR law violates fundamental rights recognized by German law, a decision that would ultimately be made by the German Constitutional Court. Because national courts of EU member states do not have jurisdiction to invalidate EU legislation, Mr. De Capitani has asked the German court to refer the question of whether the EU PNR Directive violates fundamental rights recognized by EU law to the European Court of Justice for a binding determination. And Mr. De Capitani has asked for a temporary preventive injunction prohibiting the government from accessing or requiring the airline to give the government access to PNR data pertaining to him and his travel to government agencies while the case is pending.

Mr. De Capitani’s legal complaint is directed against the German government. Others of the lawsuits filed today name airlines including Lufthansa as defendants.

[This article has been updated with additional information and links.]

May 07 2019

Air travelers question use of facial recognition

A Tweet that went viral from an airline passenger questioning JetBlue Airlines about its use of automated facial recognition at departure gates has called new attention to the growing use of automated facial recognition to identify and track travelers.

Our friends at the Electronic Frontier Foundation have an excellent analysis in their Deeplinks blog of some of the unanswered questions raised by this practice. We’ve talked about these before, in our blog and in meetings with DHS officials:

  • What is the relationship between the government and its airline and airport “partners” for the use mug shots of travelers and related identifying information?
  • Can travelers really opt out of airport mug shots, and if so how, especially if — as with ceiling-mounted cameras or other new airport designs for “touchless” passenger processing — facial images are automatically captured before travelers reach the point where they could ask to opt out
  • What, if any, restrictions apply to use or “sharing” of the images and tracking data by airlines, airport operators (which are often local government agencies or other parastatal entities), or DHS components or other government agencies?

We agree completely with EFF that travelers should “Skip the surveillance by opting out of face recognition at airports” and that both members of the public and members of Congress should question what is happening , why, and whether it is legally justified.

But we also want to call attention to two additional aspects of this problem that have been overlooked or misinterpreted in much of the recent discussion: retention of facial images and accuracy of automated facial recognition.

Read More