[MEPs picket outside the plenary chamber to ask their colleagues to say “No” to the PNR agreement with the US. (Photo by greensefa, some rights reserved under Creative Commons license, CC BY 2.0)”]

Last week — despite the demonstration shown above (more photos here) by Members of the European Parliament as their colleagues entered the plenary chamber for the vote — the European Parliament acquiesced, reluctantly, to an agreement with the US Department of Homeland Security to allow airlines that do business in the EU to give the DHS access to PNR (Passenger Name Record) data contained in their customers’ reservations for flights to or from the USA. (See our FAQ: Transfers of PNR Data from the European Union to the USA.)

The vote is a setback for civil liberties and the the fundamental right to freedom of movement, in both the US and Europe.

But the vote in the European Parliament is neither the definitive authorization for travel surveillance and control, nor the full grant of retroactive immunity for travel companies that have been violating EU data protection rules, that the DHS and its European allies had hoped for.

Many MEPs voted for the agreement only reluctantly, in the belief (mistaken, we believe), that it was “better than nothing” and represented an attempt to bring the illegal US surveillance of European travelers under some semblance of legal control.

Whatever MEPs intended, the vote in Strasbourg will not put an end to challenges to government access to airline reservations and other travel records, whether in European courts, European legislatures, or — most importantly — through public defiance, noncooperation, and other protests and direct action.

By its own explicit terms, and because it is not a treaty and is not enforceable in US courts, the “executive agreement” on access to PNR data provides no protection for travelers’ rights.

The intent of the US government in negotiating and lobbying for approval of the agreement was not to protect travelers or prevent terrorism, but to provide legal immunity for airlines and other travel companies — both US and European — that have been violating EU laws by transferring PNR data from the EU to countries like the US.  The DHS made this explicit in testimony to Congress in October 2011:

To protect U.S. industry partners from unreasonable lawsuits, as well as to reassure our allies, DHS has entered into these negotiations.

But because of the nature of the PNR data ecosystem and the pathways by which the DHS (and other government agencies and third parties outside the EU) can obtain access to PNR data, the agreement does not provide travel companies with the full immunity they had sought.

Most of the the routine practices of airlines and travel companies in handling PNR data collected in the EU remain in violation of EU data protection law and subject to enforcement action by EU data protection authorities and private lawsuits by travelers against airlines, travel agencies, tour operators, and CRS companies in European courts.

Why is that?

Read More →

The “Automated Targeting System” (ATS) has been a topic of discussion this week at the Securing Our Rights in the Information-Sharing Era conference on national security, surveillance, and immigration enforcement.

ATS is operated by the Customs and Border Protection (CBP) component of DHS, although ATS apparently contains links to records held by other agencies and other commercial databases. ATS records include passenger name records (travel reservations), border crossing logs, secondary inspection notes, “risk assessments” of all travelers (even if you aren’t on any watch list), risk assessment algorithms, and pointers to other databases.

Public notice of the existence of ATS was first provided in 2006, but ATS records provided in response to individual requests show that it had already been in operation, illegally, for years before that. If you’ve been on an international airline flight to or from the U.S. in the last ten years, or crossed the U.S. land border in the last few years, CBP has an ATS file of information about you and your travels. There might be ATS records of earlier trips, although older ATS records are spottier. Some ATS files include border crossings and international flights from as far back as the early 1990s.

We’ve posted forms you can use to request your own ATS file from CBP, as well as examples of some of the types of data included in responses to requests for ATS records. (There’s more about what we’ve found in ATS records in this front-page story from 2007 in the Washington Post.) Contact us if you want help with requests or administrative appeals, or in interpreting responses.

If you think there’s any chance you might be on a watch list, you should also send a separate request to the DHS Chief Privacy and FOIA Officer for records from the DHS /ALL-030 Use of the Terrorist Screening Database (TSDB)  System of Records.  Be sure to state that your request is made under both the Privacy Act and FOIA, and include a request for an accounting of all disclosures of records about you.

The first panelist at the conference was Julia Shearson, a native-born U.S. citizen who was arrested when she tried to drive back into the U.S. after an innocent weekend trip to Canada, on the basis of an entry in ATS falsely flagging her as an “armed and dangerous terrorist”. She’s suing DHS under the Privacy Act to find out why they labeled her a terrorist. Her lawsuit is still pending on remand after a favorable Circuit Court ruling reinstating her complaint. We last reported on her case here; there’s more about her story in this video which was shown yesterday at the conference, and this article from the Cleveland Plain Dealer. Whether the Privacy act provides for recovery of emotional damages was the subject of oral argument before the Supreme Court earlier this week in FAA v. Cooper.

Also still pending is our Privacy Act and FOIA lawsuit against CBP on behalf of Identity Project consultant Edward Hasbrouck, who is seeking ATS records about himself (including his “risk assessments” and the rules used for determining those risk assessments), an accounting of disclosures of those records to other agencies or third parties, information about how ATS records are indexed and retrieved, and records of the processing of his initial requests for ATS records. (He received only incomplete and redacted responses, and not until three years after his initial request and three weeks after he filed suit against CBP for its failure to respond or provide the requested records). A hearing on motions for summary judgment was held in September, and a decision is pending.

Other previous lawsuits related to ATS are discussed here. We’ve also filed comments on CBP rulemakings, objecting to ATS as in violation of the Privacy Act and international human rights treaties.

[On a separate note, the ongoing prosecution of Dr. Ghulam Nabi Fai under the Foreign Agents Registration Act, which was also mentioned at the conference, is discussed here.]

We’ll be participating in a series of public events and private meetings next week with European activists and with European Union and European national officials on PNR data (airline reservations), privacy, data protection, and human rights. Our presentations at all of these events will be in English, although much of the publicity is (naturally, given the venues) in German. see the links below for slides, handouts, video, and news reports on our presentations:

Read More →