A leaked copy of the latest draft of a proposed “Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Record [PNR] data to the United States Department of Homeland Security” has been published by the civil liberties watchdog and investigative reporting group Statewatch.

The leaked draft “agreement” fails to satisfy the criteria set by the European Parliament for its ratification of such an agreement, including that any PNR agreement should:

1. Take the form of a duly ratified international treaty binding on all parties. (The draft “agreement” is not a treaty, and would not be binding on the U.S., as discussed in more detail below.)
2. Recognize and respect fundamental rights including the freedom of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights. (The draft “agreement” does not mention freedom of movement, the ICCPR, or any fundamental rights other than those related to privacy and data protection.)
3. Require that the use of PNR data for law-enforcement and security purposes must be in line with European data protection standards. (There is no mention of these standards in the draft “agreement”.)
4. Prohibit the use of PNR data for data mining or profiling. (There is no mention of data mining or profiling in the draft “agreement”.  The draft claims that the U.S. will not make decisions that produce significant adverse actions affecting the legal interests of individuals based solely on automated processing of PNR. But all other data mining and profiling is permitted, as long as there is the slightest element of non-automated human rubber-stamping before adverse actions are taken against an individual.)
5. Take into consideration “PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” (There is no mention in the draft “agreement” of computerized reservation systems, indirect transfers of PNR data, or any of the other means by which, as we have testified to members of the European Parliament, the DHS and other U.S. government agencies could bypass the “agreement”.)
6. Provide for independent review and judicial oversight. (The only review provided for under the draft “agreement” is self-review by the DHS Privacy Office, which is directly controlled by the DHS itself, has no independence, and is the subject of an ongoing scandal and attempted cover-up involving political interference with requests — including ours — for DHS records. The only judicial oversight contemplated in the draft “agreement” is limited to violations of laws that contain no protections for privacy or other substantive fundamental rights.)

The proposed “agreement” has been negotiated in secret between the European Commission (on behalf of the EU) and an interagency Executive Branch working group led by the DHS (on behalf of the USA).

Just as the U.S. Constitution requires that any international treaty negotiated and signed by the President must be ratified by the Senate before it becomes effective, international agreements negotiated by the European Commission and approved by the Council of the European Union must be ratified by the European Parliament.

Some people and groups who ought to know better, including lobbyist and former DHS Assistant Secretary for Policy Stewart Baker — the principal architect of an earlier US-EU “agreement” on PNR data — and the Heritage Foundation, have suggested that for the European Parliament not to ratify whatever the Commission and Council propose would be to “renege” on their agreement with the US. That’s nonsense, obviously. The European Parliament has no more obligation to ratify treaties proposed by the European executive than the U.S. Senate is obligated to ratify every treaty proposed by the President.

(Writing in the Heritage Foundation blog, Baker’s former assistant Paul Rosenzweig also repeats the bogus claim that the Chicago Convention treaty provisions for flights arriving at U.S. airports somehow give the U.S. extra-territorial jurisdiction over foreign citizens boarding foreign-flag aircraft at foreign airports. This clearly false claim by Baker and Rozenzweig was first made by their then boss, Secretary of Homeland Security Chertoff, in a speech to the European Parliament in 2007, and we debunked it in detail at that time. The proposed agreement goes far beyond the explicitly detailed and narrow specifications in the Chicago Convention for what data elements are required to be provided to governments, how, when, and where. )

Both the European Parliament and the U.S. Senate have approved resolutions intended to provide guidance to their respective negotiators as to what sort of agreement they would or would not ratify. Neither legislative body is any more or less out of line in doing so.

The draft “agreement” does not appear to be intended to constitute a treaty, and would not be binding on the U.S., so it would not need to be presented to the U.S. Senate for ratification. The recent Senate resolution, however, makes clear that even if the “agreement” were presented to the Senate, the Senate is unwilling to make any concessions to privacy or human rights, or to enact any new or expanded protections for privacy or for any of the other fundamental rights at stake.

The European Parliament resolution is less intransigent. While it starts from the explicit (and proper) premise that fundamental rights must be respected, and provides details of how that might be done, it still leaves open the possibility of compromise with the U.S. and of modifying existing EU data protection rules.

The key problem is that as long as both the DHS and the U.S. Senate (with, so far as we can tell, the full backing of the Obama Administration, and the concurrence of the U.S. House of Representatives) are completely unwilling to compromise or to provide travelers with any additional rights, any “agreement” will inevitably result only in more infringement of those rights.

No good can come of any such “agreement”. It would serve only to give airlines, Computerized Reservation Systems (CRSs), and other travel companies impunity from EU legal sanctions for ongoing transfers of PNR data to the U.S. that are currently in violation of EU data protection laws, and to remove EU authorities’ current responsibility, which they have been improperly shirking, to enforce those laws against travel companies.

If it is presented to the European Parliament in its present form, the draft “agreement” should be debated, and rejected, not as a “data protection” agreement but as a grant of immunity from EU data protection law to travel companies that are currently making their reservations (PNR) databases accessible to the U.S. government, and the EU authorities who have deliberately refrained from enforcing EU data protection laws against those companies.

The draft “agreement” would not be binding on the U.S., according to the U.S. Constitution, because it would not be a treaty and would not be presented to the U.S. Senate for ratification.  (That’s why we use the term “agreement” in quotation marks.)  By its own explicit terms, the draft “agreement” would not create any enforceable individual rights.  The “agreement” does not purport to contain any enforcement mechanisms or sanctions for breach of the agreement.

But if the “agreement” would not be a binding treaty, and would not provide any enforceable individual rights, what is it? What, if anything, would it accomplish? What purpose, and whose interests, would it serve? Read More →

The travel industry — concerned that treating all travelers as suspected terrorists will discourage travel and reduce their business — has joined forces with the homeland-security industrial complex of providers of travel surveillance and control technology in a pseudo-grassroots lobbying and propaganda campaign for more profiling of travelers.

The motives of DHS contractors and their lobbyists are obvious. But we’re disgusted with travel companies, especially “common carriers” required to transport all would-be customers, whose pitch to the public is that it’s OK for the travel industry to collaborate with the government in collecting lifetime travel histories of their customers, and to subject some of them to everything from virtual strip-searches and/or manual groping to standardless secret no-fly orders, as long as those invasions of privacy and the right to travel are imposed selectively.

Making sexual assault, warrantless searches, and denial of transportation discriminatory and selective — where the selection is based on anything other than a search or arrest warrant, injunction, or  other court order — only exacerbates the unfairness and the denial of rights.

The latest euphemistic buzzword for “trusted traveler” and other profiling schemes is “risk-based”. The term “risk-based’ is used to create the mis-impression that profiling actually measures risk. But let’s be clear: whether there is sufficient evidence of “risk” in a particular case to justify search, detention, and/or denial of freedom of movement is a matter to be determined by a judge, not a profiling algorithm. And even if we wanted to ignore the Bill of Rights, there is no reliable algorithm for identifying “risky people”.  Some people do bad things, but trying to identify “bad people” is impossible without trying to read minds. Any trusted traveler program would inevitably be a “Department of Pre-Crime”, and not based on any actual judicial determination of risk — much less of risk sufficient to justify prior restraint on the exercise of First Amendment rights of assembly.

The travel industry and the profiling companies want you to think that you’d never fit the profile, that you’d be considered a “trusted” traveler, and that all the bad things would be reserved for other bad people who, on the basis of their travel history or other (legal) activities, “deserve” to be treated like terrorists. But the reality is that any trusted traveler program is a threat to all our rights.

Just say no to any “trusted traveler” proposal. Just say no to the traveler surveillance and profiling it would require. And just say no to the discrimination it would embody and institutionalize.

The DHS can’t exempt itself from the civil remedies provided by the Privacy Act for people who are harmed by government violations of the law, according to a decision announced today by the 6th Circuit Court of Appeals in Cincinnati in the case of Shearson v. Department of Homeland Security.

The case was brought by Julia Shearson, Executive Director of the Cleveland chapter of the Council on American-Islamic Relations (CAIR). The incident that led to the case is described in today’s court opinion as follows:

Shearson and her four-year-old daughter, United States citizens by birth and Muslims, returned by car from a weekend in Canada at around 8:30 p.m. on January 8, 2006, via the Peace Bridge in the Buffalo, New York/Fort Erie area. On scanning their United States passports, the CBP computer flashed “ARMED AND DANGEROUS,” and CBP agents asked Shearson to turn over her car keys and step out of the car. Shearson was handcuffed, and, after several hours of questioning in the terminal, she and her daughter were released without explanation. As they left, Shearson inquired whether her vehicle had been searched and was told no search had been conducted. This proved to be false; Shearson’s vehicle had been searched and was damaged in the course of the search. After Shearson wrote several Ohio congressional representatives, who in turn contacted the CBP, the CBP advised the legislators that its agents had acted “in response to what later proved to be a false computer alert.”

The DHS admitted that they had improperly flagged her as a “suspected terrorist” in the (illegal) travel records system that later came to be known as the “Automated Targeting System,” but refused to say why or on the basis of what, if any evidence or allegation against her they did so. Five years later, she’s still trying to find out why — other than working for CAIR — she was labeled in ATS as a “suspected terrorist” to be arrested at gunpoint, separated from her child, and held in handcuffs.

Shearson brought suit against the DHS under the Privacy Act for, among other violations, improperly maintaining records of her religious and other activities protected by the First Amendment, failure to maintain accurate records, improper disclosure of the erroneous records about her, and refusal to show her their files about her.  She filed and argued the case pro se for several years, although Gadeir Abbas (then a law student and now a staff attorney with CAIR) and David Wolfe Leopold (now the president of AILA, the American Immigration Lawyers), later assisted in the case, and attorney Kurt Hunt represented Ms. Shearson in the appeal to the 6th Circuit Court of Appeals.

In response to the lawsuit, CBP (U.S. Customs and Border Protection, a division of DHS), argued that they had exempted themselves from any liability related to ATS for under the provisions of the Privacy Act for civil remedies. Such overbroad self-exemption claims have been a common technique of the DHS to shield itself from acountability to the courts for its actions, even when they infringe citizens’ rights.

As Shearson’s attorney in the 6th Circuit appeal, Kurt Hunt, described the ruling, it means that, “A citizen can sue the government for breaching mandatory provisions of the Privacy Act (for example: improperly maintaining records of First Amendment activity), and the government cannot simply pass a rule to ‘exempt’ itself from potential civil liability for violating those mandatory provisions. In short, it makes it possible for a citizen to actually enforce the Privacy Act in a civil action.”

Hunt notes that, “The circuits are currently split about this question, and the split appears to be widening. Because this was the first 6th Circuit decision to address civil remedies exemptions, today’s ruling will have national implications. We hope the Sixth Circuit’s decision will be the start of a trend of decisions putting the “teeth” back into the Privacy Act.”

Now that DHS’s attempt at self-exemption has been overturned by the Court of Appeals, Shearson’s case has now been remanded for further action on her claims for violation of the Privacy Act and her rights.

We don’t yet know whether similar claims of total self-exemption from  liability to civil remedies will be asserted by CBP in our own case, Hasbrouck v. CBP, which so far as we know is the only other case to have been brought under the Privacy Act and related to Automated Targeting System records.

Highlighting what will happen — and already is happening — when other countries follow the bad example of the USA in restricting freedom of movement, the Canadian Press news service reported last night on the situation of, “A British man … stranded in Canada after being denied permission to fly home because he’s on the U.S. no-fly list”:

Dawood Hepplewhite of Sheffield, England, turned up at Pearson Airport in Toronto on Sunday only to be told by an Air Transat official he couldn’t board the plane…

Hepplewhite, 30, divides his time between Sheffield and Toronto, where his Canadian wife Farhia and their three children reside. All five were planning to head back to England for an extended stay.

Hepplewhite says Air Canada and British Airways also refused to let him fly to England on Monday…

Hepplewhite says he’s no security threat, but suspects he is on the no-fly list because he’s a white Muslim and attended a job interview in Yemen — considered a hotbed of terrorism — for a position teaching English a few years ago.

“And when I came back to England I got pulled aside by the police.”

But Hepplewhite abandoned any idea of working in the Middle-Eastern country and has been to Canada several times since that incident.

It’s not clear what will happen next, but, “Hepplewhite’s visa allowing him to stay in Canada expires on April 29.”  If he overstays his visa, Canadian law would provide for him eventually to be deported from Canada to the country of his citizenship, the U.K.  By air. At the expense of the airline that brought him to Canada — the same airline that is now refusing to allow him to use his paid ticket  for just such a flight home before his visa expires.

Who gave the no-fly order? And how did they know Mr. Hepplewhite planned to be on that plane? According to the Canadian Press story:

A bill currently before Parliament would allow airlines to share passenger information required by the U.S. Secure Flight program….

But both Canada and the U.S. say there is no statutory requirement — at least not yet — to provide passenger information for such flights, and Air Canada says it is not doing so….

When asked recently about use of the U.S. list, Air Canada spokesman Peter Fitzpatrick said “we comply with all applicable laws and regulations wherever we operate, and that includes those in the U.S.”

Whatever is happening, it certainly isn’t complying with Canadian law (which requires airlines to operate as common carriers, and protects against arbitrary denial of fundamental rights) or international treaty law by which Canada is bound (which guarantees the right to return to the country of one’s citizenship). And there’s no claim that the U.S. would have had any jurisdiction over Mr. Hepplewhite’s YYZ-LHR flight, since unlike unlike some flights to and from Canada, such as Montreal-Paris flights that sometimes pass over part of Maine, it wouldn’t have passed through U.S. airspace.

So there’s really no question that there was no basis for any valid U.S. no-fly order.

But it’s unclear whether:

1. The Canadian government (illegally and extrajudicially, in violation of its treaty obligations under Article 12 of the ICCPR) ordered all airlines serving Canada not to transport people with names matching those on the U.S. no-fly list in general, or Mr. Hepplewhite in particular, perhaps without even seeing the evidence, if any, forming the basis for this U.S. request for a Canadian government order; or
2. The airlines (illegally, in violation of Canada’s basic privacy law, PIPEDA) allowed passenger passenger information to be accessed by the U.S. government, or by CRSs or other intermediaries who did so, and (illegally, in violation of their licenses to operate as common carriers) denied transportation to those the U.S. requested not be transported or (more likely, given the change in the U.S. default to, “No”) those with respect to whom the U.S. didn’t send back an affirmative “Cleared” message.

Which of these happened, and how, is an appropriate question for inquiry both by the Canadian Parliament and by the Privacy Commissioners of Canada and of Ontario.

It might be true, in the narrowest sense, that Air Canada does not directly “provide passenger information” to the U.S. government for flights that don’t touch U.S. airspace. But as the treatment of Mr. Hepplewhite shows, the U.S. government has access to such data, either or both because (a) airlines serving Canada have given the U.S. government “root” access to their reservation systems, not restricted to flights to, from, or overflying the U.S., and/or (b) the U.S. government has similar root access to the Computerized Reservation Systems/Global Distribution Systems (CRSs/GDSs) based in the U.S., to  which most travel agencies and tour operators in Canada outsource (illegally, in flagrant violation of PIPEDA, without notice to or consent of travelers and in the absence of any U.S. privacy law governing CRSs) the storage of their reservations and agency customer/traveler profiles.

We’ve talked about both these problems before, in testimony to both the Canadian and European Parliaments, and they picked up on in a recent letter to the European Commission (see the top of p. 2) from the “Article 29 Working Party” of EU national data protection authorities.  It remains to be seen how they will be dealt with in Canada, and how this will affect other countries’ willingness to join the U.S. war on freedom of travel through PNR and identity-based surveillance and control.

[Update from the Toronto Star: “James Mortimer, a spokesman for the British Foreign and Commonwealth Office in London, England, told the Star he is looking into the matter.”]

[Update from the Canadian Press: “British man on U.S. no-fly list gets ‘one-time offer’ to fly to Glasgow…. An Englishman left stranded in Canada because he’s on the U.S. no-fly list is headed home — sort of. Dawood Hepplewhite says a British consular official called with a ‘one-time offer’ from Air Transat to fly with his wife and children to Glasgow, Scotland, on Wednesday night as a ‘goodwill gesture.'”]