{"id":4081,"date":"2012-01-03T10:25:50","date_gmt":"2012-01-03T17:25:50","guid":{"rendered":"http:\/\/papersplease.org\/wp\/?p=4081"},"modified":"2012-01-26T08:43:13","modified_gmt":"2012-01-26T15:43:13","slug":"the-eu-us-pnr-agreement-a-legal-analysis-of-its-failures","status":"publish","type":"post","link":"https:\/\/papersplease.org\/wp\/2012\/01\/03\/the-eu-us-pnr-agreement-a-legal-analysis-of-its-failures\/","title":{"rendered":"The EU-US PNR Agreement — A Legal Analysis of Its Failures"},"content":{"rendered":"

[The following complete article (27 pages)<\/a> or a summary of the key points (3 pages)<\/a> can be downloaded in PDF format. Additional analyses and critiques of the proposed EU-US PNR agreement have been published by, among others, the Identity Project<\/a>, the Electronic Frontier Foundation<\/a>, and a coalition of US and EU NGOs<\/a>.] <\/em><\/p>\n

FROM THE DESK OF BARRY STEINHARDT<\/h3>\n

Chair, Friends of Privacy USA
\nBsteinhardt@friendsofprivacy.us
\nDecember 26, 2011<\/strong><\/p>\n

Introduction<\/h3>\n

The proposed agreement regarding Passenger Name Records (PNR) between the United States and the European Union is riddled with faulty assertions and assumptions about US law and the actual operations of the US Government.<\/p>\n

These faulty assertions and assumptions go to the heart of the agreement and undercut the claims of protections for European travelers.<\/p>\n

As an American lawyer with substantial experience on the PNR and related issues, I want to set the record straight for the European officials who must act on the proposed agreement.<\/p>\n

This memo highlights the most serious of those faulty claims and assumptions.<\/p>\n

In summary:<\/p>\n

    \n
  1. The Agreement does not apply to the agency \u2013 the Terrorist Screening Center \u2013 which actually decides which travelers will be subject to the No Fly rules.<\/li>\n
  2. The US Laws cited in the agreement as offering protections to European travelers actually provide very little benefit or are completely irrelevant to the international transfer of PNR data;<\/li>\n
  3. Europeans cannot, as the agreement suggests, obtain independent and adequate relief from unlawful actions by the US Executive Branch (USG) by appealing those decisions under the Administrative Procedure Act (the APA).There are virtually insurmountable substantive and procedural hurdles to the use of the APA in \u201cappealing\u201d decisions of the Department of Homeland Security (DHS).Of greatest importance, most of the relevant actions taken pursuant to the agreement will not qualify as a \u201cFinal Order\u201d that can be appealed under the APA;<\/li>\n
  4. Beyond that the APA is of little use to travelers who want to challenge the centrally important actions taken by the Terrorist Screening Center (TSC) of the Department of Justice (DOJ).The Agreement is focused on the TSA\u2019s screening of air passengers. It gives short shrift to and offers very little protection from the Automated Targeting System (ATS) operated by Customs and Border Protection (CBP) which is a wholly separate branch of DHS.It is CBP \u2013 not the TSA \u2013 that use the ATS to decide how Europeans will be treated when they enter exit the US;<\/li>\n
  5. There are substantial uncertainties about which, if any, court would be empowered to hear an \u201cappeal\u201d and which agencies would need to be sued. Complex jurisdictional rules regarding APA appeals and transportation security issues throw air passengers into a procedural thicket from which they may never escape;<\/li>\n
  6. The DHS Chief Privacy Officer has neither the independence nor the authority claimed in the Agreement. Nor does the CPO of the Justice Department whose jurisdiction includes the TSC, and;<\/li>\n
  7. The Agreement does not cover the USG\u2019s uses of private commercial data e.g. data obtained from the Computer Reservation Services (CRS) and the USG has wide power under the Patriot Act and related law to obtain data them.<\/li>\n<\/ol>\n

    US Privacy Law<\/h3>\n

    The US does not have a general overarching privacy law like the European Data Directive or the sweeping privacy protections contained in the European declarations of rights.<\/p>\n

    The EU-US accord cites several laws, which it claims, give privacy rights to non- US persons. None of the cited laws offer any real substantive or procedural protections for Europeans.<\/p>\n

    As explained below, one law \u2013 the Privacy Act, 5 U.S.C 552a \u2013 that could offer some modest protections is tellingly not even mentioned.<\/p>\n

    But before turning to those laws to those laws in detail it is important to understand the Agreement\u2019s glaring structural deficiency \u2013 it does not address the central role played by the Terrorist Screening Center.<\/p>\n

    The Agreement focuses on the actions of the US Department of Homeland Security (DHS), which under its terms will receive the PNR data.<\/p>\n

    But \u2013 in many respects \u2013 DHS is not the crucial decision maker.<\/p>\n

    The Agreement does not squarely pertain to or offer any protections from the actions of the US agency \u2013 the Terrorist Screening Center (TSC) \u2013 which is at the center of many of the most important decisions affecting Europeans.<\/p>\n

    The TSC, which is part of the US Department of Justice (DOJ) and administered by its sub agency the Federal Bureau of Investigation (FBI), is the governmental component, which actually places persons on the \u201cNo Fly List\u201d and administers that list.<\/p>\n

    DHS is a consumer of the list and uses it to screen passengers. But is has no control over who is placed on the list.<\/p>\n

    DHS cannot offer any real redress to Europeans. It cannot correct a mistake or remove a person from the No Fly List. That must be done by the TSC.<\/span><\/p>\n

    The Terrorist Screening Center develops and maintains the Terrorist Screening Database (\u201cTSDB\u201d) or \u201cwatch list\u201d of which the No Fly List is a component. The Terrorist Screening Database is the federal government\u2019s central repository for watch list-related screening.<\/p>\n

    The TSC decides whether an individual will be included in the watch list as a known or suspected terrorist and which screening systems will receive information about the individual.<\/p>\n

    The TSC sends records from the TSDB to other government agencies like DHS, which then use those records to identify suspected terrorists. For example, applicable TSC records, including those from the No Fly List, are provided to TSA for use in pre-screening passengers. TSC records are also provided to U.S. Customs and Border Protection for use in screening entrants to the United States.<\/p>\n

    Agencies like the TSA may carry out the screening function, but they do not decide who should or should not be included on a watch list.<\/p>\n

    The TSC has provided no publicly available information about how it makes these decisions.<\/p>\n

    The TSC does not accept redress inquiries from individuals who have been barred from boarding an aircraft or otherwise subjected to an adverse action as a result of their apparent inclusion on the No Fly List.<\/p>\n

    Aggrieved individuals are referred to the DHS TRIP program, which can only transmit traveler complaints to the TSC.<\/p>\n

    It is the TSC, which determines whether any action should be taken. Once TSC makes a determination regarding a particular individual\u2019s status on the watch lists, it notifies DHS TRIP. DHS TRIP then responds to the individual with a vague letter that neither confirms nor denies the existence of any terrorist watch list records relating to the individual.<\/p>\n

    Here is the pertinent language from an actual and typical letter:<\/p>\n

    \u201cSecurity procedures and legal concerns mandate that we can neither confirm nor deny any information about you which may be within federal watch lists or reveal any law enforcement sensitive information. However, we have made any corrections to records that our inquiries determined were necessary, including, as appropriate, notations that may assist in avoiding instances of misidentification.\u201d<\/p><\/blockquote>\n

    The \u201cprocess\u201d unfolds in total secrecy.<\/span> The traveler plays no role in this process after she has submitted a TRIP request. For example, she cannot present evidence or contest allegations.<\/p>\n

    And, as noted above, not even the result is disclosed to the traveler.<\/p>\n

    Finally, the USG may argue that the agreement applies to actions taken by the TSC and it protects European passengers against breaches by the TSC.<\/p>\n

    Any such assertion would be flatly wrong.<\/p>\n

    The actions of the TSC in administering the TSDB are not governed by the agreement. The Agreement governs only the transfer of PNR data from Europe to the US and the decisions made on the basis of that data.<\/p>\n

    The PNR data is irrelevant to the actions taken by TSC. It is only after the TSC acts that PNR data comes into play when DHS uses it to identify air passengers to determine if they are on the list.<\/p>\n

    A.\tThe \u201cRelevant\u201d Laws Offer No Real Protection to Europeans.<\/h4>\n

    The Agreement refers to several US laws which is asserts offer substantive or procedural rights to Europeans.<\/p>\n

    But none of those laws offer any real protections.<\/p>\n

    1. The Administrative Procedure Act. 49 U.SC. Sec 46110<\/strong><\/p>\n

    Article 13 Sec.4 of the agreement asserts that:<\/p>\n

    In particular, DHS provides all individuals an administrative means (currently the DHS Traveler Redress Inquiry Program (DHS TRIP)) to resolve travel-related inquiries including those related to the use of PNR. DHS TRIP provides a redress process for individuals who believe they have been delayed or prohibited from boarding a commercial aircraft because they were wrongly identified as a threat.<\/p>\n

    Pursuant to the Administrative Procedure Act and Title 49, United States Code, Section 46110, any such aggrieved individual is entitled to petition for judicial review in U.S. federal court from any final agency action by DHS relating to such concerns.<\/p><\/blockquote>\n

    There are multiple reasons why this assertion is, at best, a gross exaggeration and, at worst, fundamentally wrong.<\/p>\n

    a.\tDHS\u2019 decisions may not, in fact, be appealable to the Federal Courts as a \u201cfinal agency action\u201d.<\/span><\/p>\n

    As the agreement itself notes the APA is only available to challenge a \u201cfinal agency action\u201d.<\/p>\n

    Judicial precedent \u2013 past decisions from relevant courts \u2013 and the plain language of the Act lead to the inevitable conclusion that DHS\u2019 decisions regarding passenger screening using PNR are not \u201cfinal actions\u201d under the APA.<\/p>\n

    What follows is a summary of the applicable US law. I would be happy to provide a longer explanation to any European official.[Note 1]<\/sup><\/a><\/p>\n

    To begin with the DHS letters like the one quoted above neither confirm nor deny the complainants\u2019 watch list status. They do not tell them whether they can fly, and do not inform them of the outcome of their redress complaints; indeed, they are devoid of any substantive content. TSA\u2019s TRIP determination letters are not \u201corders\u201d in any sense<\/p>\n

    An agency decision is an \u201corder\u201d under Section 46110 only if it \u201cimposes an obligation, denies a right, or fixes some legal relationship.\u201d Mace v. Skinner, 34F.3d 854, 857 (9th Cir. 1994) (discussing the predecessor provision, 49 U.S.C. app. \u00a7 1486 (1988));<\/p>\n

    DHS TRIP letters do none of those things. The letters do not say whether an individual was on a watch list prior to receipt of a redress inquiry; they do not set forth the bases for any such inclusion; and, most critically, they do not say how the government has resolved the complaint at issue or specify whether an individual will be permitted to fly in the future. DHS \u201cdoes not order anybody to do anything at the conclusion of\u201d a DHS TRIP inquiry, so a DHS TRIP letter is a \u201c\u2018final disposition\u2019 of that proceeding\u201d only in the sense\u201d that DHS refuses to do anything more after issuing\u201d of a complaint.<\/p>\n

    Moreover, to constitute an \u201corder,\u201d a decision must \u201cprovide [] a \u2018definitive\u2019 statement of the agency\u2019s position.\u201d Mace, 34 F.3d at 857 (internal citations omitted). The DHS TRIP letters take no position, let alone a \u201cdefinitive\u201d one, on whether a traveler is on or will be removed from the No Fly list or will receive any lasting relief.<\/p>\n

    Indeed, the Department of Homeland Security\u2019s own Office of the Inspector General (\u201cOIG\u201d) has conceded as much, observing that TSA\u2019s responses to redress-seekers leave travelers \u201cwithout a clear understanding of how their travel difficulty arose, whether they are likely to face future problems, and what course of action they might take next.\u201d Dep\u2019t of Homeland Sec. Office of the Inspector Gen., OIG-09-103, Effectiveness of the Department of Homeland Security Traveler Redress Inquiry Program 89 (2009). The OIG noted that DHS TRIP letters may not even accurately report that the government has investigated an individual\u2019s case and made any appropriate changes because the Office of Transportation Security, which issues the letters, \u201chas no authority over DHS components\u2019 or other agencies\u2019 redress personnel\u201d who are \u201ccentral to much of the case review and adjudication process,\u201d and is thus \u201cin no position to ensure\u201d the truth or accuracy of these representations.<\/p>\n

    Finally, DHS TRIP letters are not \u201corders\u201d because the agency that issues them does not create a record that would permit meaningful appellate review of any claims, let alone of the claims raised here. The \u201cexistence of a reviewable administrative record is the determinative element\u201d in deciding whether a decision is an \u201corder.\u201d Sierra Club v. Skinner, 885 F.2d 591, 593 (9th Cir. 1989); see also Ibrahim, 538 F.3d at 1256 & n.8 (noting that \u201cthe absence of a record lends support to the view that Congress didn\u2019t intend\u201d for courts of appeals to review pursuant to Section 46110 TSC decisions to place names on the No Fly List).<\/p>\n

    To the extent that any administrative record is created, it is created by the TSC, not TSA; as the government\u2019s declarations make clear, TSA transmits traveler complaints to the TSC, which determines whether any action should be taken.<\/p>\n

    If DHS TRIP letters can be described as \u201corders\u201d of any agency, they are orders of the TSC.<\/p>\n

    b.\t There are substantial uncertainties about which, if any, court would be empowered to hear an \u201cappeal\u201d and which agencies would need to be sued.<\/span><\/p>\n

    Complex jurisdictional rules regarding APA appeals and transportation security issues throw air passengers into a procedural thicket from which they may never escape.<\/em><\/p>\n

    In the US judicial system, the lower District Courts are the trial courts. Cases ordinarily begin in the District Courts.<\/p>\n

    The District Courts hear evidence and act as the Trier of facts as well as applying the relevant law.
    \nThe Courts of Appeal are not trial courts capable of hearing witnesses or other original evidence. As the name suggests, the primary responsibility of the Circuit Courts of Appeals is to consider appeals from the District Courts based on the record established in the lower court.<\/p>\n

    However the US Congress sometimes give the Appeals Courts \u201coriginal jurisdiction\u201d over appeals from Administrative Agencies where a factual record was developed by the Agency.<\/p>\n

    In this case, a federal law, 28 U.S.C. Section 46110, grants exclusive jurisdiction to the Courts of Appeals to hear \u201cappeals\u201d from final<\/span> orders of DHS regarding certain matters related to air security.<\/p>\n

    That\u2019s where things get complicated.<\/p>\n

    In an important 2008 decision from the 9th Circuit Court of Appeals, Ibrahim v. Department of Homeland Security<\/em>, 538 F.3d 1250 (9th Cir.) 2008 \u2013 The Courts of Appeal are one step below the Supreme Court and the 9th Circuit is the highest Court to have ruled on this issue \u2013 suggests that depending on which agencies and issues are involved the appellant may need to bring two separate actions \u2013 one in a Court of Appeals and the other in a lower Federal District Court.<\/p>\n

    Ibrahim<\/em> involved a non-resident alien who was detained at the airport because she was apparently on the No Fly List. Without reaching the question of whether the Ibrahim could challenge her inclusion on the No Fly list as a final agency action, the Court held that any APA claim would have to be brought against the actual decision maker \u2013 the TSC \u2013 and the TSA or DHS.<\/p>\n

    Moreover, that claim would have to begin in the District Court and not the Appeals Court.<\/p>\n

    However, the Court went on to say that if a traveler wished to challenge DHS\u2019 general policies regarding Airport Security \u2013 again assuming their was a final order to appeal \u2013 the case would have to be brought in the Court of Appeals.<\/p>\n

    In other words, a plaintiff, who wished to challenge her inclusion on the No Fly list and the procedures employed against her. would need to bring two different actions against two different agencies in two different courts.<\/p>\n

    And, of course, once she got to the right court(s) she would need to demonstrate that the relevant agencies had issued a final order and that the courts were was not barred from hearing the matter because it involved \u201cstate secrets\u201d. (see below.)<\/p>\n

    c. ATS \u2013 The Missing Program<\/span><\/p>\n

    The Agreement is almost singularly focused on the airline passenger screening programs run by the TSA.<\/p>\n

    But an equally important use of PNR will be made by a different component of DHS \u2013 Customs and Border Protection (CBP) \u2013 which operates the Automated Targeting System (ATS) in its role as America\u2019s border agent.<\/p>\n

    The Agreement offers little, if any, protection to European travelers against US abuse of ATS<\/span>.<\/p>\n

    The most glaring deficiencies relate to redress and access.<\/p>\n

    While much of ATS\u2019 operation is shrouded in secrecy from the public, the Commission negotiators were presumably privy to a more detailed understanding of its workings.<\/p>\n

    But regardless of their of knowledge, they failed to address this critical program in the agreement.<\/p>\n

    What is publicly known (see e.g. the DHS\u2019s Privacy Impact Statement of 11\/22\/2006) is that ATS includes a computerized system that scrutinizes a large volume of data related to every person who crosses U.S. borders and then assigns a \u201crisk assessment score\u201d to each traveler which may be used to place them in a risk group of terrorists or other criminals.[Note 2]<\/sup><\/a><\/p>\n

    PNR data plays a crucial role in ATS. ATS receives the PNR data supplied by European sources and it is used extensively in the risk assessment process.<\/p>\n

    Targeted persons are subjected to additional \u201cscrutiny\u201d that ranges from exclusion from the US, to detention, to invasive questioning and physical searches.<\/p>\n

    The Agreement presumably covers ATS and ATS with regards to some provisions, e.g. the provisions of Article 5 related to data security.<\/p>\n

    However it is does not apply to many other provisions that are of greatest concern to Europe.<\/p>\n

    For example, Article 8 on Data Retention explicitly applies to a database in which DHS \u201cretains\u201d PNR.<\/p>\n

    That is presumably a central database of PNR data maintained by the TSA or another subdivision of DHS. But ATS has its own separate and independent records systems that will contain PNR data.<\/p>\n

    It is not publicly known precisely how the records are stored or for how long the data is retained by CBP. But the plain language of the Agreement \u2013 in particular the exclusive reference to a single database \u2013 logically means that separate records systems such as ATS\u2019 are not bound by the provisions regarding data retention.<\/p>\n

    Most importantly, the supposed redress provisions clearly do not apply to ATS.<\/p>\n

    First, the highly touted TRIP program applies to the passenger screening done by a different agency \u2013 the TSA.<\/p>\n

    The ATS program is operated by the CBP on a completely separate basis. CBP\u2019s decisions are not subject to review under the TRIP program.<\/p>\n

    Travelers cannot use TRIP to seek redress from ATS or its use of ATS.<\/p>\n

    TRIP is irrelevant to ATS.<\/span><\/p>\n

    Second, the APA is of little \u2013 if any \u2013 benefit in this situation. Even if a passenger knew that they were being treated differently by CBP at the border as a result of ATS they could not bring an appeal under the APA.<\/p>\n

    As described above, APA appeals can only be taken from a \u201cfinal agency order\u201d.<\/p>\n

    There are no such orders here. Indeed ATS is designed to be a dynamic program so no decisions are \u201cfinal.\u201d<\/p>\n

    Finally, as described below, agencies like ATS reflexively use the law enforcement and\/or national security exemptions to deny individuals FOIA access to their own record.<\/p>\n

    European travelers will encounter FOIA hurdles that will make it exceedingly difficult or even impossible to obtain the records necessary to bring suit.<\/p>\n

    d. \tThe USG may be able to block Judicial Review by citing the \u201cState Secrets\u201d or other \u201cNational Security\u201d doctrines.<\/span><\/p>\n

    Despite its rhetoric, the Obama Administration has largely adopted the Bush Administration arguments that the Courts may not hear many cases involving its prosecution of the \u201c War on Terror\u201d. They continue to argue that hearing such cases would compromise national security or require the disclosure of \u201cstate secrets\u201d.<\/p>\n

    Such claims, at a minimum, make it very difficult to litigate these issues and many courts have accepted them and dismissed important cases.<\/p>\n

    The New York Times has an excellent piece summarizing the use of the State Secret doctrine at:<\/p>\n

    http:\/\/topics.nytimes.com\/topics\/reference\/timestopics\/subjects\/s\/state_secrets_privilege\/index.htm<\/a>l<\/p>\n

    The Washington Post editorialized for its reform at:<\/p>\n

    http:\/\/www.washingtonpost.com\/opinions\/state-secrets-privilege-time-for-congress-to-end-the-rubber-stamp\/2011\/05\/20\/AGrTEzEH_story.htm<\/a>l<\/p>\n

    Further information can be found at the web sites of the two NGOs, which have litigated the most cases in the area \u2013 the ACLU and the Center for Constitutional Rights:<\/p>\n

    http:\/\/www.aclu.org\/national-security\/background-state-secrets-privilege<\/a><\/p>\n

    http:\/\/ccrjustice.org\/learn-more\/faqs\/faqs:-what-are-state-secrets<\/a><\/p>\n

    2. The Freedom of Information Act (FOIA). 5 USC Sec 552<\/strong><\/p>\n

    FOIA is an access-to-documents law. In theory, both American and Non-US Persons can use FOIA to gain access to the PII about them held by the USG.<\/p>\n

    There are two principal problems with FOIA in this context:<\/p>\n

    First, FOIA is riddled with loopholes in the form of \u201cexemptions\u201d that the government can used to deny access. As a practical matter, the USG routinely and promiscuously denies FOIA requests or heavily \u201credacts\u201d, i.e. censors, what it does release on the basis of Exemption 1 related to \u201c National Security\u201d or on the ground that the release would interfere with a criminal investigation.<\/p>\n

    Second, FOIA does not require or even permit the USG to correct errors in its records.<\/p>\n

    Third and perhaps most startlingly, the USG may not even tell the truth about whether a relevant record exists see e.g.:<\/p>\n

    http:\/\/articles.latimes.com\/2011\/oct\/31\/opinion\/la-ed-secrets-20111031<\/a><\/p>\n

    The Privacy Act, in contrast, does have some relevant provisions on redress \u2013 including error correction. (See below.)<\/p>\n

    3. The Computer Fraud and Abuse Act. 18 USC Sec. 1030<\/strong><\/p>\n

    The Computer Fraud and Abuse Act covers only unauthorized \u2013 rogue \u2013 access to databases. It does not apply to the \u201cauthorized\u201d uses that are the principal subject of the agreement.<\/p>\n

    4. The Electronic Communications Privacy Act (ECPA). 18 USC 2510 et seq<\/strong><\/p>\n

    As the name suggests ECPA governs electronic communications and covers such topics as wiretapping. It is \u2013 to put it charitably \u2013 very difficult to understand its inclusion in a list of laws relevant to the transfer of PNR.<\/p>\n

    The only explanation that I can imagine is that the USG believes that the electronic gathering and transmission of PNR data implicates ECPA.<\/p>\n

    That would be a novel and not unwelcome concession.<\/p>\n

    However, you should be aware that ECPA offers very little protection to records that have been stored for even milliseconds prior to their transmission.<\/p>\n

    So ECPA would not offer any meaningful protections regarding the transmission of PNR data from sources in Europe to the US.<\/p>\n

    5. The Privacy Act. 5 USC Sec 552<\/strong><\/p>\n

    The EU-US agreements does not even mention the Privacy Act which governs \u201csystems of records\u201d created or held by the USG and which has elaborate provisions on access, accuracy, redress, etc.<\/p>\n

    You may hear suggestions that the Privacy Act is not relevant because it does not apply to Non-US persons.<\/p>\n

    That is a red herring!<\/p>\n

    While the provisions of the Act apply to US persons, the USG can and has chosen to apply it foreigners. For example, the Department of Homeland Security (DHS) has agreed to allow foreign passenger to use the Privacy Act based TRIP program.<\/p>\n

    The Privacy Act could provide real protections to Europeans.<\/p>\n

    But only if:<\/p>\n

      \n
    1. The USG agrees to apply it to actions taken pursuant to the Agreement it and,<\/li>\n
    2. The USG agrees not to claim the broad exemptions e.g. for national security, that absolve it from having to comply with the Act\u2019s protections,<\/li>\n<\/ol>\n

      B. \t Redress<\/h3>\n

      Privacy Officials<\/strong><\/p>\n

      The United States is one of only two OECD nations \u2013 Japan is the other \u2013 that does not have an independent privacy or data protection official.<\/p>\n

      Many agencies do have a \u201c Chief Privacy Officer\u201d(CPO).<\/p>\n

      But these officials are appointed by and report to the head of their agency.<\/p>\n

      They have little if no independent authority.<\/p>\n

      The EU agreement cites the CPO of DHS.[Note 3]<\/sup><\/a><\/p>\n

      Even though the Congress created her position (Sec. 222 6 U.S.C. 142) she is far from \u201cindependent\u201d. [Note 4]<\/sup><\/a><\/p>\n

      The Office\u2019s lack of independence has long been understood by the International Data Protection Community.<\/p>\n

      So, for example, the Conference of Data Protection Commissioners has refused to admit the CPO into their ranks.<\/p>\n

      The CPO of DHS fails the test set out by the Agreement itself:<\/p>\n

      A. She is appointed by and reports directly to the Secretary of the Department of Homeland Security (Sec. 222 (a)).<\/p>\n

      B. She can initiate investigations. But that power is limited by both law and practice:<\/p>\n

        \n
      1. After nearly 3 years in office, the CPO finally conducted her first \u201cinvestigation\u201d this year and that according to her most recent Annual Report to the Congress was for an \u201cincident” involving the loss of an unencrypted flash drive.[Note 5]<\/sup><\/a> There have been no investigations for matters comparable to a violation of the Agreement;<\/li>\n
      2. Her investigatory powers are greatly hampered by the fact that she cannot compel the cooperation of USG officials from other agencies e.g. the TSC and she that needs the Secretary\u2019s approval to issue a subpoena to a private party e.g. an airline;<\/li>\n
      3. She has no authority to bring an enforcement action on her own or refer issues to the Department of Justice for enforcement. She is can refer cases to the Department\u2019s Inspector General (IG) for investigation. But the IG\u2019s authority is limited to instances of waste, fraud and abuse. He has no jurisdiction over violations of data protection laws or agreements.<\/li>\n<\/ol>\n

        C. She does receive complaints. But as the annual report makes plain she has no independent authority to resolve them or order a remedy.<\/p>\n

        Given the central role of the TSC, the other relevant official is the CPO of the Justice Department.
        \nHer position was also created by Congress is governed by 42 USC Sec 2000 ee1.<\/p>\n

        The applicable law states that, rather than being an independent official, she reports to the Attorney General (Sec (c) (1)) and her first responsibility is to \u201c advise\u201d and \u201c assist\u201d him in considering privacy and civil liberties matters (Sec (a) (1).<\/p>\n

        The current CPO Nancy Libin can be seen explaining how her role differs from Europe\u2019s independent DPAs at:<\/p>\n

        https:\/\/www.facebook.com\/video\/video.php?v=389139172920<\/a><\/p>\n

        C.\tCommercial Data and the Impact of Laws Like the Patriot Act<\/h3>\n

        On its face, the EU Accord, only applies to direct transfers of PNR data to the USG.<\/p>\n

        This, as others have pointed out, is a huge loophole, which allows the USG to get unfettered access to the same data by going directly to the private companies, which created and continue to hold the data:<\/p>\n

        http:\/\/papersplease.org\/wp\/2011\/11\/28\/revised-eu-us-agreement-on-pnr-data-still-protects-only-travel-companies-not-travelers\/<\/a><\/p>\n

        I won\u2019t rehash the points made by others.<\/p>\n

        But I do want to highlight an important point \u2014the Agreement puts no limitations on the ability of the USG to obtain sensitive PNR directly from CRS or any other private company which has the data.<\/p>\n

        In other words, any limitations the Agreement places on the direct government to government transfer of PNR could be circumvented by forcing companies to turn over the data.<\/p>\n

        The USA Patriot Act is well known to many Europeans. Originally enacted within weeks of the 9\/11 2001 terrorist attacks, it vastly expanded the USG\u2019s powers.<\/p>\n

        Two sections are especially troubling:<\/p>\n

          \n
        1. Section 505 gives the USG extraordinary power to issue \u201cNational Security Letters\u201d (NSLs) to compel private parties to turn over sensitive data.These Letters allow the FBI unilaterally to order the disclosure of records like PNR without judicial oversight.<\/span> There is no limitation on the number of records that may be released, so that a single Letter could be used to gain access to entire databases. The Letters also contain an automatic gag order barring the individuals who comply with the order from disclosing that the FBI has sought the information.<\/li>\n
        2. Section 215 gives law enforcement broad power to seek an order from the Foreign Intelligence Surveillance Act court to access to \u201ctangible things\u201d such as PNR held by private parties things that are \u201csought for\u201d an investigation \u201cto obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.\u201d Like National Security Letters there is no limitation on the number of records that may be released, so that a single warrant could be used to gain access to entire databases.<\/li>\n<\/ol>\n

          These provisions unquestionably apply to the reservation systems which are based in or doing business in the US.<\/p>\n

          (Attached for your reference is the relevant section from a memo<\/a> prepared by my ACLU colleague Chris Calabrese for then British Columbia Privacy Commissioner David Loukedelis which explains the long reach of US law. Subsequent developments in the law have only strengthened the conclusions reached in this 2004 memo.)<\/p>\n

          The failure to address the USG\u2019s private path to PNR data is a glaring and unexplained loophole in the Agreement.<\/p>\n

          Note 1.<\/a> This analysis heavily draws from one prepared by the domestic human rights group the American Civil Liberties Union (ACLU). The ACLU has initiated or bee\/p\/strongThat\u2019s where things get co mplicated.n involved in virtually all of the recent relevant litigation.<\/p>\n

          Note 2.<\/a> Article 7 of the Agreement provides:<\/p>\n

          “The United States shall not make decisions that produce significant adverse actions affecting the legal interests of individuals based solely on automated processing and use of PNR.”<\/p>\n

          But Article 7 does not bar the use of ATS. While CBP uses a computerized system to process reams of information, the final decisions are made by human agents. So decisions are not being made \u201cbased solely on automatic processing\u201d.<\/p>\n

          Note 3.<\/a> In the interest of full disclosure, I am a member of DHS\u2019 Data Privacy and Integrity Advisory Committee (DPIAC) which provides advice to the Chief Privacy Officer on issues that she refers to us. I have the greatest respect for the current CPO Mary Ellen Callahan. But my service on DPIAC has only reinforced my understanding of how little independence and authority she has.<\/p>\n

          Note 4.<\/a> “Article 14. Compliance with the privacy safeguards in this Agreement shall be subject to independent review and oversight by Department Privacy Officers, such as the DHS Chief Privacy Officer, who:<\/p>\n

          (a) have a proven record of autonomy;<\/p>\n

          (b) exercise effective powers of oversight, investigation, intervention, and review;
          \nand<\/p>\n

          (c) have the power to refer violations of law related to this Agreement for prosecution or disciplinary action, when appropriate.<\/p>\n

          They shall, in particular, ensure that complaints relating to non-compliance with \tthis Agreement are received, investigated, responded to, and appropriately redressed. These complaints may be brought by any individual, regardless of nationality, country of origin, or place of residence.”<\/p>\n

          Note 5.<\/a> 2011 Annual Report to the Congress, p.24: http:\/\/www.dhs.gov\/files\/publications\/editorial_0514.shtm#0<\/a><\/p>\n

          Note on the Author:<\/em><\/p>\n

          Barry Steinhardt, <\/em>President, <\/em>Friends of Privacy USA<\/em><\/p>\n

          Barry Steinhardt is the founder of Friends of Privacy USA, a new NGO which focuses on America\u2019s compliance with international privacy principles and its engagement on privacy with the international community.<\/em><\/p>\n

          Steinhardt retired in 2009 after a nearly 30 year career with the American Civil was previously the Director of the ACLU’s Program on Technology and Liberty. Prior to leading that new program, Steinhardt served as Associate Director of the ACLU. He is a member of the Data Privacy and Integrity Committee of the Department of Homeland Security. Steinhardt is a Trustee of Privacy International. He Chairs the Steering Committee for the Computers Freedom and Privacy Conferences and serves on the Board of the ACLU of Virginia.<\/em><\/p>\n

          He has served on a wide variety of panels and Boards, including the Department of Transportation\u2019s Negotiated Rule Making on national driver\u2019s license standards, the Advisory Committee to the US Census, the Blue Ribbon Panel on Genetics of the National Conference of State Legislatures. In 1998, Steinhardt took a leave of absence from the ACLU to serve as President of the Electronic Frontier Foundation.<\/em><\/p>\n

          Article 7 of the Agreement provides:<\/p>\n","protected":false},"excerpt":{"rendered":"

          [The following complete article (27 pages) or a summary of the key points (3 pages) can be downloaded in PDF format. Additional analyses and critiques of the proposed EU-US PNR agreement have been published by, among others, the Identity Project, the Electronic Frontier Foundation, and a coalition of US and EU NGOs.] FROM THE DESK […]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,3,2,5],"tags":[],"_links":{"self":[{"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/posts\/4081"}],"collection":[{"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/comments?post=4081"}],"version-history":[{"count":38,"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/posts\/4081\/revisions"}],"predecessor-version":[{"id":4180,"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/posts\/4081\/revisions\/4180"}],"wp:attachment":[{"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/media?parent=4081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/categories?post=4081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/papersplease.org\/wp\/wp-json\/wp\/v2\/tags?post=4081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}