Tuesday, 16 December 2003
European Commission reports to Parliament on airline passenger data
European Commissioner Frits Bolkestein is reporting back at this hour today in Strasbourg to an extraordinary joint meeting of the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) and the Committtee on Legal Affairs and the Internal Market concerning the transfer of airline passenger data from the European Union to the USA.
Bolkestein's speech to Parliament announces his proposal that, "The Commission make a finding of adequate protection with regard to transfers of PNR to the US Bureau of Customs and Border Protection. The Commission gave its agreement to this proposal today."
A close reading of Bolkestein's speech reveals that the finding of "adequacy" is based on a number of highly questionable assumptions about what the USA Department of Homeland Security has done and will do.
Among other things, the DHS has represented to the EC, according to Bolkestein, that "the [DHS] Privacy Officer's rulings on complaints will be binding on the Department", a claim with no legal foundation, no apparent enforcement mechanism, and which has yet to be tested. (It will be interesting to see whether the DHS extends its promise to respect its Chief Privacy Officer's rulings to complaints by USA citizens, or whether only rulings on European complaints will be treated as binding.)
More importantly for the European Parliament, Bolkestein explicitly argues that, "ultimately political judgements will be needed". Bolkestein and the Commission appear to have taken it upon themselves, rather than Parliament, to make those decisions -- an approach strongly criticised in Parliament's previous resolutions threatenting to haul the Commission into the European Court of Justice if it doesn't carry out its duties in accordance with Parliament's directives and EU law.
Member of the European Parliament (and of the LIBE Committee) Marco Cappato made a formal complaint to the Commission last month concerning the transfer of his own personal data to the USA, and last week reiterated his and Parliament's criticism of the Commission for failing to enforce EU data privacy laws against such transfers.
(Perhaps MEP Cappato and other concerned EU citizens should test the DHS's new promises by taking their complaints concerning their perosonal travel data -- and its transfer both to USA corporations and the DHS -- directly to the DHS Chief Privacy Officer.)
Two major aspects of the use of travel data in the USA are explicitly excluded from the recommended finding of "adequacy" of privacy protection, and remain under active consideration by both the Commission and the Parliament:
- The DHS has not agreed to any restrictions on commercial use of travel data in the USA, which can continue unrestricted regardless of whether or not the data is also given to the DHS or other government agencies. The DHS couldn't do so even if it wanted to: the authority of the DHS to govern how data is used, or to protect its privacy, extends only to use by the DHS, and not to commercial use in the USA of the same data.
The transfer of travel reservation data from the EU to commercial entities in the USA, in the absence of any legal protections (much less "adequate" ones) for its privacy in the USA, thus continues to violate the EU data protection directive and the EU code of conduct for CRS's and remains subject to possible enforcement action by the EC. Only a USA Federal privacy law governing commercial use of travel data could cure the violation of EU law inherent in these (routine and ongoing) transfers of reservation data from the EU to the USA.
- The proposed EU-USA "arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II). The latter will only be considered in a second round of discussions yet to come. In any case, such discussions can only conclude once Congress' privacy concerns have been met, and so far they have not."
Since it is impossible reliably to determine from current airline reservations which ones (including reservations made in Europe for domestic flights within the USA) contain data originally collected in the EU, this implies that the DHS will not conduct any CAPPS-II tests with real passenger data until after the conclusion both of the report ordered by Congress from the GAO (due 14 February 2004) and a further agreement with the EU on the use of EU data in the CAPPS-II system.
The DHS promise to the EU on CAPPS-II isn't self-enforcing, but any claim or admission by the DHS that CAPPS-II has been tested with real data (as in fact it has, repeatedly, and as I and other have been reporting for months) would be an admission of breach of the DHS promise to the EC.