Sunday, 12 August 2007

Another USA-EU "agreement" on airline reservations

Wendy Grossman has a good story today in The Register on the latest "agreement" between the USA and the European Union on transfers of Passenger Name Record (PNR) data from the EU to the government of the USA.

I haven't posted much about the latest PNR "agreement", largely because I see it as irrelevant to (and a distraction from) the central problems of PNR transfers, not to mention unenforceable and legally all but meaningless. But since Wendy was kind enough to refer extensively to my research and reporting on this issue, and since others have asked my opinion, a few comments are in order.

(If you aren't familiar with the background to this story, Statewatch has an excellent page of links to the agreement itself and related documents.)

The key points about the PNR "agreement", as I see them, are as follws:

First, the agreement is not a treaty, and has none of the attributes of contractual force suggested by the term "agreement". Since it has not been ratified as a treaty by the U.S. Senate, it has no legal force or effect in the USA, is not binding on the government of the USA, and cannot be invoked as a cause of action or cited as law in any court in the USA. It has no more force than a joint press release, as befits what is fundamentally an exercise in propaganda.

Second, the agreement applies only to the relatively small amount of PNR data obtained directly from airlines and directly from the EU by the Customs and Border Protection (CBP) division of the USA Department of Homeland Security. In reality, the typical data path is that recently confirmed to me in response to my own request for my data from KLM/Air France : PNR data is transferred first to a computerized reservation system , "code-share partner" airline, or other intermediary, and only indirectly through those intermediaries to the USA government. The loophole that renders the PNR agreement all but meaningless in the real world is that it does not apply to intermediaries or to indirect data transfers to the USA government. The real problem, as I've been saying for years and testified earlier this year in Brussels, remains the commercial transfer of PNR data to CRS's and other commercial entities in the USA. Once the data is in the hands of businesses in the USA, the USA govenrment can obtain it easily from those intermediaries, without the need for judicial process and without the knowledge of the data subjects or the airlines.

Third, because the agreement does not apply to indirect data transfers or the intermediaries who participate in them, it does not immunize airlines, CRS's, and commercial intermediaries against complaints that their transfers of PNR data to commercial entities in the USA (not directly to the government of the USA, and regardless of whether the government eventually gets the data) violate EU data protection laws and the EU Code of Conduct for CRS's. In the wake of the clarification on this point provided by the agreement, EU data protection authorities now have no excuse not to proceed with investigations and sanctions against airlines and CRS's that do business in the EU (including those based in the USA that fly to or sell tickets in the EU), who engage in commercial transfers of PNR data to the USA, in violation of EU rules against transferring personal data to entities in countries like the USA that don't ensure adequate data protection.

Fourth, because EU authorities generally will sanction violators of data protection laws and regulations only when they receive complaints from affected individuals, the agreement reinforces the essential need for Europeans to request the records of their travel from airlines, travel agencies, tour operators, and CRS's, and complain to national authorities and the European Commission (which is supposed to enforce the EU Code of Conduct for CRS's) if they don't get the required answers, or if the answers reveal that their their data was sent to commerical entities in the USA without their consent.

Link | Posted by Edward on Sunday, 12 August 2007, 11:26 (11:26 AM) | TrackBack (0)
Comments

What are the chances that this agreement will be annulled by the Court of Justice, like the last "agreement" was?
Also, is this effort actually for businesses' marketing purposes?

Posted by: ESLaporte, 18 August 2007, 13:41 ( 1:41 PM)

Hello all!

Nice to see I'm not the only one interested in this topic. I've just created a blog in which I talk about international politics. My last post is titled 'On technology, privacy, and other challenges in the XXI century'. It talks about cameras, databases, and how Governments and Corporations should manage that data. Feel free to take a look and comment or post there if you want. It doesn't have any advertising.

It's here:

http://ladyjusticesscholar.blogspot.com

See ya!

Posted by: Scholar, 15 December 2007, 13:30 ( 1:30 PM)

There are different polices in different counties.

Posted by: , 8 May 2008, 02:19 ( 2:19 AM)
Post a comment









Save personal info as cookie?