Wednesday, 24 April 2013
European parliamentarians question surveillance of air travellers
Today in Brussels the "LIBE" (civil liberties) committee of the European Parliament decisively rejected a proposal backed by European police and some European national governments (and heavily lobbied for by the USA) to establish systems throughout the EU, modeled on those in the USA, for government access to, and use of, airline reservation data (Passenger Name Records or PNRs). [See this video for some MEPs' explanations of their votes.]
According to my friend MEP Jan Philipp Albrecht, spokesperson on civil liberties for the Greens/European Free Alliance, one of the political groups which opposed the proposal for an EU PNR scheme:
This disproportionate proposal would have been a grave departure from the constitutional presumption of innocence. Travel itineraries, hotel bookings, credit card details and other personal information of passengers would have been stored in police databases for five years. It would have created an automatic dragnet of this data on the basis of risk profiles without concrete suspicion and without a court order. This unacceptable paradigm shift in security policy would reverse the presumption of innocence, as well as breaching rulings of constitutional courts in Europe and the European Court of Human Rights. Thankfully, MEPs have voted to prevent this and to defend the rule of law and fundamental rights in Europe.
MEPs approved transfers to the U.S. government of PNR data collected in the EU, out of fear that if they didn't, the US would either ground all such flights (unlikely) or require visas or otherwise harass all visitors to the U.S. from the EU (a less draconian but nonetheless severe, and more credible, threat). Today's vote not to mandate such a system for flights to, from, or within the EU suggests that acquiescence by the European Parliament to the EU-US PNR agreement was given only under duress.
Meanwhile, reports like the following in the European press have brought my talk on C-SPAN earlier this month about how governments obtain and use PNR data to the attention of European citizens as well as Members of the European Parliament (MEPs):
- Brian Beary, Europolitics.com (5 April 2013): EU-US PNR deal «completely meaningless», says travel expert
- Gilbert Kallenborn, 01.net (12 April 2013): Les données personnelles des passagers aériens ne seraient pas assez protégées
French MEP Françoise Castex, Vice-President of the Legal Affairs Committee, submitted a formal priority question to the European Commission (the written equivalent of "question time" with government ministers in the U.K. Parliament) based on the information I obtained from FOIA and Privacy Act requests and my lawsuit against DHS and presented in my recent talk in Washington. The English translation of the original question in French is a bit rough, but gives the sense of the question:
11 April 2013
Question for written answer to the Commission
Françoise Castex (S&D)
Subject: PNR agreement and personal data
The US Government has just been prosecuted [I think this refers to my lawsuit - EH] over the agreement on the Passenger Name Record (PNR) of airlines, which has been in place between the EU and the US since 2012.
Although the PNR agreement was supposed to limit the US Government’s use of data, the Department of Homeland Security (DHS) would be able to easily bypass the agreement because of the extensive access the DHS has to databases of companies which aggregate travel records from across the travel industry. The DHS could thus retrieve data from the US offices of Europe-based companies like Amadeus, which store their data and keep records of European travellers’ intra-EU movements.
Does the Commission not consider that, in allowing this, travel companies are constantly violating Directive 95/46/EC on the protection of personal data?
Moreover, there would be no log to show who accessed what data and from where. It would therefore be impossible to audit the DHS, especially as the DHS legally is not bound by the US Privacy Act on the issue.
If this poses a problem, what measures does the Commission intend to take to solve it?
The European Commission is required to respond in writing by 2 May 2013.
I expect that the answer will be similar to the answer given earlier this year by the European Commission to a question by MEP Castex regarding airlines' tracking of IP addresses, which are routinely captured (with timestamps) in PNRs. According to Commissioner Reding:
Any processing of client data such as IP addresses must be in line with the national laws implementing the requirements of Directive 95/46/EC; inter alia personal data must be processed on legitimate grounds, for a specific purpose and must be proportionate to the aim pursued. The clients of the travel companies must be informed about the processing.
Without prejudice to the powers of the Commission as guardian of the Treaty, national data protection supervisory authorities are the competent bodies to monitor the application of the national measures implementing Directive 95/46/EC.
The Commission gave similar responses to questions asked by MEPs last year.
The Commission's deference to EU national data protection authorities is all well and good, except that:
- European national authorities aren't monitoring compliance with data protection laws by travel companies, and aren't enforcing their national laws even when they receive specific complaints against travel companies. MEP Castex has now forwarded her questions about IP address tracking by travel companies to the French national data protection authority CNIL. But in my case, the CNIL never even responded to my complaint (English; French) against Air France. Nor was any action taken by the respective national authorities on my complaints against KLM and Lufthansa.
- The European Commission itself has direct responsibility for supervision and enforcement of the EU Code of Conduct for Computerized Reservation Systems, but has completely neglected that responsibility. It's unclear to whom, or following what procedures, I or any other individual could make a complaint to the Commission about any of the ongoing violations of the Code of Conduct that pervade the operations of the CRSs and are inherent in their current architecture.