Wednesday, 17 December 2003
More on EU passenger data transfers to the USA
I've been studying the full Communication from the Commission to the Council and the Parliament (thanks to EDRI for the link; the final document is essentially identical to the draft I received yesterday, and that was actually distributed at the meeting) concerning yesterday's meeting between the European Commission and the European Parliament on transfers of airline passenger data from the EU to the government of the USA.
Most reporting on yesterday's meeting, especially in the USA, seems to be based primarily on the USA Department of Homeland Security spin control press release and the DHS fact sheet that mis-states the most fundamental facts about what has happened.
The report in the New York Times is among the most misleading, referring repeatedly to what "the European Union" has supposedly done, and making no distinction between the European Commission, the European Parliament, and EU national Data Protection Authorities. Since yesterday's meeting was between the Commission and the Parliament, as the latest round in their ongoing dispute on this issue, the over-simplistic conflation of all the various EU entities into "the European Union" makes it impossible for Times' readers to discern the real story.
The full communication from the Commission makes two key points concerning issues yet to be resolved, although both are relegated to the footnotes:
- "A decision making a finding of adequate protection is limited to doing just that. The proposed international agreement is therefore necessary to address the other legal issues." (footnote 5, page 6)
Crucially, the Commission did not find that current protections for EU-originating travel data in the USA are adequate. It found that that they will be adequate, at some future time, if a binding agreement is entered into with the USA.
Read closely, the language of the communication is quite clear that the Commisison has not (yet) made a finding of adequacy. Rather, "The Commission proposes to deliver this legal framework in the form of an adequacy finding, accompanied by an international agreement with the US. The European Parliament will be consulted on both elements of this solution." (page 10) Parliament has already made clear its dissatisfaction with Commission (in)action on this issue, so such an agreement (once it is drafted and proposed) is by no means assured of Parliamentary approval.
Although not mentioned by the EC, such an agreement would also have to be ratified by two-thirds of the U.S. Senate in order to be binding on the USA as a treaty. It will be interesting to see how the Senate will respond to a proposal to ratify a treaty giving EU citizens privacy rights in the USA (including, for example, the right to notice of the fact that their reservation data will be passed on to the government) which the USA has to date been unwilling to extend to its own citizens.
And since the ongoing transfers of passenger data will continue to be in violation of EU law until the entry into force of such a treaty, the complaints and demands for enforcement of the law have not been rendered moot: both the EC and EU national data protection authorities can and, by law, must continue to pursue them unless and until an agreement to cure the violations is signed, ratified by both sides, and put into effect.
- "Although the comments of DPAs [national Data Protection Authorities] have been sought and many have been incorporated, the Article 29 Working Party [of DPA's] declined to adopt or approve the text, on the grounds that the transfers of PNR to the US are in any case illegal and nothing should be done to blur that fact." (footnote 7, page 7)
In addition to the dispute between the USA and the EU, there has been ongoing disagreement between the various EU institutions (the Commission, Parliament, and national DPA's) about how to proceed, and in particular about the limits of the Commission's authority to "agree" to a compromise with EU law as determined by Parliament and national governments.
In its formal communication yesterday, the Commission explicitly ackowledged that continuing disagreement. Parliament will still need to be consulted on any agreement with the USA. And EU member goverments, through their national data protection authorities, retain independent jursidiction over violations of EU and national privacy laws (even if national laws grant further rights than the minimum required by the EU).
"The European Parliament and European Data Commissioners didn't like the US requirements earlier this year, so should now be considering what it might be about the new 'renegotiated' requirements that might make them acceptable," suggests my favorite UK technology news source, The Register .
Perhaps the most disturbing detail of the EC proposal (as should by now be clear, it's a proposal, not yet an agreement) is section 3.5 (pp. 9-10) calling for, "The creation of a multilateral framework for PNR Data Transfer within the International Civil Aviation Organisation (ICAO).... In September 2003, the Commission decided to accelerate work on developing an international arrangement for PNR data transfers within ICAO. The Commission services have prepared a working paper to this effect that will be submitted by the Community and its Member States to ICAO shortly."
This deal heralds the beginning of an EU-USA axis to impose the exchange of passenger data globally through the ICAO. This will be the first step to vetting all passengers before they board a plane, boat or cross-border train -- denying boarding to those considered an immigration or security risk. The global surveillance of travel will not be limited to combating terrorism but will extend to other serious crimes.
The EC says that, "The Commission has taken the view that the best solution would be a multilateral one and that the ICAO would be the most appropriate framework to bring forward a multilateral initiative." Unfortunately, ICAO includes no privacy-protection or civil liberties advocates or organizations (except to the extent those roles are taken on by ICAO member governments, which they usually aren't). ICAO decision-making procedures provide minimal, if any, opportunity for direct participation by the public, public-interest NGO's, and civil society.
With a mandate for RFID biometric passports already on the agenda, and now a forthcoming proposal from the EU for sharing of PNR data with governments worldwide (doesn't that make you feel safer already?), the next meeting of ICAO's Facilitation Division scheduled to be held in Cairo 22 March - 2 April 2004 warrants close attention from privacy and travel consumer advocates worldwide.Link | Posted by Edward on Wednesday, 17 December 2003, 08:12 ( 8:12 AM)