Friday, 28 May 2004
DHS, European Commission sign "deal" on airline reservations
On Friday, 28 June 2004, the USA Secretary of Homeland Security and representatives of the European Union signed an agreement negotiated between the DHS and the European Commssion that -- if and when it is ratified and comes into force, if and when the DHS publishes specified Undertakings in the Federal Register , and if the "agreement" is not overturned by the European Court of Justice -- would provide a basis for a finding by the European Commission (which finding could itself be overturned by the Court of Justice) that the "protections" afforded to PNR's data (airline reservations) in the hands of the DHS are adequate to satisfy the requirement of EU data protection law.
The European Commission headlined its press release on the signing, International Agreement on Passenger Name Records, PNR, enters into force . But that's not true: under the Constitution of the USA, an international treaty can enter into force in the USA only with the "advice and consent" of the Senate. No matter what the signed document may say, an international agreement cannot be invoked as binding in a court of law in the USA unless and until it has been ratified by the Senate -- which the PNR agreement with the EU has not been, and almost certianly won't be.
By lying to the European public about the legal status of the agreement with the USA, the European Commission is also trying to obscure the fact that the "adequacy" finding is contingent on the entry into force of the agreement, and the publication in the Federal Register of the Undertakings by the DHS. Since neither of those events has yet occurred, the adequacy finding itself is not yet in effect, and as yet provides no bar to enforcement proceedings against airlines by EU national data protection authorities for giving the DHS access to PNR's.
The DHS Press Release claims that, "both the U.S. and the EU had agreed not to take enforcement action while negotiations were underway," but no EU institution had the power to do that.
The DHS press release continues, "Without an agreement, air carriers were placed in a situation where they could either face fines for violating EU privacy laws or penalties for failing to provide passenger data to CBP.... Today's formal agreement removes air carriers from that situation."
That's not true either. As I've just explained, the agreement cannot come into force until it is ratified by the U.S. Senate, and the adequacy finding does not come into effect until the Undertakings are published in the Federal Register as well. (Publication in the Federal Register has, in and of itself, no legal significance in the USA, since the undertakings aren't being issued as federal regulations. But that's the condition set by the adequacy finding for its coming into effect.)
Perhaps more importantly, even if the agreement, adequacy finding, and Undertakings are considered to be validly in force, and even if they are upheld against the renewed legal challenges likely to be mounted by the European Parliament when it re-convenes next month after the pending Parliamentary elections, they are explicitly limited to access by the DHS itself to PNR data controlled by the airlines (not controlled by, for example, CRS's) and provided directly by airlines to the DHS:
The data transfers concerned involve specific controllers, namely airlines operating flights between the Community and the United States, and only one recipient in the United States, namely CBP [the DHS Customs and Border Protection division].
Even construed in the broadest possible terms, they provide no immunity to enforcement action under EU and national data protection law for transfers of PNR's controlled by CRS's or other companies other than airlines, or for PNR data transfers to CRS's, airlines, or other companies in the USA.
In virtually all cases, PNR data collected in the EU is transferred to commercial entities in the USA before being accessed by the DHS. In the absence of any data protection or privacy law in the USA applicable to commercial use of personal information in travel reservations, those commercial transfers of PNR data to commerical entities in the USA have been, and remain, in violation of EU and national data protection law regardless of whether those PNR's are made available to the DHS or other USA government agencies.Link | Posted by Edward on Friday, 28 May 2004, 14:39 ( 2:39 PM)