Thursday, 24 August 2006
European debate on airline reservation data
Government mandates for collection of, access to, and transfer to the USA of information from airline passenger name records (PNR's) are once again on the table in the European Union, with a European court decision annulling the present EU-USA agreement on PNR data transfers and a new EU directive on the subject both taking effect next month.
With those deadlines and a diplomatic crisis over trans-Atlantic USA-EU air travel looming -- a crisis both within the EU and its members and institutions, and between them and the USA -- widely varying proposals on what policy should be adopted, through what procedures, in what legal form, by what decision making body of the EU or its member nation-states, and with what degree of involvement by governments from the USA and other countries outside the EU in the development of a new global norm on logging of airline passengers' movements, are being put forward as the debate "hots up":
Yesterday, a spokesperson for Justice and Security Commissioner Franco Frattini (who holds the relevant brief on the European Commission), said that "making passenger name records (PNR) available to European governments is one of Frattini's main aims to tighten security following the exposure of a terrorist plot to bomb aircrafts flying between the UK and the US." According to another report , the spokesperson said Frattini "came up with the idea in London last week where he was discussing terrorism."
But Tony Bunyan of UK-based NGO Statewatch , who has been following the issue of EU surveillance of passengers through PNR data as closely as anyone, points out that the EU already has a directive on the subject about to come into effect: "I find it very strange that the Commissioner came up with this idea last week when the measure to introduce an EU-PNR scheme was adopted in April 2004 and is due to come into effect in 12 days time," Bunyan says.
The directive obligates each EU member government to enact implementing legislation or regulations by 5 September 2006 (a week from Tuesday) mandating airlines to collect and provide to the government of the destination country certain information about each passenger on a flight with a destination in the EU. It's unclear if any EU country has or will have complied with the directive by the deadline, or what (if anything) will happen if they don't.
The fields of data specified in the EU directive coming into effect 5 September are substantially more limited than those to which the USA currently gets access on flights from the EU to the USA, under the "agreement" annulled by the European Court of Justice by a decision whose effective date was deferred until 30 September 2006. And it's unclear if the directive taking effect 5 September, which was enacted in 2004 long before the court decision on the USA-EU agreement, will be vulnerable to legal challenge on the same or other grounds.
Muddying the waters further, and perhaps foreshadowing additional litigation, yesterday the European Parliament (Europarl) Committee on Civil Liberties, Justice and Home Affairs ("LIBE" Committee) approved and sent to the full Parliament, for consideration sometime in September, a report and proposed recommendations from the Europarl to the European Council regarding its next steps.
The LIBE Committee recommends that the Europarl ask that both the LIBE Committee itself (as the EU representative of civil liberties interests) and the Article 29 Working Party of heads of EU national data protection authorities (as the representative of privacy interests) be included and consulted in the EU-USA negotiations on whether, how, and under what legal framework PNR data should be "shared" after the annullment of the present USA-EU agreement takes effect 30 September 2006. (The LIBE report also explicitly endorses in its clause I the recommendations of the Article 29 Working Party.)
If this happens, it would be the first time that advocates from government agencies for the protection of privacy and civil liberties would be directly involved in government negotiations -- typically conducted solely by diplomatic, "security", and law enforcement agencies -- on PNR data or other travel and traveller surveillance schemes.
In the "Explanatory Notes" accompanying its recommendations, the LIBE Committee says -- entirely correcetly, I think -- that:
It could not be more obvious that the EU/US agreement in this sphere is going to become a reference standard both for European legislation and globally.
Before transforming the approach which the US administration seeks to impose in this field into a world standard, it would be extremely desirable to have an in-depth discussion in bodies such as the ICAO and a democratic debate in the national parliaments. Rules making such a substantial change in relations between citizens and the public authorities and affecting hundreds of millions of people every year warrant much more than a "quick fix" as the Member States and the Commission are suggesting even after the judgment of the Court of Justice.
Moreover, the threats of economic reprisals against airlines and passengers must be assessed cautiously in that if they were applied indiscriminately (e.g. in the absence of any persons classed as dangerous), they would expose the US administration to the charge before the WTO of altering air transport abusively as well as causing its own airlines to suffer economic losses. From this point of view, the data which Congress is currently examining in relation to the effectiveness of such preventive screening raises doubts as to its cost-effectiveness.
In light of this, and highlighting level of attention and significance being given to the issue as well as its precedent-setting character, the LIBE report recommends unprecedented joint legislative meetings of U.S. Congress, the Europarl, and the Parliaments of Canada and Australia:
The European Parliament...
4. Proposes that a dialogue in which parliamentary representatives would take part, be launched before the end of 2006 between the EU, the US, Canada and Australia with a view to preparing jointly the 2007 review and establishing a global standard for the transmission of PNR, if that is deemed necessary;
5. Strongly recommends that the Parliament organise a joint session in this respect with the US Congress, being the democratic representative institutions of the citizens concerned, to start a dialogue on the fight against terrorism and its consequences for civil liberties and human rights;
This approach would also require harmonization of any new EU and EU-USA rules with the international APIS proposals for data on flights to, from, and via the USA, which are currently under consideration in a (unilateral) USA administrative rulemaking by the Department of Homeland Security.
Through the USA's new international APIS rules, the new EU and EU-USA rules are also likely to set the norms for the planned Secure Flight scheme for flights within the USA: the Government Accountability Office (GAO) told Congress earlier this month (see page 6 of the PDF) that:
In announcing CBP's Notice of Proposed Rulemaking for its Advance Passenger Information System (APIS), CBP reaffirmed the Department of Homeland Security's commitment to a common reporting process for the airline industry through APIS and TSA's Secure Flight program. CBP and TSA plan to continue their coordination of Pre-Departure APIS for international flights and Secure Flight for domestic flights by leveraging information gained during the Pre-Departure APIS Notice of Proposed Rulemaking. It is anticipated that TSA and CBP's joint efforts will allow for the prescreening function to occur through coordinated information connections and avoid duplication of communications, programming, and information requirements.
The European Court of Justice voided the the EU-USA "agreement" on PNR data on very narrow grounds, without reaching most of the issues originally raised in the lawsuit. The LIBE report and recommendations include thinly-veiled reminders that these issues, and others, would provide a basis for renewed legal challenges to any replacement agreement:
2. Any European agreement, however, must be a genuine international agreement and not merely an "envelope" containing unilateral, non-binding undertakings, as in the case of the agreement which has just been annulled. From this point of view, a mere reference to undertakings is unsatisfactory because it leaves doubts as to their character of binding, judiciable acts (N.B.: undertakings of a purely administrative nature on the part of the USA would not satisfy the requirement for "legislative" measures prescribed by Article 8 of the ECHR, which the Member States - and the EU institutions - have to respect both in domestic legislation and in international agreements.)
3. Since it would be international agreement affecting an area falling within the competence of the Member States and dealing with fundamental rights, it would have to be ratified by the national Parliaments. Technically, that requirement would have to be raised with their governments by the national Parliaments themselves by activating the declaration provided for in Article 24(5) of the EU Treaty.
4. It would be necessary to effect a legal evaluation as to whether, in the event of ratification only by some Member States, the agreement could be applied provisionally. The situation which is going to come about will the same as the situation obtaining with the EU/US agreement on extradition and judicial cooperation in criminal matters.
In referring to the inability of "undertakings of a purely administrative nature on the part of the USA" to satisfy the requirments of EU human rights law for such a treaty, the LIBE report reminds both the European Commssion and the USA that no agreement with the USA on this subject will withstand challenge under EU law unless it is binding on the USA. Constitutionality, that can only hapen if it is, as a treaty, presented to and ratified by the U.S. Senate -- something that it would be almost unimaginable to see happen by 30 September 2006.
And finally, the LIBE report in clause J(e) begins to direct attention to:
the role to be played by airlines, the Computerized Reservation Systems (CRS) or private organisations (such as the SITA and AMADEUS) in transferring passengers' data and the means envisaged (APIS, PNR, etc.) for public-security purposes.
The attention on Amadeus is especially appropriate, since it is the only one of the 4 major CRS's based in the EU, and Amadeus' wholly-owned subsidiary in the USA Airline Automation, Inc. in the worlds's largest aggregator and data warehouse of PNR's from multiple CRS's. CRS's were deregulated last year in the USA, but those that do business in the EU (as all of them do) are still subject to the EU Code of Conduct for CRS's which without exception requires consumers' consent for any disclosure to third parties -- including governments -- of PNR data:
Article 6 ... (d) personal information concerning a consumer and generated by a travel agent shall be made available to others not involved in the transaction only with the consent of the consumer.
So far as I can tell, no enforcement action has ever been taken under this section, despite its flagrant violation in PNR data access by the government of the USA which could not happen without the collaboration of the CRS's. EU citizens should prepare to petition the European Commission for enforcement action against each of the major CRS's (Amadeus, Sabre, Galileo, and Worldspan) on 1 October 2006 as soon as the court decision annulling the EU-USA "agreement", and providing a legal fig leaf for the CRS's, takes effect.
[Update, 25 August 2006: Now that the LIBE Committee report has been published, I've updated the link here to point to the copy on the on the official EU Web site.]Link | Posted by Edward on Thursday, 24 August 2006, 11:43 (11:43 AM)