(Comments of the Identity Project at a workshop on “What’s on the agenda in the USA and Canada?” at the annual conference on Computers, Privacy, and Data Protection, Brussels, 16-17 January 2009)

Two major issues have emerged in the last year in relation to personal data about travel: (1) The overall goal of the government of the USA in its various policy initiatives on “travel security” has become increasingly clear. The USA is seeking to establish a global norm that:

1. Government-issued identity credentials should be required for all forms of travel, domestic and international.
2. All travel transactions should be recorded in a lifetime “travel history”.
3. Pre-departure government permission should be required for all travel (based on the identity credential and the associated historical dossier), particularly for air travel or international travel.

These goals have been implicit in US practice, but became explicit policies in 2008 with the changes to the “Advance Passenger Information System” (APIS) rules (which added an explicit permission requirement to what was previously only an information-submission rule for international flights to and from the USA, the similar “Secure Flight” rule (which established for the first time explicit ID and permission requirements for domestic flights within the USA), and the “Electronic System for Travel Authorization” (ESTA) rule (which established an additional permission requirement for visitors to the USA from many EU and other countries). The imposition of ID requirements runs counter to previous initiatives toward free movement within individual countries and blocs such as the Schengen and (to a lesser extent) NAFTA zones. The conversion of “identity verification” systems into systems of surveillance (“reporting” or event logging) and control (“clearance” or “vetting”) raises questions that are broader than any specific policy or the limited perspective of “data protection”:

1. Should identity credentials be required for routine movement of innocent citizens?
2. Should governments keep records of the travels of people who are not suspected of any crime?
3. Should travel require government permission?

The USA has been reluctant to label its individual policy initiatives as measures for surveillance or control, for fear of public reaction. But since these are the real underlying issues, these questions should be confronted directly, through widespread public and political debate. (2) More information has emerged about whether actual practices for handling of travel data by governments and the travel industry are consistent with declared policies and laws. As a result of experiments by individuals who have attempted to exercise their right to access their records, and as a result of admissions by the USA Department of Homeland Security, it is now clear that current practices by the DHS and travel companies do not comply with either USA or EU law. The DHS has promised that everyone who flies to the USA, including Europeans, can access their travel records held by the DHS. But when an MEP requested her records, she received nothing until she got a US lawyer to file a lawsuit in US court. Even then, the file she received was obviously incomplete, and inconsistently censored, apparently by someone who didn’t understand PNR data. The DHS has promised to access only data related to flights to and from the USA, but records received in response to requests by the Identity Project included data on flights within the EU on European airlines, ticketed separately from any flights to or from the USA, indicating the the DHS has been given, and has used, “root” access to PNR data from Computerized Reservation Systems (CRS’s) both in the USA and the EU. In December 2008, shortly after the decision in the MEP’s lawsuit, the Chief Privacy Officer of the DHS issued a report admitting that:

1. Requests for PNR data have typically taken more than a year to answer — many times longer than the legal time limits in the Privacy Act and Freedom of Information Act.
2. Individuals who requested “all data” about them held by the DHS typically have not been given any of their PNR data.
3. PNR data has been inconsistently censored before it was released.
4. A large backlog of requests for PNR data remains unanswered

Despite these admissions, neither the DHS nor any EU agency has taken any steps to halt DHS access to PNR data collected in the EU, or to compel the DHS to comply with its promises to the EU. (One of our own appeals with DHS is still pending after more than 1 year.) Data subjects are also entitled under the EU Data Protection Directive and national laws to obtain their travel records from European airlines and other travel companies. Following a trip to Brussels, IDP consultant Edward Hasbrouck requested his data from KLM, the airline on which he had travelled. KLM told him that, to their knowledge, this was the first such detailed request to any European airline. After almost a year, and after mediation by the Dutch Data Protection Authority, KLM told Hasbrouck that:

1. KLM outsourced most of the collection and processing of passenger data to agents and contractors in the USA.
2. KLM is not responsible for the actions of its agents and contractors.
3. KLM doesn’t know what data their agents and contractors have about KLM passengers, how they have processed their data, or to which third parties or other countries they have disclosed it.

Hasbrouck was unable to challenge this action unless, within 45 days, he could hire a Dutch lawyer and file a lawsuit in Dutch court, which he could not do. In light of these revelations, discussion of the protection of travel data needs to start with recognition that existing EU and USA laws are already being routinely and systematically violated. Policies and promises for protection of this data are, and will remain, meaningless, unless they are accompanied by effective enforcement and compliance mechanisms.

References:

• How to request your travel records
• DHS admits problems in disclosing travel records
• IDP report on DHS responses to requests for travel records
• Request for records from KLM
• Frequently-asked questions about Secure Flight
• IDP comments on the APIS rules
• IDP comments on the ESTA rules
• Transfers of PNR data from the EU to the USA (IDP testimony to the European Parliament and the Article 29 Working Group, 2007)
• “Are Transatlantic Data Really Protected?” (European Digital Rights Initiative, 2007)