May 05 2010

European Parliament hands DHS a setback on access to PNR data

Today the Department of Homeland Security received its most significant rebuff from any democratically elected body since the DHS was created after September 11, 2001.

In response to a recommendation from the Council of the European Union (the EU member national governments) for approval of the “interim” agreement under which the DHS obtains all airline reservations (PNRs) for flights between the USA and the EU, the European Parliament instead voted to send the European Commission back to the negotiating table, and set strict conditions (which the DHS will likely be in part unable and in part unwilling to meet) that must be satisfied before Parliament will approve any such agreement in the future.

The motion for a resolution was jointly sponsored by representatives of all seven political groups in the Parliament. The votes by show of hands — including votes in favor of several amendment to strengthen the resolution — were overwhelming, with insufficient opposition to necessitate recorded votes.  And that was in spite of what our sources in the Parliament tell us was an unprecedented and heavy-handed US government lobbying campaign.

The vote today in Brussels follows a Parliamentary hearing (at which we testified) and a debate last month in Strasbourg on travel surveillance and control, the likes of either of which the US Congress has yet to hold — despite the leading role of the US since September 11, 2001 (and even before then) in implementing a system of mandatory retention of travel data, using it as the basis for a permission-based travel control regime, and attempting to get these schemes adopted as global norms.

The ability of the Parliament to dictate conditions for negotiations to be conducted by the European Commission, with the implicit threat to veto any agreement that fails to meet those conditions, is one of the first expressions (the first was Europarl rejection of DHS access to European inter-bank wire transfer data) of the new veto power that the Parliament acquired in December 2009 when the Lisbon Treaty came into effect.

What has the European Parliament done? What happens next? And what else remains to be done, outside the negotiating room?

The resolution adopted today sets the terms of reference for the European Commission to follow in a new round of negotiations with the USA, incluidng numerous specific criteria and conditions for Parliamentary approval of any agreement on Passenger Name Records (PNRs).  There’s no guarantee that any agreement can or will satisfy these terms, among the most significant of which are the following:

  • Any new PNR agreement must respect “the fundamental right to freedom of movement, as guaranteed by Article 12 of the International Covenant on Civil and Political Rights.”  That means that any such agreement must be evaluated according to the substantive and procedural standards established pursuant to that treaty by the U.N. Human Rights Committee for measures which implicate the right to freedom of movement, including a showing of actual effectiveness for a legitimate purpose (not just intent to serve national security or counter-terrorism)  and the absence of any less restrictive alternative.
  • “[A]ppropriate mechanisms for independent review and judicial oversight and democratic control must be provided for in any new agreement.” This would require the DHS not only to extend the rights of US persons under the Privacy Act to foreign citizens but also to abandon the current legal posture of the DHS that no-fly decisions are not subject to judicial review.
  • “[I]n no circumstances may PNR data be used for data mining or profiling; no ‘no-fly’ decision or decision to investigate or prosecute may ever be taken on the sole results of such automated searches or browsing of databases; use of data must be limited to specific crimes or threats, on a case-by-case basis.” The reference here to no-fly decisions is especially significant, because the US has tried to frame the PNR debate as pertaining solely to privacy or “data protection”, and to exclude any discussion of the primary use of PNR data (deciding who to allow to fly, and who not to allow to fly) and the primary right thus implicated (the right to freedom of movement).
  • “[I]n the case of the transfer of PNR data of EU citizens to third countries, the terms of such transfers shall be laid down in a binding international treaty.”  The reference to a binding treaty is significant on two counts: first because the current interim “agreement”, not being a treaty, has no legal force or effect in the USA; and second because a treaty would have to be ratified by 2/3 of the members of the US Senate, creating an opportunity for public debate and a recorded vote on practices of universal travel surveillance, mandatory travel data retention, permission-based travel control, and secret “fly/no-fly” decision-making based on secret dossiers (including lifetime travel histories but also other data withheld from those against whom it is used), that both houses of Congress, and the DHS, have to date avoided.

Now what?  The European Commission will attempt to negotiate a new agreement that satisfies the Parliament’s conditions.  During the plenary debate, they said they hoped to do so before Parliament’s summer break.  But the renegotiation is, we suspect, unlikely to be completed before the recess, and the result is unlikely to meet Parliament’s terms.  The Commission isn’t really motivated to carry out Parliamentary instructions — the Commission’s real master is the Council. On the other side, the DHS is likely to be horrified at the idea of submitting their policies to the Senate for ratification, complying with international human rights treaties (when it ratified the ICCPR, the USA did so with the reservation that it was not “self-effectuating”, and the DHS has ignored our complaints that its use of PNRs violates the ICCPR), or giving anyone, much less foreigners, the right to judicial review of no-fly orders.

So the next act in this drama, perhaps as early as late June but more likely sometime in the autumn, will be when the Commission comes back with a deal that doesn’t meet the conditions set by Parliament in today’s resolution.  “We tried really hard,” they will say, “but the DHS wasn’t willing to agree to your terms, and this is the best we can do.”

According to a statement by MEP and rapporteur Sophie In ‘t Veld following the vote, “I am pleased the resolution got such a huge majority; I am convinced such a strong statement by Parliament will be helpful for the EU negotiations. It is now for the European Commission and Council to negotiate new international agreements and draft a new EU PNR scheme. At the end of the procedure, Parliament will assess these proposals against the conditions set in today’s resolution, when considering whether or not to give its consent.”

Will members of the European Parliament uphold their own standards and their obligation to stand up for the rights of their constituents, or will they capitulate in the face of US intransigence? And will Parliament use this opportunity to take a fresh look at the lies the DHS told the team reviewing its “compliance” with the current “interim” PNR agreement, and the changes the DHS made to its PNR access policies even while the the review was going on?  At some point, MEPs will have to decide either to approve what is almost certain to be a seriously deficient new agreement, or to pull the plug on the current, seriously deficient “interim” agreement. Which will it be? Stay tuned.

But today’s resolution addresses only part of the problem of misuse of PNR data and violations of the right to travel.

Controls on direct DHS access to PNRs from airlines in the EU will have little effect if EU airlines continue to outsource hosting of PNR data, from the moment of its collection and even for travel entirely within the EU, to uncontrolled computerized reservation systems (CRSs) in the USA, from whom everyone from the DHS and data mining companies to other governments, commercial entities, and identity thieves or other criminals around the world can obtain PNR data without their access even being logged.  This offshoring and the operations of these CRS companies in the EU are in flagrant violation of EU data protection law.

For this to change, EU citizens and residents need to request their data and an accounting of where it has gone from travel companies (as well as the DHS if they have visited the USA), and complain to data protection authorities if travel companies are unable to provide access logs or any accounting of disclosures (as is inevitable, since CRSs don’t maintain such logs). EU national data protection authorities shouldn’t wait for those complaints, but should initiate their own investigations and enforcement actions to let the CRSs know that if they want to operate in the EU, they need to comply with EU law.

Anything done in the EU could also be overridden globally by the inclusion of PNR access mandates in ICAO aviation “security” standards, which are already being incorporated by reference into many nation’s domestic laws.  ICAO’s latest 10-year plan is a scary document indeed for anyone concerned about the right to travel.  National data protection authorities and civil liberties agencies need to insist on their inclusion in national delegations to ICAO and its working group on Machine-Readable Travel Documents and related databases and processes, and civil society needs to organize itself to participate as observers at those same ICAO meetings.

Finally, of course, whatever happens in the EU will leave us in the USA with the problem of cleaning up our own rogue government’s act at home. We’re grateful to Europeans, and their elected MEPs, for remembering the lessons of barriers to free movement within Europe like the Berlin Wall and the Iron Curtain, and applying those lessons to contemporary secret police like the DHS, but we can’t afford to rely on anyone but ourselves to stand up for our own inalienable rights.