A leaked copy of the latest draft of a proposed “Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Record [PNR] data to the United States Department of Homeland Security” has been published by the civil liberties watchdog and investigative reporting group Statewatch.
- Take the form of a duly ratified international treaty binding on all parties. (The draft “agreement” is not a treaty, and would not be binding on the U.S., as discussed in more detail below.)
- Recognize and respect fundamental rights including the freedom of movement guaranteed by Article 12 of the International Covenant on Civil and Political Rights. (The draft “agreement” does not mention freedom of movement, the ICCPR, or any fundamental rights other than those related to privacy and data protection.)
- Require that the use of PNR data for law-enforcement and security purposes must be in line with European data protection standards. (There is no mention of these standards in the draft “agreement”.)
- Prohibit the use of PNR data for data mining or profiling. (There is no mention of data mining or profiling in the draft “agreement”. The draft claims that the U.S. will not make decisions that produce significant adverse actions affecting the legal interests of individuals based solely on automated processing of PNR. But all other data mining and profiling is permitted, as long as there is the slightest element of non-automated human rubber-stamping before adverse actions are taken against an individual.)
- Take into consideration “PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU.” (There is no mention in the draft “agreement” of computerized reservation systems, indirect transfers of PNR data, or any of the other means by which, as we have testified to members of the European Parliament, the DHS and other U.S. government agencies could bypass the “agreement”.)
- Provide for independent review and judicial oversight. (The only review provided for under the draft “agreement” is self-review by the DHS Privacy Office, which is directly controlled by the DHS itself, has no independence, and is the subject of an ongoing scandal and attempted cover-up involving political interference with requests — including ours — for DHS records. The only judicial oversight contemplated in the draft “agreement” is limited to violations of laws that contain no protections for privacy or other substantive fundamental rights.)
The proposed “agreement” has been negotiated in secret between the European Commission (on behalf of the EU) and an interagency Executive Branch working group led by the DHS (on behalf of the USA).
Just as the U.S. Constitution requires that any international treaty negotiated and signed by the President must be ratified by the Senate before it becomes effective, international agreements negotiated by the European Commission and approved by the Council of the European Union must be ratified by the European Parliament.
Some people and groups who ought to know better, including lobbyist and former DHS Assistant Secretary for Policy Stewart Baker — the principal architect of an earlier US-EU “agreement” on PNR data — and the Heritage Foundation, have suggested that for the European Parliament not to ratify whatever the Commission and Council propose would be to “renege” on their agreement with the US. That’s nonsense, obviously. The European Parliament has no more obligation to ratify treaties proposed by the European executive than the U.S. Senate is obligated to ratify every treaty proposed by the President.
(Writing in the Heritage Foundation blog, Baker’s former assistant Paul Rosenzweig also repeats the bogus claim that the Chicago Convention treaty provisions for flights arriving at U.S. airports somehow give the U.S. extra-territorial jurisdiction over foreign citizens boarding foreign-flag aircraft at foreign airports. This clearly false claim by Baker and Rosenzweig was first made by their then-boss, Secretary of Homeland Security Chertoff, in a speech to the European Parliament in 2007, and we debunked it in detail at that time. The proposed agreement goes far beyond the explicitly detailed and narrow specifications in the Chicago Convention for what data elements are required to be provided to governments, how, when, and where.)
Both the European Parliament and the U.S. Senate have approved resolutions intended to provide guidance to their respective negotiators as to what sort of agreement they would or would not ratify. Neither legislative body is any more or less out of line in doing so.
The draft “agreement” does not appear to be intended to constitute a treaty, and would not be binding on the U.S., so it would not need to be presented to the U.S. Senate for ratification. The recent Senate resolution, however, makes clear that even if the “agreement” were presented to the Senate, the Senate is unwilling to make any concessions to privacy or human rights, or to enact any new or expanded protections for privacy or for any of the other fundamental rights at stake.
The European Parliament resolution is less intransigent. While it starts from the explicit (and proper) premise that fundamental rights must be respected, and provides details of how that might be done, it still leaves open the possibility of compromise with the U.S. and of modifying existing EU data protection rules.
The key problem is that as long as both the DHS and the U.S. Senate (with, so far as we can tell, the full backing of the Obama Administration, and the concurrence of the U.S. House of Representatives) are completely unwilling to compromise or to provide travelers with any additional rights, any “agreement” will inevitably result only in more infringement of those rights.
No good can come of any such “agreement”. It would serve only to give airlines, Computerized Reservation Systems (CRSs), and other travel companies impunity from EU legal sanctions for ongoing transfers of PNR data to the U.S. that are currently in violation of EU data protection laws, and to remove EU authorities’ current responsibility, which they have been improperly shirking, to enforce those laws against travel companies.
If it is presented to the European Parliament in its present form, the draft “agreement” should be debated, and rejected, not as a “data protection” agreement but as a grant of immunity from EU data protection law to travel companies that are currently making their reservations (PNR) databases accessible to the U.S. government, and the EU authorities who have deliberately refrained from enforcing EU data protection laws against those companies.
The draft “agreement” would not be binding on the U.S., according to the U.S. Constitution, because it would not be a treaty and would not be presented to the U.S. Senate for ratification. (That’s why we use the term “agreement” in quotation marks.) By its own explicit terms, the draft “agreement” would not create any enforceable individual rights. The “agreement” does not purport to contain any enforcement mechanisms or sanctions for breach of the agreement.
But if the “agreement” would not be a binding treaty, and would not provide any enforceable individual rights, what is it? What, if anything, would it accomplish? What purpose, and whose interests, would it serve?
Since the proposed “agreement” would not be binding on the U.S., it serves the U.S. purely as a press release. It’s a piece of propaganda intended to mislead Europeans and Americans alike about what the DHS does with PNR data, whether the DHS respects travelers’ rights in its compilation of travel history dossiers and its issuance of secret extrajudicial no-fly orders, and what (if any) judicial review or redress is available to those whose rights to privacy and freedom of movement are violated.
U.S. officials and some European spokespeople have talked about what the agreement would “guarantee” or “require” the U.S. to do. But nothing in the “agreement” would require the U.S. to do, or not to do, anything. At most, the “agreement” is a list of claims by the U.S. about what the U.S. has done, is doing, or will do.
Worse, the draft “agreement” is worded not as a unilateral U.S. statement, but as a joint communique that would imply EU agreement with a long list of claims — some unproven, some misleading, and some clearly false. For example:
- The draft “agreement” claims that, “DHS processes and uses PNR data … in compliance with safeguards on privacy and protection of personal data and information.” There is no basis for such a claim. The DHS has exempted its PNR database from the protections of the Privacy Act, even for U.S. citizens. No privacy or data protection laws apply to PNR data held by the DHS.
- The draft “agreement” claims that “the United States insures that passengers whose PNR is collected by DHS are made aware of the … use of their PNR.” In fact, the only U.S. law that requires any accounting of disclosures of personal data is the Privacy Act. The Privacy Act applies only to U.S. citizens and residents, and the DHS has exempted its PNR database from the Privacy Act requirement for an accounting of disclosures, even when such an accounting is requested by a U.S. citizen.
- The draft “agreement” claims that “the collection and analysis of PNR is necessary for DHS to carry out its border security mission.” In fact, there has been no showing of the elements of “necessity”, either that the systematic dragnet collection of PNR data (as distinct from its use on a case-by-case basis, in specific instances in which a court order for disclosure of PNR data could be obtained), or its analysis by the secret DHS targeting and profiling algorithms, is genuinely effective, or that no less intrusive alternative (again, such as normal law enforcement procedures for access to personal data by court order) could be equally effective.
- The draft “agreement” acknowledges “the successful Joint Reviews in 2005 and 2010 of the 2004 and 2007 Agreements between the Parties on the transfer of PNR.” In fact, those reviews were “successful” only in whitewashing DHS’s failure to comply with those earlier agreements. As we have previously reported in detail in 2008 and in 2010, the reports on those reviews contained clearly false claims by DHS that everyone who requested their PNR data had received it, and that the DHS had received no complaints of misuse of PNR data. We have received no response to our formal complaints to the DHS that its use of PNR data violates the U.S. Privacy Act, the U.S. Constitution, and U.S. international treaty obligations under the ICCPR. Nobody we know who has requested their PNR data has actually received it in full, and we have been obliged to sue the DHS to try to obtain our records and an accounting of their disclosures.
- The draft “agreement” claims that “effective administrative, civil and criminal enforcement measures are available under U.S. law for privacy incidents.” In fact, no U.S. privacy law whatsoever, civil or criminal, applies to PNR data concerning individuals who are not U.S. citizens or residents.
- The draft “agreement” claims that, “All access to PNR, as well as its use, shall be logged or documented by DHS.” However, the DHS has claimed in response to our FOIA and Privacy Act requests and lawsuit that no such logs or records exist.
- The draft “agreement” claims that, “In accordance with the provisions of the Freedom of Information Act, any individual … is entitled to request his or her PNR from DHS.” While it is technically true that anyone is entitled to request anything under FOIA, agencies are not required to comply with all such requests. DHS has claimed in response to such requests that much PNR data is exempt from disclosure under FOIA. Every response we have seen to a request for PNR data has invoked FOIA exemptions to withhold some portion of the requested information.
- The draft “agreement” claims that, “Any individual … whose personal data and personal information has been processed and used in a manner inconsistent with his Agreement may seek effective administrative and judicial redress in accordance with U.S. law.” While it is, again, technically true that any individual may seek redress for anything through U.S. courts, violations of the draft “agreement” would not constitute violations of U.S. law, and claims of such violations would not constitute valid causes of action over which U.S. courts would have jurisdiction or for which they could give redress. U.S. courts have jurisdiction only over claims of violations of U.S. law, not claims of violations of executive agreements, and not claims of violations of the ICCPR or other human rights treaties. In the absence of a self-effectuating international treaty or U.S. legislation creating such a cause of action, none of the “redress” mechanisms described in the draft “agreement” would actually provide for any judicial review whatsoever of whether DHS actions had complied with the “agreement” or had respected any fundamental rights of privacy, data protection, or freedom of movement.
- The draft “agreement” claims that, “Any individual is entitled to seek to administratively challenge DHS decisions related to the use in processing of PNR.” But like U.S. judicial challenges, such administrative challenges are limited to claims that DHS actions have violated DHS regulations and/or U.S. law, not executive agreements like the proposed PNR “agreement”.
- The draft “agreement” claims that “under the provisions of the Administrative Procedure Act and other applicable law, any individual is entitled to petition for judicial review in U.S. federal court of any final agency action by DHS.” But any such review would be limited to whether the DHS complied with the procedures in the APA (for example, publishing proper notice of its exemption of the PNR database from the Privacy Act requirements for access and accounting of disclosures), and not the substance of those DHS decisions or whether they complied with executive agreements.
- The draft “agreement” claims that “any such aggrieved individual is entitled to petition for judicial review in U.S. federal court for any final agency action by DHS related to” inquiries made to the Traveler Redress Inquiry Program (TRIP). But the policy of the DHS is never to confirm or deny, in response to an inquiry to the TRIP program or otherwise, whether the DHS has issued a no-fly order to airlines or taken any other adverse action with respect to any individual. As a result, no individual who makes an inquiry to the TRIP program ever receives notice of any “determination” by the DHS. Without such notice, it is almost impossible to establish the necessary basis for pleading a claim against the DHS, and judicial review of such secret determinations is effectively precluded. So far as we know, no plaintiff has yet succeeded in getting a U.S. court to review a DHS no-fly order.
- The draft “agreement” claims that, “compliance with the privacy safeguards in this Agreement shall be subject to independent review and oversight by Department Privacy Officers, such as the DHS Chief Privacy Officer, who have a proven record of autonomy [and] have the power to refer violations of law related to this Agreement for prosecution or disciplinary action, when appropriate.” In fact, the DHS Chief Privacy Officer has no independence or record of autonomy, and has recently been called before a Congressional oversight committee to explain her role in a FOIA scandal in which she ordered that responses to “sensitive” FOIA requests, such as those for PNR data held by DHS, be delayed or withheld until they could be reviewed and approved by higher-level political appointees within the DHS and/or the White House.
The European Parliament should look closely at all of these claims before ratifying them.
Other than for propaganda purposes, though, the U.S. government doesn’t need this “agreement”. The US government already has access to PNR data, both under the terms of the previous PNR “agreement” with the EU (which is being “applied provisionally”, even though it is no longer in effect and the legal basis and authority for such “provisional” application is unclear) and, bypassing both the previous and the proposed new “agreements”, from CRSs that host PNR data in the U.S. and/or have offices in the U.S. with access to their PNR data. The DHS or other U.S. government agencies can obtain both active and archived PNR data from any of these CRSs with a “National Security Letter” or under the recently-renewed “business records” provisions of the USA-PATRIOT Act.
A CRS can be ordered to hand over PNR data, and to keep the fact that it has done so secret from travelers, the airlines, or anyone else. Under U.S. law, CRSs can, and do, retain PNR data indefinitely. This renders the purported time limits in the proposed “agreement” on retention of PNR data by the DHS completely irrelevant. Those limits apply only to the copies of PNRs maintained by the DHS. Whenever it wants, even if it has expunged its original copy, the DHS can go back to the CRS and get another copy of any PNR of interest. Contrary to the European Parliament’s instructions, this indirect access through CRSs in the U.S. is not mentioned in the leaked draft “agreement,” and would remain an unregulated method to bypass it.
Advocates for privacy, data protection, civil liberties, and human rights — in the EU or in the U.S., inside or outside of governments — have nothing to gain from this “agreement” in its present form. Under the U.S. Constitution, the U.S. President and the Executive branch of the U.S. government have no authority to create any enforceable legal rights by “executive agreement”, or to commit the Congress to enact or modify any laws. Unless the “agreement” is changed to make it a treaty, and unless it is actually ratified by the U.S. Senate, it cannot possibly create any legal rights or protections.
The only entities which have anything to gain from this agreement are (a) travel companies whose current activities are in violation of EU laws, and (b) enforcement authorities in the EU (including national data protection authorities and the European Commission as enforcer of the Code of Conduct for CRSs) who don’t want to carry out their current responsibility to enforce EU law, to cut off U.S. access to PNR data collected in the EU, and to impose sanctions on the travel companies that are transferring PNR data to the U.S.
Making the proposed “agreement” into a treaty would only be the first step in the necessary negotiations, creating the possibility that such a treaty might serve to protect individuals’ rights. The terms of the draft would still need to be modified to spell out substantive requirements, procedures by which they could be enforced, and penalties for violations. The necessary changes were clearly indicated in key clauses of the May 2010 European Parliament resolution that didn’t make it into the latest draft of the “agreement”, as listed at the start of this article.
The U.S. government, of course, is unlikely to be willing to agree to any such terms. Why should it, when it doesn’t need this “agreement,” and is already getting everything it wants without an “agreement”?
In his memoir (available in full for free downloading from his website), former DHS Assistant Secretary for Policy Stewart Baker describes how confident he was, when he was negotiating the first U.S.-EU “agreement” on PNR data, that the EU would never actually try to enforce its data protection laws against travel companies. To date, Baker’s assumption has been proven correct, and no doubt it remains the assumption of the current U.S. negotiators. As long as that is the case, and the U.S. continues to get everything it wants without an “agreement”, the U.S. has nothing to lose by intransigence in the “negotiations” or if there is no agreement.
The U.S. will only be willing to consider making concessions if the EU begins to enforce its data protection laws, to cut off U.S. access to PNR data, or to impose meaningful sanctions on travel companies that continue to give the U.S. government access to PNR data or to transfer that data to the U.S.
The European Parliament needs to reject the proposed travel industry impunity agreement. But more than that, activists on both sides of the Atlantic need to request their PNR data and other travel records from the DHS and from travel companies, complain to EU data protection authorities if travel companies don’t comply or can’t account for how PNR data has been accessed from abroad or used, and pressure EU data protection authorities to begin enforcing their existing laws against travel companies’ current, clearly illegal, data transfer practices.