Did you see the recent press coverage extolling the virtues of the latest European Union Agreement with the USA as to how Europe will exchange Passenger Name Records (PNR)? Much of the press coverage was highly favourable, highlighting additional privacy protections, shorter periods of data retention and thorough respect for data subject rights. All these assertions are somewhere between misleading and wrong.
Yesterday, the European Data Protection Supervisor (EDPS) entered the fray. His analysis (see references) concludes that: the 15-year retention period is excessive; the purposes should be limited to combating terrorism or a well defined list of transnational serious crimes; the list of data to be transferred to the USA is disproportionate; data subjects' rights are ineffective, and the Department of Homeland Security (DHS) should not transfer the data to other US authorities or third countries unless they guarantee an equivalent level of data protection.
Also yesterday, the USA Deputy Secretary of Homeland Security, Jane Holl Lute, signed the PNR Agreement and stated: "Today's signing of the new agreement on the transfer of Passenger Name Records (PNR) is a significant step forward in strengthening our cooperation with the EU to combat terrorism and transnational threats, while respecting our commitment to privacy and data protection. ..."
So who do you believe?
This is why in the last few days I have been admiring the text of this Agreement in detail and have prepared an annotated version which highlights several shortcomings. This analysis confirms and provides the evidence that justifies the EDPS’s stance. I should add that the Agreement that I have read bears no relationship to the Agreement described in the official Press Releases and as reported in the press.
In summary these are the major issues I have identified:
1. Proportionality is not an obligation; it is an aspiration. The Agreement does not stipulate that any data sharing has to be proportionate, even when there are transfers, made by the USA, to third countries or internally within the USA. There is a requirement to be “mindful” of data protection obligations but not “conform with” or “apply” them.
2. The Agreement is being promoted to the public as an aid to prevent “serious transnational crime and terrorism”; however, the term “serious transnational crime” is not found in the Agreement other than in its preamble, nor is it a defined term. The Agreement also covers data sharing that is not related to crime or terrorism.
3. The retention period could be far longer than has been stated by the Commission. This arises because after 7 years of operation, the Agreement is renegotiated where “the necessity of a 10-year dormant period of retention will be considered” (see Article 8(6)) and the “consultations shall in particular examine whether any future EU PNR system would apply less stringent data protection standards than those provided for in the present Agreement” (see Article 20). Get the gist! Although the text might say there is a 10-year retention period, any renegotiation might add on a further 10 years.
4. The data subject rights are very weak because they are limited to PNR data; most passengers will know how they paid for their flight, where they were going and when. In other words, most of the rights apply to personal data that passengers already know; these rights are rarely going to be exercised. Although there may be circumstances where the rights could be useful for data subjects, I contend that for the vast majority of data subjects, the PNR data will be of little (probably no) interest at all.
5. Most of the data protection issues will reside in the other personal data (i.e. other than the PNR data). For example, suppose the name of a flyer is shared with a known criminal, etc., and the authorities think the criminal is flying to the USA. It is when this kind of mix-up occurs that the other personal data needs correcting, updating etc. Any damage to the data subject arises from the other information and not the PNR data – but the Agreement, as it relates to PNR data, does not relate to this other information. Nor does it state how this kind of issue will be resolved.
6. There is no role for the data protection authority, not even an advisory one in the circumstances identified above. These bodies, which have been established in Europe to protect the data subjects’ interests, have been airbrushed out of the Agreement (even when there is a large personal data loss, a major privacy incident or when “rights of access and correction” go awry). Even the provisions that describe the reviews of the data protection elements do not give a role for any data protection authority.
7. Reporting on how the Agreement works in practice, or assessing its privacy protection is undertaken by the parties who want to exchange the PNR data; there is no independent audit, no independent reporting, no requirement to keep statistics that would show that the Agreement is worthwhile. Any analysis runs the risk of being flawed, skewed, self-serving and lacking in credibility. At worst, it’s like asking Count Dracula (yes him again) to report on the effectiveness of the distribution of blood from a blood bank, where our blessed Count manages that blood bank.
8. The press release associated with the Agreement does not even pass the threshold of being “economic with the truth”. If I am honest, it turns being “misleading by omission” into an art form. The Commission evidently also restricted Euro MPs from seeing the Agreement when issuing its press release thus ensuring the absence of critical commentary based on its text. If this is true, it is truly shocking.
The real problem is the conflict of interest that arises because the European Union (EU) has two responsibilities: (a) it negotiates the terms of the Agreement to facilitate the transfer of PNR data, and (b) it also decides whether the privacy protection in the USA is adequate. As the EU has a vested interest in getting PNR data from the USA to support Europe’s law enforcement bodies, the suspicion is that it has compromised on data protection standards to get these data.
The role of the data protection authority should be to act as an independent counter-balance that ensures that any compromise on the personal data needs of law enforcement does not unfairly prejudice individual privacy. In a nutshell, the exclusion of these authorities means that there is no independent counter-balance in this Agreement that protects the interests of data subjects.
Just ask a simple question: “Who should have oversight of an issue that involves data protection?”. The answer the Agreement comes to is “the law enforcement bodies that are responsible for the interference with private and family life in the first place”.
If you want the detail of the annotated Agreement (plus press release) see below – but have a stiff drink by your side.
References specific to the EU-USA PNR Agreement
1. Follow the link to download my analysis of the “Agreement between the United States of America and the European Union on the use and Transfer of Passenger Name Records to the United States Department of Homeland Security” and related press release Download Eu-usa-pnr-deal-amberhawk analysis
2. To get the full agreement, download here: Download Eu-usa-pnr-deal-com-807_November 2011
3. To download the (“economic with the truth”) Press Release from the Commission’s web-site just go to http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/1368
4. EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011) and press release
5. The Commission evidently restricted Euro MPs from seeing the agreement when issuing its press release; if this is true, it is truly shocking:
http://www.itworld.com/government/225603/eu-parliamentarians-speak-out-over-gag-order-data-deal
Related references to the general data sharing PNR Directive between EU Member States
The general PNR Directive which deals with internal flights shows many of the faults of the EU-USA PNR Agreement. See Hawktalk on:
- “Analysis of proposed PNR Directive exposes absent or minimal data protection and privacy safeguards”: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html
- “Data Protection: UK wants to extend PNR Directive despite proportionality fears and the lack of evidence”: http://amberhawk.typepad.com/amberhawk/2011/04/data-protection-uk-wants-to-extend-pnr-directive-despite-proportionality-fears-and-the-lack-of-evidence.html
- “Why the PNR Directive is disproportionate and does not protect privacy”: http://amberhawk.typepad.com/amberhawk/2011/02/why-the-pnr-directive-is-disproportionate-and-does-not-protect-privacy.html
- The problems with data sharing with the USA are unbalanced in relation to the financial sector also. See “Financial data sharing agreement with USA remains unbalanced and defective”: http://amberhawk.typepad.com/amberhawk/2010/06/financial-data-sharing-agreement-with-usa-remains-unbalanced-and-defective.html
- Spoof: “Oyster Card Passenger Name Record system to protect London Olympics”: http://amberhawk.typepad.com/amberhawk/2011/04/oyster-card-passenger-name-record-system-to-protect-london-olympics.html