EU planning to nod through use of PNR data for use by CAPPS II
01 February 2004
A new document on the exchange access to passenger data records (PNR) between states has become available. This is a Commission Staff Working Paper on "An EU-US Agreement on Passenger Name Record (PNR)" (SEC 2004/81, 21.1.04) which assumes - and see as quite unproblematic - that a further agreement with the USA will authorise the use of this data for CAPPS II (Computer-Assisted Passenger Pre-Screening).
The document on the EU-US agreement on PNR says that: "it will be necessary in the near future to cover transfers of PNR data to the TSA" (US Transport Security Administration) for use by CAPPS II (ie: the screening and checking of passengers against a multitude of state and commercial databases). The Commission expects the TSA to simply issue:
"undertakings analogous to the issues by the CBP that can justify the adoption of an adequacy finding by the Commission. The international agreement should thus cover both CBP and TSA"
Put in simple terms the current state of play is that:
1) on 16 December 2003 the European Commission declared that it could make a statement of "adequacy" (under Article 25.6 of the 1995 EC Directive on data protection) on the "Undertakings" given by the USA Customs and Border Protection agency (CBP);
2) on 12 January these "Undertakings" were submitted by the USA but not made public (but see: Full text of:
"Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP)" (pdf)
3) on 29 January the EU's Article 29 Working Party of national Data Protection Commissioners produces a highly critical report on the "Undertakings" which required substantial changes:
Article 29: Opinion on Adequate Protection of Personal Data (pdf) (the European Parliament also passed critical Resolutions on 13 March 2003 and 9 October 2003);
4) on 2 February NGOs (Privacy International, European Digital Rights, Foundation for Information Policy Research and Statewatch) published a highly critical report looking especially at how the PNR would be used for surveillance purposes by US agencies:
Privacy International report (pdf)
5) the Commission's Article 31 Committee has to formally adopted the Commission's statement of adequacy - the European Parliament can only intervene if it passes a Resolution saying the the Commission has exceeded its powers under Article 25.6 of the 1995 Directive
6) the Commission has to produced a "light international agreement" authorising airlines to hand over passenger data
5) Throughout the negotiations on the EU-US PNR agreement European Commissioner Bolkestein has said that the use of PNR data by CAPPS II would be the subject of separate negotiations and discussions -
now it is clear that the Commission simply expect to extend the PNR agreement to CAPPS II with "analogous" undertakings of the highly unacceptable PNR agreement and to make an international agreement covering both.
6) The Commission working paper says that an international agreement is necessary because:
"access by US law enforcement authorities to PNR databases situated on Community territory ("pull") amounts to exercise of US sovereign power in Community territory"
and because "the legal obligations" are those "imposed" by a third country.
Comments
A. The EU-US agreement to give access to personal details of passengers (PNR data) to US agencies giving away the rights of EU citizens under the 1995 EC Directive on data protection and is opposed by the Article 29 Working Party -
this constitutes a denial of rights under EU law
B. The further step that this personal data is then used to "screen" all passengers and through "data-mining" to gather information on them through CAPPS II from state and commer