Privacy concerns in USA lead to withdrawal of CAPPS II - Could this happen in the EU?
01 May 2004
- farce over mandatory biometic identifier - facial scans or fingerprints?
The withdrawal of CAPPS II (Computer Assisted Passenger Pre-Screening System) in the USA in mid-July is a salutary lesson in democracy for the EU. CAPPS II would have provided real-time profiling and background checks on all travellers based on data held on both state agencies (FBI, CIA etc) and commercial databases. It was withdrawn because of privacy objections by civil society and in Congress and due to an authoritative report from the General Accountability Office (GAO, previously "Accounting" Office). The report from the GAO, published in February, examined the CAPPS II plan according to eight privacy and data protection standards and found that it did not meet seven of them. The Congress on the basis of this report refused to agree further expenditure on CAPPS II. So CAPPS II is effectively dead - any replacement scheme will have to go through the same accountability checks.
In the USA Edward Hasbrouck said that CAPPS II was a "data-mining programme for surveillance" rather than one that checked passengers names against "watch-lists". Barry Steinhardt, of the American Civil Liberties Union, said: "It is finally sinking in that the focus should be on physical security, not on background checks on all airline passengers".
Passengers will still be screened using their passenger name record data (PNR) against "watch-lists" (said to be 10,000 names and growing) for suspected terrorists or organised criminals - and have to "consent" to giving their fingerprints on entering the USA.
EU adopts its own passenger screening system
In April the EU adopted the first stage of its own PNR screening system for everyone entering the EU (this was twice rejected by the European Parliament). Their personal data has to be deleted after 24 hours, except if it is needed by national law enforcement agencies who can keep it indefinitely. Whether the multitude of national agencies across the EU who will be able to access this data would have passed the GAO privacy standards we shall never know.
Such a reversal of policy as happened over CAPPS II could not happen in the EU. Whereas in the EU the opinions of the Article 29 Working Party on data protection (from the 25 member states’ data protection authorities) are routinely ignored, or sidelined, the reports of the GOA in the USA cannot be dismissed by government. Equally the repeated opposition of the European Parliament to the EU-US access to passenger data deal was ignored too. The parliament has taken the Council and Commission to the Court of Justice on the issue but this is a last resort. For democracy to function properly the EU should accord the Article 29 Working Party with the status of the GAO and the parliament, based on its reports, should have the final say.
Nor are these issues of independent assessment and parliamentary powers to reject proposals addressed in the new EU Constitution. Quite the reverse: "operational" matters on internal security are to be handled by a new "Article 162" Committee and national and European parliaments only to be "kept informed". While the creation of EU-wide databases and their scope could be hidden under the "non-legislative" category of "administrative" measures.
U-turn on biometric identifiers?
At a press conference in Brussels on 24 June Admiral James Loy, US Deputy Homeland Security Chief said that: "We would just like to specify fingerprints as a very practical, better biometric to use" indicating an extraordinary U-turn. In 2003 the USA and UK pushed through facial scans as the primary biometric identifier in G8 which then got the proposal through the International Civil Aviation Organisation (ICAO).
Although the EU has agreed that fingerprints are to be the mandatory identifier for its VIS (Visa Identification System) it bowed to the USA, UK, G8 and ICAO determined standard for EU biometric passports (and ID card