Airlines and CRS's violating European privacy laws -- again

At midnight last night a decision of the European Court of Justice announced in May took effect, annulling both the “finding” by the European Council that airline reservation data transferred to the USA is protected adequately to satisfy European Union (EU) privacy and data protection rules, and the nonbinding “agreement” between the USA Department of Homeland Security (DHS) and the European Commission which purported to legitimize access by the DHS to reservation data collected in the EU.

The entry into effect of the Court judgment, and the annulment of both the adequacy finding and the agreement, makes it legally as though that finding and agreement had never existed. It thus removes any possible doubt that access by the DHS to passenger name record data collected in the EU is as of today, and has been at all times since it began, unauthorized by any valid EU law or regulation.

Both airlines flying to and from the USA, and the computerized reservation systems (CRS’s) that host their reservation databases, have been giving the DHS total access to their PNRs since at least 2003. That means that anyone who made a reservation, while in the EU, for a flight to or from the USA since 2003, is entitled to complain (A) to their national data protection authorities against both the airline and the CRS that hosts their reservations (if you aren’t sure which CRS that is, ask the airline — if you are in the EU, they are required to tell you), for violation of national laws implementing the EU Data Protection Directive, and (B) directly to the European Commission against the CRS, for violation of the privacy clause, Article 6(d), of the EU code of conduct for computerized reservation systems .

As of today, it is the legal duty of EU national data protection authorities and the European Commission to enforce those laws and regulations, to act on any such complaints, and to reinstate and resume action on any such complaints or enforcement actions that were previously dismissed or stayed on the basis of the findings or agreement that have now been annulled.

If you made such a complaint before, you should contact the authorities with whom you lodged your complaint, to make clear that you are renewing your request for enforcement action. If you haven’t previously done so, you can — and should — make a complaint for any flights you’ve taken to or from the USA since 2003, as long as you are an EU citizen and made your reservations in the EU. Be sure to include both the airline and the CRS in your complaint to your national data protection authorities, and make a separate complaint directly to the European Commission against the CRS. It might help to send copies of your complaints to your Members of the European Parliament (MEP’s).

In addition, the lack of adequate protection for PNR data in the USA means that airlines, CRS’s, travel agencies, or tour operators that send PNR data collected in the EU to the USA are and have been violating EU law by transferring that data to commercial entities in the USA (such as USA-based CRS’s), regardless of whether or not the government of the USA also has access to the information.

There was ample notice of the European Court of Justice decision, and of the legal obligations it would impose on airlines, CRS’s, and EU enforcement authorities. The court’s decision was clearly foreshadowed by a preliminary opinion in December 2005, and was definitively announced in May with its effective date postponed for four months to avoid any disruption of airline operations.

Either airlines or CRS’s — on whom they depend for PNR data storage and transfer to third parties such as the DHS — could have, and should have, pulled the plug yesterday at midnight on DHS access to their PNRs. If they didn’t, EU national data protection authorities and the EC are required to enforce their laws and regulations, and to act on citizen complaints. But that doesn’t appear likely without concerted public pressure, including as many individual complaints as posible to European enforcement agencies. According to an Associated Press story today, “[USA Secretary of Homeland Security Michael] Chertoff said he’d been assured that European airlines would continue to transmit passenger data and said he didn’t think European governments would penalize them for doing so.”

Since no law requires the DHS to demand or obtain access to PNRs, the DHS could also have avoided any conflict with EU law by rescinding its administrative directive to the airlines,

In addition, as I told the Washington Post for its story today,

The dispute could easily have been resolved if the United States had adopted privacy protection for passenger reservation data that satisfied the European standards, said Edward Hasbrouck, an expert on travel data privacy in San Francisco. The standards include giving the person whose data is shared the right to have access to and to review the data and putting limits on its use and on its retention.

Airlines have tried to portray themselves as “caught in the middle”, and as only reluctantly betraying their customers’ privacy under USA government coercion. But if that were true, airlines would have publicly called for, endorsed, and committed their considerable lobbying ability to getting the USA to pass a travel data privacy law — or, better, a general commercial data privacy law — consistent with international and EU norms of adequacy.

Instead, most airlines and their trade associations appear to be hoping to trade government access to airline PNR data for airline access to data from government documents and records, especially government “watch lists” and data from RFID passport chips including travellers’ digital photographs and other digitized biometric identifiers.

Talks between the USA and at least some EU bodies are continuing. Secretary Chertoff of the DHS claims in a statement today that:

[F]ollowing our negotiations with representatives of the European Union (EU), I have initialed a draft formal U.S. /EU agreement regarding the sharing of Passenger Name Record (PNR) data…. [W]e await the final ratification of the draft agreement.

But the key thing to understand about this “deal” is that it is legally meaningless. The initials of a Cabinet member on a draft (or even their signature on a final document) cannot, under the U.S. Constitution, bind the government of the USA. Unless the “ratification” Chertoff is predicting takes the form of a vote by the U.S. Senate to ratify a treaty, and similar action by EU member governments, the new “agreement” will — just like the one the European Court has already overturned — have no legal force or effect, will not be enforceable against the DHS or any other USA government agency, and will leave intact the continuing duty of EU authorities to enforce their laws and act on citizen complaints and request for action against airlines and CRS’s that transfer PNR data either to the DHS or to commercial entities in the USA.

The “deal” now bing discussed will, if it is concluded, probably be temporary, reportedly for a one-year term. Within that year, I expect that an actual treaty on PNR data will be negotiated and presented for ratification to the U.S. Senate and to EU member governments. In the meantime, the challenge for EU national data commissioners, and the European Commission as enforcement body for the EU code of conduct for CRS’s will be whether they hide behind a nonbinding administrative fig leaf as a face-saving excuse for acquiescence in lawbreaking by airlines and CRS’s, or whether they do their duty to uphold and enforce their current privacy laws.