The PNR agreement and transatlantic anti-terrorism co-operation: No firm human rights framework on either side of the Atlantic

Common Market Law Review

Volumn 46, Issue 3, 2009, Pages 885-919

  Papakonstantinou, Vagelis ^a   de Hert, Paul ^b  

^a UNIVERSITY OF PATRAS   (Greece)

^b VRIJE UNIVERSITEIT BRUSSEL   (Belgium)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 67649646446     PISSN: 01650750     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Article

References (111)

1. Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. 1995, L 281/31, (hereinafter, the Data Protection Directive).
2. See, for instance, the German or French Data Protection Acts dating back to 1976 and 1978 respectively.
3. For a comprehensive list covering developments until the Safe Harbor arrangement was concluded, see the official European Commission Data Protection site at ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm (US - United States - Safe Harbor).
4. For a brief but accurate introduction to the international debate, see the European Data Protection Supervisor (EDPS) Letter to the incoming presidency: fundamental rights are not captives of security, 11 June 2007 (available in the official EDPS site).
5. See en.wikipedia.org/wiki/Passenger_Name_Record.
6. Few airlines (either in the EU or in the USA) host their own passenger databases; in fact, most " outsource" the processing of their PNR data altogether to third (data processing) parties (for instance, EDS) that ultimately upload airlines' PNR data to the so-called Global Distribution Systems (SABRE, Galileo, Amadeus, Worldspan).
7. see Hasbrouck, "What's in a Passenger Name Record", hasbrouck.org/articles/PNR.html. The issue of, even European, airlines having their data processed by American companies for PNR purposes is one of the least discussed aspects of the PNR scene.
8. Art. 2 of the Data Protection Directive, cited supra note 1.
9. Art. 2(a) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108, the 28 Jan. 1981.
10. In this context, at least according to First Pillar distinctions, such data would constitute "sensitive data", requiring thus additional safeguards to "common" data processing (see Art. 8 of the Data Protection Directive, cited supra note 1).
11. At the time of writing this paper, the future of the Treaty of Lisbon, particularly after the result of the Irish referendum, remained unknown
12. For instance, Directive 97/66/EC of the European Parliament and of the Council of 15 Dec. 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, or Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
13. By now, DG Justice, which has succeeded DG Internal Market - a switch of authorities of accurate semantic value, see relevant Statewatch coverage available at www.statewatch.org/news/2005/jul/06eu-data-prot.htm.
14. Officially named the Working Party on the Protection of Individuals with regard to the processing of Personal Data, established by Art. 29 of the Data Protection Directive, cited supra note 1.
15. See edps.europa.eu/EDPSWEB/.
16. See Art. 3(2) of the Data Protection Directive, cited supra note 1.
17. For work within the Council of Europe on Convention 108, as it has been code-named, see www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/.
18. Actually referring to Schengen I (Agreement between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, signed in 1985) and Schengen II or CIS (Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, signed in 1990)
19. See The EUROPOL Convention (consolidated text) at www.europol.europa.eu/index.asp?page=legal.
20. See Council Decision of 28 Feb. 2002 setting up Eurojust with a view to reinforcing the fight against serious crime (2002/187/JHA), O.J. 2002, L 63/l.
21. The Data Protection Directive and the First Pillar mechanisms have nevertheless unavoidably become reference points for all European data protection and, thus, extremely influential for the Third Pillar, especially when the people responsible for applying them in the First Pillar are called upon to act in Third Pillar situations; therefore, an indirect but ever-present influence on Third Pillar processing should always be considered (see, Proposal for a Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, COM(2005)475 final, 4 Oct. 2005, 4). Additionally, it should be noted that a number of Member States have used in their own jurisdictions First Pillar instruments (the data protection principles and the Data Protection Commissioners) to regulate their, internal, security processing as well.
22. Council Framework Decision 2008/977/JHA of 27 Nov. 2008, O.J. 2008, L 350/60.
23. Council Decision of 27 Feb. 2007, on the stepping up of cross-border cooperation, particularly in combating terrorism, and cross-border crime (available at: register.consilium.europa. eu/pdf/en/07/st06/st06566.en07.pdf). As per the relevant Press Release, "The Justice and Home Affairs Council reached agreement about a Council Decision on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime, incorporating in the framework of the Union important provisions of the Prüm Treaty [which] have now become part of the legislative framework of the European Union and will be implemented in all Member States" (See "The Integration of the 'Prüm Treaty' into EU legislation", 12.06.2007, available at europa.eu/rapid/pressReleasesAction.do?reference=IP/07/803).
24. Convention between the Kingdom of Belgium, the Federal Republic of Germany, the Kingdom of Spain, the French Republic, the Grand Duchy of Luxembourg, the Kingdom of the Netherlands and the Republic of Austria on the stepping up of cross-border cooperation, particularly in combating terrorism, cross-border crime and illegal migration, "Treaty of Prüm", 27 May 2005. Available at register.consilium.europa.eu/pdf/en/05/st10/st10900.en05.pdf.
25. See Bellanova, "'The Prüm Process': the way forward for EU police cooperation and data exchange?" in Guild and Geyer (Eds.), Security vs. Justice? - Police and Judicial cooperation in the European Union (Aldershot, Ashgate, 2008), pp. 203-221.
26. See infra note 80.
27. Joined Cases C-317/04 & C-318/04, Parliament v. Council, [2006] ECR I-4721 (hereinafter, the ECJ ruling).
28. Ibid., para 57.
29. Ibid., para 56.
30. Brenner, "Constitutional Rights and New Technologies in the United States" in Leenes, Koops and de Hert (Eds.), Constitutional Rights and New Technologies (Cambridge University Press, 2008), pp. 225-265; Bignami, "European versus American Liberty: A comparative privacy analysis of anti-terrorism data mining", 11 et seq., with further bibliography (available at www.astrid-online.it/Dossier--t1/BIGNAMI-EU-USPrivacy.pdf).
31. OECD, Report on the Cross-Border Enforcement of Privacy Laws, 2006, 12 (available at www.oecd.org/sti/security-privacy).
32. In this context, even since 1989 it has been noted, probably not unjustifiably, that " Americans are sensitive to foreign ignorance of a long line of court cases protective of personal privacy", Flaherty, Protecting privacy in Surveillance Societies (University of North Carolina Press, 1989), p. 306.
33. See Brenner's listing, op. cit. supra note 28, pp. 5-18, and Privacy and Human Rights Report 2006 (PHR 2006) analysis on the USA, under www.privacyinternational.org/article.shtml?cmd[347]=x-347-559478.
34. See Brenner's listing, op. cit. supra note 28, p. 230 and PHR 2006, cited supra note 31.
35. Brenner, op. cit. supra note 28, p. 235. See also PHR 2006, cited supra note 31.
36. Brenner, op. cit. supra note 28, p. 38.
37. See Kropf, "Networked and layered: U.S. privacy oversight and accountability", (2007) World Data Protection Reporter, 3.
38. For a complete list, see the PHR 2006 analysis, cited supra note 31.
39. The Privacy Act of 1974, although issued within a "Watergate" climate, created political concerns for creating "more bureaucracies" and, ultimately, the risk of a presidential (President Ford) veto led to the intermediate solution of awarding part of these duties to the US Office of Management and Budget, Flaherty, op. cit. supra note 30, p. 314.
40. Flaherty, op. cit. supra note 30, p. 315.
41. Kropf, op. cit. supra note 35, at 4, see also PHR 2006 analysis cited supra note 31.
42. Kropf, op. cit. supra note 35, at 4.
43. On the role of codes of practice in European data protection see Art. 25 of the Data Protection Directive, cited supra note 1, and Papakonstantinou, Self-regulation and the protection of privacy (Nomos, 2002), pp. 91 et seq.
44. Kropf, op. cit. supra note 35, at 4.
45. Consequently, all European queries or requests as afforded by the Second PNR Agreement have to be filtered through it (see below under 6.3.).
46. As per DHS explanation, "a System of Records is a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. The Privacy Act requires each agency to publish notice of its systems of records in the Federal Register. This notice is generally referred to as a system of records notice (SORN)" (www.dhs.gov/xinfoshare/publications/gc_1185458955781.shtm).
47. Available, together with all updates, at www.dhs.gov/xinfoshare/publications/editorial_0511.shtm.
48. Kropf, op. cit. supra note 35, at 4. The Bush Administration, however, allowed it to fall into disuse, by failing to appoint members.
49. Under the Second (2007) PNR Agreement (see below under 6.2.).
50. It should, nevertheless, be noted that all DHS Traveller Redress Inquiry Program (TRIP) forms have been placed online and are thus readily available to all passengers (at www.dhs.gov/xtrvlsec/programs/gc_1169826536380.shtm). For the respective 2007 PIA see www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhstrip.pdf.
51. Kropf, op. cit. supra note 35, at 6.
52. A distinction suggested by Whitman in "The Two Western Cultures of Privacy: Dignity Versus Liberty", 113 Yale Law Journal (2004), 1151
53. The CBP implemented in fact the Aviation and Transportation Security Act 2001. See UK House of Lords, European Union Committee, The EU/US Passenger Name Record (PNR) Agreement (HL Paper 108, 5 June 2007), 1-4. More US projects on PNR processing after 9/11, both abandoned and eventually adopted, may be found at the PHR 2006 analysis, cited supra note 31.
54. Unless any of the derogations foreseen in Art. 26 of the Data Protection Directive apply.
55. Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows. At any event, the Protocol has not received sufficient signatures to bring it into force; it also remains questionable whether the Council of Europe norms can be equated automatically with the Third Pillar.
56. More precisely, with the requirements of Art. 25 of the Data Protection Directive, cited supra note 1. The "adequacy" criterion has survived the DPFD process (see its Art. 13), it therefore remains relevant within security processing of personal data.
57. See the official Commission webpages on "the adequacy of the protection of personal data in third countries", at ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm.
58. See Final Report by EU-US High Level Contact Group on information sharing and privacy and personal data protection, Council of the European Union, 9831/28.05.2008, and also de Hert and Gonzalez Fuster, Memorandum to House of Lords PNR Report, cited supra note 52, 61 et seq.
59. Para 33, ECJ ruling, cited supra note 25.
60. Commission Decision 2004/535/EC of 14 May 2004, O.J. 2004, L 235/11-22.
61. Council Decision 2004/496/EC of 17 May 2004, O.J. 2004, L 183/83.
62. The EDPS did not, however, support the ultra vires claim, see the official EDPS site at www.edps.europa.eu/EDPSWEB/edps/lang/en/pid/47.
63. Parliament v. Council (ECJ ruling), cited supra note 25.
64. Paras. 71-74, ECJ ruling, cited supra note 25. See also annotation by Gilmore and Rijpma, 44 CML Rev. (2007), 1081-1099.
65. Para 74, ECJ ruling, cited supra note 25.
66. Nevertheless, a review of its implementation was indeed performed, as provided for in its Undertakings (clause 44) in Sept. 2005. The Report of the Privacy Office of DHS, establishing that "CBP has achieved compliance with the representations made in the Undertakings" may be found under www.dhs.gov/xlibrary/assets/privacy/privacy_pnr_rpt_09-2005.pdf.
67. Preamble, Council Decision on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security, 13226/06
68. See, for instance, European Parliament, "Balancing security and data protection for air travel and judicial cooperation", available at www.europarl.europa.eu/news/expert/background_page/019-10233-247-09-37-9 02-20060901BKG10232-04-09-2006-2006-false/default_en.htm.
69. Para 4, Interim PNR Agreement.
70. Ibid., para 1.
71. Ibid., para 2.
72. Para (3), Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection, 2004, published in the US Federal Register Vol. 69, No. 131, 41543.
73. See Preamble, Interim PNR Agreement.
74. See para (1), Interim PNR Agreement, and House of Lords PNR Report, cited supra note 52, 60.
75. See EDRI's, "Enditorial, Are Transatlantic data protected?", 28 March 2007, under www.edri.org/edrigram/number5.6/transatlantic-data-protected.
76. The SWIFT case was resolved by the German Presidency practically in parallel with the PNR data issue (negotiations run at the same time, between the same participants) in June 28, 2007 (see, EDRI, "Final Agreements between EU and USA on PNR and SWIFT", at www.edri.org/book/print/1231).
77. Council Decision 2007/551/CFSP/JHA of 23 July 2007 (O.J. 2007, L 204/16-25) on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement) available at eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2007:204:0016:01: EN:HTML.
78. A process still not concluded at the time of finalizing this paper, which was nevertheless undermined by bilateral agreements between certain Member States and the USA (see below, under 6.7.). It should be noted, however, that the Agreement provided for provisional application, as per Art. 24(5) TEU, and therefore entered into force immediately not needing to wait for national procedures to be completed.
79. See, for example, OUT-Law News, European Commission Broke Rules over passenger Data Parliament told, 28 March 2007, at www.out-law.com/page-7912.
80. A process that begun only in late 2007 - early 2008 with an unforeseeable, at least at the time of this paper, outcome. See however a first draft of the Commission's proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes under www.statewatch.org/news/2007/oct/eu-com-pnr-proposal.pdf, as well as, the relevant EDPS Opinion on the Proposal, issued on Dec. 20, 2007 (available at the official EDPS site).
81. Parliamentary Debates, Monday, July 9, 2007, Strasbourg (under www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+20070709+I TEM-018+DOC+XML+V0//EN).
82. See EDRI, cited supra note 76.
83. Art. 1, 2007 PNR Agreement.
84. One explanation for such "letter exchange" could be that the USA expected, on the basis of its assurances, an EU assurance of adequacy, that would also serve to bind national data protection authorities (some of which under their respective national law have powers over international transfers that do not distinguish between the First and Third Pillars in the same way as EU law)
85. See Ch. III, U.S. Letter to EU.
86. The same term was used to clear data collected since the First PNR Agreement, an acute problem for American authorities at the time the Second PNR Agreement was concluded, because under the First and the Interim PNR Agreement it had to delete them already (see above).
87. See Ch. VII, U.S. Letter to the EU.
88. Frattini to Parliament "Protection given under the United States Privacy Act will be extended through administrative procedures to non-US citizens, in particular with regard to redress and correction, and, therefore, EU citizens will be entitled to protection under that Act. That was not the case under the previous agreement" (see www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+CRE+20070709+I TEMS+DOC+XML+V0//EN).
89. Even these rights were however diminished unilaterally by the USA immediately after entering the Second PNR Agreement (see infra, under 6.7).
90. See, above all, the European Parliament's Resolution of 12 July 2007, where among others, it is stated that: "the new PNR agreement fails to meet the second objective, as it is substantively flawed in terms of legal certainty, data protection and legal redress for EU citizens, in particular as a result of open and vague definitions and multiple possibilities for exceptions" (also available at www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2007- 0347+0+DOC+XML+V0//EN&language=EN).
91. See fields No. 6, 8 and 9 of the Undertakings for the First and Interim PNR Agreements and field No. 7 of the Second PNR Agreement respectively.
92. See fields No. 12 and 13 of the Undertakings for the First and Interim PNR Agreement and field No. 10 of the Second PNR Agreement respectively.
93. In the European Parliament's words, it: "Takes note of the reduction in data fields from 34 to 19, but points out that the reduction is largely cosmetic due to the merging and renaming of data fields instead of actual deletions" (Resolution of 12 July 2007, cited supra note 90)
94. See a common EU approach to the use of Passenger Name Record (PNR) data for law enforcement purposes - Art. 29 Working Party (available at ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/others/2007_31_01_comm on_eu_approach_use_pnr_data_for_law_enforcement.pdf), 8.
95. See the Data Retention section in the Interim PNR Agreement.
96. See Commissioner Jonathan Faull's response to a relevant question in a public seminar held by the European Parliament LIBE Committee on 26 March 2007 (minutes available at www.edri.org/edrigram/number5.6/transatlantic-data-protected).
97. See In't Veld or Schaar in European Parliament LIBE Committee Seminar (previous note), as well as House of Lords PNR Report, cited supra note 52, at 20-22.
98. See supra note 80.
99. See also House of Lords PNR Report, cited supra note 52, at 5.
100. See relevant Statewatch entry at www.statewatch.org/news/2007/sep/04eu-usa-pnrexemptions.htm.
101. Federal Register: Aug. 22, 2007 (Volume 72, No. 162), see also the relevant Statewatch announcement at www.statewatch.org/news/2007/aug/usa-adis-privacy-act-exemptions.pdf.
102. See EDRI, "US gains new advantages in the EU-USA PNR agreement", Newsletter No. 5.17, 12 Sept. 2007.
103. The DHS at the same time also amended the APIS system, where PNR data are maintained, because "DHS needs these exemptions in order to protect information relating to law enforcement investigations from disclosure to subjects of investigations and others who could interfere with investigatory and law enforcement activities. Specifically, the exemptions are required to: Preclude subjects of investigations from frustrating the investigative process;" etc. (Notice of Proposed Rulemaking for Privacy Act Exemptions Aug. 23, 2007, 72 FR 48346, available at www.dhs.gov/xinfoshare/publications/gc_1185458955781.shtm).
104. See EUBusiness.com, "EU Nations Set to Negotiate Individual US Visa Deals", 28 Feb. 2008, at www.eubusiness.com/news-eu/1204192026.71, and The Guardian, "Bush Orders Clampdown on Flights to US", 11 Feb. 2008, at www.guardian.co.uk/world/2008/feb/11/usa. theairlineindustry, ("the Americans could 'get' a gung-ho frontrunner" to sign up to the new regime and then use that agreement 'as a rod to beat the other Member States with'. The frontrunner appears to be the Czech Republic").
105. See Council Decision of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data, 2006/230/EC.
106. Available at www.statewatch.org/news/2008/jun/eu-australia-pnr-agreement-2008.pdf.
107. See Joint Motion for a Resolution to the European Parliament on the PNR Agreement with the United States, available at www.alde.eu/fileadmin/files/plenary_session/2007/july/2007-LIBE_-0048-01 -EN.pdf.