EU-US Passenger records deal in possible breach

26/04/2006

The American Civil Liberties Union and Privacy International have written to the European Parliament and to European privacy officials to raise the alarm that the U.S. Department of Homeland Security has reached a secret agreement to share airline passenger data with the Centers for Disease Control and Prevention (CDC).

The text of the letter is below.

Mr. Jean-Marie Cavada
Chairman of the Committee on Civil Liberties, Justice and Home Affairs

Mr. Peter Hustinx
European Data Protection Supervisor

Mr. Peter Schaar
Chairman of the Article 29 Data Protection Working Party



April 24, 2006


Dear Mr. Cavada, Mr. Hustinx and Mr. Schaar,

We wanted to bring to your attention an apparent violation of the agreement reached between the United States and the European Commission for the sharing of European Passenger Name Record (PNR) data with the United States government.

The “finding of adequacy” on which that decision was based <1> was premised on American compliance with the globally recognized “purpose limitation” principle, under which data collected for one purpose will not be shared for other purposes. In paragraph 15, the finding stated that

the PNR transferred to CBP [U.S. Customs and Border Protection agency] will be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. In particular, PNR data will be used strictly for purposes of preventing and combating: terrorism and related crimes; other serious crimes, including organised crime, that are trans-national in nature; and flight from warrants or custody for those crimes.

However, it was recently disclosed here in the United States that the U.S. Department of Homeland Security (DHS) has reached an agreement with the Centers for Disease Control and Prevention (CDC) to share passenger data. <2> The agreement was revealed in comments filed with the government by the Air Transport Association (ATA), which is the primary industry association representing U.S. airlines. Through its ties to government agencies the ATA appears to have obtained a copy, or other firsthand knowledge, of the agreement. <3>

The CDC is engaged in a sweeping effort to institute a system of data collection from and about air passengers to, from, and within the United States as part of an effort to conduct surveillance of diseases. While the CDC’s goal is laudable, we have argued that its effort to do so is clumsy, lacking in adequate protections, and would require the construction of a sweeping new data-collection regime. <4>

Therefore, the U.S. government appears to be in clear violation of the PNR agreement. The finding of adequacy is quite clear about the purposes of the data sharing, and equally clear that the use of the data is not to go beyond those purposes. Yet, the United States government appears to be doing just that.

The ACLU has filed an open-records request for a copy of the Memorandum of Understanding between DHS and the CDC, and related information. <5> We will let you know if we discover any further information, but we thought you should know about this apparent breach right away.

Ultimately, our concern is that the purposes for which this data is shared will constantly expand to meet shifting public policy goals. We will continue to monitor these and other developments as they arise, and look forward to further co-operating with you in the future.

Sincerely,

Barry Steinhardt
Director, Technology and Liberty Project
American Civil Liberties Union

Gus Hosein
Senior Fellow
Privacy International


Cc: Alexander Alvaro, Jean-Marie Cavada, Charlotte Cederschiold, Baroness Sarah Ludford, Edith Mastenbroek



Footnotes:

<1> Commission Decision of 14-V-2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection. http://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32004D0535:EN:HTML or http://www.statewatch.org/news/2004/may/com-adequacy-final.pdf

<2> See Bob Brewin, “DHS, HHS make secret pact to share airline passenger info,” Federal Computer Week, April 20, 2006; online at http://www.fcw.com/article94142-04-20-06-Web

<3> The ATA's comments to the CDC, which includes the paragraph disclosing the agreement on page 5, is online at http://www.cdc.gov/ncidod/dq/nprm/comments/2006Mar1_ATA.pdf

<4> See http://www.aclu.org/privacy/spying/25244leg20060421.html

<5> See http://www.aclu.org/privacy/spying/25246prs20060421.html

Related:
Border and Travel Surveillance Home Page
Policy Laundering Home Page
PI and ACLU Comment on Passenger Profiling (PDF)
PI condemns EU for data sharing agreement with U.S.