Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


PI and ACLU call for repeal of EU-US agreement on data transfers

Privacy International and the American Civil Liberties Union have appealed to the Council of the European Union, the European Commission, the European Parliament, and privacy commissioners in 31 countries across Europe to repeal the agreement between the EU and the US on passenger data transfers. We argue that, with the recent disclosure of the 'Automated Targeting System' being used by the US Department of Homeland Security, the US has violated both American law and the agreement with the EU by using European passenger data for creating a 'risk assessment score', and retaining this data for 40 years.

Background on 'ATS'

According to recently disclosed documentation from the Department of Homeland Security and its Customs and Border Protection branch (CBP), see

  • DHS, Office of the Secretary, Privacy Act of 1974; System of Records - Notice of Privacy Act system of records, November 2, 2006, Volume 71, Number 212. (hereafter ‘Register Statement’)
  • DHS, Privacy Impact Assessment of the Automated Targeting System, November 22, 2006. (hereafter ‘PIA’)

for a number of years the U.S. has been using a system called the Automated Targeting System to assess risks to transport. All analyses and studies of the ATS up until August 2006 stated that the system was used to target cargo shipments. Yet it was only discovered in November that CBP was using this system for targeting passengers.

We found that the system has the following characteristics:

  • it uses Passenger Name Records (from the databases of airlines and reservation systems), and potentially the full record of PNR[1]
  • it collects PNR[2], and stores it[3]
  • it creates a risk assessment score[4]
  • the data is kept for 40 years[5] (though there is discussion of a shorter period of time for the EU PNR data[6], but this exemption does not extend to the risk assessments derived from that data[7])
  • it is not limited to combating terrorism or international crime[8]
  • the data may be shared with other agencies in the U.S. government and foreign and multi-lateral organisations[9]
  • data will be used for additional testing of other new technologies[10]
Problem

There have been a number of excellent analyses of the problems with ATS under U.S. law, including how it violates explicit Congressional prohibitions on passenger risk-assessment schemes (see the EFF, EPIC, and ACLU websites for more information). To date these have focused solely on how the scheme violates U.S. law and the privacy rights of U.S. millions of citizens. But ATS goes well beyond that.

Because ATS uses PNR received from EU carriers under the EU-US Agreement on the transfer of passenger name record information, CBP is violating the EU-US agreement by:

  • using the data for profiling or risk assessments when it was agreed the data would only be used for verifying whether someone is on a watch-list, in accordance with U.S. law
  • retaining the risk assessment profiles for 40 years when the EU-US agreement permits only the extraneous retention of data beyond 3.5 years on a case-by-case basis when someone is actually suspected of terrorism
  • using the data for general law enforcement purposes, when the EU-US Agreement only permits PNR to be used for combating terrorism and international organised crime
  • removing all the safeguards embedded within the EU-US agreement including the right to correct inaccurate data

As a result, we call for the repeal of the agreement and investigations into how this system was kept a secret for so long even while the U.S. was negotiating with the EU and was promising that the data would be used in limited ways, and even after EU officials conducted an in-depth review of the U.S. operations. The letters are available here:

Larger context

When the EU-US agreement was first negotiated, it was a highly contentious idea. The EU insisted, at first, that the data from EU carriers could not be submitted to the U.S. without explicit safeguards. The U.S. authorities were demanding that the data be accessed directly by CBP officials whilst logging into airlines' databases, that the data be kept for more than 40 years, that the data be used for any law enforcement purpose, and that the data could be used with the (now defunct) passenger profiling system called 'CAPPS II'. European privacy commissioners, the European parliament, and European Commission officials called for stronger protections, limited retention periods, limited access to the databases (including restricted access to medical and religious information of travelers). Eventually the EU and the U.S. came to an agreement in 2004 that permitted for the transfer of data with some safeguards, including 3.5 year period of retention, some rights of access by European citizens to correct their data, and promises that the data would only be used for combating terrorism and international organised crime. Most importantly, the U.S. promised that the data would not be shared with other agencies and that the data would not be used for automated profiling or risk-assessment scoring.

In 2006 the European Court of Justice ruled, on a case brought by the European Parliament, that the agreement needed to be renegotiated by the end of September 2006 (due to legal problems that were not directly related to privacy concerns). Over the summer of 2006 tense negotiations followed with an agreement being reached after the deadline of the dissolution of the agreement, in October 2006, that re-established the original agreement but with an expiration date of summer 2007. The U.S. has made it quite clear that they intend that the new agreement will give them greater access and abilities to process this information however they see fit.

As we approach the moment where negotiations are to re-open between the EU and the US we are seeing how the U.S. abused the conditions and ignored the safeguards under the original agreement. The EU's resolve weakened in the original negotiations and the European Commission argued that they had managed to get the Americans to agree to some strong safeguards. Now that we have seen that even these limited safeguards were being ignored and are likely to be ignored in the future (recall: DHS is also breaking U.S. law by using ATS), this places into serious jeopardy the likelihood of any new agreement in the future unless the EU willingly abandons its position on the protection of privacy in accordance with the 1995 Directive on Data Protection and Article 8 of the European Convention on Human Rights.

References

[1] Page 64545 of Register Statement: “ATS--P (Automated Targeting System--Passenger), a component of ATS, maintains the PNR information obtained from commercial carriers for purposes of assessing the risk of international travelers. PNR may include such items as: PNR record locator code, Date of reservation, Date(s) of intended travel, Name, Other names on PNR, Number of travelers on PNR, Seat information, Address, All forms of payment information, Billing address, Contact telephone numbers, All travel itinerary for specific PNR, Frequent flyer information, Travel agency, Travel agent, Code share PNR information, Travel status of passenger, Split/Divided PNR information, Identifiers for free tickets, One-way tickets, E-mail address, Ticketing field information, Automated Ticketing Fare Quote (ATFQ) fields, General remarks, Ticket number, Seat number, Date of ticket issuance, Any collected APIS information, No show history, Number of bags, Bag tag numbers, Go show information, Number of bags on each segment, Other Supplementary information (OSI), Special Services information (SSI), Special Services Request (SSR), Voluntary/involuntary upgrades, Received from information, and, All historical changes to the PNR. Not all carriers maintain the same sets of information for PNR.”

[2] Page 2 of PIA: “ATS receives various data in real time from the following different CBP mainframe systems: the Automated Commercial System (ACS), the Automated Export System (AES), the Automated Commercial Environment (ACE), and the Treasury Enforcement Communication System (TECS). ATS collects certain data directly from commercial carriers in the form of a Passenger Name Record (PNR). Lastly, ATS also collects data from foreign governments and certain express consignment services in conjunction with specific cooperative programs.”

[3] Page of 64544 Register Statement: “As part of the information it accesses for screening, Passenger Name Record (PNR) information, which is currently collected pursuant to an existing CBP regulation (19 CFR 122.49d) from both inbound and outbound travelers through the carrier upon which travel occurs, is stored in the Automated Targeting System.”

[4] Page 64544 of Register Statement: “The risk assessment and links to information upon which the assessment is based, which are stored in the Automated Targeting System, are created from existing information in a number of sources, including, but not limited to: the trade community through the Automated Commercial System or its successor; the Automated Commercial Environment system; the traveling public through information submitted by their carrier to the Advance Passenger Information System; persons crossing the United States land border by automobile or on foot; the Treasury Enforcement Communications System, or its successor; or law enforcement information maintained in other parts of the Treasury Enforcement Communications System that pertain to persons, goods, or conveyances.”

[5] Page 64546 of Register Statement: “The retention period for data specifically maintained in ATS will not exceed forty years at which time it will be deleted from ATS. Up to forty years of data retention may be required to cover the potentially active lifespan of individuals associated with terrorism or other criminal activities.”

[6] Page 11 of PIA: “Generally, data maintained specifically by ATS will be retained for up to forty years. Certain data maintained in ATS may be subject to other retention limitations pursuant to applicable arrangements (e.g., PNR information derived from flights between the U.S. and the European Union).”

[7] Page 11 of PIA: “This assessment and related rules history associated with developing a risk-based assessment are maintained for up to forty years to support ongoing targeting requirements.”

[8] Page 64546 of Register Statement: “Purpose(s): (a) To perform targeting of individuals, including passengers and crew, focusing CBP resources by identifying persons who may pose a risk to border security, may be a terrorist or suspected terrorist, or may otherwise be engaged in activity in violation of U.S. law; (b) To perform targeting of conveyances and cargo to focus CBP's resources for inspection and examination and enhance CBP's ability to identify potential violations of U.S. law, possible terrorist threats, and other threats to border security; and (c) To assist in the enforcement of the laws enforced or administered by DHS, including those related to counterterrorism.”

[9] Page 64546 of Register Statement: “In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside DHS as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:” and continues to refer to ‘appropriate Federal, state, local, tribal, or foreign governmental agencies or multilateral governmental organizations” for the purpose of enforcement of civil or criminal laws; amongst a number of other statement organisations and purposes.

[10] Page 64546 of Register Statement: “To appropriate Federal, State, local, tribal, or foreign governmental agencies or multilateral governmental organizations where CBP is aware of a need to utilize relevant data for purposes of testing new technology and systems designed to enhance border security or identify other violations of law.”

 

Add new comment