EU Commission plots global travel surveillance system
Whatever made you think America was the privacy villain?
Observers of the European Commission's negotiations with the US Department of Homeland Security over the transfer of airline passenger data might easily run away with the impression that the Commission has meekly capitulated to the US' extraterritorial and unilateralist demands. A report into the Commission's activities published this week by Privacy International however argues persuasively that the Commission has used the US negotiations as a Trojan Horse to aid the construction, first, of the EU's own surveillance and monitoring systems, and second, of a global system.
So actually, we're not talking about a battle between US Big Brother on the one hand and freedom and privacy loving Europe on the other; we are talking about a general, and effectively global, effort to neuter, circumvent or overthrow privacy protection legislation. As the Privacy International report says, "Starting with a simple law in the US, the European Commission has negotiated a global surveillance system tracking the movement of people."
Privacy International says the Commission "has engaged in a process of systematic deception and subterfuge... Not only has it allowed key privacy rights to be extinguished in a deal struck with the US last December, but it has also failed to disclose its own intention to establish a more extensive regime in the EU. The proposed EU surveillance system will be used not only for purposes of anti-terrorism, but also for immigration, law enforcement and customs."
The Commission certainly has not advertised its intentions broadly, but the processes whereby its initial apparent rejection of US demands were defanged, and it moved from the position of opponent to accomplice, are fairly clear. The EU cannot, Commissioner Bolkestein has argued, reasonably deny the US access to information in the fight against terrorism when member states themselves have such access. Having taken this somewhat dodgy (because actually, this is precisely what the law says the EU cannot and should do) premise on board, the Commission looks at the data requirements of the US, and concludes: "The list of data elements also seems broad enough to accommodate law enforcement needs in the EU. Nothing in the arrangements agreed with the US therefore seems to prejudice the development of an appropriate EU policy."
Which is...? The report lists the EU vested interests who have a need to perform radical surgery on Europe's data protection regime. "The Internal Market Commission argued for an EU policy on access to PNR so that it could ensure that it was not restricting access for the US to something that the EU member states would have access to; while also arguing for a centralized solution to filter out sensitive data. Meanwhile the Transport Commission wishes to establish an international solution through the ICAO for immigration controls, and the Justice and Home Affairs Commission aims to establish a centralized solution for access by EU member states for law enforcement purposes."
The process that will result in the construction of a centralised European PNR database system is particularly fascinating because of the way it's being pitched as a protection mechanism and a convenience, rather than the foundation of a travel surveillance system. Currently the US 'pulls' the data from European airlines' systems, i.e. its operatives can go into the airlines' systems and get it. This is clearly unacceptable from a privacy point of view, because the airlines' systems do not as yet differentiate between data that the US does not want or is not allowed to access, and data that it does want, and is allowed to access. So for example they could access free text data in the comments field*, and data on flights which neither go to nor come from the US, because that data is held on the system of an airline which flies to the US. The US is not of course going to do this.
Airlines will however be moving over to a 'push' system, where they send the required data to the US in the required format. But this is going to expensive, and matching up US requirements with the requirements of individual EU states will introduce confusions. So, it makes obvious sense for the EU to standardise PNR disclosure requirements, collate them in its own central database, filter them, then let the US have them. Cute, no?
ICAO, the International Civil Aviation Organization, is the chosen vehicle for taking the surveillance system international. The US and EU plan to take the issue to ICAO with a view to constructing an international regime, and this could then be ratified by the European Parliament "under the requirements of international co-operation." Privacy International argues that the Commission, by abandoning the protection of European privacy rights will remove Europe as an ally for other countries coming under pressure from the US to weaken their privacy regimes, and that the result will be "a race to the bottom for global privacy protection."
A commentary on the report produced by the American Civil Liberties Union says that "instead of the Europeans' civilized privacy regime rubbing off on the United States, it appears that our Wild West legal regime is instead rubbing off on them." But this seems to The Register to be unnecessary self-flagellation. It is in the nature of states everywhere to attempt to erode rights, which is why (in their occasional fits of altruism) they construct checks, balances, bills of rights, constitutions and the like. These then have to be defended when these states decide with hindsight that the fits of altruism were extreme, and should therefore be amended. Which, we reckon, is what we have here. ®
* Register readers passing through the BA terminal at LAX may care to check to see if this still works. Some years back The Register, and the rest of a planeload of Northwest passengers, missed its connection to London, and had to attempt to negotiate a place on the next flight (my, how the BA staff laughed at the distraught Virgin passengers whose next available flight was a whole 24 hours away...). We went for humble, polite, submissive, which is always best under these circumstances, but others were less wise, stamping, foaming, screaming - up to and exceeding the threshold that'd probably get you arrested these days. Now, while awaiting the wait-list verdict, The Register lounged by the partition just at the left hand end of the BA check-in desks. We noted, with increasing fascination, that from here we could clearly read the content of the free text section of the database BA staff were using as part of the wait-list collation process. "Africa correspondent of the Financial Times," one said (right, we thought, and I'm Lech Walesa...), while another pithily noted: "Hopelessly out of control." We're sure BA doesn't write these sorts of things today. Matter of fact, we're sure BA would never have invaded its passengers' privacy like this, and we therefore must have imagined the whole incident. Honest. But if you're passing and fancy a quick look, remember to be discreet, OK?
Sponsored: Fast data protection ROI?