thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, June 15, 2011

EU Fundamental Rights Agency: EU-PNR Directive not good

The Fundamental Rights Agency of the European Union (FRA) has finished its opinion on the proposed directive for an EU-PNR system for the retention and mass analysis of flight passenger data. It had been asked by the Civil Liberties Committee of the European Parliament in March 2011, on the initiative of the Greens/EFA group.

I provide a summary of the most important findings below. A summary in their own words is at page 20.

Further reading: In the meantime, the legal service of the EU Council has also shredded the proposed directive to pieces (German version only, sorry!).

The FRA opinion criticises the proposed PNR directive on the following grounds:

1) Data Protection Violations
FRA shares the concerns published by the European Data Protection Supervisor (EDPS) and the Article 29 Working Party. The FRA opinion is therefore seen as complementing them and only touches on issues that are not addressed by the data protection bodies:
"In general, the FRA shares these analysis and opinions and takes them as a point of departure. This FRA opinion complements and adds to the opinions of the EDPS and the Article 29 Working Group by focusing on topics from a broader fundamental rights perspective." (p. 5)
2) Ban of Discrimination not sufficiently respected

a) Discriminatory Profiling based on sensitive Data: The directive would have to exclude many more categories than the ones listed in articles 5 and 11. The Commission did not cover the following categories in its proposal, though they are protected under EU law:
"[I only list the ones not covered by the proposed directive, RB] sex, colour, social origin, genetic features, language, any other opinion (beyond political views), membership of a national minority, property, birth, disability, age” (p. 7)
b) Indirect Discrimination based on Profiling for Other Data: This would also be prohibited, but the proposed directive does not prohibit it. It includes all data categories that are not covered by a) (p. 9). To me it reads like a cautiously written general ban on profiling, because any data category can be used for discrimination. Surveillance studies scholars called profiling "digital discrimination" years ago.
An example by analogy: Discrimination based on language or nationality or religion is banned, but if someone travels from Islamabad to Mecca once a year, you can assume he or she is Muslim. This would be prohibited.

3) Clarity of the law is not given:
"Individual passengers may be generally aware that their flight details are being recorded and exchanged but will typically know neither the assessment criteria applied nor whether or not they have been flagged by the system for further scrutiny. Therefore, any measure giving the authorities power to interfere with fundamental rights should contain explicit, detailed provisions" (p. 12)
This clarity is lacking because of

a) Generic clauses such as “general remarks (...) such as" in the description of the data transmitted, retained and analysed (item 12 in the annex to the proposed directive, see p. 13 of FRA opinion). The types of data are also not limited:
"The explanatory text within the brackets also indicates solely what kind of information is included, but does not limit the data to be collected. This might possibly permit unlimited information gathering and transfer and, therefore, might not be justified by the purpose of the PNR system" (p. 13)
b) Purpose Limitation is lacking:
"The definition of serious crime included in Article 2 (h) includes an open formulation: (...) the discretion the proposal grants Member States to decide which crimes are covered and which are not seems unnecessarily broad." (p. 14)
c) Data Matching is unspecified:
"Article 4 (2) (b) states that “the Passenger Information Unit may compare PNR data against relevant databases, including international or national databases or national mirrors of Union databases, where they are established on the basis of Union law, on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such files.” This provision allows for matching PNR data ‘with undetermined databases’. Because the databases are not specified, the use of PNR data might not reach the required level of foreseeability" (p. 14)
4) No Proof of Necessity:
"The FRA is aware that further evidence proving the necessity of a PNR system might exist beyond what was disclosed." (p. 15)
In plain English: Do your homework! (Fun fact: The Commission currently has the same problem with regards to the evaluation of the data retention directive 2006/24/EC, where they were not able to prove the necessity based on hard data.)

5) False Positives / Repression against Innocent People
"The examples provided by the European Commission relate only to cases in which PNR data were successfully used in the course of investigations. For a more complete picture, it would also be necessary to analyse those cases in which the use of data proved to be misleading and led to the investigation of innocent people. Such a case is included by the European Union Committee of the UK House of Lords in its 2007 report on the EU/US Passenger Name Record (PNR) Agreement: the case of Maher Arar." (p. 16)
6) Proportionality of Applying the Measures to all Passengers: The FRA quotes at length from rulings by the German Constitutional Court etc., and then concludes:
"The FRA suggests for proportionality reasons to include an explicit obligation in the proposal to make every reasonable effort to define assessment criteria in a manner which ensures that as few innocent people as possible are flagged by the system. This aspect could also play an important role for the review envisaged in Article 17 of the proposal which states that special attention should be given in the course of the review to “the quality of the assessments”." (p. 18)
7) Effective Oversight unclear: Any data protection oversight must be fully independent and must have powers of investigation and binding rulings, which apparently is not clear from the proposed directive draft. (p. 19f)

Tuesday, June 07, 2011

Conservative hardliner admits: lack of data retention has no impact on crime clearance rate

Uwe Schünemann, conservative home affairs minister of the German Land of Lower Saxony, admits in a response to a parliamentary question:
Erhebliche Auswirkungen im Hinblick auf die Aufklärungsquote bei Straftaten, die im Zusammenhang mit dem Tatmittel Internet begangen wurden, sind für das Jahr 2010 nicht festzustellen.
English translation:
Significant impact in terms of the clearance rate for crimes that were committed in connection with the Internet for the year 2010 can not be determined.
After a constitutional court ruling, Germany has had no data retention in place since 2nd of March 2010.

Fun fact I: Schünemann just received a Big Brother Award in Germany for the second time. German laudation here.

Fun fact II: The question came from Social Democrats. This is the party that was crucial for adopting data retention in the EU in 2005 and then later in Germany. They have been losing so many votes in recent years (of course also for factors not related to privacy) that they seem to move in the right direction again. Hopefully.

Battle over Passenger Data is heating up

In late May 2011, the new draft agreements on the transfer and retention of air passenger data between the EU and the United States and between the EU and Australia respectively were leaked to the public. The re-negotiation of the agreements from 2007, which have since then been provisionally applied, had become necessary after the European Parliament refused to vote on them in May 2010.

The new agreements do not substantially improve the situation compared with the old ones. They both require that data of air passengers is transferred to public authorities (DHS in the US, Customs and Border Protection in Australia) ahead of a flight; they allow for profiling, i.e. the use of data for sorting passengers into risk categories based on pre-defined and secret criteria without an initial suspicion or criminal lead; and they allow for retention of the data up to 5.5 (Australia) and 15 (US) years. There are also provisions for onward transfer of the data to third agencies and countries.

The agreement with the US met heavy criticism both among EU member states as well as among Members of the European Parliament and from civil society, and provoked an emergency reaction from the UK Justice secretary as well as the US ambassador to the EU. At the moment, there are talks with the negotiator (DG Home Affairs of the European Commission) to re-open the text, though improvements have been made very unlikely by a recent resolution of the US Senate that rejects European privacy demands.

The agreement with Australia is less prominent, but still highly relevant. There is a small blocking minority in the Council, consisting of Germany, France, Belgium, Czech Republic, Ireland, Austria and Portugal, that is mainly concerned about the provisions on transfer to third countries, and sometimes about the retention periods (Germany, France). The Commission is not willing to re-negotiate, though. The Council of Justice and Home Affairs Ministers on 9th/10th June might overcome the blocking minority and the parliamentary reservations from some countries, and adopt the agreement. At the moment, a veto in the European Parliament is unlikely. In the worst case, the Australia agreement may be concluded before the summer break and open the floodgates for other such agreements, and for the first time accepting profiling and preventive policing.

Privacy activists from EDRi members Mensenrechten.be, Digitale Gesellschaft and FoeBuD, as well as from EDRi observer AK Vorrat and other groups, met in Brussels from 27th to 30th May to do a legal, technical and political analysis, coordinate their short-term work and plan for long-term collaboration with others. A mailing list will be set up shortly.

Comprehensive PNR Wiki: http://wiki.vorratsdatenspeicherung.de/Passenger_Name_Record

Wednesday, December 22, 2010

Reding asks the "Kissinger question" on Data Protection Agreement with US

The preparations for a comprehensive data protection framework agreement between the EU and the US for cases where personal data is exchanged in the context of criminal law enforcement have been finalized - in Brussels. The Council of EU Justice and Home Affairs Ministers approved the negotiation guidelines for the Commission on 3rd December.

The US government, unfortunately, is reluctant to move forward. They seem to prefer to agree on the new Passenger Name Records (PNR) deal quickly and postpone the data protection framework - which would cover PNR, TFTP/SWIFT bank data, as well as other data exchanged between the EU and the US.

Now, Viviane Reding came up with one of her unique quotes again:
European Justice and Fundamental Rights Commissioner Viviane Reding criticised the US for having shown little interest in negotiating with the EU a deal to protect the private data of European citizens during terrorism probes.

In what appears as a remake of the so-called "Kissinger question" ('what is the EU's telephone number'?), Reding lamented that Washington had not yet appointed a negotiator for the data protection agreement.

"I certainly can wait for a few days. But I expect to be given the telephone number of the US chief negotiator before the end of the year and seriously start the talks," she said, cited by AFP. [emphasis added]

The Guardian has more info on Reding's recent trip to Washington.

I am collecting all publicly available documents on the data protection agreement here.

Thursday, September 30, 2010

UK sued at European Court of Justice over Deep Packet Inspection

The United Kingdom has just been sued by the European Commission because of the lack of data protection enforcement over companies that do Deep Packet Inspection. The trigger that had started the infringement procedure was the Phorm case around DPI-based targeted advertising, but the Commission seems to be annoyed in general by the lack of rules and enforcement on telecommunications privacy. Phorm has already closed its operations in the UK as far as I know.

So this is the first case at the European Court of Justice that involves DPI, and the first time a whole country has been sued over being too lax about DPI - as far as I am aware.

European Commission press release from today

Update: More links to legal aspects at JURIST Paperchase.

Tuesday, August 24, 2010

APSA Paper on Deep Packet Inspection

As a result of my previous research project at TU Delft, my former supervisor Milton Mueller and I have co-authored a paper on Deep Packet Inspection for the upcoming convention of the American Political Science Association (APSA):
The End of the Net as We Know it? Deep Packet Inspection and Internet Governance
I will not be able to attend the meeting because of the duties in my new job in the European Parliament, but Milton will be there and present our work. For those of you at APSA or in Washington DC next week, it should be an interesting panel in general: "Global Information Technology Issues: Policy, Politics, & Methods", 2nd September, 14:00 to 15:45, Marriott Wilson Hotel, room B.

Side note: Because APSA is now using the Social Science Research Network (SSRN) as their paper repository, you get all kinds of information on the usage of your papers. Ours, it turned out, made it to the top ten downloads for the SSRN e-journal "Journal of Entrepreneurship, Innovation, & Growth" under whose umbrella the paper was posted. Interesting, though I have to confess I had never heard of that journal before.

Wednesday, June 30, 2010

New SWIFT / TFTP Agreement still has Massive Weaknesses

The new agreement on the transfer of banking data from the EU to the US Department of Treasury's Terrorist Finance Tracking Programme (TFTP), informally called "SWIFT agreement", was adopted by Council on Monday 28 June 2010 at 10:00 in written procedure. Minor details: Even the German liberal Minister of Justice, who had fought the agreement wildly in November, gave in. So now, even Germany did not abstain (which they normally do when the coalition cannot agree), but instead voted in favour. France abstained in Council, but only because they did not get the required consent from the national assembly in time.

The agreement was signed on the same day at 12:30 by the Spanish Homeland Minister Alfredo Pérez Rubalcaba, the EU Home Affairs Commissioner Cecilia Malmström, and the US Ambassador to the EU, William Kennard. Spain had pushed hard to achieve this during the last days of their EU Council presidency.

The agreement will now be rushed through the next EP plenary session in Strasbourg (5-8 July) with an extraordinary session of the LIBE committee there on Monday and the plenary vote on Wednesday or Thursday. EPP was long planning to accept it, and over the last few days S&D and ALDE have completely given in. They even try to sell it as a success, though there are no real substantial improvements compared to the agreement from November which the EP voted down in February. Only the Green and Left groups in the Parliament still stick to their principles and to previous EP resolutions on this matter and will vote against it.

All documents are already on Statewatch:

Main points of critique still remain:
  • Bulk data transfers of unsuspicious EU citizens still systematically built-in (the "tailored as narrowly as possible" is a joke, because they can only filter the data by a few criteria, such as country & day).
  • Retention periods still 5 years (probably in breach of the German Constitutional Court's decision on data retention in March).
  • There is no clear sunset clause or conditioning of the agreement on data extraction on EU soil. The clause "EU shall consider whether to renew the agreement" if there is no extraction on EU soil after 5 years is a joke, because it automatically extends for one year each if nothing happens. It does not have to be renewed, it has to be actively terminated.
  • There is no binding legal redress mechanism. The US government guarantees that they will treat EU citizens equally in administrative procedures, but there is still a hole in the juridical redress, because the US Privacy Act court clauses only apply to US citizens and legal residents. The agreement is not conditioned upon the US changing their law here.
  • The role of Europol is a total mess on several levels:
    a) Europol is supposed to authorize data transfer requests from the US. This derogates from the demand of the EP in its May 2010 resolution to have a judicial authority do this.
    b) Europol can now itself request data searches from the US, which reduces their incentive to limit the transferred amount of data in the first place to exactly zero.
    c) UK, Ireland and Denmark have opt-in clauses on Europol. If they don't participate here, the whole agreement will not apply to their "territory". It's totally unclear what that means: Can SWIFT (based in BE, servers in NL and CH) still transfer data, even if it concerns citizens of these three countries? Is this happening with or without Europol then? Who would do the authorization instead if Europol did not do it?
    d) The consent of the EP to the agreement extends the mandate of Europol and might therefore imply a "Lisbonization" of the agency - which of course should be done under ordinary legislative procedure, not just by saying "yes" or "no". The Council explanations ("no Lisbonization") are not necessarily convincing. There may be a legal challenge based on this.
  • The fundamental issue of proportionality is still not solved: Just seeing the data as useful for police and intelligence work does not suffice to legitimate these massive data transfers. Instead, there has to be fact-based evidence that there is a clear and imminent danger to the lives and limbs of people or to the existence of the state which cannot be fought with less intrusive and much narrower means. A general risk of terrorist activity is not sufficient to give up our civil liberties.
For the old agreement from 2009, see: SWIFT Agreement Not in Line with European Parliament's Demands.