thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, June 15, 2011

EU Fundamental Rights Agency: EU-PNR Directive not good

The Fundamental Rights Agency of the European Union (FRA) has finished its opinion on the proposed directive for an EU-PNR system for the retention and mass analysis of flight passenger data. It had been asked for this opinion by the Civil Liberties Committee of the European Parliament in March 2011, on the initiative of the Greens/EFA group.

I provide a summary of the most important findings below. A summary in their own words is on page 20.

Further reading: In the meantime, the legal service of the EU Council has also torn the proposed directive to pieces (German version only, sorry!).

The FRA opinion criticises the proposed PNR directive on the following grounds:

1) Data Protection Violations
FRA shares the concerns published by the European Data Protection Supervisor (EDPS) and the Article 29 Working Party. The FRA opinion is therefore meant to complement them and only touches on issues that are not addressed by the data protection bodies:
"In general, the FRA shares these analysis and opinions and takes them as a point of departure. This FRA opinion complements and adds to the opinions of the EDPS and the Article 29 Working Group by focusing on topics from a broader fundamental rights perspective." (p. 5)
2) Ban of Discrimination not sufficiently respected

a) Discriminatory Profiling based on sensitive Data: The directive would have to exclude many more categories than the ones listed in articles 5 and 11. The Commission did not cover the following categories in its proposal, though they are protected under EU law:
"[I only list the ones not covered by the proposed directive, RB] sex, colour, social origin, genetic features, language, any other opinion (beyond political views), membership of a national minority, property, birth, disability, age" (p. 7)
b) Indirect Discrimination based on Profiling for Other Data: This would also be prohibited, but is not prohibited by the proposed directive. It includes all data categories that are not covered by a) (p. 9). To me it reads like a cautiously written general ban on profiling, because any data category can be used for discrimination. Surveillance studies scholars called profiling "digital discrimination" years ago.
An example by analogy: Discrimination based on language or nationality or religion is banned, but if someone travels from Islamabad to Mecca once a year, you can assume he or she is Muslim. This would be prohibited.

3) Clarity of the law is not given:
"Individual passengers may be generally aware that their flight details are being recorded and exchanged but will typically know neither the assessment criteria applied nor whether or not they have been flagged by the system for further scrutiny. Therefore, any measure giving the authorities power to interfere with fundamental rights should contain explicit, detailed provisions" (p. 12)
This clarity is lacking because of

a) Generic clauses such as "general remarks (...) such as" in the description of the data transmitted, retained and analysed (item 12 in the annex to the proposed directive, see p. 13 of FRA opinion). The types of data are also not limited:
"The explanatory text within the brackets also indicates solely what kind of information is included, but does not limit the data to be collected. This might possibly permit unlimited information gathering and transfer and, therefore, might not be justified by the purpose of the PNR system" (p. 13)
b) Purpose Limitation is lacking:
"The definition of serious crime included in Article 2 (h) includes an open formulation: (...) the discretion the proposal grants Member States to decide which crimes are covered and which are not seems unnecessarily broad." (p. 14)
c) Data Matching is unspecified:
"Article 4 (2) (b) states that “the Passenger Information Unit may compare PNR data against relevant databases, including international or national databases or national mirrors of Union databases, where they are established on the basis of Union law, on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such files.” This provision allows for matching PNR data ‘with undetermined databases’. Because the databases are not specified, the use of PNR data might not reach the required level of foreseeability" (p. 14)
4) No Proof of Necessity:
"The FRA is aware that further evidence proving the necessity of a PNR system might exist beyond what was disclosed." (p. 15)
In plain English: Do your homework! (Fun fact: The Commission currently has the same problem with regard to the evaluation of the data retention directive 2006/24/EC, where they were not able to prove the necessity based on hard data.)

5) False Positives / Repression against Innocent People
"The examples provided by the European Commission relate only to cases in which PNR data were successfully used in the course of investigations. For a more complete picture, it would also be necessary to analyse those cases in which the use of data proved to be misleading and led to the investigation of innocent people. Such a case is included by the European Union Committee of the UK House of Lords in its 2007 report on the EU/US Passenger Name Record (PNR) Agreement: the case of Maher Arar." (p. 16)
6) Proportionality of Applying the Measures to all Passengers: The FRA quotes at length from rulings by the German Constitutional Court etc., and then concludes:
"The FRA suggests for proportionality reasons to include an explicit obligation in the proposal to make every reasonable effort to define assessment criteria in a manner which ensures that as few innocent people as possible are flagged by the system. This aspect could also play an important role for the review envisaged in Article 17 of the proposal which states that special attention should be given in the course of the review to “the quality of the assessments”." (p. 18)
7) Effective Oversight unclear: Any data protection oversight must be fully independent and must have powers of investigation and binding rulings, which apparently is not clear from the proposed directive draft. (p. 19f)

Tuesday, June 07, 2011

Conservative hardliner admits: lack of data retention has no impact on crime clearance rate

Uwe Schünemann, conservative home affairs minister of the German Land of Lower Saxony, admits in a response to a parliamentary question:
Erhebliche Auswirkungen im Hinblick auf die Aufklärungsquote bei Straftaten, die im Zusammenhang mit dem Tatmittel Internet begangen wurden, sind für das Jahr 2010 nicht festzustellen.
English translation:
Significant impact in terms of the clearance rate for crimes that were committed in connection with the Internet for the year 2010 cannot be determined.
After a constitutional court ruling, Germany has had no data retention in place since 2nd of March 2010.

Fun fact I: Schünemann just received a Big Brother Award in Germany for the second time. German laudation here.

Fun fact II: The question came from Social Democrats. This is the party that was crucial for adopting data retention in the EU in 2005 and then later in Germany. They have been losing so many votes in recent years (of course also for factors not related to privacy) that they seem to be moving in the right direction again. Hopefully.

Battle over Passenger Data is heating up

In late May 2011, the new draft agreements on the transfer and retention of air passenger data between the EU and the United States and between the EU and Australia respectively were leaked to the public. The re-negotiation of the agreements from 2007, which have since then been provisionally applied, had become necessary after the European Parliament refused to vote on them in May 2010.

The new agreements do not substantially improve the situation compared with the old ones. They both require that data of air passengers is transferred to public authorities (DHS in the US, Customs and Border Protection in Australia) ahead of a flight; they allow for profiling, i.e. the use of data for sorting passengers into risk categories based on pre-defined and secret criteria without an initial suspicion or criminal lead; and they allow for retention of the data up to 5.5 (Australia) and 15 (US) years. There are also provisions for onward transfer of the data to third agencies and countries.

The agreement with the US met heavy criticism both among EU member states as well as among Members of the European Parliament and from civil society, and provoked an emergency reaction from the UK Justice secretary as well as the US ambassador to the EU. At the moment, there are talks with the negotiator (DG Home Affairs of the European Commission) to re-open the text, though improvements have been made very unlikely by a recent resolution of the US Senate that rejects European privacy demands.

The agreement with Australia is less prominent, but still highly relevant. There is a small blocking minority in the Council, consisting of Germany, France, Belgium, Czech Republic, Ireland, Austria and Portugal, that is mainly concerned about the provisions on transfer to third countries, and sometimes about the retention periods (Germany, France). The Commission is not willing to re-negotiate, though. The Council of Justice and Home Affairs Ministers on 9th/10th June might overcome the blocking minority and the parliamentary reservations from some countries, and adopt the agreement. At the moment, a veto in the European Parliament is unlikely. In the worst case, the Australia agreement may be concluded before the summer break, opening the floodgates for other such agreements and, for the first time, accepting profiling and preventive policing.

Privacy activists from EDRi members Mensenrechten.be, Digitale Gesellschaft and FoeBuD, as well as from EDRi observer AK Vorrat and other groups, met in Brussels from 27th to 30th May to do a legal, technical and political analysis, coordinate their short-term work and plan for long-term collaboration with others. A mailing list will be set up shortly.

Comprehensive PNR Wiki: http://wiki.vorratsdatenspeicherung.de/Passenger_Name_Record