Tuesday, May 18, 2004

The Guardian is reporting that now that the EU council of foreign ministers has rubber stamped the Commission agreement to hand over airline passenger data to the US, the EU parliament's European Court of Justice challenge to the deal is rendered invalid.

Surely that can't be right? The processes involved need a serious review if it is. I don't care whether you're one of Jerry Kang's 'market' or 'dignity' ideologists in the privacy debate; allowing the circus of ministers to nod through an agreement to bypass that kind of ECJ challenge on principle doesn't work for me.

How does it stack against Kang's questions?

a) Who gets the initial entitlement? Well, it's a get out of jail card for the airlines who were caught between large US fines for not sharing data for homeland security and large EU fines for breaching data protection rules. On ideologies it's a nod to the market and the war on terrorism. The individual gets relegated to the choice of not flying if they don't want personal data transferred.

b) How will the choices get made? How is it ensured that the decision-maker is fortified to do it well/effectively? I don't see much fortification for the individual here. How, for example, can someone correct errors that may occur and accumulate? How can an individual opt out? The only way I can see is as above - don't fly.

c) What are the societal overrides? What are the allowable contexts within which we can override the rights/market actions of individuals? How to pick/adjudicate/etc. The article says "dietary requirements that could reveal religion, race or health" will not be included in the data transfers. We don't have any further detailed information on the small print here. One important 'how to' process - the ECJ challenge - would appear to have been neutered?

d) How much supporting information infrastructure is needed to enforce? Quite a lot from a technical perspective alone, and this is rapidly evolving on both sides of the Atlantic with no-fly lists and CAPPS II, for example. There are lots of issues of substance related to the development and deployment of these infrastructures alone, e.g. the design, collection rules, access rules, maintenance, error correction, identification, authentication, restrictive purpose, function creep etc.

Prof Kang would like us to explore issues of substance on all four questions rather than getting distracted by unproductive ideology. As he says, the key thing is the "fortifying of the individual", i.e. can you say yes (or no)?

That's an off the top of the head application of the Kang framework, so don't look too closely for holes.

Privacy International have been pretty quick to respond by updating their comprehensive report on the subject. They are disgusted.

"This report outlines how the European Commission failed outright at protecting EU interests and upholding EU laws within the negotiations with the U.S. Government. As a result, the U.S. Government managed to get the Commission to concede European privacy rights and burdening EU carriers, even while U.S. carriers and U.S. citizens are exempt from these rules..."

The report goes on to say that:

The US Dept for Homeland Security gets access to data from EU airlines but does not require similar access to US airline databases.

The US therefore gets to test CAPPS II with EU data. (The Commission "believe" that the data will be removed from CAPPS II when the tests are complete. The actual agreement with the US is silent on this point).

The Commission is contemplating a central EU database to make the transfer of this data to the US easier.

The Commission wants EU law changed to allow law enforcement access to airline passenger data.

The Commission want access to US airline passenger data but have not negotiated this yet (currently there don't seem to be any grounds in US law to allow such transfers).

The Commission are supporting a global airline passenger surveillance system through the International Civil Aviation Organisation.

The report goes on to say that the case for collecting all this information has never been made and that it is neither necessary nor proportionate (especially the collection of information in the pretence that it is to combat terrorism, when it will also be used for other purposes).

It certainly paints the EU delegation as pretty poor negotiators at best or active conspirators in the dismantling of the EU's proud privacy-as-fundamental-right (or as Prof Kang would call them, 'dignity') principles at worst.
