The European Parliament will vote soon on an agreement to formalize US procedures for retaining and providing EU-based Passenger Name Record (PNR) data of EU and US citizens traveling into, out of, and through the United States. The agreement will determine how the Department of Homeland Security (DHS) will be able to use the broad swath of sensitive PNR information that is based in the European Union. PNR data contains a passenger’s travel itinerary and consists of 19 different data metrics ranging from your name and address to your seat number and any general comments made by the ticketing agent. Travel agents, airlines, hotels, car rental companies, and railways collect the data whenever you make a reservation to travel or buy a ticket. The data is stored in central databases called Computer Reservation Systems (CRSs), and is pushed from the CRSs to DHS for passenger screening.

Until now, there has been little press on the agreement as European politicians were not informed of its evolution, were barred from reading the document outside of a "sealed room," and were only briefed by the commissioner responsible for negotiations a week after the commissioner gave public interviews. Edward Hasbrouck, of the US traveler privacy organization Identity Project, leaked an early version of the document late last month.

The draft agreement acknowledges privacy principles found in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and DHS's Fair Information Practice Principles (FIPPs), but relies heavily on DHS and US statutes in order to inform how EU and US citizens can obtain PNR data. Unfortunately, DHS has a poor track record when it comes to respecting travelers’ rights to their PNR data.

Timely Response

Despite an OECD guideline granting the right to obtain data from a data controller, the agreement only compels DHS to respond to a request for PNR data in a "timely" fashion. As of its last privacy report in 2008, DHS admitted that PNR data requests take longer than a year to answer.

As a result of one such delay, Hasbrouck initiated a lawsuit in 2007 to obtain PNR data that DHS refused to disclose. The case is ongoing, but DHS contends that the data and any related procedures for its handling can be withheld under Freedom of Information Act exemptions. A few years later, DHS exempted PNR data under federal regulations published in 2010. That same year, the Associated Press reported that senior political advisers at DHS prolonged FOIA records requests by probing information about the requesters and delaying disclosures deemed "too politically sensitive." These actions seem to contradict the proposed agreement’s requirement of "timely" response.

Equally troubling is citizens’ inability to correct their PNR data. The agreement mandates that DHS inform citizens "without undue delay" whether DHS will correct any mistakes in the data. To correct passenger data, DHS relies on its Traveler Redress Inquiry Program (TRIP), a system that provides citizens with the ability to correct data and file a complaint over difficulties experienced while traveling. TRIP does not allow EU and US citizens to challenge an agency decision in court and is exempted from certain Privacy Act requirements, such as the right to "contest the content of the record."

The proposed agreement uses lofty language about traveler rights, but previous actions by DHS are discouraging. DHS has been slow to release PNR data, barred its release under the Privacy Act, and investigated citizens for requesting the data. If this is the norm for US citizens with explicit legal redress, what will be the norm for EU citizens requesting such data?

The Agreement and U.S. Statutes

The agreement references the Administrative Procedure Act, the Freedom of Information Act, and the Privacy Act as other avenues citizens can use to obtain and correct their PNR data. As shown above, citizens relying on the Privacy Act and the Freedom of Information Act face major obstacles, while the Administrative Procedure Act only allows for disclosure of the exact procedures and rules of the agency, not the actual data.

Even if DHS were to release procedures relating to PNR data, the agency is currently incapable of documenting precise access to PNR data. While DHS’s FIPPs assure the public that DHS will "audit" the use of personal information, and the agreement mandates documenting all access to PNR data, DHS admitted in court that it does not keep precise access logs and that it "would be unable to provide a list of employees who accessed a specific PNR." EFF is skeptical that DHS can or will satisfy the agreement’s mandate of documenting access precisely.

The Outcome

Despite these issues, last week the European Council approved the agreement, which now waits for the consent of the European Parliament. Sadly, the draft agreement focuses on what citizens are entitled to request, but not on what citizens are entitled to receive. EFF is concerned that DHS will continue its practices of failing to give users access to their own PNR data, of unduly delaying responses to data requests, and of failing to keep proper access logs.

EFF is not alone in raising these issues. In April of this year, an independent European advisory body created by the European Commission to comment on the use of PNR data issued a nine-page opinion on EU PNR agreements. The advisory body voiced concerns about the collection of huge amounts of personal passenger data, the length of time the data is kept, and the need to keep strict access logs. As recently as last week, the European Data Protection Supervisor and the German government voiced similar concerns. The issues raised are emblematic of the large gap between the United States’ and the European Union’s approaches to sensitive personal data.

In early December, 21 nonprofit advocacy groups issued a joint letter urging the European Parliament to reject the proposed agreement. They argued that "travelers are not informed which personal data is stored and processed" and "information requests to airlines travel agencies usually answered insufficiently." We echo these concerns and urge the European Parliament to reject the proposal, which does not live up to the standards of the FIPPs and OECD's guidelines for protecting privacy.