28 March 2012
did agree that PNR data can be used for CAPPS II testing, but
the question is why?
- contrary to Mr Bolkestein's claim a whole host of US agencies will have access to the data
- lifetime travel dossiers to be created and held for 100 years on every traveller
Tony Bunyan, Statewatch editor, comments:
very hard to see how the Commission can come to the conclusion
that the safeguards on access to PNR data are "adequate"
under Article 25 of the EC Directive on Data Protection. All
the evidence coming out of the USA shows that this data will
be: accessed by a multitude of agencies, is intended to be integrated
into the US-VISIT and CAPPS II projects, and will be used to
create lifetime travel dossiers on everyone flying to and travelling
within the USA."
The record of the meeting of the European Parliament's Committee on Citizens Freedoms and Rights on 16 December 2003 shows that EU Commissioner Bolkestein told the parliament that:
"We have agreed to run a trial, to make a trial run on CAPPS II, but this data will be immediately destroyed and any further exercise involving CAPPS II will be subject to a new and separate agreement"
CAPPS II is the Computer Assisted Passenger Pre-Screening System. This corrects our earlier story (USA to use EU PNR data for CAPPS II testing despite assurances the agreement would not cover it). The confusion arose because until 16 December - the day the agreement was signed - Bolkestein had said that the agreement on the transfer of PNR data to the US was, in part, on the understanding that: "The arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II)." Although the data collected during the "trials" may not be retained by the CAPPS II project or the US Department of Homeland Security it will be retained by the airline computer reservation systems indefinitely. The question remains as to why did the Commissioner agree to this and is a matter that the European Parliament may choose to raise when the formal agreement is put before it in February.
However, replies by two Commissioners to questions put by MEPs on the Committee reveal other, deeper, problems. Commissioner de Palacio made the extraordinary statement that "the United States actually have a data protection system as well as a system for the protection of privacy". The USA does not have a data protection law and its Privacy Law only protects US citizens' rights not those of foreigners.
Commissioner Bolkestein also told the Committee that:
"only the Department of Homeland Security, not other agencies"
would get access to passenger data unless there was a court order. This statement is incorrect. The US-VISIT Program, Increment 1, Privacy Impact Assessment (dated 18.12.03) says that the information will be accessed by:
"employees of DHS components - Customs and Border Protection, Immigration and Customs Enforcement, Citizenship and Immigration Services and the Transportation Security Administration"
The US-VISIT report adds that access will also be given to:
"consular officers of the State Department. Additionally, the information may be shared with other law enforcement agencies at the federal level, state, local, foreign or tribal level, who in accordance with their responsibilities, are lawfully engaged in collecting law enforcement intelligence information (whether civil or criminal)"
Thus numerous US agencies, at all levels, will "share" the information and add their own observations. During the negotiations on data protection clauses in the EU-USA agreements on extradition and judicial cooperation the US side admitted that they had no idea how many law enforcement agencies would have access to data collected from airlines computer reservations systems (CRS) in the EU.
The data to be collected under the US-VISIT programme is wider than the 34 categories of data which have to be supplied under the US PNR "requirements". It will also include "complete US address" and "for the first time, a photograph and fingerprints". Moreover, an individual who "declines to provide biometrics is inadmissible to the United States".
The US-VISIT system will "integrate" and allow for exchange of data between three existing US systems:
1. The Arrival and Departure Information System (ADIS)
2. The Passenger Processing Component of the Treasury Enforcement Communications System (TECS) - this has two components: the Interagency Border Inspection System (IBIS) that interfaces with Interpol and the US National Crime Information Center (NCIC) databases and second, the Advance Passenger Information System (APIS).
3. Automated Biometric Identification System (IDENT)
These systems are being changed to "accommodate additional data fields, to interface with other systems, and to generate various types of report based on the stored data" and interfaces to "facilitate the transfer of biometric information from IDENT to ADIS and from ADIS to TECS".
The data will be used to "enhance the security of American citizens, permanent residents and visitors" by identifying those "known to pose a threat or are suspected of posing a threat to the security of the US" or who "violate the terms of their admission to the USA" - it is unclear what these "terms" are.
CAPPS II will replace the existing system under which passengers to be subject to additional screening found "SSS" or "***" on both portions of their boarding ticket. Armed with the PNR (Passenger Name Record) of all passengers leaving the EU their data will be checked first against state records and commercial databases and then against wanted criminals and suspected terrorists in security and intelligence databases. The results will then be used to give all airline passengers, both travelling to and already inside the USA, a number and a colour ranking their perceived threat. "Red" will mean denial of boarding, "Yellow" additional screening, questioning or surveillance and "Green" for boarding.
CAPPS II and the US-VISIT programme will also access the biometric identifiers (fingerprints and photos) now taken on entry to the USA for all visitors requiring a visa to enter the country. Although EU citizens are currently exempt as from October 2004 all new passports will be required to carry biometric data.
travel histories to be created and held for up to 100 years
"US-VISIT will be used to maintain a lifetime travel dossier for anyone who ever visits the USA, just as CAPPS-II will enable the maintenance of lifetime travel dossiers on anyone who ever travels by air to, from, or within the USA."
Hasbrouck says that these lifetime travel dossiers make "no sense as a security system, but a lot of sense as a surveillance system".
In addition there are no restrictions in the USA on the use of passenger data held by computerised reservations systems (CRS) who may use it for commercial purposes or give access to state agencies.
Officials in the USA say that negotiations with the EU have already started over the use of PNR data gathered in the CAPPS II system.
The next steps - a formal agreement has to be adopted by the Commission
1. The US-VISIT
Program, Increment 1, Privacy Impact Assessment (dated
2. See also Statewatch's Observatory on PNR
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.