Canadian prevented from flying because name was on US no fly list

The Economist reports that a British man was prevented from flying home from Canada because his name was on America’s no-fly list. Dawood Hepplewhite was not allowed to board his Air Transat flight from Toronto on February 13th when it was discovered that he was among the 8,000 to 10,000 people prohibited by the US from flying over its airspace. Even though Canadian airlines are not under any legal obligation to give passenger information to the US, Mr Hepplewhite was subsequently denied flights on Air Canada and British Airways.

It’s unclear how Mr Hepplewhite’s name was given to American authorities. Under existing Canadian privacy legislation, Canadian companies are not supposed to supply customer information to foreign governments. But that will change if a piece of Canadian legislation known as Bill C42, now in its third reading in the House of Commons, is passed. The bill puts in an exemption to the country’s privacy laws that will allow airlines to divulge passenger information to the US, essentially giving American authorities the final say on which passengers will be allowed on flights due to pass over American airspace.

The Canadian Civil Liberties Association has “serious concerns about the lack of legal safeguards in Bill C42” and also about the no-fly list’s fairness and the listing process in general. “If a person believes they were wrongfully placed on the US No Fly List, it is apparently very difficult to find out why they were placed on the list, and difficult to get their name off of the list,” the association said. The American Civil Liberties Union, meanwhile, has brought a lawsuit challenging the no-fly list as “unconstitutional” and “un-American”.

Two fundamental privacy problems with the SWIFT agreement and Europol’s role in it?

EUROPOL’s Joint Supervisory Body recently performed its first inspection at Europol regarding the TFTP Agreement, which entered into force in August 2010. The TFTP Agreement gave the JSB a new task – to monitor whether Europol respects the provisions of personal data protection principles in the TFTP Agreement when deciding on the admissibility of the US’ requests to SWIFT. Europol is tasked with verifying whether the US’ requests are proportionate and necessary – according to conditions laid down in the TFTP Agreement. Europol can therefore approve or deny the transfer of SWIFT data to the US.

Under Article 34(1)3 of the Europol Council Decision, the JSB is tasked with reviewing Europol’s activities in order to ensure that individuals’ rights are not violated by the storage, processing or use of data held by Europol.

At its meeting of 11 October 2010, the JSB mandated a team to inspect Europol’s implementation of the TFTP Agreement, including all related items. The inspection took place in November 2010.

The inspection team found that some data protection requirements were not being met. The most important finding of the inspection was that the written requests Europol received were not specific enough to allow it to decide whether to approve or deny them. It was found that the US requests were too general and too abstract to allow proper evaluation of the necessity of the requested data transfers. Despite this, Europol approved each request it received. One of the JSB’s recommendations is, therefore, that Europol should contact the US Treasury Department to ensure that all future requests for SWIFT data comply with the criteria set out in the TFTP Agreement. The JSB concluded that proper verification of whether the requests are in line with the TFTP Agreement – on the basis of the available documentation – is impossible.

Europol advised that orally-provided information plays a role in its verification of each request. This information is provided to certain Europol officials with the stipulation that no record is made. This kind of procedure prevents JSB from checking whether Europol could have rightly come to its decisions. The JSB was therefore unable to evaluate whether the amount of data transferred to the US from SWIFT was proportionate and necessary, as required by the TFTP Agreement. The significant involvement of oral information renders proper internal and external audit, by Europol’s Data Protection Office and the JSB respectively, impossible.

The report was a cause of concern at the European Parliament. MEP Alexander Alvaro said:

“As Members of Parliament we feel betrayed reading this report. We voted in favour [of this agreement last year] in the trust that both parties would apply the adopted agreement”, which “concerns the transfer of sensitive data belonging to our citizens”, he stressed, adding that “the credibility of Parliament and of this committee are being jeopardised. This is about trust and confidence of the public in what the EU did and is capable of doing here”.

MEPs also criticized Europol’s role in supervising the agreement:

Entrusting this task to Europol “is like putting the fox in charge of the chicken coop” said Sarah Ludford (ALDE, UK). Several MEPs questioned Europol’s credibility, given that it transfers data in response to oral requests by the US authorities. MEPs asked the Director of Europol to come to the committee to explain his views on this.

“Europol should not have been the body to oversee this – we all underlined at the time that Europol should not have been entrusted with this role”, said Stavros Lambrinidis (S&D, EL), adding that the fact that the agency only has 48 hours to answer requests would only make sense if they are “super duper”, which does not always seem to be the case.

Rui Tavares (GUE/NGL, PT) considered this a bad precedent for further agreements in this area. He stressed that Parliament must have access to the full report, including the classified sections. “We might have to engage in another battle for access to documents, but we are used to that”, he added.

National data protection commissioners weighed in as well. Here’s German Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar:

Even the very rudimentary public part of the inspection report confirms my fears. There are huge shortcomings. Political authorities at European and national level must immediately ensure that the shortcomings that were found will be eliminated. In Peter Schaar’s opinion, the findings of the inspection focus on the question already critically asked prior to the Agreement: Can and will Europol perform the assigned watchdog function properly at all?

One week later a second control mechanism seems to have failed. According to Article 15 of the SWIFT agreement, every EU citizen has the right to know if American authorities had access to personal banking data and if so, which authorities received that information.

For the past six months, Alexander Alvaro, a member of European Parliament from Germany’s Free Democrats, has been doing a test in an attempt to obtain the information to which he is entitled from German authorities. The result:

“The German authorities have not yet been able to find out whether data has been accessed at all. As such, the rights of EU citizens on correction, deletion or blockage of the data are being violated.”

Read the full story at Der Spiegel.

The always nuanced Stewart Baker has another take on the issue though:

European Governments Screw Up; US To Suffer Consequences

That seems to be the theme of this article from the ever-predictable Der Spiegel, which recites a bunch of alleged failures by the German government in implementing the SWIFT data agreement, then raises the prospect of suspending the agreement, thereby cutting off US access to some financial data and making the world safer for funders of terrorism.

All in all, it seems clear that Europol is not the main culprit in this case. Europol has discharged its responsibilities as foreseen by the TFTP Agreement and implemented the necessary provisions correctly. The key recommendation in the Final JSB Inspection Report seeks to motivate the US Department of the Treasury to provide even more written documentation to Europol to carry out its verification role under Article 4. This is very similar to the findings and recommendations recorded by the review team. Read the Commission’s full assessment here.

EU Commission Proposes Mandatory Transfer of Passenger Name Records

The European Commission has proposed a Passenger Name Record Directive that would require airlines to provide EU Member States with data on passengers arriving from, or departing to, countries outside the EU. Under the proposal, copies of such PNR data held on an airline’s reservation system would be transferred to a dedicated “Passenger Information Unit” in the Member State of arrival or departure, for the purpose of fighting serious crime and terrorism. The Passenger Information Unit would be an authority (or a branch of an authority) with responsibility for preventing, detecting, investigating or prosecuting such offences. The Directive would also require the Commission to undertake a study on applying these PNR transfer requirements to internal EU flights.

Statewatch analysis here.

Freedom of expression and privacy risks across the ICT sector

The BSR report ‘Protecting Human Rights in the digital age’ describes the evolving freedom of expression and privacy risks faced by information and communications technology (ICT) companies and how these risks can be more effectively mitigated by the industry. It focuses on the issues for telecommunications services; cell phones and mobile devices; internet services; enterprise software, data storage and IT services; semiconductors and chips; network equipment; consumer electronics; and security software.

CoE Secretary General Speech on the right to privacy

In his speech the SG stressed the importance of new social media, but he said that they have ‘changed our understanding of privacy’.

The fact is that the line between public life and private life is on the move, and if we do not act, this line will disappear.

Today, privacy is challenged, more than ever before in the history of mankind. Information and Communication Technologies have developed in such a way that information about us is constantly being recorded, communicated, stored and analysed, often without our knowledge, let alone our consent.

We easily overlook the fact that every action involving technology is recorded somewhere. We should remind ourselves that our way of life interferes with privacy. There is a “Big Brother” watching you almost everywhere you go!

Reflecting on this phenomenon, a statement from the Ministers of Justice from the 47 member states of the Council of Europe last year concluded that: “Modern information and communication technologies enable observation, storage and analysis of most day-to-day human activities, more easily, rapidly and invisibly than ever before”, but it also warned that this potentially creates a feeling of being permanently watched, which may impair the free exercise of human rights and fundamental freedoms.

Council of Europe: need for a global consideration of the human rights implications of biometrics

The CoE’s Committee on Legal Affairs and Human Rights is “increasingly concerned about the rapid and uncontrolled development of biometric technologies”. It stresses the need to strike an appropriate balance between security and the protection of human rights and fundamental freedoms, especially the right to privacy. In its report, the Committee says:

Given that at European level the legal framework regarding the use of biometric data remains vague, Council of Europe member states should take further measures to improve it. In particular, they should adopt specific legislation in this area, produce a standardised definition of “biometric data”, put in place supervisory bodies and promote multi-disciplinary research.

The Committee of Ministers could, amongst other things, revise the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in order to adapt it to the challenges stemming from the development of biometric technologies.

Tightening links between the external and internal aspects of EU security

A note from the Hungarian EU presidency to the Standing Committee on operational cooperation on internal security (COSI) describes the desires of the Presidency to tighten the links between the external and internal aspects of EU security. On the list are:

* Enhancing the exchange of personal and strategic information and criminal intelligence between EU civilian crisis management missions and relevant EU agencies, namely Europol, Eurojust and Frontex. How can data-sharing be enhanced in a context where civilian CSDP missions have no legal personality, information is often classified, Frontex is not allowed to exchange personal data, and only some of Europol’s formal agreements with third countries extend to the sharing of personal data?

* Involving JHA actors, including COSI and the relevant agencies in the early phase of the planning process, during the conduct and the review process of EU civilian crisis management missions including lessons learned. What are the main political and legal barriers that prevent FSJ actors from contributing to the planning and monitoring of CSDP civilian missions in third countries? How can FSJ actors be involved in the drafting of Crisis Management Concepts (CMC) and Concepts of Operations (CONOPS)?

* Integrating threat and risk assessments supplied by a variety of actors. The EU has an excellent opportunity to utilise its current resources; crisis management missions, both civilian and military, have been developing their analysis capabilities, and it is suggested developing a toolkit to support the implementation of an ILP process in host countries where civilian CSDP missions are deployed. How can the various intelligence products supplied by specialised actors and agencies, such as SITCEN’s country and thematic reports, EUROPOL’s (S)OCTAs and TE-SAT reports, FRONTEX’s risk assessments and the Mission Analytical Capabilities’ (MAC) assessments, be streamlined so that actors dealing with the internal and external aspects of European security have access to the relevant information? How does the confidentiality of reporting affect actors’ access to such products?

* Advocating the interests of CSDP and FSJ actors in the EU’s changing data protection landscape. Article 16 of the TFEU on data protection applies fully to the former first and third pillars, i.e. the internal market and police and judicial cooperation in criminal matters, but it only partially covers the CFSP area, including the CSDP. Europol, Eurojust and Frontex have their own data protection supervisory mechanisms. In view of the Commission’s intention to issue in 2011 a proposal on a comprehensive new legal framework on the protection of personal data in the EU, how will the EU’s changing legal landscape affect the exchange of personal data between CSDP and JHA actors?

Another note from the General Council secretariat to COSI includes an interesting report on the cooperation between JHA agencies in 2010. The agencies prepared a report focusing on ‘future cooperation and improvements’ in 2010, and used a scorecard to implement the provisions of this report.

The scorecard includes some interesting potential points of further cooperation, especially from the point of sharing of classified information between agencies.

1. Exploring the possible use of the secure communication link between Eurojust and Europol for the exchange of information between Eurojust national desks and Europol Liaison Bureaux. Eurojust is now exploring the possibility of exchanging information directly via a SIENA account. Europol offered Eurojust the possibility to install mailboxes for 27 Liaison Bureaux for Eurojust’s direct information exchange via SIENA.

2. Undertaking the necessary steps for a possible exchange of classified information above the level of ‘restricted’. In this context progress has been made between Europol and Eurojust to agree on a table of equivalence to exchange classified information above the level of ‘EU restricted’.

3. Frontex is implementing a Secure Area Network for up to the level of EU RESTRICTED, which is foreseen to implement the handling of classified information as of beginning of 2011. Once the network is stable and all the relevant applications are installed, the next step is to interconnect the network with Member States and third parties, such as Europol, which is foreseen to be fully available by May 2011. Europol has suggested Frontex consider the possibility of becoming part of, or that they make use of, the existing accredited Europol network, which provides a secure communication channel with Member States.

Frontex was subject to an EC/Council security inspection in September 2010: The exchange of information at level RESTRICTED can be permitted between SGC and Frontex or EC and Frontex. The fact that Frontex has implemented all the security measures to properly process RESTRICTED information was recognised by Europol even at an earlier stage. The cooperation agreement between Europol and Frontex, signed on 29 March 2008, approves the exchange of classified information at a RESTRICTED level.

Exchange of CONFIDENTIAL or above should only be envisaged after the recommendations are implemented. Recommendations were accepted by Frontex and are in the implementation phase. Frontex expects to be ready for the second EC/Council security inspection at the beginning of 2011. The outcome of the inspection may be used for concluding an agreement with Europol for exchanging classified information at level CONFIDENTIEL UE or higher.

Russian Federation Invests in Enhanced Surveillance

On January 28, 2011, Russian media outlets reported that on January 11, 2011, the government had issued a resolution approving a two-year program of investing in high technology in the field of security. The program, which was recommended by the President’s Commission on Modernization and Technological Development, entrusts the FSB with the responsibility of spending 633 million RUB (approximately US$30 million) in order to develop methods and equipment for advanced surveillance.

The program consists of two parts: voice biometrics, which is focused on voice synthesis and identification and better understanding of vocal messages transmitted by technical means; and automatic video recognition aimed at mechanical discerning of targets in real time. A database of targets, associated personal images, and identified voices must be created by 2012. Placing the FSB in charge of this program was viewed by Russian commentators as a further expansion of this secret service’s authority, in line with allowing it to conduct independent genetic analysis of remains allegedly belonging to terrorists and of those who have been identified as relatives of terrorists (id.). At present, independent forensic centers are performing these tasks. A relevant amendment to the FSB Law was introduced in the State Duma. (Bill No. 493009-5, submitted on Jan. 27, 2011.)

New European Commission proposal on the use of PNR data in the fight against terrorism

The proposal aims to harmonise Member States’ provisions on obligations for air carriers, operating flights between a third country and the territory of at least one Member State, to transmit PNR data to the competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. It does not require air carriers to collect any additional information from passengers or to retain any data, nor does it require passengers to provide any data in addition to that already being provided to air carriers.

According to the Commission, the necessity of using PNR data, in a limited manner and subject to strict data protection guarantees, is supported by a number of factual elements, as reflected in the Impact Assessment.
(Summary of the impact assessment here.)

Under the proposal, intra-EU flights will not be covered for now, but “the commission is likely to propose that such a step may be taken into consideration in a few years’ time, if member states so require.”

The negotiations on the PNR proposal are expected to last two years.

NGO report claims that data retention in Germany is not effective

According to the report:

With data retention in effect, more serious criminal acts (2009: 1,422,968) were registered by police than before (2007: 1,359,102), and serious offences were cleared less often (2009: 76.3%) than before the retention of all communications data (2007: 77.6%).

User avoidance behaviour can explain the counterproductive effects of blanket data retention on the investigation of crime: In order to avoid the recording of sensitive information under a blanket data retention scheme, users begin to employ Internet cafés, wireless Internet access points, anonymization services, public telephones, unregistered mobile telephone cards, nonelectronic communications channels and such like. This avoidance behaviour can not only render retained data meaningless but also frustrate more targeted investigation techniques that would otherwise have been available to law enforcement. Blanket data retention can thus be counterproductive to criminal investigations, facilitating some, but rendering many more futile.