Norwegian Research Center for Computers and Law

Privacy and Data Protection: Data protection in a particular context: Civil aviation Olga Mironenko Enerstvedt 13th March 2012

Disposition

• Development of anti-terror security measures • Regulatory framework • Personal data transfer • Body scanners

Background • The right to privacy and data protection are

fundamental human rights. • Effective security must be ensured in the civil

aviation sector. Security measures are intended to keep a high level of security and protect our lives.

• Some security measures have a serious impact on privacy and data protection.

↓ A conflict arises between the use of these security

measures and the protection of these rights.

History

• First flight - 17 December 1903, USA • The first recorded aircraft hijacking - 1930, Peru • First act of air sabotage:

• 10 October 1933, USA • Nitroglycerin bomb • 4 passengers and 3 crew members crashed near Chesterton, Indiana.

Terror against aviation: three phases 1. 1948 - 1968 “Escape from persecutors” 2. 1968 - 2001 “Political phase” 3. Aftermath of 9/11 and recent developments

Apart from terrorist threat:

• serious crime • attacks on the data integrity of

communications networks • attacks on the information and personnel

management systems • chemical, biological, radiological, and

explosive threats, etc.

International regulation overview • Chicago Convention (1944) – establishment of the ICAO • Tokyo Convention (1963) • Hague Convention - “Hijacking Convention” (1970) • Montreal Convention - “Sabotage Convention” (1971) • Chicago Convention, Annex 17 – Security (1974) • Bonn Declaration (1978) • Montreal Supplementary Protocol (1988) • Convention on the Marking of Explosives (1991) • Beijing Convention 2010 (transport of biological, chemical,

and nuclear weapons)

ICAO • established by Chicago Convention (1944) • a specialized agency of the UN charged with

coordinating and regulating international air travel • consists of government representatives of member

states (190) In the security field:

• policy initiatives • audits of its member states • assistance to states that are unable to address

serious security deficiencies highlighted by audits

ICAO • Annex 17:

• the foundations of an international aviation security program and minimum aviation security standards

• each state must have a civil aviation security organization

• each airport and airline must have a security program • ICAO Doc 8973 - the Security Manual for Safeguarding

Civil Aviation Against Acts of Unlawful Interference (Supplementing Annex 17 )

• Legal and technical regulations and procedures to prevent and suppress acts of unlawful interference

• Standards and Recommended Practices (SARPs)

ICAO’s regulations, guidelines and Standards and Recommended Practices (SARPs)

• According to the text they are mandatory for contracting states

• the states are obliged to report about deviations

• BUT there are no enforcement mechanisms ↓

Endeavors to make global standard approaches are facing major challenges

EU Regulation • First common rules in the field of civil aviation

security (Regulation (EC) No 2320/2002) - Now Regulation (EC) No 300/2008

• Regulation (EC) No 272/2009 supplementing the common basic standards on civil aviation security laid down in the Annex to Regulation (EC) No 300/2008

• Regulation (EC) No 185/2010 laying down measures for the implementation of the common basic standards on aviation security

National regulation • UK (EU member): Aviation Security Act (1982),

Airports Act (1986), Aviation and Maritime Security Act (1990), Terrorism Act (2000), Aviation (Offences) Act (2003), etc.

• Norway (EEA member): Aviation Legal Act (1993), Regulation on Security in Aviation (2004)

• USA: The US Aviation and Transportation Security Act (2001), US Homeland Security Act (2002), etc.

International organizations – European Civil Aviation Conference (ECAC) – International Air Transport Association (IATA) – International Air Carrier Association (IACA) – Association of European Airlines (AEA) – European Regions Airlines Association (ERA) – Airports Council International (ACI) – Aviation Security Services Association – International

(ASSA-I) – European Organization for Security (EOS) – Security Industry Association (SIA) – etc.

Security measures as a reaction to past situations

(2)

• 2001 - “shoe bomber” • 2004 - Madrid train bombings – API in the EU • 2006 - liquid explosives • 2007 - car-bomb attacks in Glasgow and

London – Plan of European PNR system • 2009 - “underwear bomber”

Security measures

• Metal detectors • Hand search • Camera surveillance and CCTV • Transfer of data • Profiling • Biometrics • Scanners • ???

Impact on human rights

• Privacy • Personal dignity • Data protection • Freedoms of thought, conscience and religion • Non-discrimination • The rights of child • Impact on health • etc.

Dilemma:

? BALANCE?

?

rights to life and safe travelling

rights to privacy and data protection

need for security privacy-related interests

The solution

• Security measures must be accompanied by strong and adequate safeguards which satisfy and ensure the human rights requirements.

• All aviation security measures should respect the principle of proportionality as justified and necessary in a democratic society.

• In addition to legal norms, the means for ensuring their effective application should be established as well. It is important that all actors implement the regulations, practices and measures.

Personal data transfer • The initial purpose of collecting passenger data by the

airlines is to document commercial air transportation. • 1944 - Chicago Convention. Art.29 requires every

aircraft to carry certain documents, including, for passengers, “a list of their names and places of embarkation and destination”.

• 1990s - Computer Assisted Passenger Prescreening System (CAPPS) in the USA

• 2001- The US Aviation and Transportation Security Act - the Passenger Name Records (PNR) system. All international airlines had to provide the USA with electronic access to data on all travelers registered in the airline's computer system.

(2) • 2003 - CAPPS II • 2004 - Secure Flight • 2004, 2006, 2007 - agreements on PNR transfer

between the EU and the USA • 2004 - API in the EU (Council Directive 2004/82/EC of

29 April 2004) • 2006 - PNR agreement between the EU and Canada, • 2008 - PNR agreement between the EU and Australia • Some countries are also using PNR data (the UK, New

Zealand, South Korea, Japan) • Many European states have enacted primary legislation

on PNR or are testing using PNR data, and other countries are considering the use of PNR

• 2007 - Proposal of the European PNR system

Advanced Passenger Information (API)

Passenger Name Record (PNR)

API Guidelines by WCO, IATA and ICAO (2003)

PNR Data Guidelines by ICAO (2005)

Collected on behalf of governments Airlines collect PNR for their own needs Serve border control and

immigration purposes Initially served commercial purposes

Derive from travel documents information (machine readable zone

of a passport)

All the data that the passenger submits to the reservation system (up to 60 fields). May include

sensitive data. Data cannot be deleted, even if cancelled. The system is not restricted to a

specific flight. Include data on other customers. Contain only validated biographical

data Completeness or accuracy not guaranteed. May not be fully updated on the date of departure.

The data is captured by the carrier prior to the departure

PNR may be created in a reservation system up to 360 days in advance

API records are created for each passenger

May include multiple passengers within the same record; data on several people: traveler,

agent, staff, person paying for the ticket...

PNR transfer between the EU and the USA

• Problems: • The data controller can process personal data only if

processing is compatible with the original purposes of data collection (DPD Article 6)

• The transfer of personal data from the EU/EEA to the countries lacking adequate level of protection is prohibited (DPD Article 25).

Protection afforded by the USA • The USA is not legally bound by any of the international

data protection instruments. • In the USA the right to privacy is protected by common

law mechanisms. • Privacy Act of 1974 protects personal information only

when it is processed by the federal government. • The USA has no general law protecting the privacy of

“commercial” data. • The airlines could allow the US government agencies to

look at the data without the knowledge or consent of the data subjects.

• The USA cannot be considered as a country with adequate level of data protection.

As the result: After the introduction of the new security measures

in the USA, the European airlines found themselves in a difficult situation:

,.

to fly from the EU to the US

refuse to transmit the data, thereby becoming

subject to US authorities’ sanctions

deliver the data in violation of the EU law

?

Solution

• The problem of the lack of adequate level of protection in the USA could be resolved by concluding an agreement, where adequate safeguards could be provided.

• For a contractual provision to provide adequate safeguards, it must satisfactorily compensate for the absence of a general level of adequate protection by including the essential elements of protection which are missing in the particular situation (Article 29 Working Party Opinion 12/98 of 24.07.1998).

PNR Agreement between EU and USA (2004, 2006 and 2007)

• The negotiations were pushy on the US side of the table. • Despite the parties tried to provide “safeguards”, the agreement

failed to offer an adequate level of data protection and left many problems open.

• The agreement was needed ASAP to avoid legal uncertainties for the EU member states, passengers and carriers, thus it was preferable to have an agreement with weaknesses and shortcomings, rather than not to have one at all.

• The agreement was more a political solution than a legal instrument. • The deal provoked widespread privacy and security concerns. • US is still trying to dictate tougher restrictions and get additional data

from EU member states individually.

The weakest points of the Agreement: • legal force and effect • inadequate data protection standards • scope of the agreement uncertainty • lack of purpose limitation • “pull”/”push” system issues • unclear joint review procedure • extended retention period • enlarged list of data fields (19) • sensitive data issues • no clear list of US authorities entitled to access PNR • problem of enforcement of rights by the EU citizens • dependence on change in the US legislation, etc.

Proposed European PNR System • Proposal for Directive on use of PNR data for purposes of

combating terrorism (Brussels, 2.2.2011, COM(2011) 32 final) - First Proposal in 2007, second in 2009. • Decentralized system of data collection • Passenger Information Unit (PIU) as recipient of the data in

each member state • 19 PNR data elements • flights to/from the EU, excluding intra-EU and domestic flights • two data transmissions: one 48 hours before the flight takeoff

and one when the flight has completed boarding • It is not mentioned but EU-USA PNR scheme is used as a

model

Proposed European PNR System (2) • The Proposal fails to demonstrate the necessity and the proportionality

of a system (?) The efficiency of the measures? • Unclear relationship with other measures, such as Electronic System

for Travel Authorization (ESTA), biometrics in passports, Schengen Information System (SIS), Visa Information System (VIS), national border protection schemes.

• The scope of application: “terrorist offences and serious crime”. • PIU can use the data for profiling purposes, may compare PNR data

against “relevant databases”, share with other PIU and agencies. • 30 days of retention, with an additional period of five years in archive • a certain amount of data is “masked out” after 30 days (data is not

anonymised; access to the full PNR data is always available to the Head of the PIU)

• sensitive data issues

Real-world experiences • The request to the US Department for Homeland

Security from a member of European Parliament Sophia In 't Veld to receive PNR information pertaining to her (2007).

• The request to KLM Airlines from an American privacy advocate Edward Hasbrouck to see the records of his trip from the US to the EU and back (2007).

In summary • Air passenger data have already become one of the most

important sources for surveillance in the air traffic. • There are doubts about whether the collection of data is

necessary and adds value to the fight against terrorism/serious crime.

• ICAO’s Guidelines are not binding and they deal insufficiently with data protection issues.

• Even if some protection to human rights is given, it is not necessary effective.

• Political issues and policies which effect the security and privacy regimes greatly. A lot of the decisions and rules are based on political approaches and are therefore more political solutions rather than legal instruments.

BODY SCANNERS • 1992 - The first body scanner was created by

Dr. Steven Smith in the USA - a technology that is capable of detecting objects carried under clothes.

• 2006 - The first airport with body scanners –Schiphol in the Netherlands.

• 25 December 2009 - “underwear bomber”. • The list of airports currently deploying

scanners is constantly growing and includes airports in the USA, the UK, Russia, etc.

• deemed to be one of the technical solutions required to keep a high level of security.

• impact on privacy and data protection as well as other fundamental rights and health.

Technologies: X-ray backscatter Active millimeter wave

Terahertz waves X-ray transmission scanners

Emerging technologies • a millimeter-wave system that would take up less space

and would not require passengers to stop and stand still • integrating the scans devices into airport building

structures, different objects of the checkpoints, etc. • Flight Assistance Security Trolley • 21 feet long “smart tunnel” combining all existing and

imminent security technology, including body scanners and liquid detectors in one place

BUT • over reliance on technology may have a negative effect • technology can never be the “sole solution”, but only a

means of reacting • 100% security can never be achieved

Regulation

• The ICAO does not give any guidance on scanners.

• No common definition of a “body scanner”. • Various terms are in use, such as “security

scanner”, “whole-body scanning”, “advanced imaging technology”, “naked scanners”, “digital strip searchers”, etc.

The USA

• The Transportation Security Administration (TSA) began deploying advanced imaging technology in 2007.

• There are currently 540 imaging technology units at 100 airports.

• By 2014 the USA plans to deploy 1800 scanners in order to gradually introduce them as a primary screening method

• There are several locations already where the scanners are used for primary screening

(2) • 22 April 2009 - the US House of Reps passed “Aircraft

Passenger Whole-Body Limitations Act of 2009”. • A bill introduced in the US Senate in 2010 - Securing

Aircraft From Explosives Responsibly: Advanced Imaging Recognition Act (S.A.F.E.R. A.I.R. Act) makes scanners the primary screening technology by 2013.

• In 2010, the TSA began testing the new software for millimeter wave body scanners

• Opinions of opponents (for ex., the incident in San Diego on 13.11.2010, “Ban the Scan” rally in New York 2011).

EPIC v. DHS • In 2009 and 2010 EPIC filed lawsuits seeking information pertaining

to the TSA body scanner program and to suspend the deployment of body scanners at US airports)

• On 15 July 2011 the appeals court upheld the use of body scanners to screen air travelers in the case EPIC v. DHS (N 10-1157).

• the Video Voyeurism Prevention Act does not apply to any “lawful law enforcement, correctional or intelligence activity”

• No violation of Privacy Act, because the TSA does not maintain data from AIT scanners in any system of records linked to names or any other identifier, nor had EPIC offered any reason to believe that the TSA had attempted to identify the images from any other sources.

• No violation of the Fourth Amendment which guards against unreasonable searches and seizures

• the TSA violated federal law when it installed body scanners in airports without first soliciting public comment (without conducting a “notice-and-comment rulemaking” procedure).

The EU • Commission Regulation (EU) No 1141/2011 of 10

November 2011 allows the use of scanners which do not use ionising radiation

• Before, member states could introduce the use of the scanners either by exercising their right to apply security measures that are more stringent than existing EU requirements (Article 6 of Regulation (EC) 300/2008) or by exercising their right to conduct trials of new technical processes or methods for a maximum period of 30 months (Chapter 12.8 of the annex to Commission Regulation (EU) No 185/2010)

• Formal trials of scanners were undertaken in Finland, the UK, the Netherlands, France, Italy and Germany

(2) • 5 September 2008 the European Commission proposed a

draft regulation including basic screening requirements to be further developed in legislation

• 23 October 2008 – Resolution of the EP requesting the Commission to carry out an impact assessment

• 15 June 2010 - the Commission’s Report which assesses the current situation with regard to the use of security scanning technology in terms of detection capacity, and compliance with fundamental rights and health protection regulations

• 6 July 2011 - EP resolution on aviation security, with a special focus on security scanners (2010/2154(INI)) to allow the full use of body scanners in the EU airports.

Right to privacy European Convention on Human Rights Article 8: • “1. Everyone has the right to respect for his private

and family life, his home and his correspondence • 2. There shall be no interference by a public

authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”

Privacy

Applicability of ECHR Art. 8 (1): • The European Court of Human Rights has given ECHR

Article 8 a very broad interpretation. • The concept of private life includes elements relating to a

person's right to their image. • The mere storing of data relating to the private life of an

individual amounts to an interference.

Safeguards for privacy Con arguments black and white silhouettes with blurred faces and other areas of the body

reveal very sensitive areas of private life and conditions, such as prostheses, breast implants, diapers, menstrual pads…

analysts are in separate rooms abuses

analyst of the same gender

automatic threat recognition can an algorithm replace a human being?

alternative screening methods not all airports have capacity and staff, a full hand search may cause more irritation and is more likely to be rejected

exemptions for the vulnerable groups risks

the image would not be saved and would be destroyed

the breach of privacy is constituted by first the production and then the analysis of the image

the right to privacy can be considered as waived by the passengers since the travelers make agreements with airlines which include security requirements

not all such waivers are automatically effective (ECtHR case law: a waiver, to be successful, must be unequivocal and attended by minimum standards)

Applicability of ECHR Art. 8 (2):

Given applicability of Article 8 (1), it is important to indicate:

• whether the interference is in accordance with the law.

• if the scans satisfy to the legitimate aim, proportionality and necessity principals.

In accordance with the law? • Commission Regulation No 1141/2011 allows the use of scanners

which do not use ionising radiation, but does it have the quality of law? • Gillan and Quinton v. UK (2010): the discretionary powers of stop and

search in the UK Terrorism Act 2000 to be a breach of Article 8, notwithstanding that it was provided for by a statutory measure.

• ECJ in Yassin Abdullah Kadi and Al Barakaat International Foundation v Council and Commission (2008): even provisions with an ostensible basis in European law may yet lack the qualities of law by contravening common European human rights standards and thereby may be contrary to common European law.

• The introduction of body scanners may be regarded as not being “in accordance with the law” if the regime fails to contain sufficient safeguards to protect fundamental rights from arbitrary interference (?).

Legitimate aim, proportionality and necessity? Pro arguments: • The use of the machines is justified and necessary in order

to heighten security measures at airports and better protect the traveling public.

• They are more effective than metal detectors as they are capable of identifying both metallic and non-metallic objects, including plastic and liquid items.

• They are supposed to improve passenger flow. In contrast to manual searches requiring 2–3 minutes, the machines take only seconds to produce and interpret passenger data.

• The use of scanners are thought to be less invasive than manual searches.

Contra arguments: • are not universally deployed in all member states, but

unilaterally in some of them, only at some airports and according to different rules and procedures

• are primarily taken on a preventive basis towards innocent persons

• it has to be demonstrated that other less intrusive methods were not available (see ECJ C-92/09 Volker and Markus Schecke GbR v. Land Hessen and C-93/09 Eifert v. Land Hessen and Bundesansalt für Landwirtschaft und Ernährung, 9.11.2010).

• if there is at least one type of body scanners which is less intrusive, why are the scanners providing a “naked” image of the body still in operation?

(2) • Cannot detect explosives carried inside the body. • May not be able to distinguish foreign objects such as

prosthetics and weapons. The percentage of false positives is high and it may increase the need for manual searches.

• An extremely finite period of time means evidence might be missed. Moreover, the operators may not have the required technical expertise to intercept the data.

False alarms Missing objects

(3)

• Price: EUR 100 000 - 200 000 per item, excluding training, installation, and maintenance costs.

• The scanners are being implemented as a reaction to past situations. According to many security experts, such an approach will fail to anticipate the next bomber.

• Measures taken to address privacy concerns over the use of the scanners may dampen the machines' effectiveness in locating arms and explosives.

Right to data protection Do the images constitute personal data? • It is stated that the image shall not be linked to any data concerning

the screened person and his/her identity shall be kept anonymous BUT • the image provided by the scanner will still allow for the indirect, if

not direct, identification of the data subject • identification is possible since the image will be used to decide

whether the passenger can access security restricted areas • the image itself might still be indirectly related to the data subject,

especially if the screener cannot determine whether or not the passenger is carrying prohibited articles or if the passenger is not cleared

• the images may include sensitive data, because they consist of data revealing the data subject’s racial or ethnic origin, religious beliefs, and data concerning health and sex life

Does the use of body scanner constitute the processing of personal data?

• the DPD defines “processing” as any operation performed upon personal data

• the use of the data, even if it is not recorded, falls within the definition of “processing”

The storage and retrieval of images • “the images cannot be stored, transferred, copied, or printed, and

are permanently removed” BUT • Lack of complete, comprehensive and reliable information • The agencies need to retain the images as evidence, for testing and

training purposes, or for later inspection to find out what went wrong with the scans if there were a successful terrorist attack.

• The TSA's Procurement Specs require that the machines have the ability to record and transmit images;

• TSA confirmed it possesses about 2000 scanner photos from devices that the TSA said earlier “could not store or record images”.

• The experts admit that the images are still being captured and stored by these “changed” devices.

• Lack of special legal provisions to regulate and limit storage (retention period)

Information to passengers

• According to the transparency and data subject participation principle, data subjects should be informed of the data processed, purposes of such processing and the identity of who is collecting their data.

• The US S.A.F.E.R. A.I.R. Act: passengers shall be provided with (i) information about the images; (ii) information regarding the privacy protections; (iii) sufficiently detailed notice and an explanation of the alternative option for primary screening.

• The EU Commission proposes that appropriate, comprehensive and clear information on all aspects of scanner usage should be provided to the public at airports, before travelling.

• These proposals do not give sufficient details about how appropriate, comprehensive and clear information can be provided to the passengers in reality, before travelling and before purchasing the tickets, and who will be responsible for the information provision.

In summary

• It can be concluded that deployment of scanners

cannot be currently regarded as in compliance with all the established data protection requirements and privacy standards.

Thank you for your attention!

Comments? Questions?