Wednesday 29 February 2012

The EU's PNR Directive in Parliament

As well as Sophie in ‘t Veld reporting on the proposed EU-US PNR Agreement on Monday, Timothy Kirkhope (ECR) presented his draft report on the EU’s own Passenger Name Record regime. The PNR Directive is technical, but it involves a huge amount of data collection on people not suspected of a crime, and the processing of data to create models used to identify unknown criminals. The law poses major questions on data protection, and there are also issues of how necessary and effective the system is, and how much of the costs airlines (and therefore consumers) will bear to pay for the system. I’ll divide this post into outlining and discussing the proposed directive and briefly looking at Kirkhope’s report to the Committee on civil liberties, justice and home affairs.

The PNR Directive.

The proposed PNR Directive (PDF) would introduce a system where a wide range of data gathered by airlines on passengers on flights into and out of the EU would be processed for the purposes of fighting terrorism and serious transnational crime. The data gathered includes the information on passports, flight arrival and departure times and destination, check in status, payment details, address and contact information, frequent flyer information, travel agent, travel itinerary, general remarks (including information on unaccompanied minors and their guardian’s contact details and relationship to the minor), seat number, baggage information, code share information, ticketing field information, and date of reservation/issue of ticket. This data would be collected from everyone on flights into and out of the EU regardless of whether or not they’re suspected of a crime and without distinction to how susceptible an air route is judged to be to use for terrorism or serious transnational crime (also the UK has suggested an amendment for the latter). This raises questions of proportionality.

PNR data is to be used in three different ways: re-actively, in real time, and pro-actively. The re-active use of PNR data is the use of data in the investigation or prosecution of a crime which has already taken place; use of PNR data in real time entails the use of data to arrest or place an individual under surveillance for a crime being committed or about to be committed; and the pro-active use of PNR data is using PNR data to build up criteria against which to identify persons worthy of further surveillance or action. “Serious transnational crime” isn’t really harmonised by the Directive – it uses the list of crimes in the European Arrest Warrant, but Member States can decide to exclude some of these crimes from their transposing legislation if they think one is too “minor” – so the Directive can’t even decide what’s a “serious crime”!

The data is transferred by airlines to “Passenger Information Units” (PIUs) that will be set up to process and analyse the data, and alert national law enforcement agencies if necessary. PIUs can be national, or countries can set up joint PIUs if they want to share the costs. (The vast majority of EU Member States don’t have a PNR regime, so this PNR Directive will effectively introduce PNR systems into most Member States for the first time). The data will be retained for 30 days, after which it will be “depersonalised” (identifying data removed, but not deleted so it can still be restored and used) and retained in this masked state for a further 5 years. Data can be kept for longer if it’s used in criminal investigations or prosecutions. 5 years seems disproportionate if the data isn’t being used in an investigation or prosecution – and even the Council’s own legal service has suggested a maximum retention period of 2 years ("Draft Agreement on the Use of Passenger Name Records (PNR), Note for the Attention of Mr Stefano Manservisi Director General, DG Home, European Commission Legal Service, SJ.f(2011)603245, 18/5/2011").

Data subjects (people who own data that is being stored or processed) have rights of access, rectification and erasure, and the National Supervisory Authorities set up under EU data protection legislation (Framework Decision on Data Protection) monitor the PIUs’ use of data and assist data subjects with their requests to exercise their rights. However, the purposes for gathering and processing the data are so wide that it’s debatable how much substance there is to these rights. For example, PIUs can use the data for general analysis work and to update and create “objective assessment criteria” to identify unknown criminals – a very wide purpose to use and process data, so PIUs could probably refuse under the Directive to erase a person’s data even if they aren’t suspected of a crime. Also, this use of objective assessment criteria means that the PNR regime is open to the profiling of individuals by law enforcement authorities, where they might be put under closer scrutiny simply because they happened to match a certain pattern of behaviour. There are no safeguards for independent external review of these objective factors (the National Supervisory Authorities don’t seem to have the power to do so), nor has there been an assessment of the effectiveness of this method in identifying unknown criminals versus the false identification of innocent people.

There’s also little satisfactory evidence that PNR is necessary or effective for fighting terrorism and serious transnational crime. We already have the Schengen Information System, the Visa Information System and the Carrier’s Directive (Link), which permitted the use of a less invasive Advance Passenger Information system in 2004, where airlines would transfer passport information of passengers and flight arrival/destination details (rather than the whole gamut of PNR information) – but there’s been no assessment of the effectiveness of API, or whether changes in it or the other systems could provide a cheaper and less invasive alternative. The main advantage offered by PNR is presumably the detection of unknown criminals. The Commission has used crime statistics to highlight the levels of serious crime and terrorism to establish the need for further security measures to be introduced, and it has also used statistics on the use of PNR data in drug seizures (see its impact assessment here: PDF). Interestingly, some of these impressive PNR statistics derive from some Member States which do not currently have a national PNR regime! (Like Belgium - PDF).

So PNR faces a lot of questions on several fronts: is it necessary, does it work, are there cheaper and less invasive alternatives? So how does the draft report in the Committee deal with this?

Timothy Kirkhope’s report.

The draft report (PDF) contains a long list of proposed amendments to the directive (it should be noted that the report is open to amendments from the Committee before it votes on the report as a whole).

Some of these amendments would clarify the scope of the Directive – by stating that it applies to airlines incorporated in the EU and that store data in the EU, and expanding the Directive to include intra-EU flights as well as flights entering and leaving the EU. By including intra-EU flights, there would obviously be a much, much greater amount of data gathered on people. In Committee it was explained that the Commission wanted the Directive to avoid including intra-EU flights so it could test the system out first (the Directive includes provision for a review in 5 years on whether to include intra-EU flights), while Kirkhope countered that gradual introductions of schemes rarely work in his experience. The costs of transferring data to the PIUs would be borne by the airlines, while Member States would pay for the PIUs and their work. Kirkhope said that the estimated costs that would be passed on to consumers in ticket prices would be between 10 to 18 cents.

The report’s amendments insert provisions regulating the transfer of data between Member States to ensure that safeguard standards are maintained and that data is only shared in certain circumstances. There are also new provisions to more extensively regulate the transfer of data to third countries, though the assessment is still left to Member States so there isn’t a common decision on the adequacy of a third country’s data protection standards like there is for internal market matters.

The amendments would also clarify the state of data after the initial 30 day period – the Directive uses the phrases “masked” and “anonymised”. Unfortunately, the draft report decides to simply change the phrasing to a more unified “masked” terminology rather than changing the procedure so identifying data will be deleted after 30 days. Some amendments do aim to strengthen data protection by setting down punishment for data breaches such as demotion, denial of system access, formal reprimands, and removal from duty, as well as an obligation to inform data subjects that might be affected by a data breach. National Supervisory Authorities would be given powers to take disciplinary action against persons responsible for a privacy breach, increasing their powers of independent oversight.

Kirkhope believes that the use of a PNR regime is necessary and proportional. While the necessity of the Directive is probably best debated by the Committee and whole Parliament, there are still questions over how proportional the Directive would be even with the report’s amendments, particularly over the targeting (or lack of targeting) of air routes, the oversight of the creation and use of objective assessment criteria, and the length of the retention period. It does provide some good improvements to people’s rights to access, rectify and erase their data and makes it easier and more effective to exercise these rights (though the problem of the content of these rights given the wide use of data remains).

I’m very sceptical of the necessity for a PNR system – a lot of the analysis backing up the proposal seems to be based on numbers on the increase of crime together with rhetoric on fighting crime and anecdotal examples of how PNR could be used, rather than an analysis of the benefits of PNR versus the existing EU databases. It seems that we are being asked to accept the creation of a massive information gathering system on trust, and I’m not convinced.

Irish Attorney-General: there must be a referendum

Ireland is set to have a referendum on the Fiscal Stability Treaty in June after the Irish Attorney-General advised that the treaty warranted one. The government has been hoping to avoid a referendum – the watering down of the treaty’s language on requiring constitutional debt brakes to only preferring them while also accepting normal legislation with the same content was clearly an attempt to avoid referendums by ensuring that countries could introduce the changes domestically by a package of legislation.

The referendum will probably be held in June, which will hopefully give time for a full debate, but I have to admit that the first thing I thought when I saw the June date was that it might be a godsend for the Irish government if Hollande is elected in France and he goes through with his plan to withdraw France from the treaty. Of course, the treaty does not require unanimity to come into force – it only requires 12 countries to ratify it before it starts to have effect. This will affect the dynamic of the ratification process across Europe and in the Irish referendum debate. The government might argue that Ireland could be left behind and even endanger its position in the Euro if it votes against (since it would be opting out of a Eurozone policy and this could make the economic situation in Ireland less politically certain in the eyes of busi – but if a core Eurozone country like France turns against the treaty, this will provide a more serious challenge to the treaty and encourage the movements against the treaty in Ireland and other parts of Europe.

It should be noted that 90% of this treaty was passed into European law at the end of last year by the European Parliament (the not-really-that-infamous “six pack” of legislation). Which proves that the EP really is more legislatively powerful in the EU than is generally thought, and that the media is rubbish at keeping track of important legislation in Brussels.

So one final point: the EP is debating the idea of “stability bonds” – it might be a good idea to have some debate on this outside the Brussels Bubble when we can still write to our MEPs and try to influence Parliament. That’s what it’s there for, after all...

Monday 27 February 2012

In 't Veld to propose EP rejection of EU-US PNR Agreement

Sophie in 't Veld (ALDE), rapporteur on the EU-US Passenger Name Record Agreement (Text) will present her report to the committee on civil liberties, justice and home affairs today. The PNR agreement will permit the transfer of Passenger Name Record data for passengers on flights from the EU to the US to fight terrorism and serious crime. PNR data is all the data from the machine-readable part of the passport (name, etc.) plus the times of departure and arrival, place of departure and arrival, check in time/status, payment details, luggage details, and other general information.

If the Parliament does vote for rejection, it will be a big blow to the US and those in the EU who have been trying to set the rules for this data transfer. In fact, the PNR saga has been going on for about a decade now, since the US adopted its PNR regime in the wake of the September 11 attacks, setting penalties for airlines that refused to transfer the PNR data they collect (airlines collect PNR data for commercial purposes). This left EU airlines in the position where they would be punished by the US if they didn't hand over the data, and by EU data protection laws if they did. An agreement in 2004 fell foul of an ECJ judgment over the legal base used, and an agreement in 2007 was never assented to by the EP (as required under the Lisbon Treaty after December 2009), so it only applied provisionally. The European Parliament called for new agreements with the US (and Canada and Australia) to bring them more into line with data protection rights (the Committee voted to assent to the new Australian agreement in October).

There have been several concerns raised over the agreement, mainly on data protection grounds. In her report, in 't Veld highlights that the necessity and proportionality of PNR systems haven't been satisfactorily established - in fact, with the EU's own proposed PNR Directive, this is also the case (PDF) - when information gathering could be done on a smaller scale (e.g. via an API system that just covers passport and flight departure/arrival data); that the agreement does not limit the use of data to fighting terrorism and serious crime; that data does not have to be destroyed, but can be held indefinitely: despite its use being restricted over time, it could still be accessed and used. It is also pointed out that the agreement does not provide sufficient protection against the use of sensitive data by the US Department of Homeland Security (data indicating race, religion, sexual orientation, etc); that there aren't sufficient guarantees that data will be equally well protected if it's transferred to another country from the US; and that the agreement might not provide EU citizens with adequate means of judicial redress.

She says (PDF):

"The call for a coherent approach and a single set of principles to govern international agreements on the transfer of PNR data was an approach embraced by the Commission and the Council. However, the Agreement with the US differs fundamentally from this approach as well as from the Agreement with Australia, concluded on 13 December 2011. This Agreement was considered to be sufficiently consistent with the criteria set out by Parliament, while the Agreement with the US departs from the approach that had been agreed by the European Parliament, the Commission and the Council in 2010. Additionally, compared to the first EU US PNR Agreement of 2004, this 2011 Agreement even represents a deterioration on many points. Having in mind that the European Parliament sought annulment of the 2004 Agreement before the Court of Justice, your Rapporteur will recommend the European Parliament to decline to consent to the conclusion of the Agreement."

I hope the Committee votes for this report - the case for PNR regimes is quite shaky, with high levels of data collection from people who aren't suspected of any crime, for no proven gains in effectiveness over less invasive and data protection-compliant alternatives. Rejecting the PNR Agreement would be the second time this parliament that the EP has blocked a US-EU Agreement - the first being over SWIFT I (which prompted heavy lobbying by the US). Blocking this agreement would not only put an end to invasive data gathering, but also raise the profile of the EP and of the importance of data protection rights in the US's security dealings with the EU.

The report will be presented to the Committee at 15:00 CET. The Committee will vote on the report on March 20th, and the plenary will vote on the agreement in April.

Friday 24 February 2012

"Greece could have had a referendum"

The Danish Minister for Economy and Interior Margrethe Vestager said that Greece could have had a referendum:

""No one else but the elected members of national parliaments can take the decisions when it comes to reducing the deficit, collecting more taxes or being more efficient in doing so."


Meanwhile, on the state of Greek democracy, where the idea to call a referendum on the second bail-out last year caused panic among EU leaders and led to Prime Minister George Papandreou's resignation and appointment of a technocrat premier, Vestager said: "I think they could have done that if they really wanted to."

"Each politician has to make up his or her mind, because these are very challenging times. People can recognise from their own lives that when you bring yourself in a situation where you have to take a huge loan in order to get things working - the one who's going to give you the loan will have conditions. It is not different on a European level.""

Formally, I think she's right: when Papandreou proposed a referendum, it could have been done, even if it had been quick to have the result before the next tranche of bail-out money was needed (at the time I favoured a general election since it would have given the Greek people a chance to change their government, whereas a referendum on which default to take might just be designed to bounce them into accepting the status quo). However Papandreou sprung this on his cabinet, who said no, and the Greek parliament lost confidence in him, so a caretaker government was elected by the parliament before elections could take place (elections that will take place in April).

Which is a second point: the technocratic governments. I'm not a fan of these technocratic governments and if they're ever put in place they should be quickly followed by an election, but the Greek and Italian governments weren't "imposed by Brussels" - rather it was the economic pressure of the market/debt situation and the lack of political confidence in the Prime Minister and government that led their parliaments to remove them and replace them with technocratic caretakers. (Notably this also happened to the Czech government when they held the rotating presidency back in 2009). Rather the democratic disconnect is the lack of democratic political power at a level that could respond effectively to the economic pressure applied by markets - in other words at the EU level, which has so far only delivered ineffectual summits, bad bail-outs and a Fiscal Stability Treaty that solves nothing and repeats legislation already passed by the European Parliament.

Thursday 23 February 2012

ACTA referred to the European Court of Justice

The Commission has decided to refer the Anti-Counterfeiting Trade Agreement to the ECJ to assess its compatibility with EU law, including the fundamental rights guaranteed under EU law. Commissioner Karel de Gucht said:

"We are planning to ask Europe’s highest court to assess whether ACTA is incompatible - in any way - with the EU's fundamental rights and freedoms, such as freedom of expression and information or data protection and the right to property in case of intellectual property.

As you are no doubt aware, within the EU institutional process, the European Commission has already passed ACTA to national governments for ratification. The Council has adopted ACTA unanimously in December and authorised Member States to sign it. The Commission has also passed on ACTA to the European Parliament for debate and a future vote.

That said, I believe the European Commission has a responsibility to provide our parliamentary representatives and the public at large with the most detailed and accurate information available. So, a referral will allow for Europe’s top court to independently clarify the legality of this agreement."

However he goes on to say:

"As I have explained before the European Parliament on several occasions, ACTA is an agreement that aims to raise global standards of enforcement of intellectual property rights. These very standards are already enshrined in European law. What counts for us is getting other countries to adopt them so that European companies can defend themselves against blatant rip-offs of their products and works when they do business around the world.

This means that ACTA will not change anything in the European Union, but will matter for the European Union.


So let me be clear: ACTA will change nothing about how we use the internet and social websites today – since it does not introduce any new rules. ACTA only helps to enforce what is already law today.

ACTA will not censor websites or shut them down; ACTA will not hinder freedom of the internet or freedom of speech.

Let's cut through this fog of uncertainty and put ACTA in the spotlight of our highest independent judicial authority: the European Court of Justice.

This clarity should help support a calm, reasoned, open and democratic discussion on ACTA - whether at the national or at the European level. We will also be in contact with the other European institutions to explain this step and why it would make sense that they make the same move."

It seems odd to subject ACTA to judicial review when its provisions are open to national interpretation in places, while not reviewing the current IPR regime in the EU. After all, if the current regime has already largely introduced the ACTA system domestically, would a negative judgment by the Court result in a major investigation into the existing laws...?

This judicial review is mainly aimed at providing a visible counter to the accusations leveled at the Agreement by the European public. Because of the secret nature of the negotiations and the timing of the SOPA and PIPA legislative battles in the US, the Commission hasn't been able to effectively put its side of the story across, so it's relying on a court judgment to solve this problem. Given the vague nature of some of the provisions and the false accusations that have been flying around, the ECJ's judgment will be able to refute some of these. However this avoids the issue of whether we aren't balancing rights correctly through our intellectual property rights regime. The criticisms of the Treaty aren't just based on fundamental rights.

This balance has been pushed for a long time simply in the direction of ever stronger enforcement in a way that doesn't take into account the issues raised by the internet age, particularly via the new focus on indirect "economic advantage" as opposed to commercial advantage. There are many uses of media now that are different from both their commercial use and the use of physical goods - from classic commercial activities which do need to be protected. We need to think more about the purpose of IPR and how far we should restrict "indirect economic advantage"; whether or not it should be punished at the same level as commercial advantages, or if different approaches should be used to reflect the social and economic value and impact of the relevant activity. And what about setting damages at the level of the retail price rather than the more proportionate level of the loss suffered?

This isn't a simple, headline grabbing fight over fundamental rights (although it raises some questions over how we want to balance them in practice), but also over the usefulness, proportionality and effectiveness of our IPR laws. I hope throwing out some of the wilder claims about ACTA does not puncture a necessary debate - will the EP measure up?

Monday 20 February 2012

Xi Jinping visits Ireland

“Ireland has a rich history and culture as well as amazing natural beauty. It is a success story of moving, in a short period of time, from an agro-pastoral economy to a knowledge economy,” - Chinese Vice-President Xi Jinping.

...Wait, what?

The Chinese Vice-Premier's visit to Ireland this weekend has struck me as slightly surreal. Entering into the 5th year since the crash, with endless talk of austerity and hard times, it's a change to hear some of the old Celtic Tiger speak of Ireland's economic example. (Although given China's industrialisation and size and the Irish crash, I wonder how much China has to learn from us). The government has seized on the visit with both hands: Ireland is the only Eurozone state to be visited by the Vice-President, and Xi was shown around Irish farms and countryside as well as Irish sport and culture. Trade and economics form the hard base of the relationship, with deals signed on business and the invitation for Irish visits to China in March (Ireland also apparently does quite well out of its Chinese trade: we've managed to run a trade surplus for the last 3 years).

To me this seems like it should be a bigger boost than the visits last year. As important as the British and US visits were for economic and historic reasons, Xi Jinping can hardly be accused of visiting as a way to boost his political profile among an Irish-Chinese community or to set the seal on the troubles of the relations of the past - so the interest in Ireland is a bit exciting (and the reported interest in Irish culture in China - though I don't know how far that extends. I don't expect to see a Beijing Gaelic football team to appear alongside the London and New York teams).

Of course, it would be naive to think that this relationship will ever be as deep as Ireland's traditional relationships (I can't see a cabinet minister presenting the Chinese President with a bowl of shamrocks every St. Patrick's Day), and Ireland's EU links are probably the most important political reason for the visit, but the sheer fact that a country of 4.5 million people can get so much global cultural and political notice probably says something about the national talent for self-promotion. Still, for all the government pushing of the line that we're the only EU country to get a visit, Ireland's EU links and the upcoming Irish presidency of the Council of Ministers probably helped convince Xi to extend the Irish leg of his journey longer than a pit stop by the Shannon would usually warrant. I wouldn't be surprised if any Irish talk of human rights was a brief mention beside discussions of what the Irish Presidency agenda might be...

Friday 10 February 2012

The Anti-Counterfeiting Trade Agreement

I once had a work experience where I had to read through several contracts selling and assigning the right to turn a book into a TV programme and then give a presentation on who owned/did/does what. I'd only done a year at university and hadn't covered contract law or intellectual property law, so I was given a few textbooks on contract law and on copyright. As well as being one of the most interesting work experiences I ever did, it's also the only time I did anything to do with intellectual property law - while I was interested to read ACTA (PDF), I was a bit wary since I don't have the time to read into all the surrounding legislation and the debate on IPR. I do agree with this article over at The Atlantic, though: while some of the claims against ACTA might be a bit overblown, the trend in international IPR law is worryingly focused on the enforcement side, and ratcheting up enforcement standards without ever adapting to the issues brought up by our digital age. (A major debate is on whether copyrights do in fact encourage innovation and investment, or if the current laws actually detract from such innovation).

ACTA has rightly caused a huge reaction from the public, and the Party of European Socialists has come out attacking the treaty (PDF):

"The Party of European Socialists considers the Anti-Counterfeiting Trade Agreement (ACTA) to be fundamentally flawed in both content and process. There is a severe imbalance between the rights attributed to the users, service providers and rights holders.

The agreement, which is to be voted on by the European Parliament before summer 2012 and ratified by National Parliaments, is flawed in content for the following reasons; it gives undue power of oversight to internet providers; it infringes the privacy of internet users; and it will curtail developing countries access to generic medicines. It is flawed in process because of the secret manner in which the accord was agreed upon, and because of the significantly reduced time afforded to the European Parliament to scrutinise the final draft."

I haven't been able to find the positions of any other Europarties yet, but if you know them, let me know in the comments.

ACTA itself seems to raise a few questions over due process and the role of Internet Service Providers in policing IPR (which has serious implications for privacy and data protection - though it should be stressed that the actual role of ISPs would be decided by domestic legislation and ACTA does not require ISPs to take on a policing role). The EU has signed up to ACTA along with its Member States, but it has yet to be ratified and the European Parliament will make its decision this summer. The explanatory memorandum to the agreement makes clear that the Commission considers the agreement as adding nothing new to current EU law on IPR, while leaving any additional obligations for judicial enforcement to be carried out by Member States as parties to the treaty. This doesn't strike me as a reason to be reassured by ACTA: if our legislation already goes further than ACTA, then where does that leave all our talk on this side of the Atlantic about being more enlightened about IPR and the internet? We still may have the safe harbour provisions that SOPA attacked, but ACTA clearly underlines that our approach is guided by a similar philosophy rather than being subjected to a serious debate about how the internet and digital media have changed the environment for IPR and how we should adapt (not to mention the price we might pay in terms of privacy and free speech to enforce these ever stricter laws).

So while not every evil assigned to ACTA finds backing in its vague provisions, it is another important step in the development of our IPR laws. We should take this opportunity to ask our MPs and MEPs to debate not just ACTA, but our approach to IPR in general. It's more than just this agreement.

You can sign the petition against ACTA here.

Also, Grahnlaw has been providing good coverage of this issue (see here, here and here for examples).