This article appeared in a journal published by Elsevier.
Author's personal copy
Computer Law & Security Review 30 (2014) 25–40
Available online at www.sciencedirect.com
ScienceDirect
www.compseconline.com/publications/prodclaw.htm
Russian PNR system: Data protection issues and global prospects
Olga Mironenko Enerstvedt*
Norwegian Research Center for Computers and Law (NRCCL), University of Oslo, Norway
Abstract
The usage of Passenger Name Record (PNR) for security purposes is growing worldwide. At
least six countries have PNR systems; over thirty are planning to introduce them. On 1
December 2013, a Russian PNR system will be implemented. But enhanced collection of
personal data leads to increased surveillance and privacy concerns. Russian authorities
state that passengers’ rights will be respected, but a closer look at the Russian regime
reveals a number of critical points. From a global perspective, the Russian regime is only one
of many PNR systems, including new ones to come in the future. Apparently, for the
majority of them, similar challenges and problems will apply. At the same time, for the EU,
with its strict data protection requirements, PNR requests by third countries (i.e. non-EU
countries) create conflicts of laws. In order to resolve them, the EU concludes bilateral
PNR agreements. However, the current deals, especially the one between the EU and the
USA, involve a number of weaknesses. Accepting the latter, and having a pending proposal
on the EU PNR system, the EU has weakened its position in negotiations with third
countries. How will the EU deal with the Russian as well as with all the future requests for
PNR? This paper provides legal analysis of the Russian PNR regime, pointing out common
problems and giving prognosis on the global situation.
© 2014 Olga Mironenko Enerstvedt. Published by Elsevier Ltd. All rights reserved.
Keywords: PNR; Passenger Name Record; Russia; Privacy; Data protection; Security; Aviation; Personal data
1. Introduction
Today, security experts agree that aviation security requires a
risk-based, pro-active rather than reactive approach, and this
is already reflected in international and national policies.1
This strategy implies, among other things, advanced collection and analysis of personal data: since the vast majority of
passengers pose no threat to civil aviation, information is
critical to assess the risk. The goal is to find meaning in
enormous amounts of data and then see connections and
make predictions.2
A special role in these processes is played by Passenger
Name Record (PNR).3 PNR are used by the state authorities for
security purposes, to combat terrorism and crime. Moreover,
the analysis of PNR data is valuable for threat and risk
assessment and management; it may help not only to identify passengers who are a known threat, but to identify
potentially dangerous persons who are an unknown threat.
* Norwegian Research Center for Computers and Law (NRCCL), University of Oslo, Postboks 6706, St Olavs plass, 0130 Oslo, Norway.
E-mail address: [email protected].
1 See, e.g. Standard 3.1.3 of ICAO’s Annex 17.
2 Schneier Schneier on security (2008) p. 7.
3 PNR data will be elaborated on in Section 2.
0267-3649/$ – see front matter © 2014 Olga Mironenko Enerstvedt. Published by Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.clsr.2013.11.003
According to IATA, as of 2013, access to PNR for security
purposes is required in six countries and in the works in
thirty more.4
At the end of 2013, a Russian PNR system is planned to be
implemented. All airlines operating domestic or international
flights or passing Russia will have to hand over passenger data
to Russian security authorities. With the largest territory in
the world, the Russian Federation is a natural boundary and a
natural bridge between Europe and Asia as well as one of the
fastest growing markets for international air travel. Many
foreign airlines, including EU airlines, carry out flights into
and out of Russia5; in addition, around 53,000 European flights
transit over Russia to Asia each year.
The key point for this paper is that usage of PNR for security purposes has a serious impact on the rights to privacy
and data protection, so that these rights may be interfered
with, limited or violated. Enhanced collection of passenger
personal data leads to increased surveillance of mostly
innocent and unsuspicious people. “Security versus privacy”
has become a common expression. This dilemma generally
implies balancing of these two values and definite trade-offs,
usually at the price of privacy: it is obvious that security in
the air must be provided, and that security, which is vital to
survival, is more important than privacy. But in short, the
dilemma does not necessarily imply that security needs and
data protection interests cannot co-exist. Both are important
for society; what is needed is to find a way to ensure both
values, without loss to either. Is it possible to use PNR for
security purposes and at the same time respect the passengers’ rights?
Similar to other states justifying the introduction of PNR
regimes, the Russian authorities explain that the new
measure is warranted by the need to improve aviation security. As for the protection of passenger personal data, they
state that Russia ratified the Council of Europe Convention
No 108 and adopted a law implementing the Convention into
national law, and thus that the passengers’ rights will be
respected.
But despite these assurances, the EU Commission
expressed concerns regarding the new Russian PNR regime.
First of all, the EU became worried about the unilateral nature
of the proposal. Since the EU was not familiar with the details
of proposed measures and could not evaluate the impact
(according to the EU officials, they raised the issue in Moscow
early in 2013 and sent a letter in March, but never got a
response),6 the EU asked Russia to postpone implementation
of the PNR measures and to provide additional information on
the regime.7
Secondly, according to the EU officials, the situation with
human rights in Russia creates a potential for data abuse.8 For
instance, in 2012 the EU was concerned about measures taken
against members of the opposition, media freedom, the
situation in the North Caucasus, the children’s rights issues
and issues of discrimination and racism, etc.9 With such a
background, it will undoubtedly be difficult for the EU to
believe that, in contrast to the above-mentioned issues, the
PNR system will respect the rights of air passengers.
4 IATA. Facilitation and Passenger Data http://www.iata.org/whatwedo/security/facilitation/Pages/index.aspx (date accessed: 19.08.2013).
5 Currently, foreign air carriers do not have access to the Russian domestic aviation market.
6 Nielsen EU tells Russia to drop air passenger data law (2013).
7 See Nielsen Russia blames EU for airline data fiasco (2013).
8 Nielsen (2013).
Moreover, pursuant to the EU data protection legislation,
transfer of PNR to Russian authorities by EU airlines will be
illegal since the Russian Federation is not considered as a
country providing an adequate level of data protection.
Therefore, if the situation does not change, the EU airlines will
find themselves in a difficult situation: to fly to or over Russia,
they will need to comply with either EU or Russian law. They
can either refuse to transmit the data, thereby becoming
subject to Russian authorities’ sanctions, or they can deliver
the data in violation of the EU law.
The International Civil Aviation Organization (ICAO)
Guidelines on PNR10 stipulate in §§2.4.3-5 that an air carrier must
comply with the laws of the state of departure and the state of
destination. If the laws of the state of departure do not allow
an air carrier to comply with the requirements of the state of
destination, both countries should settle the conflict of laws.
Prior to the settlement, states are advised to apply no fines or
other sanctions against air carriers taking into account the
specific circumstances of the case.
In response to the EU concerns, however, Russia stressed
that the full text of the Order was published in September 2012
and the EU had sufficient time to prepare.11 As a reaction,
taking into account international agreements and the need for
additional time for foreign and Russian carriers to prepare,12
the term was postponed from 1 July 2013, as initially planned,
to 1 December 2013.
In 2003, when a similar problem arose for the EU carriers
flying to the USA, most EU airlines chose to provide PNR to the US
authorities, being unable to simply stop flying across the
Atlantic.13 However, later, this was regulated by a series of
bilateral EU–US PNR agreements laying down the legal basis for
the transfer. To date, the EU has such agreements with the USA,
Canada and Australia. On the one hand, formally, the agreements state that they ensure an adequate level of data protection. On the other hand, data privacy advocates argue that these
agreements, especially the EU–US one, fail to ensure appropriate data protection standards and contain a number of
serious deficiencies and disturbing points. Clearly, compromises
were made due to political and commercial needs: flights must
go on. In addition, it is quite arguable whether the EU’s strict data
protection requirements can be achieved in the security field.
What will be the case for Russia? Will the dilemma for the
EU airlines indicated above be solved, or postponed again, or
will the EU carriers have to choose which law to follow?
Apparently, the time leading up to 1 December 2013 can be
used to try to settle the conflict of laws. However, it depends
greatly on how effectively the time is spent and whether the
parties are open and willing to engage in dialogue.
9 Council of the EU. EU Annual Report on Human Rights and Democracy in the World in 2012 (Country Reports). Brussels, 21 May 2013.
10 Document 9944 – Guidelines on Passenger Name Record (PNR) data of 2010 (ICAO PNR Guidelines).
11 See Nielsen (2013).
12 The Ministry of Transport of the Russian Federation, News, 2.07.2013 http://www.mintrans.ru/news/detail.php?ELEMENT_ID=20434 (date accessed: 03.07.2013).
13 See: Ntouvas. Air Passenger Data Transfer to the USA: the Decision of the ECJ and latest developments. In: International Journal of Law and Information Technology. Vol. 16 (2008).
If an EU–Russian dialog is established, what will the EU
expect from Russia: compliance with the strict but practically
unrealistic requirements of the EU data protection law, establishing compromise solutions similar to the current bilateral
agreements, or requiring some additional, specific safeguards
and guarantees, taking into account particular circumstances?
In contrast to the USA, Canada and Australia, Russia is a non-Western state. It is a question whether data protection weaknesses accepted by the EU in the EU–US PNR agreement will be
accepted for the EU–Russian deal.
Another question is the Russian authorities’ ability to make
the rules work in case guarantees are provided. In theory,
Russian regulators may adopt rules on PNR which would
formally satisfy the EU data protection standards, but will
they be implemented? The problem of law-in-books versus law-in-action is particularly relevant for states like Russia, with relatively newly established democratic regimes and democratic
values, where many legal rules are written on paper but are not
fully enforced in reality, where the laws simply do not work.
At the same time, the US regime raises doubts about the
proper enforcement and lack of abuses as well (e.g. recent
cases about the secret collection and use of personal data
pursuant to NSA domestic surveillance programs). Who can
stop a sovereign state if it suddenly decides to enhance security measures violating its previous promises on data privacy? This makes the problem even more complicated.
Without going into political considerations, this paper will
provide a legal analysis of the newly established Russian PNR
regime. In order to see the broader picture, it will also discuss
Russian general data protection regulation as well as current
problems of its enforcement and realization. Further, it will
analyze the selected elements of the PNR regime from a data
protection point of view, taking into account the ICAO recommendations on PNR transfer (where applicable), the EU
data protection requirements and current bilateral EU–US
PNR agreement which is officially acceptable to the EU.
A more global point is that surveillance is increasing
worldwide. Russia is not the only state demanding or planning
to demand PNR, and the number of states is growing. At the
same time, the list of states with “adequate data protection
level” (according to the EU) includes only a small minority. The
majority may suffer similar challenges and problems as those
suffered by Russia, both with regard to the lack of legislation and
the fact that the laws do not work. All this creates global possibilities for abuses and violations of air passengers’ data privacy rights. The Russian regime can thus be considered as only
one example of many regimes, including future regimes. The
paper hence endeavors to outline some prospects on the global
development as well, pointing out possible common problems.
2. What is PNR?
According to §2.1.1 of ICAO PNR Guidelines, PNR is the common
name given to records created by aircraft operators or their
authorized agents for each journey booked by or on behalf of
any passenger. These data are used by aircraft operators for
commercial and operational purposes while providing air
transportation services. PNR are contained in operators’ computer reservation systems (CRS), departure control systems
(DCS), or equivalent systems providing similar functionality.
PNR are created every time a traveler makes a reservation.
Technically, they are not deleted from CRS and can be viewed
even if a person never bought a ticket or canceled the reservation. The basic record may contain multiple passengers
within the same record. But each entry, even for one passenger, contains data on other people as well: the passenger,
the travel arranger or requester, the travel agent or airline
employee, a person paying for the ticket, etc. The PNR system
contains all passenger data of the whole airline company,
thus, the system is not restricted to a specific flight. Most
travel agencies also use the CRS as their primary customer
database and accounting system and store all customer data
in CRS profiles. Thus PNR also contain data on individuals who
never travel by air at all, since lots of travel services, such as
car rental and hotel reservations, are made through CRS.14
PNR can be captured up to 360 days in advance of flight;
hence, PNR data are dynamic and are subject to change. The
range of PNR is very wide and may constitute up to 106 elements of data. Although different systems provide varying
facilities, and the number and nature of fields vary from
airline to airline and even among individual PNRs from the
same airline, all PNRs contain at least passenger name(s),
itinerary, and contact information.15
The Annex to ICAO PNR Guidelines provides a list of
possible PNR data elements. They can be categorized in the
following groups: (i) Machine Readable Travel Document
(MRTD) details (names, date of birth, etc.), (ii) contact details,
(iii) passenger details; (iv) payment details; (v) other information (name of person making the booking, travel agent information); and (vi) data related to aircraft flight.
Passenger details include OSI – Other service related information, SSI – Special Services Information, SSR – Special
Service Requests, and General remarks. Through OSI/SSI/SSR,
PNR may include requests for special medical service or special dietary meals, that is, they may contain details of travelers’ physical and medical conditions, indications of
travelers’ religious practices, that is, data of a sensitive nature.
General remarks may contain data on internal conversations
and contacts between airline company’s employees and
agents, including various comments and abbreviations.16
As for the completeness or accuracy, two types of information can be distinguished. The first group includes MRTD
details (also known as API (Advance Passenger Information))
which derives from travel documents information. These data
are official and validated, spellings and dates are transcribed
accurately, offering objective and permanently valid information. Such information may be used to check against watch
lists, that is, to identify already known persons. The second
group includes the information that the passenger submits to
the CRS himself or herself, thus, these data cannot be guaranteed in completeness or accuracy; such data may not be
fully updated on the date of departure.
14 See Hasbrouck What’s in a Passenger Name Record (PNR)? (2009).
15 IATA. Passenger Services Conference Resolutions Manual (PSCRM). 01 Jun 2007–31 May 2008 27th Edition.
16 §2.1.6 of ICAO PNR Guidelines.
Nevertheless, overall, PNR provide a comprehensive and
extremely detailed record of every entry and include data on
the basis of which aspects of the passenger’s history, conduct
and behavior can be deduced. PNR can thus be used in
profiling, offering information on the background of the individuals and their possible relationship to other persons
being investigated. As such, PNR may be very useful for intelligence in identifying both known criminals and potentially
dangerous persons who are not yet known from databases.
3. Usage of PNR
The Chicago Convention (1944) rests on the notion that states
are sovereign over their land and air space.17 The principle of
state sovereignty constitutes the legal basis for the national
security of the state. Moreover, Article 13 of the Chicago
Convention stipulates that the laws and regulations of a state
as to the admission to or departure from its territory of passengers shall be complied with by or on behalf of such passengers upon entrance into or departure from, or while within
the territory of that state. Therefore, the state itself determines which information it requires from persons
entering, departing or staying in this state.18
Taking into account the growing importance of PNR data
transmission for aviation security purposes, the ICAO urges
states to use PNR as an aid to aviation security.19 In order to
harmonize the PNR usage worldwide, the ICAO issued PNR
Guidelines which establish uniform measures for PNR data
transfer and the subsequent handling by the states; IATA –
Recommended Practice PNRGOV.20 In §2.2.2, ICAO PNR
Guidelines provide a list of purposes for PNR analysis: improve
aviation security; improve national and border security; prevent acts of terrorism and other serious crimes of transnational character, including organized crime, and fight
against them; protect vital interests of passengers and population, including health; improve border controls at the airports; facilitate passenger flow.
The principles of PNR transfer are as follows: minimization of
costs of the industry; accuracy of the information; completeness;
protection of personal data; timeliness; effectiveness and efficiency of data management/risk management.21 The Guidelines
and PNRGOV provide other details as well. But the ICAO and
IATA’s documents are not binding on the states, thus, it is up to
the latter to establish concrete requirements and guarantees.
In reality, different states establish different and sometimes conflicting PNR demands, and full harmonization is not
achieved. The problems include various data exchange requirements (e.g. formats and methods of transfer), requests
for data elements beyond existing international standards;
absence of common objectives and clear agreement on process among states.22 As a result, air carriers may face legal,
technical and financial problems.
17 Art. 1–2 of Chicago Convention signed 7 December 1944, ICAO Doc 7300/6. The Convention is now in its ninth edition.
18 §1.2. of ICAO PNR Guidelines.
19 ICAO, 37th Assembly (2010) Resolutions.
20 IATA Recommended Practice 1701a, 2012 (PNRGOV).
21 §2.3.2 of ICAO PNR Guidelines.
For instance, according to IATA, a part of the data required
in Russia (such as passport numbers) does not take into account
international reservation systems.23 There is a problem
of collecting data on passengers flying over the territory of
Russia: the CRS contains data on airports of departure and
arrival, but no lists of countries whose air space is crossed by
the plane during the flight.24 Further, according to the aviation
industry, the composition and structure of passenger data
protocol do not coincide with PNR and API files currently used
in air transport, and some items cannot be filled because of
lack of information.25 The requirement to transfer data in real
time no later than 30 min after entering the data into the information systems does not take into account the fact that
CRS provides passenger data to airlines in certain intervals.26
Data protection problems emerge as well. First of all, some
states (e.g. the USA) use PNR for data mining and profiling –
techniques which use statistical methods that cross-index
randomly selected information from large databases and provide risk assessment of individuals or predict their future
behavior.27 In profiling, the core idea is to record, store, process
and retrieve personal data to create profiles in searchable databases in order to indicate potentially dangerous persons.28 According to many security experts, profiling, combined with use of
intelligence, offers a huge potential for preventing terrorist acts.29
However, these techniques are not very accurate, with a high
number of false negatives and false positives,30 while the
increased and unlimited use of personal data, with long-term
or unlimited storage, creates enormous risks for data protection. Hence, privacy advocates argue that PNR data should not
be used for data mining or profiling and its use must be limited
to specific crimes or threats on a case-by-case basis.31
There are different views on how effective the use of PNR can
be. Opponents (mostly data protection advocates and researchers) state that no substantial evidence is provided to
prove that collection of PNR is necessary and proportionate and
supports the fight against terrorist offenses and serious crime.32
22 PNRGOV.
23 Elkova Russian sky will be closed to the lock (2013).
24 Elkova (2013).
25 Sirena-Travel Problems of realization of the Order of the Ministry of Transport N243 (2013).
26 Elkova (2013).
27 Poullet. Data protection legislation: What is at stake for our society and democracy? In: Computer Law & Security Review. Vol. 25 (2009). p. 214.
28 Lyon Surveillance studies: An overview (2007) p. 5.
29 Yehoshua. Terrorist profiling: analysing our adversaries personalities. In: Aviation Security International. Vol. 17 (2011). p. 23.
30 Solove. Data mining and the security-liberty debate. In: The University of Chicago Law Review (2008). p. 353.
31 European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada.
32 E.g. see Article 29 Working Party on data protection: Letter to the Civil Liberties Committee of the European Parliament, Brussels, 6 January 2012. Ref. Ares (2012)15841 – 06/01/2012; Brouwer. The EU Passenger Name Record System and Human Rights: Transferring Passenger Data or Passenger Freedom. In: CEPS Working Document (2009).
Proponents (mostly, security experts and law enforcement agencies) argue that PNR, if properly used for targeted
passenger profiling, are extremely valuable, with a potential to
reveal “clean skin” terrorists.33 According to British Conservative MEP Timothy Kirkhope, PNR data was “instrumental” in
capturing collaborators of the 7 July 2005 London bombers and
the 2008 Mumbai terror attackers, and “led to the capture of
dozens of murderers, pedophiles and rapists” and “95% of all
drug captures in Belgium and 85% in Sweden are caught using
PNR data.”34
Nevertheless, no matter how this can be viewed, the
collection and use of PNR for security purposes is already a
reality worldwide and common practice. The countries which
currently use PNR for law enforcement purposes include the
USA, Canada, Australia, New Zealand, South Korea and the
UK; Japan, Saudi Arabia, South Africa and Singapore, France,
Denmark, Belgium, Sweden, the Netherlands and others have
either enacted relevant legislation and/or are currently testing
potential uses of PNR data; others are considering setting up
PNR systems.35 According to Dutch Liberal MEP Sophie in ’t
Veld, the countries also planning to implement PNR regimes
include India, Malaysia, Qatar and the United Arab Emirates,
and it is only a matter of time before China does the same.36
As mentioned previously, the Russian system will be implemented in December 2013.
Apparently, all these states provide different data protection guarantees (if any), and have different opportunities to
enforce them in reality. The data protection perspectives will
be considered below.
4. PNR transfer: data protection perspective globally
From the data protection perspective, the problem is that PNR
contain personal data about air passengers, who are protected
by law both nationally and internationally.37 Accordingly, if
the security measures have an impact on the right to data
protection, they need to be accompanied by strong and
adequate safeguards.
33 Wolff. Are We Ignoring the “Risk” in Risk Based Screening? In: Aviation Security International. Vol. 18 (2012). p. 4.
34 BBC News Europe, MEPs back deal to give air passenger data to US, 19 April 2012, http://www.bbc.co.uk/news/world-europe-17764365 (date accessed: 30.04.2012).
35 Communication from the Commission On the global approach to transfers of Passenger Name Record (PNR) data to third countries, COM (2010) 492 final, Brussels, 21.9.2010, p. 4.
36 See Nielsen (2013).
37 International instruments include: the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 23.09.1980; United Nations Guidelines Concerning Computerized Personal Data Files of 14.12.1990; Article 8 of the European Convention on Human Rights, Articles 7 and 8 of the Charter of Fundamental Rights of the EU, Article 16 of the Treaty on Functioning of the EU; the Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28.01.1981 (known as Convention No 108; it is open for ratification by states other than members of CoE); APEC Privacy Framework of 2005, etc.
This is already reflected in international recommendations: the ICAO, for instance, urges the states using passenger
data for security purposes to ensure the protection of passengers’ privacy.38 §2.6.2 of ICAO PNR Guidelines contains
minimum requirements on data protection: the states
receiving PNR should:
• use the data only for the purpose for which they were collected,
• limit access to the data,
• limit retention of data,
• ensure the data subjects’ rights of access, rectification,
• ensure redress,
• ensure presence of data protocols and appropriate automated systems to access or receive data in a manner that is consistent with ICAO’s recommendations.
General principles of PNR data protection are as follows: (i)
the state should ensure that every state authority having access to PNR ensures the appropriate level of data protection;
(ii) in the absence of national data protection legislation,
states should establish procedures, develop laws or rules for
protection of PNR data; and (iii) there should be a reasonable
balance between the need to protect PNR data and right of the
state to require the disclosure of passenger data. Therefore,
states should not be overly restrictive concerning the transfer
of PNR data by air carriers to foreign authorities, and states
should ensure the protection of PNR.39 Since PNR often involves transborder data flow, governments are encouraged to
reach an agreement with each other in order to provide protection of personal data.40
But as mentioned above, the ICAO’s Guidelines are not
binding: ultimately, it is up to the states to establish concrete
requirements and guarantees. Some national regimes or
bilateral agreements already provide quite satisfactory guarantees. For instance, according to the EU–Australian Agreement, PNRs are stored for five and a half years; the use of sensitive
data is prohibited; a person has the right to access his or her
PNR data on request to the Australian Customs and Border
Protection Service; the list of governments entitled to access
PNR data is exhaustive; etc.41 But as said before, capabilities of
various states are different. The EU plays a special role in this
respect since data protection requirements are stricter and
much higher than in other countries.
First of all, it should be remembered that in the EU, the
Directive 95/46/EC of 1995 (DPD)42 is the most comprehensive
legal instrument on data protection.43 The transfer of personal
data from the EU to the countries lacking an adequate level of
protection is prohibited. Pursuant to the DPD, determinations
of adequacy which are binding on EU member states are made
by the European Commission with input from Article 29
Working Party, the Article 31 Committee, and the European
Parliament.44 Analysis of adequate protection comprises two
basic elements: the content of the rules applicable and the
means for ensuring their effective application.45 To date, only a
few countries have met the criteria,46 and Russia is not on the
list.
38 High-Level Conference on Aviation Security (HLCAS, September 2012) as well as ICAO Document 9944 Guidelines on Passenger Name Record (PNR) data of 2010.
39 §§2.12.1-3 of ICAO PNR Guidelines.
40 IATA. Facilitation and Passenger Data. http://www.iata.org/whatwedo/security/facilitation/Pages/index.aspx (date accessed: 19.08.2013).
41 Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, 29.09.2011. (L 186/4, 14.7.2012).
42 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of data.
In the case of PNR, if an airline transfers personal data of
EU passengers to a country lacking an adequate level of protection, it violates EU data protection legislation and risks
incurring liability in the form of fines established by national
legislation of EU member states. To avoid this result and
create a legal basis for the transfer, the EU followed the
practice of concluding bilateral agreements between the EU
and the states in question. Accordingly, it was sought to solve
the problem of inadequacy by ensuring an adequate level of
data protection in the agreements.
The history of bilateral PNR agreements between the EU
and non-member countries started in the early 2000s, after the
US requests for access to PNR data of European passengers
flying to the USA came into conflict with the EU data protection principles. As of the present, the EU has three
bilateral agreements on PNR, including an agreement with
the USA (the first agreement was concluded in 2004.47 It was
then ruled invalid by the European Court of Justice,48 and in
2006, an “Interim Agreement”49 was signed, followed by
a 2007 agreement50; on 19 April 2012, the European Parliament
43
For overview, see Bygrave Data protection law: approaching its
rationale, logic and limits (2002).
44
Council Decision 1999/468/EC of 28.6.1999 laying down the
procedure for the exercise of implementing powers conferred on
the Commission (OJ L 184, 17.7.1999, 23).
45
Further, see Article 29 Working Party Opinion 12/98 of 24.07.
1998 Transfers of personal data to third countries. Applying Articles 25 and 26 of the EU Data Protection Directive as well as
Article 29 Working Party opinions on concrete national regimes.
46
Andorra, Argentina, Australia, Canada, Switzerland, Faeroe
Islands, Guernsey, State of Israel, Isle of Man, Jersey, United
States (Transfer of Air Passenger Name Record Data and Safe
Harbour), New Zealand, and Uruguay. http://ec.europa.eu/justice/
data-protection/document/international-transfers/adequacy/
index_en.htm (date accessed: 19.08.2013).
47
Agreement between the European Community and the USA
on the Processing and Transfer of PNR Data by Air Carriers to the
United States Department of Homeland Security and Bureau of
Customs and Border Protection of 28 May 2004.
48
ECJ Judgment of 30 May 2006 on joint cases C-317/04 European
Parliament v. Council of the European Union and C-318/04 European
Parliament v. Commission (OJ C 228 of 11 September 2004), paragraphs 61, 70.
49
Agreement between the European Union and the United
States of America on the processing and transfer of passenger
name record (PNR) data by air carriers to the United States
Department of Homeland Security, 2006 O.J. (L 298) 29. This
agreement was valid until 31 July 2007.
50
Agreement between the European Union and the United States
of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of
Homeland Security (DHS) of 29 June 2007. 4.8.2007. (L 204/18).
gave its consent to a new agreement51),52 with Canada (the
first one concluded in 2005, with a new one being negotiated),53 and with Australia (the first one of 200854 and a new
one of 2011).55 The agreements were supposed to establish,
ensure and guarantee an adequate level of protection for
PNR transfer.
The problem arose that EU PNR agreements were
concluded on a case-by-case basis, and despite the fact that all
the agreements addressed the same issues, the provisions
were not identical, leading to different rules for air carriers
and for data protection. Data privacy advocates still argue that
the EU PNR agreements, especially the American one, fail to
ensure an adequate level of data protection or proof that they
are necessary and proportionate.56
In order to harmonize the PNR transfer and establish
common requirements, in 2010, the European Commission
published a strategy on the global approach to transfers of
PNR to non-EU countries (the EU Strategy).57 Two basic elements are in place: first, basic principles for the protection of
personal data for any PNR agreement with a non-EU country,
secondly, the means for ensuring their effective application.
However, for the longer term, if many more countries become
involved with PNR, the Strategy declared the EU’s aim to set
these standards on an international level.58
On the one hand, as Newman argues, although Europe
does not always prevail in international regulatory debates, in
the data privacy field it has acquired “regulatory capacity”,
creating and expanding rules in Europe and around the
world.59 It is a fact that during the past decades many countries, such as Russia, have established regimes based on the
EU model (at least on paper) and the list of “adequate” states is
slowly growing. On the other hand, with reference to
51
Agreement between the United States of America and the
European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security
Council of the EU (17434/11), adopted by Council 26.04.2012, on 19.
04.2012, the European Parliament gave its consent. The agreement entered into force on 1.06.2012.
52
For overview of EU–US PNR agreements 2004–2007, see Mironenko Air passenger data protection: Data transfer from the European
Union to the United States (2010).
53
Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information and Passenger Name Record data. 21.3.2006. (L 82/15).
54
Agreement between the European Union and Australia on the
processing and transfer of European Union-sourced passenger
name record (PNR) data by air carriers to the Australian Customs
Service, 8.8.2008. (L 213/51).
55
Agreement between the European Union and Australia on the
processing and transfer of Passenger Name Record (PNR) data by
air carriers to the Australian Customs and Border Protection
Service, 29.09.2011. (L 186/4, 14.7.2012).
56
E.g. Article 29 Working Party on data protection: Letter to the
Civil Liberties Committee of the European Parliament, Brussels, 6
January 2012. Ref. Ares (2012)15841 – 06/01/2012.
57
Communication from the Commission On the global
approach to transfers of Passenger Name Record (PNR) data to
third countries. Brussels, 21.9.2010, COM (2010) 492 final.
58
Page 10 of Communication from the Commission On the
global approach to transfers of Passenger Name Record (PNR) data
to third countries. Brussels, 21.9.2010, COM (2010) 492 final.
59
Newman Protectors of privacy: regulating personal data in the
global economy (2008) p. 8–9.
particularly PNR transfer, where the interests of national security are involved, and all the states are sovereign to impose
requirements on their own, the EU can hardly possess economic or political powers to impose the EU standards.
In addition, in reality, the complete compliance with the
rules on global data transfer seems to be very difficult, as in the
case of the EU PNR agreements. It is a question of whether it is
possible to provide adequate safeguards at all. Moreover, there
are some views which question whether the EU data protection
requirements on global transfer are adequate at all. It is argued
that some features of the current regime are “unrealistic, overly
bureaucratic, costly, and inefficient.”60 As a result, the restrictions on data transfer were (and probably are?) ignored by
many organizations.61 It is proposed that data transfer should be
governed by accountability and ongoing responsibility, rather
than arbitrary barriers and bureaucratic form filing.62
Finally, the enhanced surveillance and increased collection
of personal data for security purposes, including PNR, reflects
the worldwide tendencies. The Russian request raised concern
that it may be followed by other states outside Europe. By 2012,
eleven countries had filed a request at the European Commission for PNR data,63 and apparently, the number will continue to
grow. All of them can be encouraged to act unilaterally; the EU
may be faced with the same problems while dealing with each of
them. The request also drew attention to the disputable and
recently rejected (although not canceled) proposal on a European PNR system,64 whose circulation and possible adoption
may further weaken the EU’s position (already weakened by
accepting the EU–US terms) on any negotiations on PNR.
The problem is, therefore, much wider than the EU–Russian relations regarding PNR transfer, and involves all the
countries, both those requiring PNR and those whose airlines
have to provide PNR.
5. Russian PNR system: overview
In 2007, the Ministry of Transport of the Russian Federation
was required to create a unified state information system of
transport security (USISTS), with automated centralized databases of personal data on passengers (ACDPDP) being its
integrated part.65 The corresponding provisions were included
into the Russian Air Code66 and other regulation. However,
60
See Article 29 Data Protection Working Party Opinion 3/2010
on the principle of accountability, 13.07.2010, paragraphs 55–57.
61
Grant. Data protection 1998-2008. In: Computer Law & Security
Report. Vol. 25 (2009). p. 48.
62
Tene. Privacy: The new generations. In: International Data Privacy Law. Vol. 1 (2011). p. 22.
63
European Parliament. Committee on Civil Liberties, Justice
and Home Affairs. Draft Recommendation on the draft Council
decision on the conclusion of the Agreement between the United
States of America and the European Union on the use and
transfer of Passenger Name Records (PNR) to the United States
Department of Homeland Security. 30.01.2012.
64
In the meantime, EU PNR proposal was rejected in April 2013
by MEPs in the civil liberties committee.
65
The Federal law On Transport Security of 09.02.2007 N16-FZ
(Article 11).
66
The Air Code of Russian Federation of 1 April 1997, Article
85(1).
only in 2012, the concrete provisions on ACDPDP were stipulated by an order of the Ministry of Transport (Order).67 With
respect to air transport, initially, the Order was supposed to
enter into force from 1 July 2013, but then was postponed until
1 December 2013.
In contrast to other PNR schemes covering air transport
only (e.g. the EU–US system), the Order covers all modes of
transport: domestic and international air transport (including
flights into, out of, and over Russia), long-distance rail transport, international transport by sea, inland waterway and road
transport. In addition to participants of transport infrastructure68 and carriers (“Suppliers of information”), the data will
be provided by federal executive bodies as well as foreign
governments and organizations in the framework of international cooperation on transport security.
Suppliers of information incur liability for non-compliance
with the transport security requirements pursuant to legislation of RF,69 namely, administrative and criminal liability,
depending on the consequences of the violation. If the carrier
simply did not transfer the PNR data, the penalty is a fine or
grounding of the aircraft.70 If there are serious consequences
of violation (e.g. large-scale damage, grave injury to human
health, death of persons) then the carrier may incur criminal
liability, including imprisonment up to seven years.71
Accordingly, if foreign carriers flying to/from Russia or over
Russia to Asia choose not to transfer PNR to Russia due to
prohibition by EU data protection rules, they risk being
grounded, being subject to fines or more serious sanctions if
non-compliance caused serious injuries or damages.
As for the data protection issues, according to the Russian
authorities, the right to data protection will be respected
since, as mentioned before, Russia ratified the Council of
Europe Convention No 108,72 and in order to implement the
latter into national law, adopted Personal Data Law73 which is
applicable to PNR transfer. The Order also declares in §3 that
ACDPDP will be formed and operated according to the
following principles: compliance with the constitutional
rights of citizens, technological independence of the
ACDPDP’s structure and its functioning from administrative,
organizational and other changes in the activity of participants of information exchange; ensuring the confidentiality of
information; ensuring the integrity and reliability of the data
transferred.
67
Order of the Ministry of Transport of the Russian Federation
of 19.07.2012 N 243 On approval of the formation and maintenance of automated centralized databases of personal data on
passengers, as well as providing the data they contain.
68
Defined as legal and natural persons who are the owners of
transport infrastructure objects and vehicles or use them on a
different legal basis (Federal law On Transport Security of 09.02.
2007 N16-FZ Article 1(9)).
69
Article 12(3) of the Law on Transport Security.
70
Shadrina. Will not go far: From July next year it will not be
possible to buy a ticket for a single mode of transport without a
passport. In: Rossiyskaya Gazeta 26.09.2012 2012.
71
Article 263.1 of the RF Criminal Code.
72
Federal Law of 19.12.2005 N 160-FZ On Ratification of the
Council of Europe Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data.
73
Federal Law on Personal Data of 27.07.2006 N 152-FZ.
All these declarations sound fine, but what about concrete,
more detailed data protection guarantees? This requires
closer consideration: first, regarding Russian general data
protection law, secondly, regarding specific elements for PNR
transfer.
6. Overview of Russian data protection law
In the Russian Federation, historically, in contrast to the
western traditions, public interests prevailed over private
ones for many centuries. According to official Soviet ideology,
personal data was considered solely as an information
resource necessary for the state. In the absence of legal
regulation mechanisms, various abuses occurred: duplication
of powers of state and other bodies in the collection and
processing of personal data, excessive collection, etc. The
need to ensure the confidentiality of personal data was not
even considered.74
In the 1990s, the spread of computer technology made the
situation worse. Poor control over the use of personal data
without establishing liability led to the emergence of an
illegal market for various personal databases75 and other
abuses.76 The need to provide appropriate protection to personal data became clear. Moreover, the processes of European
integration and globalization dictated the need to bring
Russian legislation and practice into line with international
standards: otherwise, Russia could be isolated from other
countries in the data protection field.
Today, the Russian Constitution recognizes the rights of
privacy, data protection and secrecy of communications.77
Russia is a member of the Council of Europe and signed
Convention No 108 on 7 November 2001. However, the process
of ratification and implementation took years, and the
Convention was ratified with several reservations, among
other things, that it will not be applied to personal data
constituting state secrets. Russia reserved the right to impose
restrictions on the right of data subject to have access to his/
her personal data in order to protect national security and
public order.78 The final stage of the Convention ratification
was completed in 2013, when necessary amendments were
made to federal laws.79
The Personal Data Law was designed to fulfill Russia’s
obligation to implement the Convention No 108 into national
74
Petrykina Legal regulation of personal data flow. Theory and
practice. (2011) p. 4.
75
See Beroeva. Who and how do they steal databases? In: Komsomolskaya Pravda 2006.
76
Petrykina (2011) p. 4.
77
Articles 23–25 of the Constitution of the Russian Federation of
12.12.1993.
78
Federal Law of 19.12.2005 N 160-FZ On Ratification of the
Council of Europe Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data. The
Convention is in force in Russia from 1.09.2013.
79
Federal Law of 7.05.2013 N 99-FZ On Amendments to certain
legislative acts of the Russian Federation in connection with the
adoption of the Federal Law On ratification of the Council of
Europe Convention for the Protection of Individuals with regard
to Automatic Processing of Personal Data, and Federal Law On
Personal Data.
law and to build Russian data protection law according to
European and international standards. This would enable
Russia to come closer to equal cooperation with foreign
countries in the field of personal data protection and to solve
internal problems in ensuring the right to data protection.80
National data protection rules are also contained in other
acts81 and sector-specific federal laws.82
The Personal Data Law generally protects personal data from
being collected and processed illegally and without consent of
data subject. In comparison with the past, many positive
changes are in place, and the law is constantly updated. For
instance, substantial amendments were adopted in 2011, clarifying many important terms (e.g. personal data, controller,
anonymization of personal data, etc.), updating responsibilities
of the controller to secure the data, etc. However, there are still
some deficiencies in the regulation; some provisions are not
fully implemented in reality and are not effective.
Pursuant to the Personal Data Law Article 23, the Federal
Service for Supervision in the Sphere of Telecom, Information
Technologies and Mass Communications (Roskomnadzor) is
the authorized body in the sphere of personal data protection
responsible for supervising to ensure that respective activities
are carried out in compliance with the Personal Data Law.
However, in contrast to European data protection authorities
which are independent bodies, the Russian counterpart was
established under the Ministry of Communications83 and it is
a body structurally subordinated to the latter. In addition, the
Government, the Federal Security Service of the RF (FSB), and
other executive agencies acquired substantial powers in the
personal data field. Thus Roskomnadzor cannot be considered
fully independent.
One of the most critical points is that the Personal Data
Law gives many exemptions to the state authorities on the
basis of a wide range of grounds. In the context of PNR
transfer, the applicable grounds will be transport security and
security needs in general. Pursuant to these needs, the right of
the data subject to access to his/her personal data may be
restricted; the controller can be released from the obligations
to notify Roskomnadzor about the processing and to obtain
data subject’s consent even when processing sensitive data.
As a result, data subjects can hardly know which state organs
and officials are working with their data.84
Another critical point is that the legislation mainly focuses
on technical requirements to personal data processing rather
than on protection of data subjects.85 The data security
80
Tsadykova The constitutional right to privacy (2007).
81
Federal Law On Information, Information Technologies, and
the Protection of Information of 27.07.2006 N 149-FZ, Order of
President of RF of 06.03.1997 N 188 on Approval of the list of
confidential information (stipulates that the latter covers personal
data, with a few exceptions), Resolutions of Governments, etc.
82
E.g. Labor Code (Chapter 17), Tax Code (Art. 84), Federal Law
On Mass Media of 27.12.1991 N 2124-1, Federal Law On
Operational-search activities of 12.08.1995 N144-FZ, etc.
83
§2 of Resolution of Government of RF of 16.03.2009 N 228
About Federal Service for Supervision in the Sphere of Telecom,
Information Technologies and Mass Communications.
84
Modern Telecommunications Russia The Council of Federation
adopted Personal Data Law (2011).
85
Chernova. We protect personal data through multi-stakeholder
approach. In: Personal data (2013).
requirements are very comprehensive and detailed, differing
greatly from the respective rules of other states. For instance,
neither the EU nor the USA provides any technical standards. The laws indicate that the methods of data protection
must be reasonable and sufficient, leaving the implementation of these principles to the controller, who will take full
responsibility if the measures taken are insufficient.
In Russia, controllers must provide technical measures
according to the security levels determined by the RF Government.86 The choice of means of protection of personal data
is carried out by the controller in accordance with the regulations adopted by the FSB and the Federal Service for Technical and Export Control of the RF (FSTEC). In practice,
concrete methods and techniques appear to be excessive and
expensive: expenses for security equipment (which must be
produced by companies licensed by the FSTEC and the FSB)
constitute up to 200% of annual turnover and then 10–15% of
the cost for the annual maintenance.87 But in reality, personal
data in Russia are usually stolen by bribery of responsible
employees rather than by breaking the security systems, so all
these requirements may make no sense at all.
Other problems are poor administration and failure of
controllers to comply with the law.88 The annual report of
Roskomnadzor of 201289 noted that leakages of personal data
are caused by the failure of data controllers to ensure the
confidentiality and security. The most typical violations of
data protection requirements are violation of confidentiality
in the processing of personal data, inappropriate form of data
subject’s written consent, failure of the controller to ensure
security of personal data and exclude unauthorized access to
it, notification to the authority about the processing of personal data containing incomplete and (or) false information.
Further, the researchers note that Roskomnadzor is
concentrating on checking whether the controllers comply
with the formal requirements of law instead of checking
actual leakages of data; the controllers are punished for
violating the rules rather than for causing damage to the citizens.90 At the same time, Roskomnadzor faces a number of
difficulties: according to experts, it possesses insufficient resources and personnel; it cannot initiate administrative proceedings and does not receive help from other organs such as
the Ministry of Internal Affairs which considers data protection offenses as not serious.91
One more challenge is the relatively low amount of fines.
Today, sanctions for failure to observe the data protection
requirements include administrative, civil, disciplinary, and
criminal liability. However, the penalties are insufficient: for
instance, fines for violation of collection, storage, use or distribution of personal data for legal entities amount to 5–10 000
rubles.92 Accordingly, it is more profitable for the controllers
to pay the fines rather than implement the data protection
legislation.93 Moreover, a large number of administrative
cases are closed due to the expiration of the limitation period
which lasts only three months. In the meantime, it is proposed to substantially increase the amount of fines94 and the
limitation period.
As a result of all the mentioned factors, constant attempts
to make the law stricter do not necessarily achieve
their aims in reality, but create additional problems, significantly
complicating the life of controllers (many of them prefer
simply not to follow the law, and are more concerned with
avoiding problems with the authorities than with
actually protecting personal data) and of the end users (who will
ultimately be the payers), and creating opportunities for abuses and
corruption.95 There are still cases of unauthorized disclosure
of personal data on the Internet as well as thefts of databases
from various public and social institutions, mobile operators,
and other owners.96
Consequently, at present, the level of legal protection of
personal data in Russia falls behind the Western countries
where the legislation was passed decades earlier. Many factors make the right to data protection particularly vulnerable
in Russia: historical traditions, a relatively short period of legal
regulation, lack of an appropriate theoretical framework,
weaknesses of legislation and lack of enforcement mechanisms, and lack of judicial practice.97 The aim to reach the
data protection level of the EU and international standards is
still to be achieved.
Among proposed improvements, commentators suggest
the establishment of a new independent data protection authority, the inclusion of provisions in law for control of personal
data at all stages,98 a substantial increase in penalties for data
protection offenses and the imposition of more serious criminal sanctions, etc. But some problems cannot be solved by improving
data protection law only. For instance, the problem of the
illegal database market is mainly caused first by economic
reasons (low salaries of state officials) and secondly by the lack of
legal methods to obtain information, for example via special
private firms such as in the USA.99 Therefore, a broader,
86
Requirements for the protection of personal data during their
processing in information systems of personal data approved by
Resolution of RF Government of 01.11.2012 N 1119.
87
Modern Telecommunications Russia (2011).
88
Modern Telecommunications Russia (2011).
89
The Ministry of Communications of Russian Federation. The
Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications. Report on the
work of the Authorized body protecting rights of personal data
subjects for the year 2012. Moscow, 2013. Available at http://rkn.
gov.ru/docs/Otchet_2013_UZPSPD_RSPECTR.doc (date accessed:
26.09.2013). Pages 6, 11–15.
90
Chernova (2013).
91
Kovrigin Total non-compliance with data protection law in Russia
(2012).
92
RF Code of Administrative Offences Article 13.11.
93
From the explanatory note to the draft of Federal Law On
Amendments to the Code of Administrative Offences posted on
the Ministry of Economic Development website. Buh 1C Protection
of personal data: The results of the control (2012).
94
ConsultantPlus. Roskomnadzor suggests to substantially increase the amount of fines for violation of personal data processing. 14.09.2012. http://www.consultant.ru/law/review/fed/
nw2012-09-14.html (date accessed: 27.09.2013).
95
Modern Telecommunications Russia (2011).
96
See Palamarchuck. Supervision over the implementation of the
legislation on personal data on the Internet. In: Zakonnost. Vol. 12
(2010). p. 3–5.
97
Izmailova Privacy in civil law: the law of the UK, the USA and
Russia. (2009).
98
Izmailova (2009).
99
See Beroeva (2006).
complex approach to the solutions is needed: from education
and propaganda to repairing civil society systems and
combating corruption (which is a never ending process).
7. Analysis of data protection elements
In this section, the paper will analyze the concrete data protection elements of the Russian PNR regime as it stands to date,
taking into account the EU data protection requirements on
PNR, the ICAO recommendations (where applicable), and
the current EU–US PNR agreement.
For the analysis, the author used legislation and documents available from open sources, correspondence with the
Ministry of Transport and conversation with the Operator of
the ACDPDP (however, the latter stressed that the Operator is
responsible for the technical issues only and does not deal
with data protection issues).
It should be noted that a representative of the Ministry of
Transport, in response to the author’s questions, stated
that according to §§23–24 of the Order of the Ministry of
Transport of 04.07.2008 N86, “the characteristics of the processing, storage, transmission and protection of data in the
ACDPDP and USISTS as a whole, including personal data, are
restricted information and can only be provided on the basis
of a reasoned request from the organization, agency or enterprise, indicating the reasons for the need for the data,
methods for their further use and the measures to be taken by
the receiver to protect them.”100 Nevertheless, some answers
were received.
The list of considered elements is not exhaustive and
presents selected items which, in the opinion of the author,
are the most critical and disputable ones.
7.1. Use of data
According to the EU Strategy, the scope of the use of the data
by a third country must be determined clearly and precisely
and should be no wider than what is necessary for the aims to
be achieved. The purposes for PNR data should include only
law enforcement and security purposes to fight terrorism and
serious transnational crime. Moreover, the terms terrorism
and serious transnational crime should be defined based on
the EU regulation.
In the EU–US Agreement Article 4, PNR data are to be used to
prevent, detect, investigate and prosecute terrorism and
serious transnational crimes. Serious crimes are defined as
crimes punishable by 3 years of imprisonment or more under
US law. But the definition of transnational serious crime is
very wide, covering all crimes where more than one
jurisdiction is involved.101 Additionally, PNR may be used “on
a case-by-case basis where necessary in view of a serious
threat and for the protection of vital interests of any individual
or if ordered by a court” as well as “to identify persons who
100
Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A.,
Head of Department of Legal Support and Legislative Activities,
Ministry of Transport of RF.
101
Article 29 Working Party on data protection Letter to the Civil
Liberties Committee of the European Parliament (2012).
would be subject to closer questioning or examination.” This
means that PNR can be used for other cases as well (e.g. minor
immigration or customs offenses), and may be used for
profiling of passengers. According to the European Parliament,
PNR may in no circumstances be used for data mining or
profiling.102 As a result, data privacy advocates argue that the
purpose limitation is too broad and disproportionate.103
In Russia, §63 of the Order stipulates that processing of
passenger data in ACDPDP is carried out in accordance with
Article 5(2) of Personal Data Law which provides that the
processing of personal data should be limited to the achievement of specific, pre-defined, and legitimate purposes. The
processing of personal data that is incompatible with the
purpose of collection of personal data is not allowed. The
purpose of PNR processing is “to implement measures to
ensure transport security.”104
From the EU perspective, it can be argued that the purposes
are not indicated clearly or precisely, for example, no specification is made that the security purposes are restricted to
combating terrorism and serious transnational crime. In
practice, “measures to ensure transport security” can include
a very broad category of activities, including profiling.
Moreover, different statements made by officials in the
press may raise questions as well. For instance, according to
Chertok, Deputy Head of the Ministry of Transport and Federal
Service for the Oversight of Transport (Rostransnadzor),105
although the main purpose of the database is transport security, protection against acts of unlawful interference,
probably, in the future, information from the database will be
used for such cases as a passenger losing a ticket, or to recover
damages from the carrier on request of the court.106 Clearly,
these purposes may ensure passengers’ consumer rights, but
what about narrow purpose limitation?
In an interview of Smirnov, the suggestion was made that a
database should not be used for other purposes, for example
that it must not allow law enforcement agencies to take
untargeted people (for instance those who avoid child support, etc.) from the flight.107 The rules of the Personal Data Law
mentioned above prohibit the use of personal data incompatible with the purpose of collection, but will the security
organs follow without any exceptions similar to the US case?
It can be concluded that the Russian PNR system does not
fully follow the purpose limitation principle as prescribed by the
EU Strategy. However, by signing the EU–US PNR Agreement,
the EU accepted that this principle can be compromised.
102 European Parliament resolution of 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada.
103 European Data Protection Supervisor Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security (2011).
104 Article 11(1) of the Federal law On Transport Security.
105 Federal organ which will oversee the transfer of data to the database by transport companies.
106 Shadrina (2012).
107 Smirnov All the world has long been collecting the data this way (2007).
7.2. Data scope
The EU Strategy requires that the exchange of data should be
limited to the minimum and should be proportionate. There
should be an exhaustive list of the categories of PNR data to be
transferred; PNR containing sensitive data cannot be used
except under exceptional circumstances. The ICAO PNR
Guidelines contain the list of possible PNR elements.
The EU–US Agreement contains 19 PNR Data Types. In field
17, it contains SSR/OSI/SSI, which may include sensitive information. Moreover, a closer look reveals that many data
fields contain multiple data. See, for example, line 7: “All
available contact information (including originator information).” The same applies to other lines. According to the
opinion of EDPS, the list of data to be transferred to the DHS is
disproportionate and contains too many open fields; it should
be narrowed and exclude sensitive data.108
In Russia, there is a common list of data for all transport
modes, supplemented by additional fields for every transport
mode; hence, many data fields are repeated several times and
the list looks much longer than the American one. As
mentioned above, some technical problems arose with the
composition and structure of the proposed protocol of passenger data and some items. However, in developing the rules
of information exchange between a specific carrier and
Operator of USISTS, some data elements may be excluded
from the list or included, depending on technical possibilities.
An essential point is that in contrast to the EU–US list, the
Russian system does not require any PNR data which may
contain sensitive data. This was confirmed to the author in a
letter from the Ministry of Transport.109 No collection of sensitive data means no problem with their processing. This fact
makes the Russian list more proportional and reasonable in
comparison with the EU–US regime.
7.3. Data security
Both ICAO and the EU Strategy state that PNR data must be
protected against misuse and unlawful access by all appropriate
technical, security procedures and measures to guard against
risks to the security, confidentiality or integrity of the data.
The EU–US Agreement stipulates the technical measures
and organizational arrangements in Article 5(1–2). Additionally, in Article 5(3–4) it provides for notification of affected individuals in the case of a privacy incident and, in the cases of
“significant privacy incidents” involving PNR, of relevant European authorities.
The EDPS suggested that the recipients of the notification be
clarified, to notify a competent US authority; to define what
constitutes a “significant privacy incident”; to specify the content of the notification to individuals and to authorities.110 But
obviously, there are no claims regarding security standards.
108 European Data Protection Supervisor (2011).
109 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
110 European Data Protection Supervisor (2011).
As mentioned above, the Russian regulator provides
detailed and comprehensive security requirements. The
Order follows this line. Security of personal data is provided
by organizational measures and means (including cryptography), and information technologies. The Operator of
USISTS is responsible for data security of ACDPDP.111
Accordingly, he is obliged to use security equipment determined by the FSB and the FSTEC and produced by companies licensed by the FSB and the FSTEC. According to the
information of the Operator, all necessary attestation and
certificates for securing data in ACDPDP have been obtained.112 The Ministry of Transport specifies that providing
data to ACDPDP is carried out electronically via secure
channels (VPN-channels of Internet or channels of protected branch networks).113
Formally, it can be argued that the Russian PNR system’s
provisions on data security fall within the
international and EU requirements. But all the positive aspects may be negated, since, as mentioned before, personal
data in Russia are usually stolen by bribery of responsible
employees rather than by breaking the security systems.
7.4. Oversight and accountability
According to the EU Strategy, a system of supervision by an
independent public authority responsible for data protection
with effective powers of intervention and enforcement must
exist to exercise oversight over those public authorities that
use PNR data.
According to EU–US PNR Agreement Article 14, compliance
with the privacy safeguards shall be subject to independent
review and oversight by Department Privacy Officers, such as
the DHS Chief Privacy Officer. In addition, independent review
and oversight is conducted by the DHS Office of Inspector
General, the Government Accountability Office, and the U.S.
Congress. However, the Chief Privacy Officer is appointed by
and reports to the head of the DHS, thus cannot be considered
independent. Lack of independent supervision was indicated
as one of the weaknesses of this Agreement.114
As mentioned above, pursuant to Personal Data Law, the
authorized body in the sphere of personal data protection is
Roskomnadzor. The status, role and powers of Roskomnadzor
are closer to European data protection authorities than any of
the US organs mentioned above. However, it cannot be
considered as a fully independent body. This point may
constitute a weakness similar to that in the EU–US scheme.
111 The Operator is Federal State Unitary Enterprise “ZashshitaInfoTrans,” an enterprise subordinated to the Ministry of Transport.
112 Telephone conversation with the Operator’s employee 4.07.2013.
113 Ministry of Transport. Information for entities of the transport infrastructure and carriers in connection with the entry into force of the Order of Ministry of Transport of Russia N 243. 20.06.2013. http://www.mintrans.ru/news/detail.php?ELEMENT_ID=20360 (date accessed: 2.07.2013).
114 Article 29 Working Party on data protection (2012).
7.5. Transparency and notice
The EU Strategy provides that every individual shall be
informed at least as to the purpose of processing of personal
data, the persons who will be processing that data, under
what rules or laws, the types of third parties to whom data is
disclosed and how and from whom redress can be sought. The
ICAO suggests a typical form of such notification and stipulates that air carriers or their agents must properly notify
passengers (for example, at the time of booking of flight or
ticket purchase) that the carrier may be required to provide
any or all of its available data PNR to the authorities of the
state of departure, arrival or transit, and that this information
may be shared with other authorities.
The EU–US Agreement Article 10 contains corresponding
provisions. The Russian Personal Data Law provides that
the data subject has the right to be informed about processing
of his/her personal data, including information about the
legal basis, purposes of processing, the controller, terms of
processing and storage period, etc. (Article 14(7)). Accordingly, the controller must, upon request of the data subject,
inform him/her of processing of personal data (Article 18(1)).
However, the new PNR system does not provide any specific
rules about the air passenger notification. Clearly, the general rules obliging the controller to provide data “upon
request of the data subject” cannot ensure proper notification of every individual involved. This constitutes a weakness in comparison with the EU–US scheme and the ICAO
and the EU’s recommendations. The legislation should
oblige the authorities to ensure that the passengers are
informed about the data processing at the earlier stages
mentioned above.
7.6. Access, rectification and deletion
The EU Strategy and ICAO PNR Guidelines suggest that an
individual shall be provided with access to his/her PNR data,
and where appropriate, with the right to seek rectification and
deletion of his/her PNR data.
The EU–US Agreement Articles 11–12 state that any individual, regardless of nationality, country of origin, or place of
residence will have the right to access their PNR data, correct
or rectify the PNR, including the possibility of erasure or
blocking, if the information is inaccurate. But some “reasonable legal limitations” under US law apply. As a result, the
Working Party expressed doubts as to whether US law and the
Agreement provide for the respective rights in line with requirements of the EU law.115
Articles 14, 20 and 21 of Russian Personal Data Law stipulate the rights of the data subject to obtain information related
to the processing of his/her personal data, to access it, to cure
breaches of personal data processing, to correct, block or
destroy personal data. However, §5 of Article 14(8) of Personal
Data Law provides that the right of the data subject to access
to his/her personal data may be restricted according to federal
laws if processing of personal data is carried out according to
the legislation on transport security, in order to ensure the
stable and secure functioning of the transport system, to
protect the interests of individuals, society and the state in the
transport sphere against acts of unlawful interference.
Personal data collected according to the Federal law On
Transport Security constitute elements of transport security
information, thus, §5 of Article 14(8) restricts the data subject’s
right to access.116
115 Article 29 Working Party on data protection (2012).
In contrast to the EU–US Agreement, this is a general rule
rather than exception. However, the risk of broad application
of the restrictions and limitations in the US case makes the
regimes quite similar. Taking into account the acceptability of
the EU–US regime for the EU, it could be argued that the
Russian regime should be acceptable too.
7.7. Redress
The EU Strategy stipulates that every individual shall have the
right to effective administrative and judicial redress where his
or her privacy has been infringed or data protection rules have
been violated, on a non-discriminatory basis regardless of
nationality or place of residence.
Article 5(5) of the EU–US Agreement states that administrative, civil, and criminal enforcement measures are available for privacy incidents under US law. Article 13 provides
redress for individuals regardless of nationality, country of
origin, or place of residence. Administrative and judicial redress in accordance with US law is provided.
The EDPS noted that Article 21 explicitly states that the
agreement “shall not create or confer, under US law, any right
or benefit on any person,” hence, even if a right to redress is
granted in the US under the agreement, such right may not be
equivalent to the right to redress in the EU.117
In Russia, the data subject’s rights are protected according
to Personal Data Law,118 stating that if the data subject believes that the data controller infringes his/her rights and
liberties, he/she is entitled to contest controller’s actions or
failure to act with the authorized data protection body or in
court. The data subject has the right to protect his/her rights
and legal interests, including the right to require compensation for losses and/or compensation for moral damage, in
court (Article 17).
Formally, although this is not stipulated with reference to
the PNR system, according to the principle of equality of individuals before the law, the right to administrative and
judicial redress under the Russian law may apply for individuals regardless of race, origin, nationality, etc. However,
it is unknown whether effective enforcement measures will be
available for privacy incidents involving PNR as long as there
are problems with human rights enforcement in general. It is
hence questionable if redress mechanisms correspond to the
standards of the EU law. Accordingly, the problem of failure to
provide the right to effective judicial redress may appear.
However, the EU accepted this risk in the EU–US case.
116 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
117 European Data Protection Supervisor (2011).
118 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
7.8. Retention of data
Both the ICAO and the EU recommend that the period of
retention of PNR should not be longer than necessary for the
performance of the defined tasks. The EU Strategy notes that
the period of retention should take into account the different
ways in which PNR data are used and the possibilities of
limiting access rights over the period of retention, for example
by gradual anonymization of the data. ICAO adds that the
state should, in accordance with national laws or regulations,
have a system for monitoring, ensuring appropriate deletion
of the PNR data.
Under the EU–US Agreement, US authorities will keep PNR
data in an active database for up to five years. After the first six
months, all information which could be used to identify a
passenger would be “depersonalized.” After the first five years,
the data will be moved to a “dormant database” for up to ten
years, with stricter access requirements for US officials.
Thereafter, data would be fully “anonymized” by deleting all
information which could serve to identify the passenger. Data
related to any specific case will be retained in an active PNR
database until the investigation is archived.
According to the EDPS and the Working Party, the storage
of all data for up to 15 years is excessive and disproportionate.
Moreover, after 15 years, only anonymization of the data is
provided. Taking into account the difficulty of truly anonymizing data and the lack of explanation as to why the anonymized
data is needed, it should be deleted.119 The EDPS goes even
further and suggests that the data should be anonymized
(irreversibly) or deleted immediately after analysis or after a
maximum of 6 months.120
In Russia, Article 5(7) of the Personal Data Law states that
personal data shall be stored in a way that allows verification
of the identity of the data subject no longer than it is necessary
for processing purposes, if the retention period of personal
data is not set by federal law or the treaty to which the data subject is a party (or beneficiary, guarantor). Processed personal data shall be destroyed or anonymized upon achieving
the set purposes or if such purposes cease to be
relevant, unless otherwise provided by federal law.
In the case of PNR data processing, the retention periods
are not determined,121 providing options for unlimited storage. Clearly, this contradicts international and the EU recommendations on data protection, and is weaker overall than
the (although controversial) EU–US scheme.
7.9. Domestic sharing
The EU Strategy states that PNR data should only be disclosed
to other government authorities with powers to combat
terrorism and serious transnational crime, and which afford
the same protections as those afforded by the recipient agency
under the agreement in accordance with an undertaking to
the latter. PNR data should never be disclosed in bulk but only
on a case-by-case basis. According to ICAO PNR Guidelines
§2.12.1, the state must take steps to ensure that every public
authority having access to PNR must provide the appropriate
level of data management and data protection.
119 Article 29 Working Party on data protection (2012).
120 European Data Protection Supervisor (2011).
121 This was also stated in the Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
The EU–US Agreement provides corresponding provisions
in Article 16. However, according to the Working Party, the
agreement is not specific on how compliance with the safeguards can practically be ensured, particularly with respect to
retention periods; the agreement does not provide that
transfers shall be done on a case-by-case basis only.122 The
EDPS believes that the list of authorities that might receive
PNR should be specified, and the DHS should not transfer the
data to other agencies unless they guarantee an equivalent
level of protection.123
In Russia, according to Article 11(4) of the Federal law On
Transport Security, information resources of the USISTS are
restricted information. The Order in §13 provides that federal
executive bodies authorized by the Government of the
Russian Federation to carry out functions in the field of
transport security, the Russian Interior Ministry, and the
Federal Security Service (FSB) (“consumers of information”)
use the data contained in the ACDPDP.
But what actually are the “federal executive bodies
authorized by the Government of the Russian Federation to
carry out functions in the field of transport security”? Logically, it should be found in the Government’s resolutions.
As for aviation security, the development and implementation of the state policy in aviation security is fulfilled by
the Federal Air Transport Agency.124 But actual aviation security activities – providing measures to protect civil aviation
against acts of unlawful interference – are performed by this
agency in cooperation with the Federal Security Service of the
Russian Federation (FSB), Ministry of the Interior, Ministry of
Defense, Ministry of Foreign Affairs, Federal Customs Service
of the Russian Federation.125 In addition, according to the
Program of Civil Aviation Security of the Russian Federation,
some functions are carried out by the Ministry of Transport
and Federal Service for the Transport Oversight (Rostransnadzor), as well as other interested federal organs of the
executive branch.126 It can be seen that the list can hardly be
exhaustive.
Moreover, for other transport modes, additional organs
may be relevant. Taking into account that the database is
common for all transport modes and that all the organs
authorized to carry out security functions on other transport
modes (rail, sea, etc.) also will have access to the data, the
scope of organs having access to the data is quite broad.
At the same time, according to the information of the Operator,127 the organs authorized to use the data contained in the
ACDPDP are limited to the Interior Ministry, FSB, and security
department of the Ministry of Transport (i.e. not even the whole
ministry, but a special department), while a representative of
the Ministry of Transport, in response to the author’s request,
noted that the list of organs authorized to access data from the
ACDPDP is contained in the Order128 – see above.
122 Article 29 Working Party on data protection (2012).
123 European Data Protection Supervisor (2011).
124 §7, Resolution of Government of RF of 30.07.1994 N 897 About Federal System of Protection of Civil Aviation from Acts of Unlawful Interference.
125 §8, Resolution of Government of RF of 30.07.1994 N 897 About Federal System of Protection of Civil Aviation from Acts of Unlawful Interference.
126 Program of Civil Aviation Security of the Russian Federation, Order of the Ministry of Transport RF of 18.04.2008 N 62 (with amendments of 10.03.2011).
127 Telephone conversation with the Operator’s employee 4.07.2013.
Since the information is quite controversial, it is not possible
to draw any certain conclusions. Apparently, the same problems as those indicated with reference to the EU–US scheme
above may be relevant. It would be helpful if the regulator provided an exhaustive list of authorized agencies and obliged
them to provide safeguards.
7.10. Onward transfers to third countries
The EU Strategy stipulates restrictions on use and further
dissemination of PNR data to another third country. Such onward transfers shall be subject to appropriate safeguards. In
particular, the receiving third country should transfer this information to a competent authority of another third country
only if the latter undertakes to treat the data with the same
level of protection as set out in the agreement and the transfer
is strictly limited to the purposes of the original transfer of the
data. PNR data should be disclosed only on a case-by-case basis.
The EU–US Agreement provides rules on third countries
transfer in Article 17(1). They refer to the terms of the agreement, but the latter does not specify how compliance with
these terms can be ensured; the agreement does not provide
that transfers shall be done on a case-by-case basis only.129
The EDPS recommends that data transfers to third countries
should be subject to prior judicial authorization; the DHS
should not transfer the data to third countries unless they
guarantee an equivalent level of protection.130 Other comments include the following: there is no obligation to make
sure that third countries do not forward the information to
other parties/countries; no penalty if the third country uses
the data for something else; no obligation to ensure that the
onward transfer is proportionate; no need to keep records of
the transfer; no role for any data protection authority.131
The Russian Order does not contain any terms and provisions on transfer to other countries. The Personal Data
Law Article 12 contains general rules: cross-border transfer of
personal data to foreign countries that are parties to the
Convention No 108, as well as to other foreign countries
providing adequate data protection is carried out in accordance with this federal law, and may be prohibited or limited
in order to protect the foundations of the constitutional system of the Russian Federation, morality, health, rights and
lawful interests of citizens, national defense and state security. The list of foreign countries that are not parties to
Convention No 108 and provide adequate data protection is
adopted by the authorized body (Roskomnadzor).
128 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
129 Article 29 Working Party on data protection (2012).
130 European Data Protection Supervisor (2011).
131 Amberhawk Training Limited A review of some important aspects of the EU–USA PNR agreement (2011).
The Ministry of Transport did not provide to the author any
further details on the possibilities of onward transfer of PNR,
referring to restricted information.132 According to the information of the Operator, the PNR data will not be transferred
from Russia to other countries.133 No transfer means no
problems similar to those indicated for the EU–US scheme.
However, lack of concrete provisions does not constitute
grounds for concluding that there will be no transfer for sure;
additional legal guarantees are needed.
7.11. Methods of transfer
The EU Strategy and PNR Guidelines of ICAO suggest that to
safeguard the data in the databases and to maintain airlines’
control thereof, data should be transmitted using the “push”
system.134 The Strategy adds that the number of times that
data is transferred before each flight should be limited and
proportionate.
Article 15(1) of EU–US Agreement states that data will be
transferred using the “push” method. However, Article 15(5)
requires carriers to “provide access” to PNR data in exceptional circumstances. The Working Party argued that if the
pulling of data remains technically and legally possible, there
should be rigorous independent monitoring (of the log files).135
EDPS suggested prohibiting the “pull” system.136
Article 15(3) requires carriers to transfer PNR to DHS
initially at 96 h before the scheduled flight departure and
additionally either in real time or for a fixed number of routine
and scheduled transfers as specified by DHS. This provision
fails to determine the frequency of PNR transfers clearly.137
According to the Russian Order, the suppliers of information provide data to ACDPDP in electronic form automatically
on a schedule, on a time scale close to real time, by selecting the
required data from their information systems and unloading
them into the exchange file of agreed format. This means that
the “push” method is used.
Data transfer mode is 24 h a day/7 days a week. The suppliers must provide data to ACDPDP no later than 30 min after
entering the data into their information systems (unless
otherwise provided by the regulation of passenger data
transfer of a particular transport mode). For air carriers, API
and PNR data collected before the passenger check-in at the
airport must be transferred to ACDPDP 36 h before passenger
check-in at the airport of departure.
Transfer of API data received during check-in at the airport
is done in interactive regime (if such regime is available) or
15 min before the departure of the aircraft. Transfer of PNR data
obtained in the course of boarding of the passengers on the
aircraft and after the departure of the aircraft is done immediately after fixing these events in the air carrier’s systems.
132 Letter of 5.08.2013 N 07-05-01/1277-is signed by Druzhinin A.A., Head of Department of Legal Support and Legislative Activities, Ministry of Transport of RF.
133 Telephone conversation with the Operator’s employee 4.07.2013.
134 The “push” method of transfer implies that the data are selected and transferred by airlines to the authorities upon request of the latter. The “pull” method means that the authorities have direct and immediate access to airlines’ databases.
135 Article 29 Working Party on data protection (2012).
136 European Data Protection Supervisor (2011).
137 Article 29 Working Party on data protection (2012).
It can be seen that, in contrast to the EU–US scheme, the
frequency of PNR transfers is defined, and only the “push”
method is used; thus, stronger protection is given.
8. Conclusion
It is clear that PNR exchange is becoming worldwide practice.
Not only Russia, but many other countries are using or planning to impose PNR regimes. The international community
represented by such organizations as ICAO and IATA, realizing that this process will grow, is endeavoring to establish
common rules which would standardize and harmonize PNR
collection for security purposes, including data protection
standards. However, their recommendations are not obligatory and there are no enforcement mechanisms.
The EU, with its strict data protection regulation, also endeavors to establish common standards for PNR transfer to
third countries, but the EU hardly possesses economic or political powers to enforce these standards in the rest of the
world. It is also questionable whether the EU requirements are
realistic at all: the already concluded bilateral agreements
show that full compliance with the EU data protection requirements has not been achieved.
The analysis of the Russian PNR regime reveals that
many elements of the system are based on the ICAO PNR
Guidelines. As for the data protection, the Russian Personal
Data Law is applicable, which is based on the international
and the EU standards. Some data protection guarantees, at
least formally, are provided. The positive features are non-processing of sensitive data and usage of only the “push”
method of transfer (both of which constitute better protection
if compared with the EU–US PNR regime) and strict requirements to data security.
Some elements are provided, but various weaknesses
remain: The purposes of transfer are established, but they are
broad. Provisions on oversight and accountability are contained in the Personal Data Law, but the data protection authority is not completely independent. Rules on redress are
provided, but in practice they may be weaker than the EU level
of protection. The list of organs authorized to access the data
is provided, but its exhaustiveness is questionable. The data
subject’s right to access to his/her personal data is restricted
on the grounds of transport security needs. However, these
weaknesses are quite similar to the EU–US system.
The points which are weaker than the EU–US scheme are
the lack of terms on transparency and notification and the fact
that the retention periods are not determined. Finally, terms
of onward transfer to other countries (if any) are restricted
information.
Some of the indicated weaknesses could be repaired if the
Russian regulators provided further legal rules on this matter, that is, more specified and concrete provisions and guarantees regarding the PNR system in addition to general rules
of the Personal Data Law. This concerns in particular the
redress mechanisms, oversight and accountability, transparency and notification. Other weaknesses concern mainly
the security demands and needs (the purposes of processing,
the right to access, retention period, the list of organs, and
transfer to other countries). Apparently, for any change,
balancing between data protection and security interests is
required.
But the analysis of Russian PNR rules “on paper” is not
enough. One more challenge relates to specific Russian realities. Historical background as well as the situation with
human rights and civil society in Russia in general make data
protection rights particularly vulnerable. The problems indicated with reference to general data protection law, if not
solved, may be applicable to the PNR regime as well. Providing
effective law enforcement mechanisms depends greatly on
the whole system, including legal, judicial and other systems
and integral parts of the civil society, and the weaknesses of
these parts may play a negative role. Thus, simply establishing legal norms to protect passengers’ data protection rights
may not be enough.
Overall, no matter if the Russian PNR system is considered to
be better, worse or the same as the EU–US one, from the EU’s
perspective, Russia is not a country providing an adequate level
of data protection; thus, transfer of PNR by EU airlines to Russian
authorities would be illegal. From 1 December 2013, if the situation does not change (by settlement of the conflict of laws, or if
the new measure is canceled or postponed again), the EU airlines will find themselves in a difficult situation: to fly to or over
Russia, they will need to comply with either EU or Russian law.
Therefore, a dialog between Russia and the EU is expected.
Of course, the conflict of laws can be approached with the help
of political or economic pressure. For example, the review of
the visa facilitation deal with Russia could be used “as
leverage” to counter Russia’s demands.138 There are a number
of other pending issues which could be used as well, but it is
quite doubtful that they may help the EU to “cancel” the
Russian PNR regime or solve the data protection problems.
Another solution could be a bilateral EU–Russian PNR
agreement. Apparently, it will be problematic to resolve all the
data protection problems discussed above by a contractual solution. In addition, the EU, by accepting the EU–US PNR scheme,
weakened its position in the negotiation with Russia (as well as
other countries requiring PNR data): it would be the politics of
double standards to deny to others what was accepted for the
USA. Moreover, the EU’s own proposed PNR regime raises
similar questions and disputes; if adopted, the data protection
positions will be further weakened. But an agreement could at
least create a legal basis for the transfer, not leaving the EU
airlines alone with the dilemma; thus, it is preferable to have an
agreement than not to have one. However, the author cannot
exclude the possibility that the EU–Russian negotiations might
be pending for an unknown period of time.
But again, no matter what will be stipulated in the Russian
law and/or in a contractual solution (if any) between the EU
and Russia, a separate question will be whether Russia is
capable in reality of ensuring the established rules, safeguards
and guarantees.
From a global perspective, the Russian PNR regime is not
the only one to emerge: as stated, many states require or will
require PNR data. The majority of states will be considered as
failing to provide an adequate level of data protection in EU
terms. For a part of them, the dilemma of law-in-books versus
law-in-action will be relevant. Consequently, similar challenges and difficulties may concern any state.
138 The Portugal News, Euro MPs raise grave concerns over Russia’s demand for EU air passengers’ data (2013).
Further, no state is immune from ever more
enhanced surveillance and possible abuses by law enforcement authorities in the name of security. Even within the
PNR frameworks established and negotiated with the EU, who
can guarantee that the USA will keep its promises, and that
abuses and violations will not happen? The recent cases of the
NSA’s secret use of personal data pursuant to surveillance programs do not add optimism to the picture.
As a result, the question formulated above – Is it possible
to use PNR and at the same time respect the passengers’
rights? – cannot be answered in a simple way. Clearly, globally, the PNR case, upon closer look, reveals a number of
critical issues: the security versus privacy dilemma, privacy
and data protection concerns, problems of internal regulation
and law enforcement, enhanced and unlimited surveillance,
underdevelopment of democratic values, etc.
How to deal with these problems? Further dialogs between
the states, including discussions on the international level,
could be helpful. The ICAO PNR recommendations are already
used as models for PNR transfer, but deficiencies remain, and
there are no enforcement mechanisms. Bilateral agreements,
although providing a legal basis for transfer, fail to resolve all
the problems. The point is that PNR processing is a part of
national security strategies, where the powers of the international community or other states are limited. The majority
of the problems have internal, national roots. Thus, national
endeavors constitute the key factors, and a broader, more
complex approach is needed.
Acknowledgment
The author would like to thank Prof. Dag Wiese Schartum and
Prof. Lee Andrew Bygrave for their valuable comments to an
earlier version of this article.
References
Amberhawk Training Limited. A review of some important
aspects of the EU–USA PNR agreement; 2011.
Article 29 Working Party on Data Protection. Letter to the Civil
Liberties Committee of the European Parliament. Brussels; 2012.
Beroeva Nigina. Who and how do they steal databases?
Komsomol Pravda 2006.
Brouwer Evelien. The EU passenger name record system and
human rights: transferring passenger data or passenger
freedom. CEPS working document; 2009.
Buh 1C. Protection of personal data: the results of the control.
http://buh.ru/document.jsp; 2012.
Bygrave Lee A. Data protection law: approaching its rationale,
logic and limits. The Hague/London/New York: Kluwer Law
International; 2002.
Chernova Aleksandra. We protect personal data through multistakeholder approach. Pers Data.
http://www.privacy-journal.ru/article/122/2/1516; 2013.
Elkova Olesya, Kolobkov Sergey. Russian sky will be closed to
the lock. http://www.rbcdaily.ru/industry/562949987318547;
2013.
European Data Protection Supervisor. Opinion of the European
Data Protection Supervisor on the proposal for a council
decision on the conclusion of the agreement between the
United States of America and the European Union on the use
and transfer of passenger name records to the United States
Department of Homeland Security; 2011. Brussels.
Grant H. Data protection 1998–2008. Comput Law Secur Rev
2009;25:44–50.
Hasbrouck Edward. What’s in a passenger name record (PNR)?.
http://hasbrouck.org/articles/PNR.html; 2009.
Izmailova NS. Privacy in civil law: the law of the UK, the USA and
Russia; 2009. Moscow.
Kovrigin VV. Total non-compliance with data protection law in
Russia. http://can-work.ru/index.php/neews/press-tsentrkompanii/145-law-on-personal-data-if-it-works; 2012.
Lyon David. Surveillance studies: an overview; 2007.
Mironenko Olga. Air passenger data protection: data transfer
from the European Union to the United States; 2010. Oslo.
Modern Telecommunications Russia. The Council of Federation
adopted personal data law. http://www.telecomru.ru/article/?id=606; 2011.
Newman Abraham. Protectors of privacy: regulating personal
data in the global economy; 2008.
Nielsen Nikolaj. EU tells Russia to drop air passenger data law.
http://euobserver.com/justice/120387; 2013.
Nielsen Nikolaj, Rettman Andrew. Russia blames EU for airline
data fiasco. http://euobserver.com/justice/120450; 2013.
Ntouvas Ioannis. Air passenger data transfer to the USA: the
Decision of the ECJ and latest developments. Int J Law Inf
Technol 2008;16:73–95.
Palamarchuck AV. Supervision over the implementation of the
legislation on personal data on the Internet. Zakonnost
2010;12:3–5.
Petrykina NI. Legal regulation of personal data flow. Theory and
practice. Moscow; 2011.
Poullet Y. Data protection legislation: what is at stake for our
society and democracy? Comput Law Secur Rev
2009;25:211–26.
Schneier Bruce. Schneier on security. Indianapolis, Ind.; 2008.
Shadrina Tatiana. Will not go far: from July next year it will not be
possible to buy a ticket for a single mode of transport without
a passport. Ross Gaz 2012. 26.09.2012.
Sirena-Travel. Problems of realization of the order of the Ministry
of Transport N243. http://www.ato.ru/content/problemyrealizacii-prikaza-mt-rf-no243-formirovanie-i-vedenieavtomatizirovannyh; 2013.
Smirnov Oleg. All the world has long been collecting the data this
way. http://www.aviaport.ru/digest/2007/04/09/118983.html;
2007.
Solove DJ. Data mining and the security-liberty debate. Univ Chic
Law Rev 2008:343–62.
Tene Omer. Privacy: the new generations. Int Data Priv Law
2011;1:15–27.
The Portugal News. Euro MPs raise grave concerns over Russia’s
demand for EU air passengers’ data.
http://www.theportugalnews.com/news/euro-mps-raise-grave-concernsover-russias-demand-for-eu-air-passengers-data/28637; 2013.
Tsadykova Elvira A. The constitutional right to privacy; 2007.
Moscow.
Wolff Steve. Are we ignoring the “risk” in risk based screening?
Aviat Secur Int 2012;18.
Yehoshua Sagit. Terrorist profiling: analysing our adversaries
personalities. Aviat Secur Int 2011;17.