UNITED24 - Make a charitable donation in support of Ukraine!

Homeland Security

24 September 2003

U.S., EU Discuss Terrorism, Passenger Data Issues

DHS's Hutchinson in talks with EU in Brussels

Asa Hutchinson, under secretary for border and transportation security in the U.S. Department of Homeland Security, was in Brussels for talks September 22 with European Union officials on homeland security issues, including the transfer of some passenger data by airlines to U.S. authorities.

The United States and the EU are currently engaged in talks to ensure that U.S. systems for collecting this data, necessary in the fight against terrorism, are compatible with EU personal data protection rules.

Calling his meeting with Internal Market Commissioner Frederik Bolkestein "productive," Hutchinson said they had a frank discussion on the need to balance data privacy concerns with security, and they hoped to find an agreement by the end of 2003 so that the European Commission can declare the U.S. data protection system in compliance with EU rules (an "adequacy finding").

"We reached a commitment to pursue an adequacy finding by the end of the year," Hutchinson told reporters September 23, adding that technical experts would be meeting in the coming weeks.

In meetings with Justice and Home Affairs Commissioner Antonio Vitorino, other senior Commission officials, and Italian Ambassador to the EU Umberto Vattani (representing the Council presidency), Hutchinson thanked the EU for its cooperation in the fight against terrorism. He also took the opportunity to discuss Department of Homeland Security initiatives in the areas of aviation and container and border security, and to talk about ways that the United States and the EU could increase their cooperation in those areas.

Following is the transcript of Hutchinson's September 23 press availability at the U.S. Mission to the EU in Brussels:

(begin transcript)

U.S. Mission to the European Union

Asa Hutchinson, Under Secretary for Border and Transportation Security U.S. Department of Homeland Security

Press Availability
September 23, 2003

HUTCHINSON: It is very good to be in Brussels this morning and for this trip. I'll make a couple of brief comments and then turn it over to your questions. Yesterday I had a series of meetings with leaders in the European Commission; they were very productive meetings. I took advantage of the opportunity to thank our European allies for their cooperation in the fight against terrorism.

Wherever you look at homeland security issues the fact is that we've been able to capture or detain or otherwise incapacitate two-thirds of the Al-Queda senior leadership and operational managers across the globe, and the fact that they have been put out of business has enhanced our homeland security efforts at home. I was able to discuss with the various commissioners, leaders that I met with, initiatives of the Department of Homeland Security in terms of aviation security and border security, and discuss ways that we could increase our cooperation in those areas.

I emphasized to them the balance that we are trying to achieve in homeland security, the fact that we're trying to emphasize that we want to continue being a welcoming country, welcoming our foreign guests to the United States. It's important for us to continue to have an interchange from foreign students, this is (inaudible) tourists of the United States. So we want to facilitate that travel, but at the same time to be able to increase the security, and we had good discussions about that balance that we hope to achieve in the Department of Homeland Security.

We obviously talked about passenger information from the airlines and how it's needed to ensure the safety of our air passengers. I recognize legitimate privacy issues that have been raised by the European Commission. We had very frank discussions about those, to look for ways to resolve the concerns that had been legitimately expressed, and we also discussed the necessary safeguards that could be put into place that would give assurance to air passengers, not only their safety, but also the appropriate protection of their privacy.

I was pleased with the progress of those meetings. We reached a commitment to pursue an adequacy finding by the end of the year, which is a significant statement and point of agreement. We also received a commitment for our technical teams to meet in the coming weeks, to further make progress and hopefully leading to an adequacy finding. And I pledge, certainly, our support for those meetings and look forward to a successful conclusion of those and continue to discuss our mutual concerns in looking for a solution that will address both our countries' needs. With that I'm happy to turn it over to questions.

Q: Did you offer something better than seven years of the length of data conservation?

HUTCHINSON: We had discussions about the length of time that the information need to be available. Initially there was a term of 50 years that was discussed in terms of needing this information. Obviously that was in my judgment not necessary, and we reduced that to a period of seven years. And it was really an opportunity for [European Internal Market] Commissioner Bolkestein to respond to that, so that was a proposal that we had put on the table and there was a response at this meeting to that, and there will be further discussions as to what is the appropriate length of time.

I'll tell you that the question was asked as to why seven years, and I used the illustration that that was similar to the length of time between the first attack on the World Trade Center and the second attack on the World Trade Center. And so if we would've had information in the year 2000 that we were trying to investigate and see (inaudible) terrorism, it's a very short amount of time in law enforcement circles. And I think that puts it in perspective that there might not be anything magical about seven years, but it's a very short amount of time if they're trying to investigate terrorism. The sleeper cells that exist are sometimes in operation and in training for even longer periods of time than that before they take action, and so being able to review previous slides and previous information going after terrorists, it's helpful and could be useful in protecting air passengers.

Q: You are going to see the EC [European Commission] again in October. If you don't reach an agreement at that time would you be prepared to go to the WTO [World Trade Organization]?

HUTCHINSON: In reference to this issue, I believe that between now and that meeting in October, that our technical teams will meet and I expect them to make progress and that we will make additional progress whenever we meet again with Commissioner Bolkestein. Now, our objective would be by the end of the year to reach an adequacy finding, so we still have time after that. It would be nice to conclude the discussions then but that would be a very, very early time frame and it might take longer -- we'll have to wait and see.

Q: Would that mean there is no WTO question (action...) from your side?

HUTCHINSON: No. From our standpoint we expect and are hopeful that we can resolve these issues with the European Commission and there's no further plans beyond that.

Q: What is the state of play now and what is the reality for airline passengers and airlines coming from Europe? What are the United States administrations doing about that?

HUTCHINSON: Well, under an interim agreement, we are receiving from the airlines some passenger information and that has been used for their safety. And I think that that should be reassuring to the European travelers, that there's not been any bad experience there that I'm aware of, and I think it's been helpful to facilitate legitimate travelers and we've taken steps during that time to make sure that information is protected and only used for their safety.

Q: Some of the airlines, for instance, Alitalia, do not give to you information. What about these airlines?

HUTCHINSON: There has been a recognition that there is a conflict in the demands that has been put on the airlines and so we're trying to work with them. I wouldn't want to get into the details of each airline as to what's been transferred and not be transferred, but that information is important for the safety of the passengers and we're asking the airlines to help us to provide that safety. Sometimes we are giving some flexibility there because of some of the concerns we've raised with the European Commission. But we certainly need that information and we are receiving it by most of the carriers.

Q: Can you say what the three main issues that separate you and the Commission are? Would one of them be the seven-year period? Could you list the two others?

HUTCHINSON: Well, the purpose limitation is an issue that's discussed. There's a general consensus that this is important information to fight terrorism. And so the discussion is, how do you appropriately define what would be terrorist type of offenses that you would look at? Obviously, we think it's important when it comes to, for example, narcotics offenses, which have historically been a link to terrorism. That's a safety issue and important tool to fight terrorism. When you're looking at financial crimes and money laundering, that is an important tool of terrorism and you would not want to eliminate that from the purpose of these adequacy findings. And then you look at the safety of the passengers, do you want to exclude the capability of using this information to capture a wanted murderer?

So these are the discussions and we hope that we can resolve those, but I make the point that there will always be gray areas as to how you properly define the terrorism link and the appropriate crime to look for the safety of the passengers. And the most important thing is that you have checks and balances, you have protections in there to make sure the information is not used inappropriately. And so that was the approach that I was taking.

So, the purpose limitation is one issue. Another issue is sensitive data. Obviously there is sensitive information, such as dietary requests that a passenger would make, that we have no business knowing, we don't want to know. And so we were certainly giving assurances that there's certain sensitive information that should be protected and we have no need and do not want to know. So, there were discussions in that area.

The third area was the length of time the data would be retained. And then the recourse for the passengers if an error was made. And we have taken significant steps to give recourse to a passenger that wants the information to review it or believes that it is inaccurate. We have put in place a chief privacy officer in the department that would handle these types of issues. We would have an ombudsman for the passengers, an advocate to look at these issues. The chief privacy officer would have independence, be responsible back to Congress for reports, and so those are the types of protections and recourse that that we discussed.

Q: These safeguards that you're offering, are these the same safeguards that you're offering to your own citizens traveling within the country. Because I have a feeling maybe they can, you know, if they feel they've been unlawfully held and maybe missed their plane they can challenge this to court and there is feeling that if the European passenger finds himself in the same situation then this might not be possible. So, I would like to know what are the differences. And secondly, I was just wondering if this thing drag on, beyond the year end, and there is still no resolution, would you take stronger action, maybe not the WTO, but will you fine the airlines that are still refusing to give data on the basis of our own privacy laws?

HUTCHINSON: In reference to any distinctions, American travelers have recourse. The European travelers would have the ability to get the information and to correct any inaccurate information that would be necessary. I want to put this in perspective as to what is at issue here. The whole purpose is to assure safety of the passengers who travel on the airplanes. This is information that is given to a travel agency or airlines to facilitate that passenger's travel. We need that information as well, some of the non-sensitive information, to do the same thing. For safety and to facilitate their travel. And we want to be able to screen the passengers that come on but to not concentrate on legitimate travelers but to concentrate our secondary inspection, more complete baggage screening of those people that may pose a risk. So this is for safety and to facilitate legitimate travel. And so what will happen if someone is targeted for inspection, that simply means that they will go through the screening and then they will be pulled over for a more complete check of their shoes or their bags to make sure they're going to be a safe traveler. So we're not talking about arresting people. We're talking about closer examination to assure safety.

Q: ...ask you a question about the fines, if airlines refuse to cooperate...?

HUTCHINSON: I think it's appropriate at this point to look at resolving the issue and not what we're going to do if we don't resolve the issues. I just emphasized that we were in agreement on this yesterday that there is a sense of urgency about resolving this issue. It's not a comfortable position for the airlines. It's necessary for the safety of passengers and it's important to address privacy concerns. All of that has a sense of urgency and we're working to resolve that and we're not looking at what happens if we don't. We're committed to resolving it.

Q: You said it was a series of very productive meetings but what you expressed here is like a sense of goodwill over mutual goodwill from both sides, but even if you talk about the seven years...the other side is asking for as little as three years in some cases. Could you also give us some information on the number of items that will have to be explained from the personal data? I think it's like 39, while the European Union wants 20? Has there been any specific progress made on these points?

HUTCHINSON: Yes. Before yesterday's meeting, we were seven years apart. Now we're four years apart. So some specific proposals came back. We narrowed the gap and I'm confident we can at the end come closer together on our position. I think the same is true for the number of fields of information or, you know, what is sensitive information that needs to be protected. We again narrowed that issue. We made progress on that so it wasn't just healthy discussions, it was actual progress. But to me the progress also came in a better understanding of what we're trying to accomplish. Both sides concerns. I used the illustration of why seven years was important. The same is true for other areas of discussion.

Q: ... seven years or four years. What about U.S. citizens on internal flights? How long is the data left for them? And if I may ask you a more philosophical question, you explained part of this issue. Do you think that part of the issue is a different perception of privacy, a deep cultural gap in some ways between the U.S. and Europe? Do you find this in your negotiations?

HUTCHINSON: Actually, no. I don't think there is a difference of view of privacy. For example, when I was in the United States Congress -- I served in Congress from Arkansas -- I worked on privacy issues. I studied what the European Commission did on privacy. I thought they were really a leader in that area. And we worked on those issues as well. So at the same time you were engaged in debates on privacy we were engaged in debates in the United States Congress on privacy, and we enacted some very significant privacy protections. So I think culturally we're just as concerned about privacy issues and protecting civil liberties.

I make the point that homeland security is supposed to protect America. But America is not just about tall buildings and airplanes and electrical grids. America is also about values and civil liberties and my responsibility is to protect those as well. And that's one of the reasons we have a chief privacy officer. So I don't think there's a difference in those values that we're trying to protect. I think that our approach is very practical here. We have to be practical Americans right now because we have to work with these privacy issues and concerns consistent with security.

There's a lot of economic consequences here. If a plane went down, just think of the economic consequences to Europe, and our airline, and our transatlantic commerce. We don't want that to happen. We want people to be safe and so we're looking for a practical solution that can protect those values but still provide the safety of our passengers. I think we're very close to resolving that and I'm hopeful that we can. I think I answered the second part of your question.

Q: And the first one, the data for U.S. citizens internal flights, how long is that held for?

HUTCHINSON: As far as I know there's not any limitation there. We're looking at...I'll probably need to get back to you on a specific answer there. I'm not aware of any distinctions but I'll have to get back to you on that.

Q: So do you have the feeling that the Europeans are not careful enough with their security? That they are too naïve because you said you would have to be pragmatic or practical Americans right now? And secondly, if there is no cultural gap, what is the problem?

HUTCHINSON: I didn't really mean to cast any difference there. I think both sides are trying to be practical to resolve these issues and so I think there's a recognition certainly in Europe about the importance of passenger safety and security issues. But there's a process that you have to go through. We have to have discussions, we have to reconcile what we're doing with the European privacy laws and data protections. That's what we're doing. So I think we're figuring out how to respond to all the legal requirements that exist. Our legal requirements for information that are safety related with the privacy protection rules. So we're all looking for a practical solution here. I'm hopeful that we can achieve that. We need to have more discussions.

Sometimes I think there's confusion about what we're trying to do, that we're trying to intrude upon sensitive information, so we're trying to correct that misunderstanding that might've existed there. And also I think among the European Commissioners, the discussion is helpful balancing the privacy protection needs with the legitimate law enforcement and safety concerns of air passengers. So this is all new territory for us. We've only been really engaged in these high-level security and safety concerns since September 11, two years ago, so it's new territory and we're trying to work through these. I think it is just manifest that we're going through a new experience more than (through) ultimate differences.

Q: Could you create a system where instead of taking the data from the database of airlines, the airlines in the European Union would give you the data (inaudible) push and pull system.

HUTCHINSON: That is a technical question and this relates to whether, since the data should be transferred at all, if you have 39 fields of information, can the airlines delete the information before it is sent on. How much does it cost? They have to design new systems to transfer only limited data, or is it better for the information to be transferred and then we delete the information that we guarantee should have protection. We don't want the information. We are happy for the airlines to delete it in advance. But it is really a technical issue as to what kind of system has to be developed, what the airlines can do, and how quickly they can do it. So we are working through those technical questions, but the important thing is we don't need this sensitive information, we don't want it, we're not asking for it, and we are happy for any solution that would protect it.

Q: Could you tell us anything about data processing, because before September 11 you had enough (dietary?) data but the problem was that they weren't combined? So, how would you process all this data which you collect from more airlines, if you get them?

HUTCHINSON: I don't know that I want to go into all the details of that, but it is information that can be used, one, to assure identity. If you have got someone who is traveling under a false passport, fraudulent passport, by the fact that we might have their name and address in advance, allows us to do a data check to see whether they are really who they say they are, and whether they are traveling on a legitimate passport. So that is the type of safety and security measure. Traveling, I would not want to sit by someone who is traveling under a fraudulent passport. That is a means that terrorists use and so that is an important safety mechanism. That is the type of data processing that we would try to do.

Q: Where does it stand for the moment?

HUTCHINSON: Within our Agency, it would be Customs and Borders Protection, as well as the Transportation Security Administration. Those are the two that are both responsible for protection of the air traveler and assurance, as to the traveler who enters our country, that they are there for a legitimate purpose. So those are the two agencies within the Department of Homeland Security that would receive the data, would analyze it, and take the appropriate safety steps for the air passengers.

Q: Is the Commission asking for reciprocity?

HUTCHINSON: They will certainly have reciprocity. We are not going to be asking for any information that we are not willing to give. That is something that can be discussed, we're certainly willing to discuss, and we understand that there will be a need for that type of information not just in European nations but also across the globe. This is not just a United States issue. Canada has asked for this information, South Korea, I understand, has asked for the information. Australia has asked for the information. So this is not a United States issue. So I think the solution we are looking for is something that is an international solution, and we might be the first in line here having to take the brunt of this, but our solution hopefully will be beneficial to everyone.

Q: Could you just tell us exactly how the information is being retrieved? There seems to be a lot of confusion about this during last week's hearings at the European Parliament. The Commission could not explain.... Are you taking this information directly from the computer reservation systems?

And the second thing is the cost. As I understand it, the airlines initially wanted this "pull" system where (inaudible) you retrieve the information because they thought it wouldn't cost them that much. But in fact it turns out it is costing them a lot. So obviously somebody's making money off this. So is the government prepared to cover the cost of implementing a system such as this?

HUTCHINSON: No, this is a responsibility that we believe the airlines have for assuring the safety of passengers. What we are trying to do is to minimize the cost burden. We understand that any time that you put a regulation on business, there is a cost that goes with that. But this is information that is in a database. The cost is minimal for the transfer of that information. As to how that is technically done does have a cost impact. Whether you require them to develop a completely new system that deletes certain information and provides the government limited information could have a cost impact, and that is what we are trying to work with the airlines on, as well as the European Commission on. That is very important to us that we consider the cost of business, and we have that responsibility. But we have a partnership here with industry. We have a common goal, both the aviation industry -- the airlines -- and government want to work together to ensure the safety of passengers and that is our mutual objective.

Q: What is the state of play with other countries in the world? Which countries are ready to give you the required information? What happens to the minor European countries, like Switzerland? Will you negotiate with them after you have finished with the Commission?

HUTCHINSON: I could not go through every specific country and airline as to the exact state of the transfer of information. Most airlines that travel to the United States provide us this information that is needed for safety. There may be a few exceptions to that, and this is under the interim agreements. We're not trying to put this burden on airlines that do not serve the United States, but these are travelers with various airlines that wish to visit the United States. They may have to get a visa, they may have to get a passport, if it's a visa-waver country. But as a safety measure for coming to the United States, they provide information to the airline or the reservation system and they understand that that information might be provided to the government for safety purposes, so that's the way it's working. And so whether it's Switzerland or whether it's Australia, we need that information from the airlines that bring visitors to our country.

Q: You mentioned South Korea, Canada, Australia. Do you have similar agreements already with such countries?

HUTCHINSON: When I said that, those are like if you're having a flight into Canada, they're interested in getting information to protect those passengers. Now, I don't know, I know they've made a request for the information, I don't know whether that information is being transferred and what the arrangements are on that, but it's been widely publicized that they have made those requests for information.

Q: Have you been able to detect any terrorists or any sort of dangerous persons since March through this system, since the airlines are giving you their data?


Q: To stop someone before he actually boards the plane in Europe?

HUTCHINSON: There are two purposes. One is to stop a terrorist from entering the United States, and getting more information in advance. Secondly, to protect the air passengers themselves. As part of that we need the information not while the plane is en route, we need the information prior to departure, and we're working through those. Again it's technical, it's adjusting some systems so we get the information earlier.

As to whether we have detected terrorists based upon this information, I don't want to compromise anything, but first of all, the answer is yes. That might be from entering the United States, but I know that even the airlines use the information that's provided to them. And just recently, I saw an airline which stopped an Iraqi citizen from using a Netherlands passport that was fraudulently altered, and a smuggler, from traveling on the airplane, and it was based upon the passenger information and analysis of it and suspicions that were raised. Were they terrorists? - I don't know. Might have been; might have been trying to hurt somebody, or they might have just been trying to illegally enter the country, but certainly this information is useful to assure safety of passengers.

Q: Don't you think that it's more appropriate to have a sort of global system? Because what is interesting, for example, is somebody who is traveling many times between Saudi Arabia and Sudan, and then he is flying only once to the U.S. You are trying to protect yourself, but the problem is more global. What do you think about international (inaudible), making the system global?

HUTCHINSON: An international standard of some sort? Certainly, we would be open to having some type of -- I don't want to open up an international process. This is important for us now, and we want to resolve this issue with the European Commission because that's the issue on the table. And now I would hope that all international air carriers and governments would see this as an important safety measure as well, and take similar steps. I think that is helpful.

Q: Yes, as regards the type of information you're looking for, the sensitive information. There seems to be a kind of mixed message on the credit card information, and whether that would be deleted or held. Can you clean that up first or do you want to have a European consumer's credit card information or not?

HUTCHINSON: I think there's agreement that it's important to have the method of payment -- whether it's cash, whether it's credit card, or some other form of payment perhaps, but the form of payment is important information. Now, as to what information is transferred to establish that is still subject to discussions. Some of it might be sensitive -- that might not be appropriate -- but we want to make sure sufficient information is transferred that would give us that capability, because obviously that's an important factor.

Thank you very much for this opportunity to have this discussion with you. I appreciate it very much.

(end transcript)

(Distributed by the Bureau of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)

Join the GlobalSecurity.org mailing list