Aviation security, privacy, data protection and other human rights technologies and legal principles

The aim was to research broader issues in civil aviation security versus privacy, data protection and other human rights and – on a global level – to write a book.. Enerstvedt, Aviation

Law, Governance and Technology Series

Sub-series: Issues in Privacy and Data Protection 37

Law, Governance and Technology Series

Issues in Privacy and Data Protection

Volume 37

Series editors

Pompeu Casanovas, Barcelona, Spain

Giovanni Sartor, Florence, Italy

Serge Gutwirth, Brussels, Belgium

manuscripts that focus upon issues that engage into an analysis or reflexion related

to the consequences of scientific and technological developments upon the private sphere, the personal autonomy and the self-construction of humans with data pro-tection and privacy as anchor points The objective is to publish both disciplinary, multidisciplinary and interdisciplinary works on questions that relate to experiences and phenomena that can or could be covered by legal concepts stemming from the law regarding the protection of privacy and/or the processing of personal data Since both the development of science and technology, and in particular information tech-nology (ambient intelligence, robotics, artificial intelligence, knowledge discovery, data mining, surveillance, etc.), and the law on privacy and data protection are in constant frenetic mood of change (as is clear from the many legal conflicts and reforms at hand), we have the ambition to reassemble a series of highly contempo-rary and forward-looking books, wherein cutting edge issues are analytically, con-ceptually and prospectively presented

More information about this series at http://www.springer.com/series/8808

Olga Mironenko Enerstvedt

Aviation Security, Privacy, Data Protection and Other Human Rights: Technologies and Legal Principles

ISSN 2352-1902 ISSN 2352-1910 (electronic)

Law, Governance and Technology Series

ISSN 2352-1929 ISSN 2352-1937 (electronic)

Issues in Privacy and Data Protection

ISBN 978-3-319-58138-5 ISBN 978-3-319-58139-2 (eBook)

DOI 10.1007/978-3-319-58139-2

Library of Congress Control Number: 2017941081

© Springer International Publishing AG 2017

This work is subject to copyright All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors

or omissions that may have been made The publisher remains neutral with regard to jurisdictional claims

in published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature

The registered company is Springer International Publishing AG

The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Aviation and ICT Law Consulting

Langhus, Norway

Preface

When I was finalizing this work, the worst incident in Russian/Soviet history of civil aviation occurred On 31 October 2015, terrorists blew up Airbus A321 during its flight from Sharm el-Sheikh to St Petersburg, killing 224 persons on board, mostly Russians Tragically, I found I needed to update my research with new sad facts and figures When people are killed, it hurts When fellow citizens are killed, the pain is doubled

As a participant of a student exchange programme, I was in the USA at the moment of the 9/11 attack I flew from New York to Moscow in October 2001 and experienced the more stringent security measures A pair of small scissors was con-fiscated from my hand baggage I was living in Moscow when the worst terrorist events occurred there, such as the Dubrovka Theatre siege in 2002 and bombing of two flights by suicide terrorists in 2004 On 22 July 2011, I was living in Norway and personally heard the explosion of bombs in government buildings in Oslo One

of the guests invited to my wedding party a week later was unable to attend; her close relative had been killed in the bombings of the government quarter in Oslo There have been other terrorist-related events in my life

Turning from the personal to a more general perspective, I must say that although not all these catastrophic events were aviation-related, almost all of them had some influence on security regimes, including aviation Flying from Oslo to Moscow and back quite frequently, as well as other routes, I could not help but notice direct or indirect consequences such as restrictions on liquids, having to remove shoes, metal detectors at the entrance of the airport or body scanners As a researcher in the field

of aviation security and data privacy, however, I know that these measures are only the tip of the iceberg The emerging mass of security-related data and the corre-sponding impact on individual privacy are only in the beginning stage of development

My interest in aviation grew as a result of my work as a lawyer in a business tion company, Moscow Sky, operating internationally I worked there during 2005–

avia-2008 I have fond memories of my colleagues and the time I spent there When I then took the LLM degree in ICT law at the University of Oslo, I was very fortunate

to be able to combine aviation and data protection issues in my master’s thesis The topic concerned passenger name record agreements between the EU and the USA.  My master’s thesis was published by the Norwegian Research Center for Computers and Law (NRCCL) I was privileged to have Professor Jon Bing as my supervisor Very sadly, he passed away in 2014.

Inspired by conversations with Jon Bing and the director of NRCCL, Professor Dag Wiese Schartum, I decided to further develop the topic The aim was to research broader issues in civil aviation security versus privacy, data protection and other human rights and – on a global level – to write a book I completed the work in 2016

First of all, I would like to thank Professor Dag Wiese Schartum He has always been very supportive, available for help and advice at any time and willing to pro-vide valuable comments and ideas I am also very thankful to Professor Lee Andrew Bygrave, for his invaluable advice and comments, in particular on data privacy issues

I would like to thank Peter Burgess from PRIO for his encouragement of my work at the initial stage, inviting me to relevant seminars and sharing contacts in the civil aviation field I would like to thank the Norwegian Civil Aviation Authority for hosting a meeting at which they presented their organization and work Many thanks

go to the personnel of the Norwegian airport operator Avinor, in particular to senior security advisor Ole Folkestad, who was especially helpful in providing me with an

of understanding the use of technologies in modern airports My gratitude also goes

to other relevant entities and persons, in particular from Norway and Russia, who took the time to answer my questions

I would also like to thank all colleagues at the NRCCL who have always been very kind and friendly towards me Special thanks go to the head of administration

of the Institute of Private Law, Eva Modvar, and then to her successor, Eli Knotten, for their kindness and help with every practical issue I faced and for always being available to provide support and advice I would like to specially thank Tim Challman for proofreading the final text and for offering valuable comments and advice regarding the English language

I am indebted to my family, especially to my mother, my husband Håken and our children, Maria, Anna and Aleksander Håken has been very kind and extremely patient He has been a willing babysitter and took good care of our small children, while I was busy with the book and was unable to spend as much time with them as

I wished This work is dedicated to my family I love you

Langhus, Norway Olga Mironenko Enerstvedt

1 Introduction 1

1.1 Background and Subject Matter 1

1.2 Aims of the Research 8

1.3 Approach of the Research 9

1.4 Overview of the Structure 13

Part I General Part 2 Protection of Privacy and Data Protection in Aviation Security 19

2.1 Introduction 19

2.2 What Is Privacy and Data Protection 22

2.2.1 The Concept of Privacy 22

2.2.2 The Concept of Data Protection 32

2.2.3 Relation Between Privacy and Data Protection 39

2.3 Privacy and Data Protection Regulation 41

2.3.1 International 41

2.3.2 EU 44

2.3.3 National 51

2.4 Concluding Remarks 61

3 Other Human Rights in Aviation Security 65

3.1 Introduction 65

3.2 The Concept of Human Rights 67

3.2.1 Protection of Human Rights 67

3.2.2 Limitations of Rights 70

3.3 Right to Life 74

3.4 Right to Health 78

3.5 Right to Freedom of Movement 80

3.6 Right to Equal Treatment and Non-discrimination 85

3.7 Right to Freedom of Thought, Conscience and Religion 88

3.8 Rights of the Child 91

3.9 Concluding Remarks 94

Contents

4 Civil Aviation Security 97

4.1 Introduction 97

4.2 Security and Its Relation to Safety 99

4.3 Civil Aviation and Civil Aviation Security by Numbers 101

4.4 Snapshots from History 108

4.4.1 The Earliest Days of Aviation – 1968 108

4.4.2 1968–9/11 109

4.4.3 Aftermath of 9/11 111

4.4.4 Recent Developments 114

4.5 Aviation Security Concept 117

4.5.1 Introduction 117

4.5.2 Risk Assessment 118

4.5.3 Assets 121

4.5.4 Threats 122

4.5.5 Benefits 131

4.5.6 Conclusion 136

4.6 Principles of Aviation Security 137

4.7 Aviation Security Regulation 140

4.7.1 International 140

4.7.2 EU 144

4.7.3 National 147

4.8 Concluding Remarks 154

5 Legal Principles of Privacy and Data Protection 157

5.1 Introduction 157

5.2 What Are Principles in This Research? 158

5.3 General Principles 163

5.3.1 Legality 164

5.3.2 Proportionality Principle 174

5.4 Principles of Data Protection 187

5.4.1 Purpose Limitation 191

5.4.2 Minimality 194

5.4.3 Non-retention of Data Beyond a Certain Period of Time 195

5.4.4 Data Quality 196

5.4.5 Data Security 197

5.4.6 Data Subject Influence 198

5.5 Concluding Remarks to Chap 5 and to General Part 201

Part II Special Part 6 Aviation Security Technologies 205

6.1 Introduction 205

6.2 Types of Aviation Security Measures 206

6.3 Body Scanners 212

6.3.1 Introduction 212

6.3.2 Millimetre Wave 215

6.3.3 Transmission X-Ray 230

6.3.4 Concluding Remarks 233

6.4 Camera Surveillance 234

6.4.1 Introduction 234

6.4.2 Camera Surveillance at Airports 238

6.4.3 Biometrics, in Particular Facial Recognition 247

6.4.4 Profiling 257

6.4.5 Behaviour Analysis, in Particular via CCTV 262

6.4.6 In-Flight Camera Surveillance 266

6.4.7 Concluding Remarks 268

6.5 Passenger Name Records Systems 269

6.5.1 Introduction 269

6.5.2 Effectiveness 273

6.5.3 Data Protection and Privacy Issues 276

6.5.4 Other Human Rights Issues 281

6.5.5 Concluding Remarks 281

6.6 Technology and Freedom of Movement 281

6.7 Technology and Discrimination 284

6.8 Modern Trends in Aviation Security 291

6.8.1 Introduction 291

6.8.2 Intelligence-Led, Pro-active and Risk-Based Approach 292

6.8.3 Global Information Sharing 296

6.8.4 Randomness and Unpredictability 297

6.8.5 Combination of Security Measures 298

6.8.6 Concluding Remarks 301

6.9 Concluding Remarks 302

7 Analysis of Privacy and Data Protection Principles 307

7.1 Introduction 307

7.2 Legality 308

7.2.1 Introduction 308

7.2.2 Information Openness and Transparency 308

7.2.3 In Accordance with the Law 317

7.2.4 Legitimate Aim 334

7.2.5 Conclusion 334

7.3 Proportionality 335

7.3.1 Introduction 335

7.3.2 Suitability (Effectiveness) 336

7.3.3 Necessity 337

7.3.4 Non-excessiveness 343

7.3.5 Conclusion 343

7.4 Purpose Limitation 343

7.4.1 Introduction 343

7.4.2 Scans 344

7.4.3 CCTV 344

7.4.4 PNR 347

7.4.5 Conclusion 357

7.5 Minimality 357

7.5.1 Introduction 357

7.5.2 Scans 360

7.5.3 CCTV 361

7.5.4 PNR 366

7.5.5 Conclusion 370

7.6 Non-retention of Data Beyond a Certain Period of Time 371

7.6.1 Scans 371

7.6.2 CCTV 371

7.6.3 PNR 373

7.7 Data Quality 375

7.7.1 Scans 376

7.7.2 CCTV 377

7.7.3 PNR 378

7.8 Data Security 378

7.8.1 Scans 379

7.8.2 CCTV 379

7.8.3 PNR 380

7.9 Data Subjects’ Rights 382

7.9.1 Consent 382

7.9.2 Access, Rectification and Deletion 383

7.10 Concluding Remarks 387

Part III Conclusion 8 Conclusion 397

8.1 Returning to Research Aims 397

8.2 Regulation Issues 398

8.2.1 Introduction 398

8.2.2 Legal Regulation 399

8.2.3 Enforcement of Regulation 402

8.2.4 Legal Principles 404

8.2.5 Privacy Impact Assessment 409

8.2.6 Concluding Remarks 412

8.3 Privacy by Design 413

8.4 Improving Passenger Experience 417

8.4.1 Impact on Passengers 418

8.4.2 Impact of Human Rights Concerns on Security 419

8.5 Concluding Remarks 421

Abbreviations 423

Annexes 425

Annex 1: ICAO PNR Guidelines, PNR Data Elements 425

Annex 2: EU-US PNR Agreement, PNR Data Types 426

Annex 3: EU PNR Directive, Passenger Name Record Data as Far as Collected by Air Carriers 427

Annex 4: Russian PNR System, PNR Data Types 428

Selected Sources and Materials 431

Table of Legislation and Other Legal Texts 431

International 431

European Union 432

UK 434

Norway 434

USA 434

Russian Federation 434

Books and Articles 435

Reports and Other Resources 450

Table of Cases

European Court of Human Rights

A and Others v the United Kingdom, No 3455/05, 19 Feb 2009

Ahmet Arslan and Others, No 41135/98, 23 Feb 2010

Aksoy v Turkey, No 21987/93, 18 Dec 1996

Aktas v France, No 43563/08, declared inadmissible 30 Jun 2009

Amann v Switzerland, No 27798/95, 16 Feb 2000

Bayatyan v Armenia, No 23459/03, 7 Jul 2011

Brannigan and McBride v the United Kingdom, No 14553/89, 25 May 1993

Campbell v the United Kingdom, No 13590/88, 25 Mar 1992

Case “Relating to certain aspects of the laws on the use of languages in education

in Belgium” v Belgium, No 1474/62; 1677/62; 1691/62; 1769/63; 1994/63; 2126/64, 23 July 1968

Česnulevičius v Lithuania, No 13462/06, 10 Jan 2012.

Cyprus v Turkey, No 25781/94, 10 May 2001

Dahlab v Switzerland, No 42393/98, declared inadmissible 15 Feb 2001

El Morsli v France, No 15585/06, declared inadmissible 4 Mar 2008

Erçep v Turkey, No 43965/04, 22 Nov 2011

Fedorov and Fedorova v Russia, No 31008/02, 13 Oct 2005

Gillan and Quinton v the United Kingdom, No 4158/05, 12 Jan 2010

Huvig v France, No 11105/84, 24 April 1990

Ireland v the United Kingdom, No 5310/71, 18 Jan 1978

Kervanci v France, No 31645/04, 4 Dec 2008

Khan v the United Kingdom, No 35394/97, 12 May 2000

Klass and others v Germany, No 5029/71, 6 Sep 1978

Kopp v Switzerland, 13/1997/797/1000, 25 Mar 1998

Kruslin v France, No 11801/85, 24 Apr 1990

Lawless v Ireland, No 332/57, 1 July 1961

Leander v Sweden, No 9248/81, 26 Mar 1987

Leyla Sahin v Turkey, No 44774/98, 10 Nov 2005

Liberty and Others v the United Kingdom, No 58243/00, 1 July 2008.

Lingens v Austria, No 9815/82, 8 July 1986

Luordo v Italy, No 32190/96, 17 Mar 2013

Malone v the United Kingdom, No 8691/79, 2 Aug 1984

Marper v the United Kingdom, No 30562/04 and 30566/04, 4 Dec 2008

McFeeley v the United Kingdom, No 8317/78, 15 May 1980

Miazdzyk v Poland, No 23592/07, 24 Jan 2012

Ollson v Sweden, No 10465/83, 24 May 1988

Peck v the United Kingdom, No 44647/98, 28 Jan 2003

Prescher v Bulgaria, No 6767/04, 7 Jun 2011

Rangelov v Germany, No 5123/07, 22 Mar 2012

Riener v Bulgaria, No 46343/99, 23 May 2006

S and Marper v the United Kingdom, No 30562/04 and 30566/04, 4 Dec 2008

Sejdić and Finci v Bosnia and Herzegovina, No 27996/06 and 34836/06, 22 Dec

2009

Shimovolos v Russia, No 30194/09, 21 Jun 2011

Soering v the United Kingdom, No 14038/88, 7 Jul 1989

Stamose v Bulgaria, No 29713/05, 27 Nov 2012

Uzun v Germany, No 35623/05, 2 Sep 2010

Paul and Audrey Edwards v the United Kingdom, No 46477/99, 14 March 2002

Bromiley v the United Kingdom (dec.), No 33747/96, 23 Nov 1999.

Finogenov and others v Russia, No 18299/03 and 27311/03, 20 Dec 2011

European Court of Justice

Case C–70/10, Scarlet Extended SA v Société belge des auteurs, compositeurs et

éditeurs SCRL (SABAM), 24 Nov 2011

Case C-73/07, Satamedia, 16 Dec 2008.

Case C 362/14, Maximillian Schrems v Data Protection Commissioner, 6 Oct 2015 Case C-101/01, Lindqvist, 6 Nov 2003.

Case C-131/12, Google Spain SL, Google Inc v Agencia Española de Protección

de Datos, Mario Costeja González, 13 May 2014

Case C-465/00, Rechnungshof decision, 20 May 2003.

Case C-524/06, Heinz Huber v Bundesrepublik Deutschland, 16 Dec 2008.

Case T-13/99, Pfizer Animal Health SA v Council of the European Union, 11 Sep

2002

Joined Cases C 293/12 and C 594/12, Digital Rights Ireland Ltd v Minister for

Communications, etc., 8 Apr 2014

Joined Cases C-317/04 and C-318/04, European Parliament v Council of the

European Union, European Parliament v Commission, 30 May 2006

Joined cases C-402/05 P and C-415/05 P, Yassin Abdullah Kadi and Al Barakaat

International Foundation v Council and Commission, 3 Sept 2008

Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke GbR and Hartmut

Eifert v Land Hessen, 9 November 2010

Joined Cases C-141/12 and C-372/12, YS v Minister voor Immigratie, Integratie en

Asiel and Minister voor Immigratie, Integratie en Asiel v M and S., 17 July 2014

USA

Arizona v Evans, 514 U.S 1 (1995), 1 March 1995

EPIC v DHS, 653 F.3d 1 (D.C. Cir 2011), 15 July2011

Gilmore v Gonzales, 435 F 3d 1125  - Court of Appeals, 9th Circuit 2006, 26 January 2006

Hasbrouck v U.S. Customs and Border Protection, Case number C 10-03793 RS, U.S. District Court, Northern District of California, filed 25 August 2010

Pavesich v New England Life Insurance Co Supreme Court of Georgia, 122 Ga 190; 50 S.E 68; 1905 Ga., 3 March 1905

Schmerber v California, 384 U.S 757 (1966), 20 June 1996

Sima Prods Corp v McLucas, 612 F.2d 309, 312–13 (7th Cir 1980), 3 January1980

United States v Aukai, 497 F.3d 955-963 (9th Cir 2007), 10 August 2007

United States v Dionisio, 410 U.S 1, 14 (1973), 22 January 1973

United States v Epperson, 454 F.2d 769, 771 (4th Cir 1971), 7 February 1972

UK

Durant v FSA [2003] EWCA Civ 1746, Court of Appeal (Civil Division) decision

of Lord Justices Auld, Mummery and Buxton (8 December 2003)

R v Rooney [2006] EWCA Crim 1841 (12 July 2006)

Fig 1.1 Privacy and data protection: overlap 4

Fig 4.1 Aviation security system of Russia 149

Fig 5.1 Proportionality principle applied to privacy and security 183

Fig 6.1 Aviation security measures in a standard airport 209

Fig 6.2 Aviation security measures in standard aircraft 211

Fig 6.3 Aviation security measures scope 212

Fig 6.4 Explosive in rectum; ceramic knife, metal knife, phone, scissors and screw driver 230

Fig 6.5 Privacy undertakings 232

Fig 6.6 Video Analytics Processing 245

Fig 6.7 Profiling processing 261

Fig 6.8 Standard PNR system 276

Fig 6.9 New security layers 292

Fig 6.10 Combination of aviation security technologies and sources 299

Fig 7.1 Proportionality principle applied to scans, CCTV and PNR 392

List of Figures

Table 2.1 Summary of national regulation and other features 62Table 4.1 Aircraft safety occurrences worldwide (1921–2015) 105Table 4.2 Aviation security and other relevant regulation

in the selected states 152Table 6.1 Profiling in relation to selected aviation security measures 258Table 6.2 Privacy/data protection application for CCTV 269Table 6.3 Aviation security measures’ impact on privacy

and data protection 303Table 6.4 Aviation security measures’ impact on human rights 304Table 7.1 Aviation security measures and suitability and necessity 391Table 7.2 Relation between aviation security measures

and privacy and data protection principles 391Table 7.3 Relation between aviation security measures

and other human rights 392

List of Tables

© Springer International Publishing AG 2017

O.M Enerstvedt, Aviation Security, Privacy, Data Protection and Other Human

Rights: Technologies and Legal Principles, Law, Governance and Technology

Series 37, DOI 10.1007/978-3-319-58139-2_1

Introduction

1.1 Background and Subject Matter

As the title of this work explicitly reflects, the discussion will mainly deal with two groups of issues: aviation security and privacy, data protection and other human rights While aviation security is mainly aimed at preventing acts of unlawful inter-ference with civil aviation1 and relates to the state’s undertakings to protect persons, aircraft, airport facilities and other material assets from harm, there are also various fundamental human rights instruments aimed at protecting not only the right to life, but also other rights and freedoms of individuals

“Individuals” or “persons”2 in both cases, within the civil aviation field, mean people: air passengers, crew, and people on the ground.3 This research concentrates

on air passengers, since this category is the principal concern when it comes to security screenings, personal data collection and transfer, as well as other methods that impact on human rights Although statistically only a small part of the worlds’

1 It is common to differentiate between two types of aviation: civil aviation and state aviation Civil aviation mainly refers to commercial and other needs of the citizens and economy In this research, civil aviation will mainly imply the commercial aspect and will refer to transportation of passengers.

2 Used as synonymous.

3 People on the ground (non-passengers) may include different persons: those meeting their tives or friends at the airport arrival halls (they may be subject to a part of security control such as metal detectors at the airport entrance, e.g in Moscow), airport staff (are usually subject to special control) or just people who can suffer being in the neighbourhood of a terrorist attack (e.g if the bomb is put in a car near the airport, or if the exploded airplane falls onto civil buildings, etc.) Aviation security certainly endeavours to protect all these people as well As I will explain in Sect

rela-4.5.3 , aviation security covers the airport infrastructure too, thus, it extends to such elements as airport train stations, taxi areas, etc However, people on the ground are usually subject to a much lesser degree of control/surveillance than passengers.

population travels by air, this number is constantly growing,4 thus, aviation security measures may potentially concern a substantial part of people.

Screenings and other aviation security measures at airports have become a part

of day-to-day life and culture for millions of people all around the world, so that people seem to accept that there is no other way to keep them safe in the air.5 The scope of these procedures, their obligatory nature, as well as possible negative con-sequences in the event of failure to be subject to the security measures are outlined for instance, in the airlines’ carriage conditions available on the websites:

Passengers and/or their baggage are subject to security screening, including but not limited

to, security profiling, physical pat-downs and inspections, x-ray screening, manual bag searches, questioning of Passengers, and use of electronic or other detectors or screening or security devices, in the sole discretion of the government, airport or UA (United Airlines), and with or without the Passenger‘s presence, consent or knowledge Neither UA nor its employees or agents is liable for any damage, loss, delay (including refusal to transport), confiscation of property, injury or other harm relating to or arising out of security screening conducted by an agent of the airport or any local, state, or federal agency or a Passenger’s failure to submit to or comply with such security screening 6

On the one hand, the general public often considers aviation security measures that are designed to enhance security as positive developments On the other hand,

it is clear that they have a heavy impact on the processing of passengers at the port For most travellers screening and other procedures constitute an additional inconvenience and the most uncomfortable part of their entire journey.7 They are time-consuming: before 9/11, the average checkpoint processed 350 passengers per hour; today fewer than 150 per hour are processed,8 in some cases intrusively, with increasing costs that are ultimately passed on to passengers

air-The inconveniences to passengers definitely may include problems connected with their rights as human beings This is particularly important for this work: some aviation security measures, technologies, or methods may have impact on the indi-viduals’ rights, so that these rights may be interfered with, limited or violated Civil rights organizations and advocates cry out against violations of individuals’ liberties and freedoms in aviation security.9

It should be noted that despite the fact that human rights are under threat in eral, i.e this is a concern of all persons, only some individuals will ultimately bear the full (or any) cost of the violations.10 Clearly, only a small selection of the air passengers will be subject to additional screening due to profiling techniques or will

gen-4 E.g 3.3 billion passengers were transported in 2014 worldwide See Chap 4

5 Simmons Searching for Terrorists: Why “Public Safety” is not a Special Need (2009) p. 912.

6 Rule 20 Screening of passengers and baggage United Air Lines, Inc Contract of Carriage (revised 31 December 2015), https://www.united.com/web/format/pdf/Contract_of_Carriage.pdf

7 Ghee Recommendations for airports and airlines to improve baggage, security, immigration,

arrivals and more in 2015 (2015).

8 IATA. Remarks of Tony Tyler at the IATA Ops Conference in Vienna, 15 April 2013 http://www iata.org/pressroom/speeches/Pages/2013-04-15-01.aspx

9 See, e.g websites of ACLU: http://www.aclu.org and EPIC: http://epic.org

10 McDonagh Risk, human rights and the bureacratisation of counter-terrorism (2011) p. 10.

be prohibited from flying due to their names appearing on a black list However, hypothetically, no one can be guaranteed that their name might appear on such a list

by mistake, or they might otherwise be targeted due to technologies’ false positives Thus, the fact that the potential rights violation pertains to only a few does not make the problem of possible violations less important

The key word for security measures is surveillance, which can be defined as “the focused, systematic and routine attention to personal details for purposes of influ-ence, management, protection, or direction”.11 There are multiple forms of surveil-lance; for aviation security, most common forms include camera surveillance (CCTV – Closed Circuit Television),12 the use of biometrics, the use of data mining and profiling.13

At the same time, a dual nature of surveillance can be noted: on the one hand, surveillance, if properly used, can contribute to security, protection from crimes, but

on the other hand, surveillance itself may present a threat to individuals, ties and societies because of its ubiquity, intensity and use of personal data; more-over, it is argued that “broad surveillance is a mark of bad security”.14 Government surveillance is directed at all of persons, including innocent people, and this is nor-mally done in secret, with little or no oversight.15 Although there are democratic procedural constraints, effective oversight and control may be very difficult to ensure as long as the power is exercised by large companies, state organizations and intelligence agencies.16

communi-As a result, citizens are often unaware of the most questionable surveillance methods, such as camera surveillance, creation and storage of different dossiers and black lists that may affect the ability to fly, require additional screening, etc In a state of mass surveillance, personal rights and freedoms are severely limited, as clearly predicted in Orwell’s book “1984”

In the public debates, the right to privacy is frequently the first to be mentioned

in this regard Many security measures and technologies provoke “anxiety, protest, and resistance”17 specifically in relation to privacy “Security versus privacy” has become a common expression In 2013, the enhanced discussion of privacy, mainly

in connection with PRISM and the Edward Snowden revelations as well as the removal of “naked” body scanners from American airports and other events, made

Dictionary.com declare “privacy” word of the year.18 However, is it merely a word

11 Lyon Surveillance studies: An overview (2007a) p. 14.

12 In the literature, “CCTV” is used as generic term camera surveillance Although CCTV does not amount to camera surveillance, as explained in Chap 6 , these terms will be used as synonymous

in this research.

13 All these terms will be elaborated in detail in Chap 6

14 Wright [et al.] Questioning surveillance In: Computer Law & Security Review Vol 31 (2015)

pp. 281–282, Schneier Schneier on security (2008) pp. 8, 69.

15 ACLU. Surveillance and Privacy http://www.aclu.org/national-security/surveillance-privacy

16 Wright et al (2015) p. 282.

17 Nissenbaum Privacy in context (2010) p. 3.

18 Dictionary.com : http://blog.dictionary.com/author/dictionary-com-blog/ 17 December 2013.

of the year? Schneier calls security versus privacy “the battle of the century:” which

of these values is more important, how much privacy are you willing to give up for security?19

In this respect, it should be stressed that the rights to privacy and data protection are interrelated and partly overlap, as shown in Fig. 1.1

The key words for this research from Lyon’s definition of surveillance are sonal details” The point is that personal data have direct relation to the rights of privacy, which protects, among other things, private information20 pertaining to individuals, and data protection, which can be seen as one of the dimensions of privacy or as a separate right

“per-It is not surprising, then, that the term “data privacy” is commonly used, or the term “dataveillance” used in reference to the phenomenon of data being used to monitor and surveil citizens.21 Through extensive data protection regulation, at least

in the EU and some other states, it is quite clear that data – if they satisfy the ments of being personal and being processed22 – should be protected The term “pri-vacy”, however, is less clear

require-Consequently, a question arises as to what privacy is Numerous theoretical ceptions have been advanced as definitions for the term, but none of them has become common or universally accepted Moreover, persons’ views on this value

con-do not remain static and can change according to the context, other needs and other factors In many books and articles, the death or the end of privacy is predicted,23

mainly due to total surveillance and pervasive databases Everything depends, of course, on what one means by the term privacy Clearly, privacy as total secrecy is not the most suitable today,24 nor applicable, especially in public places such as airports However, privacy nevertheless can be protected, but this should be done taking the new contexts into account In the airports, the context – providing aviation

19 Schneier (2008) p. 69.

20 Data and information are used as synonyms in this research.

21 Clarke Information technology and dataveillance In: Communications of the ACM.  Vol 31

(1988) p. 498–512.

22 See Chap 2

23 E.g Garfinkel Database nation: the death of privacy in the 21st century (2000), Rubenfeld The

End of Privacy In: Stanford law review (2008) In January 2015, Science dedicated its special issue to “The end of privacy”.

24 Solove The end of privacy? In: Scientific American Vol 299 (2008b) p. 104.

Fig 1.1 Privacy and data

protection: overlap

security to the passengers – and distinguishing between different types of privacy are key factors for defining privacy.25

From a broader perspective, privacy can be considered a component of other human rights, a necessary condition for them to function: without privacy, “it is much harder for dissent to flourish or for democracy to remain healthy and robust”.26

The status of the right to privacy in a particular society can demonstrate, first, what

is being sacrificed to security, and secondly, the status of all human rights as the whole, since this right is “the fundamental precondition so that other rights and liberties can be exercised”.27 The right to privacy is not only an individual value, but

a common, political value as well, since the abuse of privacy by surveillance nologies may lead to authoritarian regimes having an impact on the population as a whole.28 In this situation, on the one hand, privacy can be seen as an antidote to surveillance29: raising its status can contribute to upholding all human rights On the other hand, the weakness of privacy in a particular society is as a rule accompanied

tech-by other human rights concerns

The point is that all human rights are interdependent, indivisible and

interrelat-ed.30 This means that violating one right may often impair the enjoyment of other human rights, and vice versa This idea can be well illustrated by the aviation secu-rity measures: in addition to privacy/data protection concerns, they often have impact on other fundamental human rights, in particular, the right to equal treatment and non-discrimination, freedom of movement, etc Accordingly, the right to pri-vacy alone cannot accommodate all of the negative effects of aviation security.Hence the scope of the issue is argued to be broader – human rights versus secu-rity or liberty versus control31 – since humans are interested in both security and other human rights, and it is the state and other agencies’ control and surveillance functions that interfere

It should be noted that the term “aviation security” can be seen in two sions First, aviation security is ultimately aimed at protecting, among other things, the right to life of passengers and other persons In other words, all human beings have the right to be safeguarded from harms – it is also possible to speak about the individuals’ right to security.32 Therefore, security involves elements of human rights Effective security in this sense contributes to the right to life The latter

dimen-belongs to peremptory norms or jus cogens, that is, not being subject to any

25 See Chap 2

26 Vermeulen and Bellanova European ‘smart’surveillance: What’s at stake for data protection,

privacy and non-discrimination? In: Security and Human Rights Vol 23 (2013) p. 305.

27 Poullet Data protection legislation: What is at stake for our society and democracy? In:

Computer Law & Security Review Vol 25 (2009) p. 226.

28 Vermeulen and Bellanova (2013) p. 305.

29 Amicelli Report on Theoretical Frameworks and Previous Empirical Research (2012a) p. 14.

30 See Vienna Declaration and Programme of Action (A/CONF.157/23), adopted by the World Conference on Human Rights, held in Vienna, 14–25 June 1993.

31 Schneier (2008) p. 70.

32 See Lyon Surveillance after september 11 (2003a).

derogation Taking into account the threats of terrorism and the amount of harm that may cause a successful attack on an aircraft, the right to life may be used as a strong argument for the enhanced security.

Secondly, aviation security, as defined in legal instruments, involves in general different measures and human and material resources intended to safeguard civil aviation against acts of unlawful interference that may jeopardize the security of civil aviation.33 In the civil aviation sector, the necessity of safeguarding people from terrorism and crime is obvious Moreover, this sector has immense importance

to the world economy Its assets, aircraft, airports and infrastructure, constitute siderable economic value and should be protected as well At the same time, the threat of terrorist attacks against civil aviation is deemed to be heightened Hence, the connection between the threats and advanced security measures seems to be clear The latter is a logical consequence of the former

con-The aviation security-privacy dilemma is quite visible here: implementation of different measures, procedures and methods is designed to protect individuals, but may have tensions with the individuals’ rights A clear result is what Lyon calls a paradox – the side effect that many aviation security measures justified by security risks and fight against terrorism actually produce risks themselves – in relation to privacy, data protection and other liberties.34 Compromises to privacy/data protec-tion/other human rights can be considered as the costs to be paid for a security decision

Actual surveillance may start long before you enter the airport, for instance, at the moment you reserve a plane ticket and fill out various personal data fields Different systems collect personal data of passengers, use and share them with other systems for further checks, data mining, profiling and so on The opportunities for surveillance are constantly growing along with technological developments: high- tech “smart” camera surveillance using biometrics, body scanners, security tunnels and so on

What is next? How much security is enough? How far can the states and security organs go in their attempts to find the most effective measures? To illustrate an absurd situation, security professionals ironically demonstrate a picture of “security

of the future” showing naked passengers on board the aircraft, i.e deprived of any privacy at all In general, “If passengers are divesting items and holding their arms

up like criminals, then the terrorists have won by fundamentally changing our core values”.35

A common suggestion is the idea of finding a balance between the privacy and security values In other words, we should balance privacy or, broadly stated, liberty against security using the so-called trade-off model More details will be elaborated

in Chap 5, but in general, it is not possible to increase one of the values without decreasing the other

This is easy to understand It is obvious that security, which is vital to survival,

is more important than privacy, which is a social and political need but is not an immediate matter of survival.36 To the contrary: in the worst case, privacy can be seen as “a mere abstraction, a luxury with little concrete value”.37 Only when the security needs are satisfied is it possible to consider the privacy needs at all.38 Thus, frightened by terrorist attacks, people tend to choose security over privacy In these circumstances, the process of balancing became a strategy of the security measures proponents,39 where the risks of terrorism and crime are supposed to rationalize the need for enhanced security measures, typically exemplified by the enhanced mea-sures introduced after the 9/11 attacks

The balancing concept is subject to criticism, first because it justifies the promises to privacy and other human rights.40 It is proposed that instead, the test of proportionality should be used By using the latter, it can be evaluated whether a concrete security measure is suitable, necessary, without any other less intrusive alternatives, non-excessive, and so on Applying these criteria allows us to assess whether the privacy risks caused by this measure are proportionate to its security benefits and other factors.41 In addition, mechanisms of protection, including redress for abuses, are actually provided by the concept of human rights in general and privacy/data protection regimes in particular.42

com-To summarize: aviation security as an element of human rights contributes to the right to life (or freedom from harm), constituting a good argument for enhanced security At the same time, aviation security as such, i.e as broader security demands including measures, resources, security decisions, evaluation of threats, risk assess-ment, etc. – overall leads to enhanced surveillance and control and, consequently, to human rights concerns

The dilemma to be examined in this work conveyed through the widespread expression “security versus privacy” is the aviation-security-versus-privacy-data- -protection-and-other-human-rignts dilemma The rights to privacy and data protec-tion are the focus of this research and are used to evaluate the selected security measures But, since other human rights may be relevant, and, as discussed, aviation security is a matter of human rights, they will also be discussed on an additional basis to better reflect the situation: simultaneous violation of a number of human rights makes the whole aggregated impact of aviation security measures on an indi-vidual more serious For the convenience of the reader, further, the term “security

36 Schneier (2008) p. 70.

37 Spencer Security Versus Privacy: Reframing the Debate In: Denver University Law Review

Vol 79 (2002) p. 519.

38 Aquilina Public security versus privacy in technology law: A balancing act? In: Computer Law

& Security Review Vol 26 (2010) p. 135.

versus privacy” will be used as synonymous to “aviation security versus privacy, data protection and other human rights”.

Since this research will use the proportionality test rather than balancing as an approach to the dilemma, the latter cannot be considered exclusively as a tension between opposites Both values are important for society; what is needed is to find

a way to ensure all of them, without losing one or the other The “ideal” model of interactions between aviation security and privacy, therefore, will be aviation secu-

rity plus privacy, aviation security and privacy.

1.2 Aims of the Research

As a result of existing research, it is quite well known that security measures, ing those in aviation security, have tensions with human rights in general and with privacy and data protection specifically However, the pro-privacy side focuses on privacy interests rather than aviation security interests The latter tends to remain in the “shadows” In addition, substantial research covers mainly the EU, the USA and the Western states in general There is some lack in the research at the international level and at the national level of non-Western states

includ-Using existing research extensively, this work analyses different security sures, methods and technologies in civil aviation from the perspective of their impact on the rights to privacy and data protection as well as related individuals’ rights, including the right to health, freedom of movement, the right to equal treat-ment and non-discrimination, freedom of thought, conscience and religion, and rights of the child In short, the main objective is to discuss what can be considered proportionate security, taking into account privacy/data protection other human rights concerns

mea-The following sub-aims can be indicated

1 To discuss whether the use of the selected aviation security measures: body ners, camera surveillance and Passenger Name Record (PNR) systems43

scan-(“selected measures”), in particular their impact on privacy and data protection, corresponds to legal principles of privacy and data protection Thus, to some

extent, the research will analyse the situation de lege lata – but subject to

limita-tions and on an illustrative basis.44

2 To describe the selected measures, their background, emergence and

contempo-rary usage In other words, the situation will be analysed de facto This is

particu-larly important, since for privacy/liberty-security debate, not only privacy/liberty interests, but also security interests should be better understood and more

43 Transfer of air passenger data from airlines to state authorities, with further analysis of these data for security and other purposes See more details in Chap 6

44 See more details below.

meaningfully evaluated.45 This is the reason for the fairly detailed analysis of aviation security background, importance of civil aviation, aviation security con-cepts, effectiveness matters etc and the specific aviation security measures in this research.

3 To analyse options for rectification and recommendation – i.e., to discuss legal

policies, how the situation should be – de lege ferenda Legal principles of

pri-vacy and data protection will be used as the basis I stress that this aim refers mainly to general insights rather than to proposing a comprehensive framework for the reform

I will also draw attention to specific issues relating to legal, technological and other developments in aviation security and privacy/data protection which, in my opinion, present the most controversial and problematic issues relating to aviation security-privacy dilemma

As will be explained in Chap 5, legal principles can be applied to any tions considered in this work Since technological development is rapid and legisla-tion is not, to evaluate selected aviation security measures, we can apply legal principles to aviation security measures on a case-to-case basis in an effort to iden-tify problems and deficiencies, to identify and analyse the options for rectification and recommendation Moreover, principles enable an easier exchange of views across legal regimes and between various professions involved in the aviation security- privacy debate Thus, for research like this, which implies various jurisdic-tions and interests, the analysis of legal principles rather than legal regulation has a pragmatic goal, and is aimed to suggest an effective model for approaches to the aviation security-privacy dilemma

jurisdic-Respective legal regulation, in particular, applicable international and EU ments, along with relevant case law, will be used as the sources of the legal princi-ples For illustration of principles, “regulatory cases” from the EU and some national regimes: the United Kingdom of Great Britain and Northern Ireland (UK), Norway, the United States of America (USA), and Russian Federation (Russia, RF) (“selected states”) will be used

instru-45 Solove Nothing to hide: The false tradeoff between privacy and security (2011) p. 3.

Civil aviation can be characterized by strong international character and increased travel Globalization46 and technological developments have led to increased avail-ability and circulation of personal data worldwide Due to these and other global trends, and keeping in mind that fundamental human rights belong to every person independently of any citizenship, the analysed aviation security-privacy dilemma is (or should be) a relevant topic anywhere in the world where civil aviation and avia-tion security exists The analysis of international dimensions is therefore of a great importance In order to improve privacy and data protection under the new security regimes, it is necessary to have the knowledge of the international context and inter-national efforts in both privacy and security.

The choice of the EU’s framework is not accidental First, as mentioned above, legal principles of privacy and data protection which are central tools for this research derive from international and/or EU law Secondly, in the field of data pro-tection, Europe is known as the world leader The EU Data Protection Directive has been implemented across EU Member States and served as model law for many other states

National perspectives are important too National illustrations will ensure a broader and a more comprehensive picture Clearly, the aviation security measures are concentrated at the airports related to definite states; passenger personal data ends up at national law enforcement, security and intelligence organs, etc Thus, for concrete illustrations of aviation security regimes, definite national regimes will be used as examples This concerns both regulatory and technological “cases”

Four states were chosen for this purpose: the UK, Norway, the USA, and Russia The choice of the states was greatly influenced by my language capabilities (English, Russian and Norwegian),47 which played a key role in providing access to the mate-rials available

I acknowledge that illustrations from national regimes will be given without rying out a legal comparative analysis that includes a systematic and extensive com-parison of the jurisdictions I also acknowledge that a problem arose pertaining to the availability of materials at different levels, especially national ones that differ greatly both quantitatively and qualitatively, leading to asymmetry of information at different levels and consequently asymmetry in the analysis The difference also may occur due to the need to cover specific issues in more detail

car-The selected aviation security measures were chosen due to a number of factors: they relate to air passengers; they all are argued to enhance security; their use is growing, and they all may have significant impact on privacy/data protection/other human rights Moreover, they all are emerging technologies, that is, technologies

46 Globalization is a multidimensional phenomenon, which involves a deepening and broadening of rapid transboundary exchanges due to developments in technology, communications, and media

Such exchanges create a more interdependent world See Shelton Protecting Human Rights in a

Globalized World In: BC Int’l Comp L. Rev Vol 25 (2002) p. 275.

47 Whenever possible, the research uses English versions of Russian and Norwegian sources or their official translations into English, with indication of sources In all other cases, unless speci- fied otherwise, the translations are the author’s.

under development; they may present central future security measures, not only within civil aviation These measures are hence central aviation security measures for this research.

At the same time, there are other security techniques and methods that may serve

a part of the selected measures, or be connected to them directly or indirectly What

is important is that they may have influence on the aviation security and privacy dilemma, for instance, by increasing effectiveness or by raising additional concerns, contributing to the measure’s aggregated impact on passengers’ rights Hence, they will be discussed as well, in the amount necessary to understand the technique in general, focusing on some specific features in the context of the selected measures This includes biometrics, profiling, and behaviour analysis Moreover, more general trends and approaches in modern aviation security may have additional impact on the dilemma and will therefore be discussed too

It should be noted that in contrast to other legal works whereby the legal ments influence and determine the relevance of technological features,48 in this research, technological descriptions are determined by the technology’s functions with potential impact on individuals’ rights In other words, the technology descrip-tion is first functional, with the primary aim to show the “meeting point” of the technologies and human beings

require-Obviously, for these purposes, not all technical and operative capabilities are

essential, but only those which may have impact on human rights, including cal safeguards to protect these rights Hence, only selected relevant features are chosen and analysed, with subsequent evaluation of the applicability of human rights and operation of legal principles: how effective is the technology for protec-tion of the right to life?; which other concerns for human rights arise?; how serious are they?; are there technical safeguards that are able to protect the rights? etc The technology may entail different applications, different safeguards and thereby pro-duce different impacts These different variants should also be described

techni-As a result, the technological and operational description in this research is broader than is usually found in legal works This can be considered an advantage, since details about aviation security technologies are not thoroughly addressed by legal research In addition, people in general are unaware of many aviation security technologies’ capabilities and usage, and not all passengers regularly read Aviation Security International and similar journals Thus, this work can contribute to better awareness, at least for its readers

At the same time, there is a problem of missing information in respect of aviation security An important aspect here is the degree of openness of information in avia-tion security This issue will be discussed in more detail in Chap 5 on the subject of the principle of legality, but in short, aviation security, which falls within national security, is characterized by a high amount of restricted information This can be understandable, since security must be safeguarded It is essential for the security system to keep many of its elements confidential: the more information about the

48 See e.g Ibid.

security system is made available, the more vulnerable it is Release may constitute

a threat of security

As the result of limited information, a legal researcher with specific requirements

to the study faces a problem with description of some facts.49 In the case of this research, information about many processes and issues in aviation security is miss-ing, in particular, where exactly some of the discussed technologies are used, the details about technical and operative characteristics of the measures, criteria of risk assessment and effectiveness, etc Indeed, it can be difficult to rely on facts lacking some essential details or that are unclear or controversial This leads to a degree of uncertainty when analysing the proportionality of the regimes in this work

Another challenge is that aviation security measures as well as technologies and operational procedures designed to ensure the individual’s rights are subject to quick and constant changes and further development Thus, while finalizing this research, I tried to update references to all legal sources, facts, figures, technological features, etc on which the research is built The presentation of law in this book is current law as of 5 October 2016 Unless otherwise specified, all cited websites were last accessed on that date

However, not all sources could be sufficiently updated This creates a potential risk that some facts/numbers used in this research might be outdated Nevertheless, this problem can be seen mitigated by a global and general character of this work, where details are used mainly as illustrations, and the fact that changes in the anal-ysed spheres are inevitable anyway

In summary, due to the presented challenges and reasons, the research cannot be considered an all-encompassing and comprehensive evaluation of the current regimes capturing all the relevant details and presenting “the ultimate truth”, but should rather be seen as a contributing perspective, suggesting that further research

is needed

At the same time, the research is aimed to concentrate on principal issues on aviation security versus privacy rather than details, thus, can be applicable to future regimes as well as regimes beyond aviation security field, wherever/whenever the individual’s rights may be compromised under the motto of security needs/precautions

As a matter of contribution to the existing research, a number of features of this research can be highlighted

1 This research endeavours to present the aviation security interests more oughly than is usually done in privacy-security debates Thus, it is an attempt to

thor-go deeper into aviation security perspectives than is usually done in security- privacy debates Civil aviation is a sector in which the risks of terrorism are highlighted, and with the most advanced and sophisticated security measures if compared with other transport modes or other public places For better under-standing of how the situation became what it is, why this sector requires enhanced protection, as well as the logic of aviation security decisions (which exactly

49 Andersen Edb og ansvar Jurist-og Økonomforbundets Forlag (1988) p. 29.

aviation security measures should be used and why), aviation security will be discussed more thoroughly, taking into account the importance of civil aviation for the world economy, historical background, threats and risks concepts, etc.

2 This research addresses a number of the most controversial aviation security measures used worldwide; it discusses their additional features, connections between them as well as global trends such as the risk-based approach, the com-bination of various technologies, global information sharing, etc Technological and operational descriptions of the measures are broader than what is usually done in legal research

3 I also include, along with examples from the UK, Norway and the USA, ples from Russia In contrast to others, belonging to the West and “old democra-cies”, Russia is a non-Western and post-authoritarian state, a “new democracy” Since there are many more countries outside the West that have similar features and traditions and may face similar problems, Russia can be considered as an example from a substantial part of the world.50 The conclusions on Russia, there-fore, may have global dimensions, e.g as is the case that not only Russia, but also more and more non-Western countries demand PNR for security purposes

exam-I believe that this research may contribute to further research in security versus privacy/liberty, not only in respect of civil aviation, but security in a broader sense, since many issues are common or similar This work may also assist in providing a more detailed analysis of some particular issues and problems discussed in this work

1.4 Overview of the Structure

This book is divided into three substantial parts Part I – General Part – includes Chaps 2 3 4 and 5 and is dedicated to presenting general issues for this research, going from more broad and general to more specific issues

Chapter 2 is dedicated to privacy and data protection in aviation security First, it discusses the essence of the rights to privacy and data protection, relation and con-nection between each other Since there are many different approaches and concepts

of what privacy is, this work will present those which can be used as tools to analyse applicability of privacy right to specific aviation measures in Part II. Similarly, the concept of data protection will be presented

Secondly, Chap 2 provides an overview of general legal regulation of privacy and data protection as well as technology-specific privacy/data protection regulation and soft law which may be applicable in aviation security Three levels of the selected states will be discussed: international, EU and national Although the research will use legal principles of privacy and data protection (Chap 5) as a basis for analysis of privacy/data protection concerns in civil aviation, discussion of legal

50 Including post-Soviet states, many “developing” states in Asia, Latin America, and Africa.

regulation serves as a necessary basis for the understanding of principles, the basis for illustrations used in Part II.

Chapter 3 will discuss the human rights concept with general mechanisms of human rights protection as well as grounds for their restrictions and limitations Furthermore, it is a discussion of a number of particular rights which are relevant in the aviation security area

Indicating the status of the whole picture of security versus human rights in tion to privacy/data protection is particularly important, since, as mentioned above, (i) security serves to protect the passengers’ right to life, i.e contributes to human rights positively, and (ii) privacy alone cannot reflect all of the negative effects of the security measures on human rights other than the right to life – other human rights concerns are applicable too Accordingly, the other human rights perspectives enables the visualization of a broader picture, to better understand the extent and actuality of the security-privacy problem, since impact of aviation security mea-sures on other human rights ultimately have an effect on the proportionality of avia-tion security measures and privacy interests

addi-Chapter 3 will provide an indication of the applicability of the respective human rights with respect to the selected measures, and in so doing, determining particular concerns It will also contribute towards finding and developing approaches for sub-stantiating human rights concerns These particular concerns the principle of pro-portionality and other principles that will be discussed further in Chap 5, and then applied in Part II

Chapter 4 will analyse what aviation security is, the reason why civil aviation gets so much security, and why and how the security measures which have an impact

on privacy and data protection were developed and implemented This can be sidered from different perspectives This chapter will start with discussing the term aviation security along with the related and sometimes confusing term safety Then,

con-it will analyse the importance of civil aviation to the world economy, growth in tion and in aviation security in numbers It will discuss historical development of aviation security measures, the rationale of aviation security decisions, including threats and risks, principles of aviation security and finally, general regulation – as discussed above, on a limited basis

avia-First, this chapter constitutes an important background for understanding the role and essence of aviation security Secondly, it provides necessary tools for analysis

of proportionality of aviation security regimes For instance, threats, especially rorism, are usually used to substantiate the interference to human rights, while effectiveness is a prerequisite for evaluating if benefits of a measure are proportion-ate to the harms At the same time, privacy can be considered as one of the aviation security costs: if this cost is excessive, a measure may be cancelled or amended, which may be seen as disadvantage for security

ter-Chapter 5 is dedicated to legal principles of privacy and data protection For research like this, which implies various disciplines, jurisdictions and languages, the analysis of applicable legal principles has a pragmatic goal; it is aimed to sug-gest an effective model for approaches to the privacy-aviation security dilemma

This objective makes this chapter a key source for the Special Part, where the ciples will be used with reference to particular aviation security measures.

prin-Accordingly, the General Part will provide an introduction and general edge, core dimensions of the relationship between aviation security and privacy/data protection Information, terms, principles and findings from the General Part will serve as a necessary and important basis, vocabulary and tools for the Special Part, for a further and more detailed analysis of the rights to privacy and data protec-tion as well as other individual rights applicable to particular aviation security measures

knowl-Part II – Special knowl-Part – includes two chapters – 6 and 7 It will analyse threats to privacy and data protection from a narrower, but deeper perspective, indicating con-crete problems

Chapter 6 will describe the selected aviation security technologies It will focus

on three of them  – body scanners, camera surveillance, and PNR systems Nevertheless, some related technologies will be discussed as well, including bio-metrics, in particular, facial recognition, profiling and behaviour analysis, as well as common modern trends: pro-active, risk-based and intelligence-led aviation secu-rity, including trusted traveller programmes, global information sharing, random-ness in screening, and a combination of aviation security measures The point is that any of these additional items may have additional effects on the dilemma

The discussion will focus on technological and operative features having impact

on human rights, provision of safeguards, and issues of effectiveness, since the latter may have direct impact on proportionality of the regimes Simultaneously, the applicability of privacy/data protection/other human rights will be assessed using tools from Chaps 2 and 3

All measures are different, with different levels of intrusiveness from the spective of privacy and data protection, but all these will be “screened” by the pri-vacy and data protection principles in Chap 7 in order to indicate which specific problems arise and if there are adequate safeguards, etc

per-Importantly, the general principles discussed in Chap 7 are common for tion of interference regarding all the applicable human rights Thus they can be used not only in respect of aviation security versus privacy/data protection, but also in respect of aviation security versus human rights Accordingly, the ultimate question

evalua-is whether the selected measures can be considered proportionate, i.e whether intrusiveness is justified by the level of threat in civil aviation and the corresponding benefits of the aviation security measure

Part III is Chap 8  – the conclusion It will return to the “general” level with additional knowledge from Part II. It will discuss selected findings relating to regu-lative, technological and other development in aviation security and privacy/data protection which, in my opinion, present the most controversial and problematic issues relating to aviation security-privacy/liberty dilemma They will reflect cur-rent and future prospects

Part I

General Part

© Springer International Publishing AG 2017

O.M Enerstvedt, Aviation Security, Privacy, Data Protection and Other Human

Rights: Technologies and Legal Principles, Law, Governance and Technology

Series 37, DOI 10.1007/978-3-319-58139-2_2

Protection of Privacy and Data Protection

in Aviation Security

2.1 Introduction

As discussed, the notions of privacy and data protection are central for this research

In order to analyse the impact of a particular aviation security measure on privacy and data protection and particular consequences in the Special Part, it should be explained how the terms “privacy” and “data protection” will be used in this research, how they are connected and how the interests that they denote are regulated

Since Chap 6 will determine applicability of privacy and data protection rights with respect to particular aviation security technologies, it is important to establish approaches and necessary tools That is why the description of these approaches/tools in this chapter is quite detailed

The first problem is that there may be some confusion because of the common use of the term “data protection” in the EU through which the law normally distin-guishes these two terms, whereas in the USA, the term “privacy” tends to be used instead In addition, on both sides of the Atlantic, the term “data privacy” is increas-ingly used.1 Data privacy sounds in some ways more logical than “data protection”, since it refers to the right itself rather than the “protection” process In comparison with the other two terms, it reflects more accurately “the focus, thrust, and rationale

of the relevant norms”.2

Secondly, there are difficulties with the term “privacy” The problem concerns not only vagueness of this term and absence of its universally agreed and/or widely acceptable definition, i.e the formal indication of a specific human right or free-dom, but also the broad use of this term outside the legal or human rights sphere It

is often used to denote political, social, psychological privacy, among other aspects

1 See Bygrave Data privacy law: an international perspective (2014) pp. 23–26.

2 Ibid p. 26.

Thus, apart from human rights, “privacy” may imply a concept, idea, value, interest,

or something else As the result, there are many different interpretations of what privacy is This work will present those that can be used as tools to discuss the prob-lems in this research

Thirdly, data protection may involve disputable issues as well, including what exactly makes data “personal” and what amounts to “processing” Additionally, a part of aviation security is information security, which is aimed at protecting cor-responding systems against cyber-attacks and cyber-terrorism, creating a certain overlap

The next part of this chapter is dedicated to an overview of privacy and data tection regulation, in particular in the aviation security context In general, aviation security is dedicated to protection of passengers’ lives and other assets from acts of unlawful interference.3 However, a basic rule is that if the states want to use an avia-tion security technology, they must comply with other relevant legal regulation, including that which applies to privacy/data protection The question that arises is how privacy and data protection requirements should be applied to security technol-ogy practices, especially new ones

pro-As will be discussed in Chap 4, civil aviation has a strong global character, and there are endeavours to achieve more harmonized international regulation, includ-ing of aviation security At the same time, as discussed above, globalization and technological developments caused personal data issues to become international concerns Thus, international instruments on privacy/data protection in aviation appear to be necessary Applicable instruments will be discussed first

Then, the level of the EU law will be discussed, as a region with the most damentalist” approach to data protection in the world, where data protection law is driven from the human rights perspective, and personal data protection is a funda-mental right.4 As Newman argues, although Europe does not always prevail in inter-national regulatory debates, it has acquired “regulatory capacity” in the field of data privacy, creating and expanding rules in Europe and around the world.5

“fun-It is a fact that during the past decades many countries have established regimes based on the EU model The point is that processes of integration and globalization dictate their need to bring national legislation and practice into line with interna-tional standards: otherwise, they can be isolated in the data protection field, in par-ticular in personal data flows In addition to these national endeavours, the EU influences data protection rules of other countries by exporting its data protection standards via Europol cooperation agreements, PNR agreements with the USA,

3 See Chap 4

4 See, e.g Privacy Law and Business EU Commissioner V ĕra Jourová says protection of personal data more than a “European” fundamental right http://www.privacylaws.com/Int_enews_30_10_15 (30 Oct

2015) and Cline Global CRM Requires Different Privacy Approaches (2005).

5 Newman Protectors of privacy: regulating personal data in the global economy (2008) pp. 8–9.

Canada, and Australia,6 ongoing negotiations for an EU-US Umbrella Data Protection Agreement,7 etc.

The next section is dedicated to national regulation in the selected states Issues relating to privacy/data protection are solved in many countries at the level of law, soft law, including administrative measures, and mechanisms of self-regulation In general, the following models of legal regulation can be distinguished8:

• The Continental (European) model, designed to ensure a balance between state control and private initiative The latter is strictly regulated: any code of practice developed by industry group cannot derogate from standards of data protection law The use of industry-developed codes of practice is limited.9

• The American model is characterized by liberalization of the market of tion technologies, minimum control of the state, encouraged private initiative and very flexible legislation The key idea is self-regulation implying that it is up

informa-to the market informa-to come with regulation initiative, not through legislation

• The Asian model: the state is involved in the provision of large-scale investment

in the development of information technologies; creation of both material and social structures; regulation is based on a hierarchical society.10

At the national level, the perceived level of surveillance, which may have effect

on both privacy and aviation security regimes, will be mentioned too Additionally, some specific national features – in particular, those that concern privacy regulation

in the USA specifically, and in Russia, a state outside the Western world – will be mentioned These additional needs justify to some extent a degree of asymmetry in national-level discussions

Another point – common to all levels – is that globalization, technological opments, widespread use of enhanced security and surveillance measures, as well as other factors, substantiated the fact that application of general privacy and data pro-tection norms in aviation security can be a problem without more specific and detailed rules on how these general provisions should be applied in this particular area Thus, in addition to providing an overview of general privacy and data protec-tion regulations, this chapter will also analyse relevant technology-specific laws or other instruments

devel-6 See Special Part.

7 Agreement between the USA and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences As of September 2015, nego- tiations on this agreement were finalized http://europa.eu/rapid/press-release_MEMO-15-5612_en

8 Kovaleva Informational Law of Russia (2007) p. 14.

9 Bygrave Privacy and Data Protection in an International Perspective In: Scandinavian Studies

in Law (2010) p. 189.

10 For more detail on data privacy laws across Asia see Greenleaf Asian Data Privacy Laws: Trade

& Human Rights Perspectives (2014).

2.2 What Is Privacy and Data Protection

2.2.1 The Concept of Privacy

In the aviation security sector, with reference to a number of measures, one may often hear: where does privacy come into the picture here and what is the problem with interfering with privacy? We are looking for terrorists and protecting your lives; what are you talking about?

For instance, the main purpose of the body scanners is to see objects carried under clothes, an invasion of a very intimate and personal sphere; a tension between protection and privacy seems to be clearly present Nevertheless, with regard to other security measures, e.g collecting and analysing personal data, the invasion of privacy may not be so clear: for ordinary air passengers, physical privacy is defi-nitely more visible than informational privacy This uncertainty leads to the ques-tion of what constitutes air passengers’ privacy in each particular situation, in particular, with reference to technologies

The concept of privacy has broad historical roots in sociological, philosophical and anthropological discussions; first of all, in the context of contrasting private and public spheres Probably the first philosopher who tried to separate the private and the public was Aristotle (384–322 B.C.).11 While the public realm is normally asso-ciated with political activity of citizens, the community and the state, the private realm is associated with family and personal life

There were many attempts to define privacy, to indicate whether privacy as such

is best characterized as a state/condition, a claim, or a right,12 an interest, a value, a preference,13 with different conceptions developed

This research is legal, thus, it is logical that privacy as a right is the most tant dimension The point is that if it is established as a human right or constitutional right privacy would require protection by the state, as the guarantor of human rights, and serve as an instrument of protection against abuses by the state,14 even if a per-son is doing nothing wrong at the time of surveillance.15

impor-In aviation security, it is the state’s security organs that intrude into passengers’ private sphere during screening, surveillance and other procedures, and privacy pro-tection can be seen as a way of drawing the line for how far they can go Thus, pri-vacy is considered in this research as primarily a human right

In contrast to other “traditional” fundamental rights that were formulated in the XVIII century, privacy was moved from the sphere of philosophy into the legislative sphere only in the late XIX century It was first defined as “a right” in 1890, in the

11 Aristotle Politics ([ca 330 BC], 1983).

12 Bygrave Privacy Protection in a Global Context–A Comparative Overview In: Scandinavian

studies in law Vol 47 (2004) p. 323.

13 Nissenbaum (2010) p. 2.

14 See Chap 3  – the concept of human rights.

15 Schneier (2008) p. 63.

USA, in an article by Warren and Brandeis.16 This article also addressed theoretical and legal issues about the relationship between technology and privacy in relation

to portable photography equipment.17 Fifteen years later, the right to privacy was expressly recognized by American courts.18 In the middle of the twentieth century, the right to privacy began to be recognized as one of the fundamental human rights

in official legal instruments, international, regional and national Today, it is nized around the world in diverse nations, regions and cultures

recog-However, having deep philosophical roots and due to its vagueness and cated scope, the right to privacy is very difficult to define and understand There is

compli-no clear legal or commonly accepted legal definition of privacy; the process of legal formation of this right is not finalized, and privacy is “a concept in disarray”.19 Thus, for a better understanding of privacy, in addition to analysis of legal regulation and case law addressing the right to privacy, the theoretical concepts of privacy will be considered too

According to Bygrave, there are four principal ways of defining privacy: non- interference, limited accessibility, information control, and incorporation of various elements of the other three sets but linking privacy exclusively to intimate or sensi-tive aspects of persons’ lives.20 These four conceptions can be considered as basic, having many variants and interpretations

Moor and Tavani, for instance, distinguish nonintrusion, seclusion, limitation, and control theories of privacy,21 developing an incorporative theory, so-called Restricted Access/Limited Control (RALC) The “incorporative” theories include the RALC theory, which, according to the authors, has three components: an account

of the concept of privacy, an account of the justification of privacy, and an account

of the management of privacy.22 Solove mentions, in addition, the concepts of privacy- as-secrecy and privacy-as-intimacy,23 also falling into the basic four approaches The key theories will be briefly discussed below in relation to aviation security

The first one – non-interference or nonintrusion – is presented by what Warren and Brandeis term the “right to be let alone”.24 According to the seclusion theory of privacy, privacy is also identified with “being alone”25; e.g Gavison describes a

16 Warren and Brandeis The Right to Privacy In: Harvard Law Review Vol 4 (1890) p. 193.

17 Finn [et al.] Seven types of privacy In: European data protection: coming of age (2013) p. 3.

18 Pavesich v New England Life Insurance Co Supreme Court of Georgia, 122 Ga 190; 50 S.E 68;

1905 Ga., 3 March 1905.

19 Solove Understanding privacy (2008c) p. 1.

20 Bygrave Data protection law: approaching its rationale, logic and limits (2002) pp. 128–129.

21 See, e.g.; Moor The ethics of privacy protection In: Library Trends Vol 39 (1990) p. 69; Tavani

Philosophical theories of privacy: Implications for an adequate online privacy policy In: Metaphilosophy Vol 38 (2007) p. 2; Solove (2008c).

22 Tavani (2007) pp. 9–10.

23 Solove (2008c).

24 Warren and Brandeis (1890) pp.193, 205.

25 Tavani (2007) p. 5.

person as enjoying “perfect privacy” when that person is “completely inaccessible

to others” that is, when no one has “physical access to [the individual]”.26

However, if applied to technologies in general and those used in aviation security

in particular, obviously, this “ideal” condition can never be fulfilled Airports and aviation security as a whole belong to areas where anonymity may constitute threat

or result in undesirable behaviour (see more detail below) Thus, persons who wish

to have 100 per cent privacy and be let alone should sit at home rather than travel by means of public transportation

This means inadequacy of the non-interference concept for this sphere Apparently, instead of a radical “all or nothing” approach, other approaches should

be used Moreover, all the cited scholars recognise that privacy is relative rather than absolute, and you cannot treat privacy according to an all-or-nothing approach

Accordingly, it is more appropriate to speak about some control, some privacy, etc.

Within the limited-access conception, the core idea is that privacy is a matter of restricted access to persons or information about them  – “limited access” to the self.27 According to Gavison, privacy is a condition of “limited accessibility” con-sisting of three elements: “secrecy” – “the extent to which we are known to others”,

“solitude” – “the extent to which others have physical access to us”, and ity” – “the extent to which we are the subject of others’ attention”.28

“anonym-The privacy-as-secrecy conceptions, e.g “concealment of personal information”29

can be understood as a subset of limited access to the self, but this conception is narrower because secrecy involves only one dimension of access to the self – the concealment of personal facts.30

The control-over-information conception is presented, for example, by Westin’s definition of privacy as “the claim of individuals, groups, or institutions to deter-mine for themselves when, how, and to what extent information about them is com-municated to others”.31 According to Fried, “Privacy is not simply an absence of information about us in the minds of others, rather it is the control we have over information about ourselves”.32 Accordingly, privacy is a matter of one’s control over oneself without external interference As Solove notes, this concept can be viewed as a subject of the limited-access conception.33

The theory of intimacy also states that privacy consists of some form of limited access or control, but it locates the value of privacy in the development of personal relationships; all relationships are formed with differing degrees of intimacy and self-revelation, and people value privacy so that they can maintain the desired levels

26 Gavison Privacy and the Limits of Law In: Yale LJ. Vol 89 (1979) p. 428.

27 Solove (2008c) p. 18.

28 Gavison (1979) pp. 421, 428–436.

29 Posner The economics of justice (1983) p. 268.

30 Solove (2008c) p. 22.

31 Westin Privacy and freedom (1970) p. 7.

32 Fried Privacy In: Philosophical dimensions of privacy (1984) p. 209.

33 Solove (2008c) p. 25.

of intimacy for each of relationships.34 Iness defines privacy as “the state of ing control over a realm of intimate decisions, which includes decisions about inti-mate access, intimate information, and intimate actions”.35

possess-As noted above, privacy is relative rather than absolute A good illustration of such relativeness is the situation with aviation security measures: the passenger‘s choices are limited: to fly or not to fly, to book a ticket and release personal details

or not to book, to be scanned or manually searched, to go through the airport and be watched by CCTV cameras or not go, etc If he or she opts to fly, he/she must undergo exposure to security measures, typically without knowing the details of the used technologies and without access to collected data At that point, the passenger loses control over herself.36 Hence, body scanners, for instance, harm privacy because they require people to give up control over their own body.37 However, within the control theory, the options for rectifying the situation are quite radical and not very practical: in order to return 100% control, the recommendation is not

to fly at all

Although describing the situation of aviation security versus privacy, these ries focus on harms that already take place and must be stopped.38 Thus, they fail to suggest more realistic solutions on how to prevent harms, and there may appear problems when applying them specifically to aviation security The point is that even in the latter sphere, where security needs may limit some human rights deemed

theo-to be less important than the right theo-to life/security, privacy should still be provided, and therefore defined

This leads to conclusion that specifically the aviation security sector, with cific technologies, probably requires some specific privacy considerations, captur-ing the complexity of privacy issues within the challenges that technologies present.39

spe-Two helpful tools can be noted: first, types of privacy, which categorize privacy

in logical, structured and coherent ways,40 secondly, consideration of privacy in the context

Four basic types of privacy are privacy of person (physical privacy), of personal communication, of personal behaviour (or psychological) and of personal data.41

Physical privacy is the degree to which a person is physically accessible to others;

it is based on the human biological need for personal space.42 Communicational

34 Ibid p. 34.

35 Inness Privacy, intimacy, and isolation (1992) p. 140.

36 Tirosh and Birnhack Naked in Front of the Machine: Does Airport Scanning Violate Privacy? In:

Ohio State Law Juornal Vol 74 (2013) p. 1301.

37 Tirosh and Birnhack (2013) p. 1268.

38 Finn et al (2013) p. 6.

39 Ibid p. 3.

40 Ibid p. 4.

41 It is believed that four types were first categorized by Clarke Introduction to Dataveillance and

Information Privacy, and Definitions of Terms (1997).

42 Joinson and Paine Self-disclosure, privacy and the Internet In: The Oxford handbook of Internet

psychology (2007) p. 241.