2. Protection of Privacy and Data Protection in Aviation Security

See Chap. 4.

See, e.g. Privacy Law and Business. EU Commissioner Vĕra Jourová says protection of personal data more than a “European” fundamental right. http://​www.​privacylaws.​com/​Int_​enews_​30_​10_​15 (30 Oct 2015) and Cline. Global CRM Requires Different Privacy Approaches (2005).

See Special Part.

Agreement between the USA and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences. As of September 2015, negotiations on this agreement were finalized. http://​europa.​eu/​rapid/​press-release_​MEMO-15-5612_​en.

Nissenbaum (2010) p. 2.

See Chap. 3 – the concept of human rights.

Schneier (2008) p. 63.

Finn [et al.] Seven types of privacy. In: European data protection: coming of age (2013) p. 3.

See, e.g.; Moor. The ethics of privacy protection. In: Library Trends. Vol. 39 (1990) p. 69; Tavani. Philosophical theories of privacy: Implications for an adequate online privacy policy. In: Metaphilosophy. Vol. 38 (2007) p. 2; Solove (2008c).

Tavani (2007) pp. 9–10.

Solove (2008c).

Warren and Brandeis (1890) pp.193, 205.

Tavani (2007) p. 5.

Solove (2008c) p. 18.

Gavison (1979) pp. 421, 428–436.

Solove (2008c) p. 22.

Solove (2008c) p. 25.

Tirosh and Birnhack (2013) p. 1268.

Finn et al. (2013) p. 6.

Burgoon [et al.] Maintaining and restoring privacy through communication in different types of relationships. In: Journal of Social and Personal Relationships. Vol. 6 (1989) p. 132.

Joinson and Paine (2007) p. 241.

Finn et al. (2013) pp.8–10.

Finn et al. (2013) p. 26.

Tirosh and Birnhack (2013) p. 1267.

See Leander v. Sweden, No. 9248/81, 26 March 1987; Kopp v. Switzerland, 13/1997/797/1000, 25 March 1998; Amann v. Switzerland, No. 27798/95, 16 February 2000.

Nissenbaum (2004) p. 154–155.

EPIC. EPIC Framework for Protecting Privacy & Civil Liberties If CCTV Systems Are Contemplated. https://​epic.​org/​privacy/​surveillance/​epic_​cctv_​011508.​pdf, 2008.

Application No. 44647/98, 28 Jan 2003.

Leese (2013) p. 483.

COPRA. Aviation Security Research Roadmap (2013) http://​www.​copra-project.​eu/​Results_​files/​D5.​1%20​Copra%20​Aviation%20​Security%20​Roadmap%20​V1.​0_​download.​pdf.

Woodward (2002) p. 3.

Zoufal (2008) p. 10.

Badii et al. (2012) p. 367.

Zoufal (2008) p. 46.

Bygrave (2004) p. 327.

Wright et al. (2015) p. 290.

Badii et al. (2012) p. 366.

Wright et al. (2015) p. 290.

Raab (2012a) p. 261.

Solove (2008c) p. 74.

Data and information are used as synonyms in this research.

Bygrave (2014) p. 26.

Schneier (2008) p. 61.

Kovaleva (2007) p. 11.

C-101/2001, Lindqvist, 6 Nov 2003, §§ 82–90; C-73/07, Satamedia, 16 December 2008, § 50–62.

Article 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). In force 24 May 2016, shall apply from 25 May 2018.

Bygrave (2014) p. 165.

See Chap. 6.

Article 29 Data Protection Working Party (2007) section III.

Dynamic IP addresses refer to situations in which a new address is assigned to each computer every time it connects to the Internet.

Clifford and Schroers. Personal data and dynamic IPs – time for clarity? 23 Jan 2015. http://​blogs.​lse.​ac.​uk/​mediapolicyproje​ct/​2015/​01/​23/​personal-data-and-dynamic-ips-time-for-clarity/​.

Article 29 Data Protection Working Party (2007).

E.g. in Russia.

Tanti-Dougall. Cyber security in aviation: legal aspects. In: Aviation Security International. Vol. 21 (2015) p. 14. See also Asllani and Ali. Securing information systems in airports: A practical approach. In: ICITST (2011).

See below and Sect. 2.3.

Increasing Resilience in Surveillance Societies (IRISS) (2013) p. 32.

Gellert (2013) p. 525.

Increasing Resilience in Surveillance Societies (IRISS) (2013) p. 32.

See, e.g. General Comment 16, issued 23.03.1988 (UN Doc A/43/40, 181–183; UN Doc CCPR/C/21/Add.6; UN Doc HRI/GEN/1/Rev. 1, 21–23). For more details, see Bygrave (1998) p. 1.

Gellert (2013) p. 530.

Increasing Resilience in Surveillance Societies (IRISS) (2013) p. 32.

Adopted by General Assembly resolution 217 A (III) of 10 December 1948. UDHR is not a treaty itself, it was explicitly adopted for the purpose of defining the words “fundamental freedoms” and “human rights” in the United Nations Charter, which is binding on all 153 member states.

Adopted by General Assembly resolution 2200A (XXI) of 16 December 1966, was opened for signature on 19 December 1966, entry into force 23 March 1976.

The OECD member countries are: Australia, Austria, Belgium, Canada, Chile, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Japan, Korea, Luxembourg, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, the UK and the USA. The EU takes part in the work of the OECD.

OECD. 2013 OECD Privacy Guidelines. http://​www.​oecd.​org/​internet/​ieconomy/​privacy-guidelines.​htm.

OECD. Privacy Expert Group Report on the Review of the 1980 OECD Privacy Guidelines, 2013.

OECD Recommendation Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013) (OECD Privacy Framework 2013).

OECD. 2013 OECD Privacy Guidelines. http://​www.​oecd.​org/​internet/​ieconomy/​privacy-guidelines.​htm.

See more detail in Bygrave (2014) pp. 51–53.

Members include Australia, Brunei, Canada, Chile, China, Hong Kong, China, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, Philippines, the Russian Federation, Singapore, South Korea, Taiwan, Thailand, the USA and Vietnam.

Bygrave (2014) p. 76.

Bygrave (2010) p. 200.

See Chap. 4.

ICAO Document 9944 – Guidelines on Passenger Name Record (PNR) data of 2010 (ICAO PNR Guidelines).

IATA Recommended Practice 1701a, 2011 (PNRGOV).

EOS. Position Paper on EU policies on privacy and data protection and their impact on the implementation of security solutions. September 2010.

Security Industry Association. Privacy Framework https://​www.​securityindustry​.​org/​SiteAssets/​GovernmentRelati​ons/​gr-privacy-framework.​pdf (Last modified 28 March 2014).

Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950, effective 3 September 1953.

Charter of Fundamental Rights of the European Union, proclaimed on 7 December 2000, entry into force from the date of entry into force of the Treaty of Lisbon on 1 December 2009, Official Journal of the European Union (2010/C 83/02), 30 March 2010. The Treaty on European Union (TEU) Article 6(1) (Official Journal of the European Union (C 83/13), 30 March 2010) provides it “same legal value” as EU’s Treaties thus it is legally binding. However, the CFREU applies only if and to the extent that EU member states implement or enforce EU law over their respective national laws.

Clarke. What’s Privacy? Prepared for a Workshop at the Australian Law Reform Commission on 28 July 2006. Version of 7 August 2006. http://​www.​rogerclarke.​com/​DV/​Privacy.​html.

Kilkelly (2001) p. 25.

The details about applying these criteria in general will be discussed in Chap. 5.

Consolidated Version of the Treaty on the Functioning of the European Union, Official Journal of the European Union (C 83/47), 30 March 2010.

ETS No.108, 28 Jan 1981 (Entry into force: 1 Oct 1985).

ETS No. 181 (Opened for signature on 8 November 2001).

The Consultative Committee of the Convention for the protection of individuals with regard to automatic processing of personal data [Ets No. 108], Modernisation of Convention 108: new proposals, T-PD-BUR(2012)01Rev2_en, Strasbourg, 27 April 2012.

Ad hoc Committee on data protection of the Council of Europe (CAHDATA), Abridged Report, Strasbourg, 3 Dec 2014.

Bygrave (2014) p. 53.

It applies to the EEA member states which are not members of the EU (Norway, Lichtenstein and Iceland). The DPD was incorporated into the 1992 Agreement on the EEA (Decision of the EEA Joint Committee No 83/1999 of 25 June 1999 amending Protocol 37 and Annex XI (Telecommunication services) to the EEA Agreement; OJ L 296/41, of 23 Nov 2000).

See DPD Article 3(2), Recital 16. The exclusions and limitations of DPD are based on the pre-Lisbon so-called three “pillar” structure of the EU. The First Pillar governed the regulation of the common market, where the EU acquired a lot of power, and the Member States had lost a lot of power. The Second (common foreign and security policy) and the Third Pillars (the area of police and judicial cooperation) applied to defence and other types of foreign policy and fighting crime and protecting against internal security threats like terrorism. The EU had powers in these areas, but it was limited by Member States preserving national sovereignty (see the Maastricht Treaty: Treaty on European Union, 7 February 1992, OJ C 191, 29 July 1992.)

See more details in Hijmans (2009).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). In force 24 May 2016, shall apply from 25 May 2018.

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. In force 5 May 2016; EU Member States have to transpose it into their national law by 6 May 2018.

Hijmans (2010) p. 223.

EDRi-gram 13.24, 16 December 2015, https://​edri.​org/​edri-gram/​13-24/​.

See more details: European Commission. Security Scanners. http://​ec.​europa.​eu/​transport/​modes/​air/​security/​aviation-security-policy/​scanners_​en.​htm.

Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Proposal for a Regulation of the European Parliament and of the Council establishing a Registered Traveller Programme, COM (2013) 97 final – 2013/0059 (COD), Brussels, 28 Feb 2013.

Council of Europe (2010) p. 50.

Cunningham. Big Brother is watching EU: As the US moves towards privacy reform, Europe enacts sweeping new spying powers, 20 May 2015, http://​www.​politico.​eu/​article/​eu-privacy-surveillance-us-leads-act/​.

Clarke (2006).

Blackburn. Britain’s unwritten constitution. 2015. http://​www.​bl.​uk/​magna-carta/​articles/​britains-unwritten-constitution.

Increasing Resilience in Surveillance Societies (IRISS) (2013) p. 57.

Grant (2009) p. 49.

See Bichard Inquiry, Final Report regarding problems of police understanding the DPA rules (2004), http://​dera.​ioe.​ac.​uk/​6394/​1/​report.​pdf.

Study European Privacy and Human Rights by Privacy International (2010), the Electronic Privacy Information Center (EPIC) and the Center for Media and Communications Studies (CMCS), funded by the European Commission’s Special Programme “Fundamental Rights and Citizenship”, 2007–2013. Page 810.

Privacy International (2011).

Study European Privacy and Human Rights by Privacy International (2010), the Electronic Privacy Information Center (EPIC) and the Center for Media and Communications Studies (CMCS), funded by the European Commission’s Special Programme “Fundamental Rights and Citizenship”, 2007–2013. Page 806.

Killock. Legal challenge to UK Internet surveillance. 10 March 2013. https://​www.​privacynotprism.​org.​uk/​news/​2013/​10/​03/​legal-challenge-to-uk-internet-surveillance.

Cunningham (2015).

Kingdom of Norway’s Constitution of 17 May 1814.

Act of 21 May 1999 No 30 relating to the strengthening of the status of human rights in Norwegian law (the Human Rights Act).

Bygrave (2010) pp. 172–173.

Act of 14 April 2000 No. 31 relating to the processing of personal data.

Regulation of 15 December 2000 No. 1265 on the processing of personal data.

Act of 29 May 2010 No. 16 regarding the processing of personal data by the police and the prosecutors.

Act of 20 June 2014 No. 43.

Datatilsynet, Technologies. https://​www.​datatilsynet.​no/​Teknologi/​.

Privacy International (2011).

Statewatch. Police testing surveillance drones in Oslo. 26 October 2013. http://​www.​statewatch.​org/​news/​2013/​oct/​drones-police-oslo1.​htm.

Bygrave (2010) p. 191.

The Fourth Amendment to the Bill of Rights in the U.S. Constitution (1791).

Woodward (2002) p. 3.

Privacy Act of 1974, 5 U.S.C. § 552a (2000).

E.g. Fair Credit Reporting Act 1970, Right to Financial Privacy Act 1978, Health Insurance Portability and Accountability Act 1996.

Clarke (2006).

According to the Act, “private area” is the naked or undergarment clad genitals, pubic area, buttocks, or female breast of an individual (§1801 (3)).

Department of Homeland Security (2012b). However, this PIA concerns CCTV at DHS’ facilities rather than CCTV in airports.

Section 222 (a) of the Homeland Security Act of 2002. 6 U.S.C. 142.

Steinhardt. The EU-US PNR Agreement – A Legal Analysis of Its Failures. 26 December 2011. http://​www.​papersplease.​org/​wp/​2012/​01/​03/​the-eu-us-pnr-agreement-a-legal-analysis-of-its-failures/​.

Bygrave (2004) p. 328.

Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.

This incorporates Fair Information Practice Principles to govern public-sector processing of personal data in commercial contexts. See more details in Bygrave (2014) p. 115.

EPIC Alert, Volume 22.21, 11 Nov 2015, http://​www.​epic.​org/​alert/​epic_​alert_​22.​21.​html

Constitution of the Russian Federation of 12 December 1993.

Article 23 (1) incorporates the right to the inviolability of private life, personal and family secrets, and the right to protection of honour and good name. Here and further, the English translation of the Constitution is done by Garant-Service. http://​www.​constitution.​ru/​en/​10003000-01.​htm.

Article 23 (2) provides the right to privacy of correspondence, of telephone conversations, postal, telegraph and other messages; only in relation to this paragraph, the Constitution determines possible limitations (“Limitations of this right shall be allowed only by court decision.”). Article 22 provides the right to freedom and personal immunity. The right to inviolability of home is enshrined as a separate right (Article 25); no one shall have the right to get into a house against the will of those living there, except for the cases established by a federal law or by court decision. The right to access the documents and materials directly affecting rights and freedoms is provided by Article 24 (2). Article 24 (1) stipulates that “the collection, keeping, use and dissemination of information about the private life of a person shall not be allowed without his or her consent”. According to Article 21, “human dignity shall be protected by the State. Nothing may serve as a basis for its derogation. No one shall be subject to torture, violence or other severe or humiliating treatment or punishment. No one may be subject to medical, scientific and other experiments without voluntary consent”.

Federal law of 19 December 2005 N 160-FZ On ratification of the Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data.

Federal law of 27 July 2006 N 152-FZ On personal data.

Federal law of 27 July 2006 N 149-FZ On information, information technologies, and the protection of information, Presidential decree of 6 March 1997 N 188 On approval of the List of confidential information (stipulates that the latter covers personal data, with a few exceptions), Resolutions of Government, etc.

E.g. Labour Code of 30 December 2001 N 197-FZ (Chapter 17), Tax Code of 31 July 1998 N 146-FZ (Art. 84), Federal law of 27 December 1991 N 2124-1 On mass media, Federal law of 12 August 1995 N 144-FZ On operational-search activities, etc.

Federal Law of 7.05.2013 N 99-FZ On Amendments to certain legislative acts of the Russian Federation in connection with the adoption of the Federal Law On ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and Federal Law On Personal Data.

§2 of Resolution of Government of 16 March 2009 N 228 About Federal service for supervision in the sphere of telecom, information technologies and mass communications.

Kovrigin. Total non-compliance with data protection law in Russia (2012) http://​can-work.​ru/​index.​php/​neews/​press-tsentr-kompanii/​145-law-on-personal-data-if-it-works.

Izmailova. Privacy in civil law: the law of the UK, the USA and Russia (2009) Abstract, and Omelchenko and Kosterina. Private life: a sociological perspective (2005) http://​www.​pgpalata.​ru/​reshr/​privacy/​deb_​02.​shtml.

Soldatov and Borogan. Russia’s Surveillance State (2013) http://​www.​worldpolicy.​org/​journal/​fall2013/​Russia-surveillance.

Huey. When This Stuff Gets Personal! A Response to the Moscow Airport Bombing 27 January 2011 (2011b), http://​www.​noquarterusa.​net/​blog/​55860/​when-this-stuff-gets-personal-a-response-to-the-moscow-airport-bombing/​.

Izmailova (2009) Abstract.

Carli (2008) p. 11.

Kovaleva (2007) p. 11.