Blog post by Dr Elif Mendos Kuskonmaz, University of Portsmouth and Professor Elspeth Guild, Queen Mary University of London.
On 30 January 2020, the World Health Organisation declared that the outbreak of Coronavirus which began in Wuhan, China in December 2019 was a global emergency. The WHO is always careful about using this category as it has worldwide implications. The immediate reaction in China has been to lock down Wuhan and then other cities as the virus appeared across the country. This has included curfews, prohibitions on travel and the ending of all bus, train and air travel to the cities. Already cases of coronavirus have appeared across the world including in the UK though deaths have been limited so far. Viruses, like other diseases, have no respect for the borders of state sovereignty. They are transmitted as easily across borders as within them so long as they are transmitted in people to people contact and people move.
As a result, air carriers have reacted quickly to the outbreak. A number of them including British Airways, Lufthansa, Swiss Air and Austrian Air have suspended flights to and from mainland China though British Airways is still running services to Hong Kong. A number of countries have been evacuating their nationals (and their family members) from Wuhan notwithstanding substantial practical obstacles in assisting them.
One aspect of the outbreak which has received attention in the media has been the problem of tracking passengers who were on planes from China where one or more passengers have subsequently come down with the virus. This has been reported as a problem in Australia, the UK and elsewhere. In this blog we will examine what are the possible tools which can be brought into play to assist health officials to find people who may be at risk of the virus from the perspective of border guards’ powers.
Who is responsible?
The WHO provides information to national health authorities about international health risks. National health authorities coordinate with other national authorities regarding the proper response in light of WHO guidance. Border authorities, are therefore subordinate to health authorities in determining the correct course of action to combat a health crisis. However, they do have roles of assistance to health authorities in the context of border crossing. By and large this role is fairly limited in recognition of the importance of a medical response to the situation rather than a coercive one.
A Magic Solution: Passenger Name Records?
Since the early 2000s, and primarily as a result of terrorism concerns, a number of states, led by the US have sought to have access to passenger information held by airlines. This has raised tensions between the US and EU states over data protection and passengers’ right to privacy. The solution was to enter into Passenger Name Record Agreements which permit border guards to have access to personal data held by airlines collected for commercial purposes. This data, known as Passenger Name Record (PNR), includes information such as seat numbers, contact telephone numbers, credit card details and addresses. However, the purposes for which border guards are permitted access to this data are strictly limited in the agreements.
The Grounds for use of PNR
PNR data have been initially promoted to assist law enforcement authorities for preventing, detecting, investigating, and prosecuting terrorist offences in building up risk profiles in entry screening procedures. PNR agreements thus limit grounds for use of PNR data to anti-terrorism related purposes while also allowing for using data for the protection of vital interest of individuals (EU-US PNR Agreement, art 4(3)) such as threat to health (EU-Australia PNR Agreement art 3(4)); the grounds of which would include responding to and prevention of potential infection of communicable diseases such as Coronavirus. Including such public health related purposes along with anti-terrorism purposes may invoke questions on whether this would contravene with rules on personal data protection (specifically purpose limitation principle) since these purposes are unconnected. As far as EU law is concerned, the Court of Justice of European Union gave the greenlight to processing of data for protection of vital interests of individuals provided that this could be done in ‘exceptional cases’ and subject to authorisation of border control authority (Opinion 1/15, paras 179-180).
In the absence of an agreement between the EU and third country, EU-based airlines are prohibited from sending PNR data outside the EU (GDPR, arts 44). They are, however, allowed to send data if certain conditions exist (e.g. based on existing European Commission adequacy decision or; on the condition that the recipient puts appropriate safeguards in place) (GDPR, arts 45-50).
Can Border Guards Share PNR Data with other authorities?
There can be legal barriers for border guards to share data with other authorities. Each PNR agreement stipulates rules for which PNR data might be shared with other national authorities. As a whole, the agreements are in unison in granting their national border control authorities power to share data with other authorities on the condition that this subsequent sharing is done according to purposes for which they can access to data. Moreover, this sharing must carried out on a case-by-case basis, and on the condition that the receiving authority afford the same or ‘equivalent’ protection to PNR data as set out in the agreement (EU-US PNR Agreement, art 16; EU-Australia PNR Agreement, art 18).
However, border guards cannot share PNR data to authorities in third countries, if those countries have not signed a specific agreement with the EU or level of protection afforded in those countries has not been declared ‘adequate’ under EU law (GDPR, art 45; Opinion 1/15, paras 213-215).
Examples from the Past
A number of countries resorted to PNR data during the Ebola virus outbreak in order to identify passengers for a suspected case of infection. The US enhanced in five of its international airports its entry screening procedures, which involved using PNR data, to identify passengers travelling from Ebola affected countries. A report on the issue describes the procedure as the following:
When a passenger (including a U.S. citizen) whose travel originated in one of the four countries arrives, the passenger is escorted to a separate area for additional screening, fills out an extensive questionnaire, and has his or her temperature taken. If there are any concerns, [Customs and Border Protection] refers the person to [Center Disease Control and Prevention] personnel at the airport who decide whether the person should be quarantined or allowed to continue to the final destination. Travelers without fever or symptoms consistent with [Ebola virus] are required to be monitored daily by the state and local health authorities for 21 days from the date of their departure from West Africa.
(Lister, Preventing the Introduction and Spread of Ebola in the US: FAQs, 5 December 2014).
From 11 October 2014 to 17 February 2016, 36,300 passengers were automatically referred to secondary screening based on their PNR data (DHS, 21 June 2016). Around 1,600 passengers were referred to secondary screening based on initial interview by border guards. At the end of secondary screening and additional assessment, 49 passengers were transported to a medical facility. Finally, over the period of July 2013 through May 2015, Customs and Border Protection shared 21 PNR data with the Centers for Disease Control and Prevention (European Commission, Joint Review of EU-US PNR Agreement, 19 January 2017).
Among EU Member States there was a strong consensus to reinforce exist screening procedures at countries affected by Ebola virus, but no agreement was reached on tightening entry screening procedures (Reuters, 16 October 2014). The UK, France and Belgium, which had already been using PNR as part of their border control process at the time, started to implement entry screening procedures (AFP, 20 October 2014).
International Air Transport Association (IATA), however, was against creating new burdens of PNR data sharing upon airlines. It cautiously urged that ‘[those burdens] are invariably disproportionate to the potential benefits they could derive’ (IATA, Guidance Note on Ebola, 29 October 2014). Key to their argument was the WHO’s recommendation on focusing on exist screening, instead of entry screening because of how Ebola virus had spread. Also, IATA was sceptical of how PNR data would actually enable authorities to track passengers because according to the organisation:
[T]hose seeking to flee Ebola affected States will actively evolve their strategies. They will start booking separate tickets (i.e. Western Africa to a European transfer hub and then a separate reservation from that EU hub onward). In those cases –the PNR will not show the true origin and the carrier boarding the person at the EU hub will have no access to up-line data.
Viruses and other health risks present particular issues to states’ programmes of border controls on persons. While interior ministries often have something of a knee jerk reaction, seeking to use border controls and the prevention of movement of persons as a ‘solution’, health ministries are much more knowledgeable and their responses better informed to address global crises like the Coronavirus. The temptation to use all available tools to address a health crisis is understandable. In the case of PNR data, clearly this tool might be useful in assisting health services to identify persons potential at risk as a result of their position on airplanes. But EU rules on privacy limit the grounds on which interior ministries in the first instance are allowed access to this information and in the second with whom they may share personal data. Those bodies which are responsible for the travel industry are clearly aware of the dangers of allowing wider use of PNR data for reasons unrelated to the limited grounds set out in the relevant agreements. The tendencies of interior ministries to reduce global health crises to border problems (the exclusion of people who are possible infected) must always be resisted. It does not work and in fact it is counterproductive. This is just as true about 17th century walls built to exclude the plague (and people suspected of carrying it) as it is now regarding identification of people travelling who might have contracted Coronavirus.
The views expressed in this article belong to the author/s and do not necessarily reflect those of the Refugee Law Initiative. We welcome comments and contributions to this blog – please comment below and see here for contribution guidelines.