The right to an effective remedy is recognised by international and regional human rights instruments. It should make it possible for individuals to hold institutions accountable for right violations. However, exercising the right remains difficult, if not impossible, in many situations. This is particularly so with regard to international organisations, which have a growing role in drafting, shaping and implementing counter-terrorism and security policies but cannot be held legally accountable by individuals.

There are notable situations in which people have managed to hold international organisations accountable, to a degree. This includes the UN Security Council and Interpol, as examined below. However, these situations are the exception, rather than the rule. As the transnational security architecture continues to grow, supported by the work of international organisations and powerful states, finding ways to hold these institutions to account remains an urgent task.

Key points

• International organisations are playing a growing role in developing and implementing counter-terrorism and security norms, policies and practices, but their legal immunity makes it extremely difficult to hold them directly to account
• There are examples that demonstrate the possibility of some accountability and due process from international organisations – changes to the Security Council’s terrorist sanctions regime were introduced following legal challenges from a listed person
• Despite some positive change to Interpol’s systems, which have frequently been used by states to pursue dissidents and political opponents abroad, vast parts of its communications infrastructure remain untouched by accountability mechanisms
• The UN offers security and counter-terrorism support to countries that have consistently violated civil liberties by abusing counter-terrorism powers – but it is entirely unaccountable for any part its support may play in rights violations
• Until ways are found to address these problems, it will remain the case that the power of the state to surveil, monitor, harass and detain people is globalised, but individual rights remain largely trapped within national boundaries

International organisations – the UN, the Organisation for Security and Cooperation in Europe, the Council of Europe, Interpol and many others – were all formally founded with the aim of upholding and protecting human rights. However, they are not signatories to international human rights treaties and are not bound by them.

International organisations are also tend to be immune from prosecution. For the UN, the principle is laid out in Articles 104 and 105 of its Charter. It covers the organisation itself, its specialised agencies, representatives of the members of the UN, and the organisation’s officials. [1]

This prevents UN agencies and their employees from being held externally accountable for human rights violations. They are immune from prosecutions led by states, or any form of domestic legal proceedings brought by individuals, unless they choose to lift their own immunity.

There is a good reason for that immunity. As explained by the academic Kristen E. Boon: “without immunity, the U. N. would be subject to pesky lawsuits, retaliatory acts by member states against its representatives and organs, and suits that could drain its resources.” [2]

With immunity, however, there are minimal prospects for accountability when international organisations are involved in wrongdoing. The UN’s military missions are a case in point. The EU’s military missions are also exempt from judicial scrutiny. The role of the International Organisation for Migration (IOM, a UN agency) in the detention and deportation of migrants has also come under scrutiny. [3]

This issue also arises in relation to the transnational security architecture. The UN is actively involved in developing security norms and infrastructure in member states that have consistently abused counter-terrorism laws and policies, such as Nigeria and the Philippines. Interpol has also become the autocrat’s repressive tool of choice, and despite reforms, accountability and redress remain extremely difficult to achieve.

The fundamental problem is that the power of the state to surveil, monitor, harass and detain people is being globalised and dispersed through systems for the collection, analysis and exchange of data. Individual rights, meanwhile, remain largely trapped within national boundaries.

The organisations and agencies that are supporting the globalisation of those powers remain unaccountable, and redress mechanisms for affected individuals are weak or unenforceable. One challenge in the years to come will be finding ways to change this situation.

Leandro Neumann Ciuffo, CC BY 2.0

Key points

• International organisations increasingly exercise counter-terrorism powers that directly affect individuals, leading to attempts to hold those organisations legally accountable for their actions
• One notable case revolved around the UN’s procedures for placing people on its terrorism sanctions lists, which ultimately led to reforms to those procedures, offering greater opportunities for redress to listed individuals
• Interpol, another key organisation in the transnational security architecture, has proven more difficult to hold to account
• Interpol has reformed its own internal procedures for redress in response to campaigning work, but lawyers and affected individuals have repeatedly warned that these fail to provide meaningful accountability
• Changes to Interpol’s rules on processing data mean it is increasingly likely it will be used for political repression, with no meaningful reform in sight

The first UN-level terrorist list was drawn up in 1999, after the 1998 attacks by Al-Qaida on US embassies in Kenya and Tanzania. The UN Security Council adopted Resolution 1267 to pressure the Taliban to surrender Osama Bin Laden, and to stop providing shelter to Al-Qaida.

The Security Council set up a committee to oversee the sanctions imposed by the Security Council against alleged members of those groups. This is now known as the ISIL (Da’esh) and Al-Qaida Sanctions Committee or the 1267 Committee, [1] and is one of many such sanctions committees. [2]

UN member states can submit requests for individuals or groups to be listed by the committee, including citizens or entities domiciled in other states. Dick Marty, a Swiss politician, characterised the effect of being listed as a “civil death penalty.” [3] Listed persons and companies are prevented from engaging in any financial transactions, from travelling abroad, and “it is a criminal offence for anyone to give money to help you get by.” [4]

The ISIL (Da’esh) & Al-Qaida Sanctions list, also referred to as the 1267 list, initially relied on closed intelligence materials that were kept secret from anyone but the intelligence agencies that filled it. It is a preventative tool, relying not on criminal conviction but on the possibility that the person is involved or will be involved in terrorism. In The Law of the List, the academic Gavin Sullivan described it as:

…a preemptive legal weapon for disrupting global terrorist networks and their perceived supporters worldwide, with unprecedented powers (temporally and spatially unlimited in scope) for the Security Council to target individual terrorism suspects using secret material suggesting potential ‘association with’ Al-Qaida. [5]

The list currently contains the names of some 250 individuals and almost 90 entities. Given the drastic effects of being listed, individuals have sought to challenge their inclusion. Two cases in particular provided, in Sullivan’s words, a “powerful judicial rebuke” to the listing regime. The cases are known as Kadi I and Kadi II.

The Kadi cases

P. Yassin Abdullah Kadi, a Saudi national with substantial economic interests in the EU, was identified as an alleged financial supporter of Al-Qaida. Along with one of his companies, Al Barakaat, Mr Kadi was listed by the Security Council in October 2001.

Security Council sanctions measures are implemented in the EU by the Council of the European Union, which brings together representatives of the EU’s member states. The Council approved a measure that deprived Kadi of the ability to travel and to access any of his funds in EU territory.

In December 2001, the applicant sought the annulment of the regulation at the Court of Justice of the EU, in a case that would come to be known as Kadi I. He argued that he was the victim of a miscarriage of justice, had never been involved with the financing of terrorism, and had been given no opportunity to contest the allegations that led to him being placed on the sanctions list.

His case was initially rejected. The court argued that an act implementing a Security Council decision into EU law enjoyed immunity and could not be the subject of judicial review. [6]

On appeal, however, the court found that it should be able to review any act of EU law to assess its impact on fundamental rights. [7] It ruled that the Council had failed to respect Kadi’s right to be heard and his right to an effective remedy, and annulled the measure implementing the Security Council decision.

This was the first successful challenge to the sanctions regime at the Court of Justice of the EU. [8] One observer viewed it as striking at the core of the UN’s terrorist sanctions system, arguing that the case would force UN member states “to tackle difficult legal questions or else face [the] possible collapse of the U.N.’s terrorist sanctions regime.” [9]

The case did not see Kadi removed from the terrorist list, however. Immediately after the court’s judgement on the appeal, Kadi was placed back on the EU list implementing the 1267 sanctions. This time, however, he was sent a letter by the European Commission with a summary of the reasons provided by the 1267 Committee, and an invitation to provide comments.

Kadi’s response to the Commission did not change its decision. He went back to the Court of Justice, once again arguing that no effective remedy had been offered. The Security Council tried to save face by reforming the sanctions regime, arguing before the court that it had made changes that provided an effective remedy to listed individuals. Amongst these was the introduction of an Ombudsperson to assist in the de-listing of individuals. [10]

This was not enough to convince the Luxembourg court. In a 2013 judgment that became known as Kadi II, it ruled that the changes introduced by the Security Council “cannot be equated with the provision of an effective judicial procedure for review of the decisions of the Sanction Committee’s findings.” [11]

The judges also went into the reasons used to justify the listing and assessed their legitimacy. This was an unprecedented step, and one that made it the first court to review the reasons for which an individual had been placed on the 1267 list.

The judges concluded that courts in the EU must be able to ensure that listing decisions were taken on “a sufficiently solid factual basis.” [12] In this case, the court found that the allegations against Kadi were either insufficiently reasoned, or did not hold in the face of his rebuttals.

The Kadi rulings reshaped the global counter-terrorism system, forcing the Security Council to introduce a number of procedural reforms. Nevertheless, the system in place does not equate to judicial review.

The rulings also resulted in a regional exception in the EU, where judges are capable of challenging Security Council listings. On the contrary, in the US, where Kadi also filed an appeal, the court dismissed the action. [13] Nevertheless, the cases demonstrated the possibility – depending on jurisdiction – of ensuring judicial review for the actions of an international organisation.

Interpol plays a key role in the transnational security architecture. Its counter-terrorism efforts have been praised and encouraged by the UN Security Council, and it is at the forefront of supporting the gathering and exchange of data on known, suspected or alleged terrorists and criminals. [link to watchlisting piece]

However, it has also been the subject of extensive criticism. States continue to use Interpol’s databases and watchlists to pursue dissidents and political opponents around the globe – for example, by disseminating “red notices” that list them as a wanted person. Despite internal changes at the agency, the problem persists.

From paper to digital

Interpol, the International Criminal Police Organisation, was founded in 1923. It is formally committed to political neutrality, a point reiterated at its centenary assembly. There, officials agreed that the agency should focus “on practical tools to help law enforcement fight crime beyond their borders and a commitment to neutrality.” [1]

Every member of the organisation has a national central bureau (NCB), which is connected to every other member state’s NCB and the organisation’s general secretariat. Through this communications network, crime-related information is transferred in the form of notices or diffusions. [2]

For decades, this process was rather slow. In 2009, it was radically transformed. Previously, every NCB shared information with the general secretariat, which examined it and, if it met the relevant requirements, added it to the relevant database. According to the academic Mel Stalcup, Interpol “had previously taken four to six months to transmit even high-profile requests for arrest between member nations. Notices were sent as photocopies, mailed by the cheapest and lowest priority postage available.” [3]

The introduction of the i-Link communications system and offered states the possibility to enter the alert directly into Interpol’s systems. [4] The goal, according to Michelle Estlund, a lawyer “was to provide its member countries with near-instant access to one another’s shared information about wanted subjects.” [5] On top of the swiftness in obtaining information, the reform resulted in an increase in the number of notices filed. [6]

Increasing abuse of Interpol’s files

The Commission for the Control of Interpol’s Files (CCF) was created in 1983 to assist the general secretariat in determining whether member states respect Interpol’s constitution. Two years after i-Link was deployed, the CCF noted a key problem – it meant that data entered in Interpol’s databases was not being reviewed. [7]

This prophetic warning was ignored, and in 2013 it was made mandatory for member states to use i-Link. [8] The same year, the criminal justice organisation Fair Trials published a report detailing how “countries are, in fact, using INTERPOL’s systems against exiled political opponents, usually refugees, and based on corrupt criminal proceedings.” [9]

The report documented abuse of Interpol’s red notice system. Red notices are a request for law enforcement authorities worldwide to locate and provisionally arrest a person, though the decision to do so rests with national law enforcement agencies. The problem documented by Fair Trials took two forms: political abuse and corruption.

Political abuse refers to the filing of a notice about political opponents to prevent them from seeking protection abroad and to facilitate their deportation to the persecuting country. Indeed, the UN refugee agency highlighted the issue as far back as 2008. [10] Abuse of Interpol’s systems related to corruption concerns an individual having a red notice filed so as to damage a business rival’s reputation or ability to travel.

Fair Trials denounced the fact that Interpol did not offer sufficient safeguards and remedies against abuse. The report highlighted a lack of transparency, inequality of arms in the complaint procedure made available by the CCF, and no appeal rights against CCF decisions.

The CCF responded that “an individual’s primary mechanism for recourse is the national government who is seeking them. The root issue is the actions of the national body, and not Interpol.” [11] These comments were, to say the least, unrealistic.

A persecuted person cannot safely launch proceedings against the state that is persecuting them, and a state offering them refuge cannot remove another state’s alert from the Interpol system. In fact, there have been numerous cases documented by the organisation where a person with a refugee status is still listed on Interpol red notices despite being warned about it by the state having granted refugee status. [12]

Indeed, even when national courts recognised that a red notice was politically-motivated, Interpol often retained the notice in its systems. Automatic exchange of information on draft red notices to all member states through the i-Link system also meant that information about individuals were still being shared and potentially copied, even when the notice was subsequently refused.

Reform without resolution

Fair Trials’ research, campaigning, press coverage, alongside interventions from international organisations, eventually led to changes. These came at the behest of Jürgen Stock, who was elected as Interpol secretary general in 2014.

A task force was set up to review notices and diffusions submitted by member states. Guidance was issued on removing red notices for people who had been recognised as refugees. The CCF budget and staff were increased, with separate supervisory and advisory chambers set up. Its decisions would from now on be reasoned, public and binding on the general secretariat.

Almost a decade after these changes were put in motion, new amendments have been proposed to address ongoing problems facing the agency’s oversight bodies. There has been a 2,133% increase in requests to the task force. In around 50% of cases, those requests are found to be justified, demonstrating substantial abuse of Interpol’s systems.

Both the task force and the CCF lack the funding and staff needed to carry out their work properly. In 2017, the lawyer Yuriy L. Nemets said: “a team comprising 30-40 staff members, was reviewing up to 40,000 Red Notices recorded in the organization’s databases to determine if they were politically motivated.” [13]

Repression beyond red notices

However, the issue of red notices may actually be a tree hiding a forest. States are also abusing lesser-known types of alerts – diffusions – that can completely escape the accountability processes built by the organisation.

Diffusions can be shared directly with another member state or with a group of member states. While they can be reviewed by the general secretariat and its task force, this is only the case if a state chooses to share the diffusion with them.

Indeed, a change made in 2024 to Interpol’s data processing rules explicitly forbids the secretariat from accessing data exchanged directly between NCBs, leaving “a vast dimension of INTERPOL’s communication system operating with minimal oversight.” [14]

The Stolen and Lost Travel Documents (SLTD) database is also frequently abused by states seeking to persecute opponents abroad. The database exists to prevent people from travelling with stolen, lost, revoked or invalid travel documents. There is no requirement for the CCF or task force to review entries in this database.

The Turkish authorities, well aware of this issue, decided to use this system to “bypass [the] set of restrictions imposed on Turkey’s access to the Red Notice database.” Since December 2017, the government has revoked some 300,000 passports. [15]

Critics have observed that the aim is to have the holders of those passports “deported to Turkey where they face political reprisals,” and have called for Turkey to be suspended from the SLTD database until safeguards are put in place. [16]

Indeed, the elephant in the room that the reforms have so far ignored are the authoritarian states behind the abuse of Interpol’s systems. Civil society organisations have called for “a caucus of democratic states to push reforms for… naming and shaming abuser countries,” for increased transparency, and for compensation for victims of “Interpol abuse.” [17]

At the time of writing, there was an ongoing review process for the legal framework governing the work of the CCF. Observers have pointed out that because key Interpol officials were elected with the support of known abusive states, “the fate of Interpol’s reform agenda is very much in doubt.” [18]

This presents a fundamental issue. While national authorities can introduce practices to limit the potential impact of the abuse of Interpol’s systems, [19] this can only go so far. As a 2021 judgment of the Court of Justice of the EU noted, Interpol’s immunity prevents national authorities from requesting the deletion of data filed by another member state. [20] As with the reforms to the Security Council’s listing procedures that followed the Kadi cases, effective redress with Interpol itself remains out of reach.

The problem is compounded by the increasing amount of data being filed and exchanged via Interpol’s systems – a process that is actively being encouraged through the agency’s digitalisation projects. [link to watchlisting piece] Similar issues can be seen in the UN’s programme for “countering terrorist travel,” a key plank of the transnational security architecture.

Doug Hay, CC BY 2.0

Key points

• The UN’s Countering Terrorist Travel Programme (CTTP) helps states draft travel surveillance legislation, change police practices so they can analyse travel data, and even offers states a bespoke software “solution”, called goTravel
• There is no way for the CTTP to hold states accountable for any misuse or abuse of the systems it has helped to establish, and there is no way for individuals to hold the CTTP to account
• Legal challenges have led to some reform of bilateral and multilateral travel surveillance agreements, but the agreements remain in place due to binding international legal obligations
• Individual attempts to obtain redress for misuse and abuse of travel data face significant barriers, ranging from the exclusion of foreign nationals from redress procedures to a lack of legal or language aid
• Now the airline industry is proposed harmonised global data protection rules, which could provide some protection – but should not distract from the fundamental problem of global security norms that require mass, indiscriminate, automated surveillance and profiling of all mass travel and travellers

To comply with UN Security Council resolutions on terrorism and organised crime, all UN member states are obliged to set up systems for the surveillance of travel and travellers. The rules are currently aimed at airlines. They have to submit certain types of data on the passengers they carry to law enforcement agencies:

• Advance Passenger Information (API) is used to conduct searches against databases and watchlists;
• Passenger Name Record (PNR) data is used in more extensive and experimental ways, to detect people who match certain profiles or algorithmic categories, examine the travel patterns or companions of individuals, and to generate ‘risk profiles’ about particular routes, categories of person or other factors.

The rules are gradually being extended beyond air travel, to cover maritime, rail and, possibly, eventually coach and bus travel as well. [link to travel surveillance piece]

To help states comply with these requirements, the UN’s Countering Terrorist Travel Programme (CTTP) provides support with drafting legislation, building Passenger Information Units (the law enforcement entities that receive data), engaging with airlines and “technical support and expertise in software solutions,” including through the provision of software called goTravel. [1] The CTTP has three overall objectives:

• building countries’ API and PNR collection and analysis capacities;
• improving the use of international databases of known and suspected terrorists and criminals; and
• enhancing international information exchange. [2]

The 2024 report for the UN Office of Counter Terrorism, which runs the CTTP, says that 83 UN member states have become “partners” since it was launched, with 62 of those receiving “comprehensive technical assistance.” [3] The UN has taken on a key role in the establishment of a worldwide network of travel surveillance and passenger profiling systems. These offer new ways for states to monitor, inhibit or prevent the movement of people deemed ‘risky’ or dangerous.

Despite the potential for misuse, there is no structure for holding the UN accountable for its work. Meanwhile, existing transnational agreements on the exchange of PNR data have failed to deliver effective transnational redress mechanisms for individuals.

Travel surveillance and fundamental rights

Counter-terrorism policies are supposed to be deployed by states with attention to international refugee law, international human rights laws and international humanitarian law. Guidance and good practice documents also emphasise the need to prevent discriminatory profiling, and to uphold privacy and data protection rights.

There are some global rules on travel surveillance systems, set out in the Chicago Convention on international aviation. Its data protection and privacy provisions contain significant weaknesses and are unlikely to lead to harmonised global protections for individuals – particularly given the vastly-differing political systems into which they will be embedded. [4]

Beyond the possibility of misuse by authoritarian states, risks to individual rights also come from errors in the data stored, bias and error in automated and algorithmic processing, and the huge numbers of people involved. With “billions of air travellers every year, even a miniscule error rate of a tenth of one percent would mean millions of false positives/negatives.” [5]

In 2003, the Security Council stated that States should ensure that counter-terrorism measures are adopted in compliance with their obligations under international human rights laws. [6] In 2014, the Security Council noted in a resolution that set the first international obligations on travel data systems that when States’ measures fail to deliver on their human rights obligations, they can become “one of the factors contributing to increased radicalization to violence and fosters a sense of impunity.” [7] The difficulty of holding transnational capacity-building programmes such as the CTTP accountable for their work risks compounding these problems.

UN technical assistance and (un)accountability

Through the CTTP, the UN can provide support, advice and even a bespoke software solution to states seeking to set up travel data systems. However, once that support, advice and assistance has been provided, there is no way for the CTTP to hold states accountable for any misuse or abuse of the systems it has helped to establish.

The former UN Special Rapporteur on counter-terrorism and human rights, Fionnuala Ní Aoláin, produced a detailed report on the CTTP’s provision of goTravel software to UN member states. A central concern raised in the report was a lack of due diligence by the CTTP with regard to the states receiving the technology – for example, with regard to counter-terrorism policy and practice, or human rights protection more broadly.

As research for this project highlights, there are states with established track records of committing violence, abuse and other rights violations in the name of counter-terrorism, that are nevertheless partners with the CTTP.

One recipient state highlighted by Ní Aoláin is Sudan, currently in a state of civil war and subject to UN Security Council sanctions. While the CTTP is nominally committed to protecting human rights, the special rapporteur noted in this case that “rigorous analysis of human rights concerns cannot have been conducted, or, if conducted, cannot have been afforded sufficient weight.”

Moreover, while the CTTP is supporting the establishment of a global travel data infrastructure, it has no access to that infrastructure. Once the goTravel software has been deployed, the UN has no capacity itself to access any passenger data or to verify, for instance, non-discriminatory application of the risk-based criteria used to assess that data. [8]

As the special rapporteur explained, there is no “kill switch” that could stop a country from using the infrastructure provided by the UN to target political opponents, journalists or others, in violation of international law. [9]

There are global norms in place for the establishment of travel surveillance and passenger profiling systems, but the longest-established systems are based on bilateral and multilateral agreements. There have been legal challenges seeking to overturn or reform some of these agreements. Despite their successes, they also show the limits of challenging national and regional laws that are ultimately governed by global security norms.

Existing bilateral and multilateral agreements also show some of the shortcomings of existing systems for individual redress, whose promise extends no further than the paper they are written on. There is some pressure for a global reform of data protection laws – but this is coming from private industry, rather than through public pressure.

Challenges to transnational data exchange regimes

The EU has signed PNR agreements with Australia, Canada and the US. While the agreement with the US has long been controversial, it is only the agreement with Canada that has been examined by the Court of Justice of the EU. In 2014, the European Parliament asked the court to assess the agreement’s compliance with EU fundamental rights standards. The aim was to set “a benchmark for future agreements with other countries which involve the mass collection of European citizens’ personal data.” [1]

One issue placed before the court was whether data on all air passengers had to be transferred to Canada, or just those deemed to pose a potential risk. The court determined that the rules in the Chicago Convention on international aviation meant that transfer had to take place “regardless of whether there is any objective evidence permitting the inference that the passengers are liable to present a risk to public security in Canada.” [2]

In other words, according to commentator Arianna Vedaschi, “the Court of Justice definitively accepted mass surveillance, albeit only to a certain extent and under strict conditions.” [3] Underlying this acceptance was the existence of international security norms – namely, Annex 9 to the Chicago Convention on international aviation.

Nevertheless, the court’s opinion should have led to changes. Nearly a year after the opinion was issued, the EU’s national data protection bodies told the Commission there had been no real change resulting from the opinion. The envisaged agreement with Canada had not been adjusted, nor had existing PNR agreements with Australia and US. [4] While a new agreement with Canada was subsequently reached – eight years later [5] – there have still been no changes to the other two.

The EU’s own system for collecting, processing and sharing PNR data on flights entering or within the EU has also been examined by judges. Belgian and German courts referred questions to the Court of Justice of the EU about the fundamental rights compliance of the EU’s 2016 law on PNR, and the national measures implementing it. [6]

One of the lawyers who brought the case in Belgium, Catherine Forget, has said that it was expected that the court would not invalidate the law, but would “specify the conditions” it should meet. This was indeed the response of the court. The academic Christian Thönnes considered the ruling confused, unfounded and fundamentally wrong. [7]

The ruling restricted the ways in which EU member states could apply the law in relation to flights within the EU, between one member state and another.  For example, it limited the collection of passenger data to “terrorist offences and serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air.” [8]

Member states were faced with the task of revising national laws in line with the court’s ruling – but they refused to play along. Discussions at EU level were focused on how to circumvent the court’s judgment, which was seen as imposing overly-onerous restrictions on law enforcement action. [9] Three years after the ruling, an EU data protection body found that “there is still a substantial lack of implementation efforts throughout the Member States.” [10]

The two cases summarised here – regarding the EU-Canada agreement and the EU’s own PNR law – highlight two crucial issues that are likely to become increasingly prominent as the transnational security architecture is further developed and embedded in different national contexts.

The opinion on the EU-Canada agreement invoked international security norms to justify the indiscriminate mass surveillance of air travellers. When the EU court restricted authorities’ ability to store, analyse and exchange data in the name of protecting fundamental rights, national law enforcement agencies and interior ministries sought to find ways around the judgment, rather than comply with it. These dynamics have seen accountability efforts squeezed from both sides, limiting the scope for legal action.

Transnational policing, national redress

In 2001, the US adopted the Aviation and Transportation Security Act. This requires airlines to transmit passenger data to the US authorities in relation to flights to, from or through US airspace. [11] Non-compliance can lead to penalties, including the removal of landing rights and substantial fines. [12]

Airlines flying from the EU to the US were faced with a problem. Under EU law, entities based in the EU can only send personal data to jurisdictions that offer an equivalent level of data protection to the EU itself. The European Commission initially prevented EU airlines transferring personal data to the US, but was subsequently forced to enter into negotiations with the US to reach an agreement on the matter. [13]

Data protection experts emphasised that the US did not offer “possibility of appeal to an independent authority in the United States or elsewhere that would have authority to review data transfer.” [14] Nevertheless, in May 2004 the Commission adopted a decision that authorised the transfer of passenger data to the US. This was re-negotiated after the entry into force of the Lisbon Treaty in 2009, and it remains in force.

This is despite the fact that the availability of redress for non-US citizens and residents remains largely non-existent. The 1974 Privacy Act is only applicable to US citizens and permanent residents. The law has been described by Edward Hasbrouck, a long-time analyst and critic of travel surveillance policies, as “so limited and riddled with exceptions that it is almost worthless.” [15]

Some changes were made in 2016, through the Judicial Redress Act, a response to another EU-US data protection disagreement. [16] These came in response the EU’s data protection concerns. They granted “certain rights of judicial redress established under the Privacy Act of 1974… to citizens of certain foreign countries or regional economic organizations.” Hasbrouck argues:

All of the limitations and exceptions that always rendered the ‘protection’ of the Privacy Act inadequate — even for US citizens — will continue to render the protection of the Judicial Redress Act inadequate for foreigners, in all of the same ways, and in additional ones. [17]

For example, the Judicial Redress Act gives people covered by it “the right to sue to enforce only some, but not all, of the rights that US citizens can sue to enforce under the Privacy Act.” [18] Challenges on the grounds that US agencies have failed to maintain accurate, relevant and up-to-date information about people are barred. Challenges are only permitted in relation to data transferred from certain countries for criminal law purposes, excluding other activities, such as immigration screening. Records can be exempted from the coverage of the law, even retroactively. [19] In practice, the ‘rights’ provided to non-citizens mean very little. This problem will likely be compounded by the data-sharing agreements being promoted by the US through its Biometric Data Sharing Partnership (BDSP) model.

This is not the case everywhere. The EU extends to all individuals the right to access, correct or delete personal data that is held on them within its jurisdiction. Australia, Canada and many other jurisdictions do the same. While undoubtedly welcome, this also has its limits. Anyone seeking to exercise their rights effectively will need language skills and legal knowledge, or funds to pay for both. For many people, neither will be within reach.

Global data rights for the convenience of industry?

Travel data systems place obligations on private actors, airline companies, to transfer data between different jurisdictions that may have significantly differing legal frameworks. This subjects travellers to indiscriminate and unjustified forms of surveillance and automated profiling.

It also raises issues for the airline industry. Here, the problem is one of increased compliance costs and the risk of legal action from both passengers and states – for example, for data transferred without an adequate legal basis, or data protection failings. Airlines have thus begun lobbying for government action that will decrease the costs and risks they face.

The International Air Transport Association (IATA) is the principal lobby group for the world’s airlines. In a May 2024 white paper, it noted the “overlapping patchwork of data protection laws with different substantive requirements, each of which may interact with or conflict with the data protection and other laws of other states.” [20]

It also underscored that these laws “frequently conflict with other laws such as United Nations (UN) mandated obligations to provide Passenger Name Record (PNR) information for the prevention of serious crime and terrorism.”

The paper applauded the amendments to the Chicago Convention that introduced international standards on API and PNR data. This “was successful in establishing the baseline of a multilateral approach to the provision of PNR data,” the IATA noted.

However, data protection law in many states and regions imposes higher standards than those in the Chicago Convention. The EU has filed a “notification of difference” with the International Civil Aviation Organisation (ICAO), responsible for the maintenance and implementation of the Convention.

This means that despite the existence of international standards, the EU still requires bilateral agreements with other states to enable the transfer of API and PNR data. The IATA notes that more than 60 states have similar requirements in place.

This bilateral approach to PNR agreements is, the IATA concludes, wholly insufficient. Bilateral agreements are slow to negotiate, and even where two countries make an agreement, a “third country’s laws may still apply to the airline asked to provide the data and may prevent the provision of such data.”

The organisation’s preferred response to these problems is a new multilateral process through ICAO that can find “implementable solutions.” Ultimately, this would likely have to be some form of binding global agreement. At the same time, however, they also recommend the establishment of “technical solutions that reduce the role of airlines in the transfer of data.” This would mean that “governments take the primary role of collecting data within their own states and then providing it onwards to other states.” An ICAO working group met for the first time in June 2025 to begin studying the topic. [21]

Binding global norms for cross-border transfers of data could, in theory, increase privacy and data protection standards for anyone affected – though much would still rest on their effectiveness in practice. This would not be an unwelcome development.

However, such a prospect should not distract us from the issues underlying the industry’s proposals: global security norms that require mass, indiscriminate, automated surveillance and profiling of all mass transport. It is dealing with these more fundamental problems that will remain the key long-term issue for those seeking meaningful forms of accountability and redress.