Choose an application

• Reference Manager
• EndNote
• RefWorks (Direct export to RefWorks)

Choose an application

• Reference Manager
• EndNote
• RefWorks (Direct export to RefWorks)

Choose an application

• Reference Manager
• EndNote
• RefWorks (Direct export to RefWorks)

An increasing number of security practices involve the processing of personal data. The underlying rationale is that these practices would permit a fine-tuned and targeted action, able to both maximize information and to produce new knowledge. While public authorities’ ambition to rely on data to govern people and things is not a novelty, the growing and systematic use of personal data previously collected for commercial purposes can be considered a new phase of this art of government. Since the 1970s, a series of principles and legislations have been formulated (and adopted) with the purported goal of channeling and countering what was considered a disproportionate increase of governmental power . In the European Union (EU), these privacy laws have been translated into personal data protection, especially with the adoption of the EU Data Protection Directive in 1995. Nowadays, data protection has become one of main ways of framing controversies about the processing of personal data for security purposes. The two case studies that I analyze in this thesis can be considered classical examples of the conflictual relation between data protection and security practices. Both cases concern the processing of passenger name records for security purposes. Passenger name records (PNR) are information provided by prospective passengers at the moment of booking a flight. These data have progressively become a key element of the business model of commercial aviation . Since the 1990s, they have also attracted the attention of law enforcement authorities, especially in the United States of America (USA). Yet, the use of PNR by law enforcement authorities is at the centre of many controversies. This is especially the case since the enactment of the Aviation and Transportation Security Act in 2001, which provided the legal basis for requiring all air-carriers to provide PNR to the US Customs and Border Protection of the Department of Homeland Security for all US-bound flight. Few years later, in 2007, a proposal to establish a similar PNR program at EU level was tabled by the European Commission. In both cases, many controversies emerged, ranging from the impact of these security systems on fundamental rights to the negotiation of transatlantic relations; from the scope of EU data protection law to the broadening range of surveillance measures. In other words, passenger data becomes the site of the encounter and interaction of both data protection and security practices. Apart from this specific case, data protection and security measures can often be found in the same speeches, the same documents, the same legislative proposals. Then, how to describe and make sense of their relation, of their continuous echoing? Are these two potentially opposed objects of research, or rather possible companions? In other words, what are the problems concerning data protection and the processing of passenger name records for security purposes? So far, most of the academic literature and of the political debates have focused on two sets of issues. On the one hand, the attention is on the (negative) impact of these security measures on what has become a fundamental right. Here, the problem with data protection becomes, often, the ethical question of the deployment of surveillance measures. On the other hand, the attention is not even on data protection and PNR measures, which are considered technicalities, but on policy-making or high-politics issues, such as transatlantic relations and Europeanization. Then, the problem with data protection and passenger data is political only insofar they can be considered as tools in the hands of classical institutions. This research proposes a different approach. It starts from an apparently trivial question: what does data protection do? To address this question, it investigates what happens when data protection meets passenger name record (PNR) security measures, and what can be learnt from these encounters. The short answer to the main research question, and the thesis that I feel now confident to defend, is that data protection displays itself as a mode of government, as a proper form of governmentality. In other words, data protection actively participates both to the government of people and things trough data, and to the questioning of specific forms of governing. It is both government – a continuous effort of dis/ordering – and mentality – the reflexive effort to make sense of the different forms of dis/ordering. At the same time, the governmentality of data protection is neither univocal nor self-sufficient. Data protection interrogates the way in which specific security practices are deployed, and the way in which they capture, enroll and bend many diverse elements (such as passengers, regulations, commercial services, software). But data protection takes also a substantial role in the deployment of these security practices: it can legitimize, influence and smooth their design and implementation. The encounters between data protection and PNR processing are such that it is often difficult to disentangle the two, to understand one without the other. At the same time, these encounters are so diverse that it is impossible to speak of data protection in the singular form. The point is not that data protection is a contested concept due to a lack of a commonly accepted definition. What emerges from this research is that the proper power of data protection resides in its very undecidability: in it not being a unique entity but a series of different (and even contradicting) declinations. Data protection is a type of dispositif that, at the same time, fosters controversies and attempts to provide arrangements. In general terms, it problematizes other forms of government, such as preemptive security and mass-surveillance, by highlighting the critical role played by (personal) data in the making of security, and of contemporary societies at large