European Data Protection Supervisor (EDPS) Peter Hustinx said that any passenger data transferred under a new agreement should be deleted "immediately after its analysis" or after a maximum of six months. He also said that any data should only be used to combat terrorism or a well-defined list of serious international crimes.
The European Commission proposed a new agreement between the EU and US on the exchange of passenger name record (PNR) data last month. PNR is basic information about a traveller such as that person's name, age, nationality, home address, mobile phone number, frequent flyer information, email address and credit card information.
The proposed agreement states that airline carriers flying from the EU into the US must share PNR data about all passengers with the US Department of Homeland Security (DHS) with the main purpose of the "prevention, detection, investigation and prosecution of terrorism and certain transnational crimes".
PNR transfers are currently taking place on the basis of a 2007 agreement, which Hustinx said was being "applied provisionally" because the European Parliament had decided not to give its consent until its data protection concerns were met. While the new agreement contained safeguards on data security and other improvements in comparison with its predecessor, "a number of concerns remain", the watchdog said in a formal opinion (8-page / 61KB PDF).
"Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfil strict conditions. Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the Member States have not been met," he said.
In his opinion, Hustinx said that the maximum retention period outlined in the proposed agreement was "clearly disproportionate". The draft agreement states that PNR data will be retained for up to five years in an active database and then transferred to a dormant database and stored for up to 10 years.
Hustinx said that it was irrelevant that this data would be "depersonalised and masked" six months after being received by the DHS. "Both 'masked out' data and data stored in a 'dormant database' are personal data as long as they are not anonymised. The data should therefore be anonymised (irreversibly) or deleted immediately after analysis or after a maximum of six months," he said.
The list of 19 types of data to be transferred to the DHS was also disproportionate, Hustinx said. This list should be narrowed and exclude "sensitive" data, such as meal preferences or a request for a wheelchair. In addition, this data should only be processed in relation to a "specific list" of crimes.
A catch-all reference to 'other crimes that are punishable by a sentence of imprisonment of three years or more' was particularly problematic, Hustinx said, as this threshold "includes different crimes in the EU and the US and in the different EU Member States and US States". Minor offences should also be "explicitly excluded" from the purpose of the agreement, he said.
The draft agreement states that data will be transferred to the DHS using a 'push' method, through which data is transmitted automatically from the airlines' databases. The EDPS welcomed this inclusion, but expressed concern over exceptions allowing the US authorities to access the data directly. "In order to definitively preclude the use of the 'pull' system... we strongly advise that the agreement expressly prohibits the possibility for US officials to separately access the data," the opinion said.
The watchdog also welcomed a provision in the draft agreement stating that the DHS should not transfer the data to other US authorities or third countries unless those authorities guarantee "equivalent or comparable" safeguards to those set out in the agreement. However, Hustinx said that the list of authorities that might receive PNR data should be further specified.
In his opinion, Hustinx said that he "regretted" that the agreement had been proposed a few weeks before the expected adoption of proposals for a review of the general data protection framework in the EU. The agreement should be reviewed once that new data protection framework comes into force, he said.
The Commission has proposed its own Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-EU flights. The UK already has a separate PNR data sharing arrangement with the US which Justice Secretary Ken Clarke described earlier this year as "absolutely critical to improving US and EU security".