Out-Law News 4 min. read
22 Nov 2011, 2:13 pm
Jan Philipp Albrecht said that "cosmetic changes" to the EU-US passenger name record (PNR) agreement do not address "fundamental rights concerns", according to media reports.
Last week the European Commission announced that the EU and US had agreed a new deal on the transfer of PNR data. PNR data is basic information about a traveller such as their name, age, nationality, home address, mobile phone number, frequent flyer information, email address and credit card information.
The new agreement specified that airline carriers flying from the EU into the US must share PNR data about all passengers with the US Department of Homeland Security (DHS) with the main purpose of the "prevention, detection, investigation and prosecution of terrorism and certain transnational crimes," the Commission said.
Under the agreement DHS will be allowed to access PNR data in relation to terrorism offences for 15 years and for 10 years in relation to transnational crimes. Stricter access requirements will also be placed on PNR data after it has been stored for five years when the data is moved to "a dormant database," the Commission said.
Under the agreement DHS will be able to store identifying information about passengers for six months after it is sent. After this period the information will be "depersonalised," it said.
The agreement, which would replace the existing PNR deal the EU and US agreed in 2007, must be approved by the European Parliament and Council of Ministers before it can come into effect.
Albrecht said that he expects Germany to vote against the proposals, according to a report by IT World. Other EU countries, including France, could also vote against the agreement, according to a report by news service ZDNet.
"The 'new EU-US PNR' agreement presented is nothing more than a repackaging of the old agreement and fails to address the fundamental rights concerns repeatedly raised by the European Parliament and various European courts," Albrecht said, according to the IT World report.
"They have tried to make it look better, but have only made cosmetic changes. The substance of blanket data retention has remained. The Commission also paid for these changes with concessions to the US and there is now widened scope on border checks," Albrecht said.
"Even if they say personal data will be 'anonymized' after six months, the US still keeps all the records for 15 years. This goes way beyond what is allowed by the EU treaties," he said. "I think it likely that Germany may block the deal as it violates fundament rights. When looking at transposing the Data Retention Directive, the German Constitutional Court ruled that even six months blanket retention is not compatible with German law. So when it comes to 15 years, there could be a major problem between the German court and the EU legislator. And I think other member states will have trouble with it too."
The Data Retention Directive was established in 2006 to make it a requirement for telecoms companies to retain personal data for a period determined by national governments of between six months and two years. The Commission decided to regulate following terrorist attacks in Madrid in 2004 and London in 2005.
Under the Directive telecoms firms are required to retain identifying details of phone calls and emails, such as the traffic and location, to help the police detect and investigate serious crimes. The details exclude the content of those communications.
The European Commission hailed the revised PNR arrangements as a "big improvement" on the 2007 agreement and said that it contained "robust safeguards" to citizens' privacy. However, Albrecht said that allowing passenger data to be stored for 15 years was "disproportionate and problematic" and raises the "danger" of law enforcement building personal profiles about people, according to ZDNet.
DHS will not be able to access the PNR data directly from airline carriers' databases except if "it is necessary to prevent an urgent and serious threat" or if the airline suffers a "technical failure" that prevents the data being sent, the Commission said last week.
Albrecht said that airline carriers would not be able to check whether PNR data had been lifted from its database, according to ZDNet's report. "The huge problem is that this is not logged, so the carrier could not check if the agreement has been executed in the right way," he said.
The Commission last week said that the agreement had established "new data protection guarantees", including requiring a human to be present when PNR data is being processed in order to "prevent illegal profiling" by a computer. It also said that DHS had agreed to log all PNR data processing and that its activity would be overseen by independent bodies, including the US' Chief Privacy Officer and US Congress.
Gus Hosein of privacy lobby group Privacy International said that the agreement would enable PNR data to be shared amongst US law enforcement agencies, according to ZDNet.
"Everything that has been agreed between the European Union and the US seems to have been written in disappearing ink. Once data is in the hands of the US government, it's shared across the US government, and shared right down to the tribal level of law enforcement," Hosein said.
MEPs have been banned from speaking, or taking notes, about the revised PNR agreement with the US and can only access the text in a "sealed room," according to the IT World report. Dutch Liberal MEP Sophie In't Veld said that EU citizens should "have access to what is decided about their rights," the report said.
The EU's PNR arrangements have previously been criticised by privacy watchdogs. Earlier this year the European Data Protection Supervisor said that PNR data should be deleted after 30 days in order to meet EU data protection safeguards.
The Commission has proposed a Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-EU flights.
The UK already has a separate PNR data sharing arrangement with the US which Justice Secretary Ken Clarke described earlier this year as "absolutely critical to improving US and EU security".
