Since March this year most European airlines have been handing
over transatlantic passenger details to US Customs. These include
such details as: the date of your reservation, the travel agency
where you booked your trip, your credit card number, expiry date
and billing address, your affiliation to a particular group, your
e-mail address, your work address, medical data, and possibly your
religion or ethnic origin. And this data might be shared with other
US agencies. Understandably, this has been causing some
concern.
The controversy began with the US Aviation and Transportation
Security Act. Passed on 19th November 2001, this law introduced the
requirement that airlines operating passenger flights to, from or
through the US provide the US Customs Border Protection Bureau
(CBP), upon request, with electronic access to passenger data
contained in their reservation and departure control systems, which
can be linked up not only with identification data but with other
information of the type described above.
In the EU the Data Protection Directive of 1995 provides that
personal data may only be transferred to third countries if the
specific country ensures an adequate level of protection.
The Directive also allows the Commission to adopt a decision
confirming the adequacy of the data protection provisions of a
particular country, by reason of its domestic law or the
international commitments it has entered into. Very few countries
qualify for this accolade: Canada, Switzerland, Argentina and
Hungary are the only non-EU countries to which EU businesses can
currently transfer personal data without the need for additional
guarantees.
However, data relating to transatlantic passengers has been
passed over to US Customs since 5th March this year, on the basis
of an unenforceable agreement between the Commission and US
Customs.
This took the form of a Joint Statement and provided that US
Customs would give information to other US law enforcement
authorities "only for purposes of preventing and combating
terrorism and other serious criminal offences," and that,
basically, further protections would be added.
These further protections have still not been added and,
according to reports, the Commission announced on Tuesday that it
had now rejected US demands for the transfer of passenger data.
According to Reuters, Commission spokesman Reijo Kemppinen said:
"The US side has refused to limit the use of data to combat
terrorism". In other words, agencies investigating other crimes
would have access to the data too.
There are also difficulties over the length of time the data is
kept. The EU expects the data to be retained for a period of weeks,
or months, while the US reportedly wants to keep it for around
seven years.
At a daily media briefing, Frits Bolkestein, the Commissioner
responsible for customs matters, issued copies of a letter he had
sent to the US Homeland Security Secretary Tom Ridge. This said
that the transfer of data highlighted "fundamental rights and
liberties which are constitutionally protected in the law of
several member states", adding, "These liberties are fiercely
cherished in the European Union".
Referring to the protections promised by the US, Reuters reports
that Bolkestein wrote, "The US undertakings fall short of what we
need."
The deepening EU/US rift will do nothing to help airlines, which
are likely to face action by EU data protection agencies if they
hand over passenger data, but will face action by US authorities if
they do not.
Finnish airline Finnair is to begin transferring data to the US
next week, despite the recent announcement by the Commission. It
plans to get round the data protection problem by only transferring
the data of those passengers who consent to the transfer – but will
not issue a ticket to those passengers who do not consent. Finnair
says it has no choice in the matter.