Out-Law News 4 min. read
25 Jan 2012, 2:01 pm
The Article 29 Working Party said that the new EU-US Passenger Name Record (PNR) agreement enables overly-prescriptive collection of personal data to achieve the purpose of preventing terrorism and transnational crimes. PNR data may include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
The group of EU data protection officials has written to the European Parliament to express its concerns about the transfer of EU passengers' personal information to US authorities.
In November the European Commission announced that it had come to a new EU-US PNR agreement with US authorities requiring airline carriers flying from the EU into the US to share PNR data about all passengers with the US Department of Homeland Security (DHS). The main purpose of the data transfer is the "prevention, detection, investigation and prosecution of terrorism and certain transnational crimes," the Commission said.
However, the Article 29 Working Party said that there was no evidence that collecting all that information about passengers was necessary or proportionate in order to tackle terrorism and serious crime. The Working Party, which is made up of the data protection watchdogs from the EU's 27 member states, has previously complained about the way the previous EU-US PNR agreement was drafted. It said its concerns about the legitimacy of the scheme have not been addressed by the new agreement.
"Since the negotiations of the first PNR agreement, the Working Party has expressed its doubts that sufficient evidence has been provided to demonstrate the necessity and the proportionality of mass transfer and use of PNR data for law enforcement purposes ...The Working Party notes that no new evidence is offered now. The Commission proposal only contains the statement that 'the fundamental rights [are respected] and the principles [are observed]' without further explanation in what way or to what extent this is the case," the Working Party said in a letter (5-page / 39KB PDF) to the European Parliament's Civil Liberties, Justice and Home Affairs committee (LIBE) posted by data protection blogger Chris Pounder.
Under the EU's Charter on Fundamental Rights individuals have the right to privacy and the right to the protection of their personal data.
The Working Party also outlined its concerns about how DHS uses the data it collects. It said the agreement does not sufficiently specify what the DHS can do with the information. Definitions contained in the agreement were also too broad and lacking in clarity over the limits in which PNR data can be used, the watchdogs said.
"It is troubling that all definitions provided are not exclusive," the Working Party said.
Concern was also expressed about the "open" extent that PNR data could be used for purposes other than preventing terrorism or serious transnational crimes. Under the agreement PNR data can also be used "on a case-by-case basis for the protection of vital interests of passengers, for example to protect against communicable diseases, or if ordered by a US court". The agreement also enables PNR data to be used in relation to other crimes if they are uncovered "in the course of using PNR for the purposes of the agreement," according to the Working Party.
Using PNR data other than in relation to terrorism and serious transnational crime would be "disproportionate," the Working Party said.
Parts of the agreement that are "of particular obscurity" should be explained so as their purposes can be understood, the watchdogs said. Doing so would help address concerns that the information collected is being used to build up profiles of individuals, they said.
Airline carriers should be responsible for "sensitive data filtering" but the PNR agreement does not state this, the Working Party said. It said it was "especially worrying" that the DHS could receive "masked" sensitive data that was not deleted.
The amount of time the agreement states DHS can legitimately store data is not justified, the Working Party said. Under the new agreement US security will be able to store identifying information about passengers for six months after it is sent. After this period the information will be "depersonalised" and can be retained for another 14 and a half years, the Commission said.
"What the European Commission has reached in the negotiations are limitations in terms of accessibility and use of the PNR data. In other words: the improvements of the agreement do not remove the fact that data of unsuspected citizens is stored for up to 15 years, only its use would be more limited. The Working Party cannot see how these long retention periods can be substantiated and justified. It considers them to be excessive and disproportionate," the Working Party said in its letter.
"In addition, it should be noted that the agreement does not require the deletion of the data after 15 years, but only its anonymisation. Taking into account the difficulty of truly anonymising data and the lack of further explaining why the (anonymised) data is still needed, the Working Party thinks it should simply be deleted," it said.
The Working Party also expressed concern that EU citizens do not have access to redress over the use of their PNR data. It called on the European Commission to share the reasons why it believes such a right to redress is contained in the EU-US PNR agreement.
The way that PNR data is transmitted has also caused unease among the privacy watchdogs. The Working Party said restrictions contained in the agreement over when DHS can "pull" data from airline carriers should already be in operation and that carriers should not have been given two years to ensure their "push" methods for sending the information are in place. The circumstances in which DHS will still be allowed to "pull" data under the agreement are "not entirely clear" and should be monitored by an oversight body, the Working Party said.
The Working Party said that there were "modest" improvements contained in the new agreement as opposed the previous drafts but that it broadly agreed with the European Data Protection Supervisor's criticisms of the new agreement published last month.
The European Commission has proposed its own Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-EU flights. The UK already has a separate PNR data sharing arrangement with the US which Justice Secretary Ken Clarke described earlier this year as "absolutely critical to improving US and EU security".
