Out-Law News

EU Commission outlines passenger data swap principles


The European Commission has published guidelines that will govern the air passenger data-swap agreements that security services are increasingly using as a terrorism prevention measure.

Passenger name records (PNR) are documents containing some of the information (including personal information) travellers use to book flights. Some countries, including the US, demand that airlines hand over PNR to that country's authorities before allowing planes to land.

Data protection advocates and watchdogs have warned that PNR can threaten passengers' data protection rights, and the EU Commission's negotiations with the US over PNR have proved controversial in the past.

The Commission has said, though, that it wants to stop negotiating with countries on an individual basis, coming to different PNR arrangements with different countries. It has published guidelines for all PNR agreements, it said.

"Currently the exchange of PNR data with third countries is done under different frameworks," said a Commission statement. "Continuing this situation when PNR data is an increasingly popular security tool, would adversely affect legal certainty and the protection of passengers' personal data."

The Commission has published a set of 'general principles' that will govern all future deals.

Those principles demand that: PNR data should be used exclusively to fight terrorism and serious transnational crime; the categories of the PNR data exchanged should be limited to what is necessary for that purpose, and be clearly listed in the agreement; and passengers should be given clear information about the exchange of their PNR data, have the right to see their PNR data and the right to effective administrative and judicial redress.

The principles also say that: decisions having adverse effects on passengers must never be based on automated processing of PNR data, and a human being must be involved before a passenger is denied boarding, a measure that seeks to prevent 'profiling'; third countries must ensure a high level of data security and effective independent oversight of the authorities which use PNR data; and PNR data cannot be stored longer than necessary to fight terrorism and serious transnational crime.

PNR data should only be shared with third countries if those countries also act in accordance with the EU's terms, the principles also said.

"In this strategy, we set the general principles that any PNR agreement with a third country should be based on," said EU Commissioner for Home Affairs Cecilia Malmström. "PNR data has proven to be an important tool in the fight against serious transnational crime and terrorism, but at the same time, it raises important issues about protection of personal data."

The EU has provisional agreements with the US and Australia on PNR, but the European Parliament said earlier this year that it would not ratify agreements, as is required, until the Commission laid out the guidelines that should govern all PNR deals.

The Parliament said that the Australian and US deals should be renegotiated on the basis of these principles once they are published.

The Parliament agreed not to reject the PNR deal proposed earlier this year on the condition that a set of principles would be formulated which would respect demands it made on data protection issues in 2008.

EU Commissioner Viviane Reding said in July that she wanted to end the 'piecemeal' approach to data sharing with the US, and that she would create an 'umbrella' data protection agreement to cover all sharing, including the sharing of financial records and PNR data.
