Out-Law News 6 min. read

EU accused of failing to protect air passengers' privacy


In a scathing report published yesterday, human rights watchdog Privacy International claimed that the European Commission has failed to live up to its responsibilities in protecting the privacy rights of air passengers travelling to the US.

The report claims that the Commission is using its ongoing negotiations with US authorities on the transfer of passenger data to further its own plans for an EU surveillance system.

The history

The controversy surrounding the transfer of air passenger data began shortly after the terrorist atrocities of September 2001, when the US passed the Aviation and Transportation Security Act.

This new law introduced the requirement that airlines operating passenger flights to, from or through the US, provide the US Customs Border Protection Bureau, upon request, with electronic access to passenger data contained in their reservation and departure control systems.

The problem in Europe is that its Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection. The Commission decides which countries have adequate laws, but to date, only a few countries have met the criteria. Transfers of data to other countries need additional guarantees.

Airlines found themselves in a catch-22 position: to fly from Europe to the US, they would need to comply with either European law or US law, but they could not find a way to comply with both. So European and US authorities negotiated.

The European Commission agreed, temporarily, to waive aspects of its privacy regime and, on terms agreed with the US, data relating to transatlantic passengers has been transferring to US Customs since 5th March 2003.

Negotiations continued between the Commission and the US Department of Homeland Security to find a formula that would satisfy the US anti-terrorist requirements, and allow the EU to issue an "adequacy finding" in respect of the US data protection provisions. But the negotiations were tricky.

In particular, the US had refused to limit access to the data to agencies seeking to combat terrorism – agencies investigating other crimes were to have access too. There were also difficulties over the length of time the data should be kept. The EU expected the data to be retained for a period of weeks or months, while the US wanted to keep it for around seven years.

The deal

In December last year the Commission finally announced that it had reached agreement with the US. The main points of the deal were as follows:

Limits are placed on the amount of data to be transferred, with a closed list of 34 elements. Furthermore, the US has undertaken not to require airlines to collect any data where any of these 34 elements would be empty. In practice, the Commission says that most would consist of no more than 10-15 items.

The data will be stored for no more than 3.5 years – exactly the same length of time that the agreement, unless extended, will last – the 'sunset clause'.

The arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II) – the proposed domestic airline passenger screening system. This will be discussed at a later date. The US has since confirmed that the PNR data will be used for testing CAPPS II.

There will be a joint review of US compliance by US and EU authorities each year.

EU passengers will have redress to the Department of Homeland Security (DHS), and if not resolved satisfactorily EU data protection authorities will be recognised as having the right to represent EU citizens in the US.

All categories of sensitive data will be deleted, and there will be no bulk sharing of data with other agencies. In particular, the data will be used only for the purposes of preventing and combating:

terrorism and related crimes;

other serious crimes, including organized crime, that are transnational in nature; and

flight from warrants or custody for the crimes described above.

The arrangements have yet to be put into formal terms, or approved by the European Parliament. As part of the formal process the deal has been scrutinised by the Commission's Article 29 Working Party, which issued a formal Opinion on the issue on 29th January. This raised several major concerns about the agreement.

The Opinion

The Working Party has issued two previous Opinions on the "Adequate Protection of Personal Data Contained in the PNR (personal name record) of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection", stating that the

"transfer of data to US authorities raises public concern and has broad and sensitive implications in political and institutional terms, as well as having an international dimension."

The Opinion issued last week does not reveal any alleviation of these concerns.

In particular the Working Party is concerned about the following:

Data quality:

the purposes of the data transfer should be limited to fighting acts of terrorism and specific terrorism-related crimes to be defined;

the list of data elements to be transferred should be proportionate and not excessive;

data matching against suspects should be performed according to high quality standards with a view to certainty of the results;

the data retention periods should be short and proportionate;

passengers' data should not be used for implementing and/or testing CAPPS II or similar systems.

Sensitive data should not be transmitted.

Data subjects' rights:

clear, timely and comprehensive information should be provided to the passengers;

rights of access and rectification should be guaranteed on a non discriminatory basis;

there should be sufficient guarantee that passengers would have access to a truly independent redress mechanism.

Level of commitments by US authorities:

the US commitments should be fully legally binding on the US side;

the scope and legal basis and value of a possible "light international agreement" should be clarified.

Onward transfers of passenger PNR data to other government or foreign authorities should be strictly limited.

Method of transfer: a "push" method of transfer – whereby the data are selected and transferred directly by airlines to US authorities – should be put in place."

But further criticisms of the Commission/US agreement were made yesterday, when Privacy International, in association with European civil rights groups Statewatch and the European Digital Rights Initiative (EDRi), published a scathing attack on the deal. The groups allege that the Commission has engaged in a process of systematic deception and subterfuge in the latter stage of negotiations.

The Report

Privacy International claims that not only has the Commission allowed key privacy rights to be extinguished in the negotiations, but it has also failed to disclose its own intention to establish a more extensive regime in the EU. In summary the report alleges:

The US Department of Homeland Security (DHS) gets access to EU airline database records even though the DHS does not require similar access to US carriers' computer systems and records.

The US now has data to test and implement its controversial Computer Assisted Passenger Pre-Screening System, using European passenger data instead of American passenger data. The European Commission believes that the Department of Homeland Security will remove this data once testing is complete. This is an unacceptable risk taken by the Commission, say privacy groups.

The European Commission is now speaking of creating a centralised database of all passenger records so that the records can then be transferred to the US, creating further privacy and security concerns.

The European Commission wishes to see the development of EU-based laws that will grant database access to EU member states for law enforcement purposes. The EU also wishes for access to U.S. passenger data, but has not yet negotiated this with the Americans.

After establishing European surveillance laws, the European Commission is also seeking to create a global regime on passenger records surveillance through the UN agency, the International Civil Aviation Organization, thus permitting all countries to gain access to this data.

The report's principal author, Dr Gus Hosein, Senior Fellow at Privacy International, said:

"This is a case of opportunism by the Commission. The EU is blaming the U.S. for an admittedly unjust law, but then going further than the U.S. to establish a global system of surveillance of movement."

Privacy International has expressed its concern and anger at the actions of the Commission and urges the European Parliament to conduct a comprehensive investigation into the affair, with a view to taking legal action against the Commission.

Privacy International's Director, Simon Davies, warned that the Commission had overstepped its mandate and had breached the trust of European citizens:

"The European Parliament and the people of Europe have been deceived by the Commission. A full-scale investigation is now necessary. We believe legal action should be taken against the Commission to ensure that this dangerous subterfuge does not occur in the future."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.