The draft resolution by Dutch MEP Johanna Booger-Quaak criticised the as yet informal agreement on data transfer, and called for a proper international agreement to be negotiated. Failing this, said the draft resolution, airlines should be required to obtain passengers' consent before the transfer.
The controversy surrounding the transfer of air passenger data began shortly after the terrorist atrocities of September 2001, when the US passed its Aviation and Transportation Security Act.
This new law introduced the unilateral requirement that airlines operating passenger flights to, from or through the US provide the US Customs Border Protection Bureau, upon request, with electronic access to passenger data contained in their reservation and departure control systems.
The problem in Europe is that its Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection. The Commission decides which countries have adequate laws, but to date, only a few countries – not including the US – have met the criteria. Transfers of data to other countries need additional guarantees.
Airlines found themselves in a catch-22 position: to fly from Europe to the US, they would need to comply with either European law or US law, but they could not find a way to comply with both. So European and US authorities negotiated.
The European Commission agreed, temporarily, to waive aspects of its privacy regime and, on terms agreed with the US, data relating to transatlantic passengers has been transferring to US Customs since 5th March 2003.
Following delicate negotiations between the Commission and the US Department of Homeland Security, the Commission announced in December that it had reached agreement with the US. This placed limits on, for example, the nature of the data to be transferred and on the period for which data would be stored.
These arrangements have yet to be put into formal terms.
Reaction to the agreement
Criticism of the agreement has been fierce. In February, human rights watchdog Privacy International claimed that the European Commission has failed to live up to its responsibilities in protecting the privacy rights of air passengers travelling to the US.
This followed the formal Opinion of one of the Commission's own committees – the Article 29 Working Party – that the agreement raised several serious concerns about data protection issues. Earlier this month the European Parliament indicated its displeasure at the agreement by voting in favour of a report that criticised the data transfer policy.
The Citizens' Rights Committee
The latest attack came in the form of a draft resolution put before the Citizens' Rights Committee. This was passed yesterday by 25 votes to 9 with 3 abstentions, and will be put before Parliament in a few weeks time. Such resolutions are influential, albeit lacking legal force.
The draft resolution raises the following concerns:
- the number of Passenger Name Record (PNR) items (34) the US wants to obtain;
- the purposes for which the data might be used (not only for fighting terrorism, but also for fighting "serious crime");
- the lack of redress mechanisms for people who are denied entry to the US on the basis of the information in the PNR records;
- the lack of opportunities for passengers to correct errors in their personal data;
- the fact that a "pull" instead of a "push" system is used to obtain the data, meaning that the US does not have to ask for the data but has immediate access to it;
- the number and kind of agencies that have access to the personal data.
In the draft resolution, MEPs point out that there exists no specific EU legislation for using PNR data for public security purposes and that, in the US, the protection of privacy is not regarded as a fundamental right. In the US, only US citizens are granted the right to data protection.
MEPs also see the current agreement as unreliable, since it keeps open the option of amending the rules at any given time. They consider the importance of the issue to be such that they urge the Commission to reach a proper international agreement with the US that would offer genuine guarantees for passengers or, at the very least, the same protection as provided for US citizens.
Such an agreement would need to stipulate:
- the guarantees to be offered to passengers in order to enable them to correct their data;
- the list of serious crimes for which an additional request for information could be made;
- the list of authorities and agencies which would share the data and the data protection conditions to be respected;
- the data retention period;
- the right to appeal to an independent authority and redress mechanisms in the event of infringements of passengers' rights.
Pending a permanent legislative solution or the conclusion of an international agreement, the committee calls upon the Member States to require immediate compliance with EU and domestic privacy laws and to require airlines and travel agencies to obtain passengers' consent for the transfer of data. Furthermore, MEPs urge the Commission to block the pull system and to apply the push system.
The MEPs warned that unless the criticism is heeded by the Commission, and changes made, then they reserve the right to appeal to the European Court of Justice – an action that, if successful, would void the agreement.