Airlines operating passenger flights to, from or through the US have been transferring passenger data contained in their reservation and departure control systems to US Customs since March last year, in order to comply with US anti-terror requirements.
The transfer has been controversial, not only because the US does not meet general EU data protection requirements, but because a proposed agreement setting out the terms of the transfer has also been found wanting.
The problem in Europe is that its Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection. The Commission decides which countries have adequate laws but, to date, only a few countries – not including the US – have met the criteria.
The Commission and the US have been negotiating since March 2003 over the specific protection required for air passenger data transfers, and in December last year the Commission announced that an agreement had been reached that would allow it to issue the required data protection 'adequacy finding'.
Civil liberties groups and the European Parliament have taken issue with the finding, and with an international agreement that is designed to sit alongside it, arguing that they do not provide sufficient protection for European passengers travelling to the US. The criticisms have been consistent, culminating late last month in a vote by MEPs to refer the agreement to the Court of Justice for an opinion.
Meanwhile, negotiations and data transfers between the EU and the US have been continuing. Yesterday the Commission and the Council announced that they had separately approved a formal Decision indicating that the data transfers to the US enjoy the 'adequate protection' required under the EU's data protection Directive.
According to the Commission, US Customs will provide undertakings that "significantly improve" the protection provided to data being transferred, as compared to the situation at present.
- Less data will be collected and retained by the US authorities. A list of 34 categories has been agreed (some airlines' current Passenger Name Records (PNR) contain more than 60 fields) and in most individual records only a limited number of these fields will be filled;
- Sensitive data, such as meal orders or special passenger requirements that may reveal, for example, race, religion or personal health, will either not be transferred or, if transferred, will be filtered and deleted by US Customs;
- PNR will be used only to combat and prevent terrorism, terrorism-related crimes and serious crimes, including organised crime, of a trans-national nature, instead of a much wider range of law enforcement uses previously sought by the US;
- There will be no bulk sharing of PNR. This addresses concerns about the use of PNR in generalised surveillance schemes believed to be under preparation in the US. US Customs will share data from the PNR they collect only on a limited case by case basis and only for the agreed purposes; when data originating from the EU are transferred under these strict conditions to law enforcement authorities in a country outside the US, a designated authority in the EU will be systematically notified;
- Most PNR will be deleted after three and a half years (compared with up to fifty years originally proposed by the US). Files that have been accessed will be kept in a deleted data file for a further eight years for auditing purposes (compared with indefinitely as originally intended); and
- EU Data Protection Authorities will be able to raise with the Chief Privacy Officer at the Department of Homeland Security (DHS) the cases of passengers whose complaints, for example about possible abuses of their data or failure to rectify inaccuracies, are not satisfactorily dealt with by the DHS.
To underpin compliance with the undertakings, says the Commission, a joint review will be conducted at least once a year by the DHS and a Commission-led team from the EU, including representatives of Member States' data protection and law enforcement authorities.
According to the Commission, the package agreed between the two sides provides for reciprocity, when the EU or its Member States establish similar requirements for PNR concerning flights from the US. The US also undertakes not to discriminate unlawfully against non-US citizens and residents.
The whole package has a three-and-a-half year lifetime and will expire unless the two sides agree to renew it. It is therefore a further interim arrangement which the Commission hopes will be replaced in due course by international standards currently being discussed by the International Civil Aviation Organisation.
The Decision approved yesterday by the Commission and the Council will not immediately change matters. The bilateral international agreement between the EU and the US has also to be completed. This is intended to deal with such issues as non-discrimination, reciprocity and direct access for the US Customs to the airlines' databases for as long as there is not an EU system in place to transfer such data.
It is the responsibility of the EU's Council of Ministers to conclude the international agreement and until this is in place the US undertakings and the improvements they bring will not take effect.
But once concluded, the European Parliament is entitled to seek the annulment of the international agreement or the adequacy finding or both. MEPs are already seeking a judicial ruling on the agreement and, outraged by the yesterday's Decision, may well take the matter further.
According to the Scotsman newspaper, Dutch MEP Johanna Boogerd-Quaak, a leading opponent of the transfer agreement said: "Refusing to wait for the Court's opinion is disrespectful to the authority of the Court and a breach of the duty of loyal co-operation between EU institutions."
"I believe that this agreement is legally flawed and when Parliament reconvenes in July, I will recommend pursuing the matter further: One way or the other, this issue will end up before the European Court of Justice, " she warned.
Internal Market Commissioner Frits Bolkestein, who led the negotiations on the Commission side, called the agreement "a balanced solution, which the Member States have supported."
"We are not seeking a confrontation with the Parliament," he said, and explained that the alternative "would not have been any further concessions from the US but would rather have been legal uncertainty and the potential withdrawal of US commitments to protect the data transferred – in other words chaos for EU passengers and airlines."