Data-protection practitioners and legal experts have criticised the Commission's lack of standing in negotiations with the US over the advance transfer of personal data concerning airline passengers crossing the Atlantic.
Following the 11 September 2001 terrorist attacks, the United States requested access to the personal information that passengers provide when booking a ticket (Passenger Name Record (PNR)), claiming that this data is necessary for combating terrorism. The US threatened airlines that refused to provide the requested data with a withdrawal of their landing authorisation.
The Commission entered into negotiations with the US and came up with a first agreement, under which the US could access 34 different kinds of personal information under a so-called 'pull' scheme. This means that the US can access the data stored in airline booking systems directly instead of having the information transferred and possibly filtered, anonymised or pseudonymised (a 'push' scheme). In spite of the concerns of data protection authorities, the Commission found the agreement adequate (which means that it expected EU citizens' data to be treated in line with EU data-protection law). The US stores the data for 42 months and, in certain cases, much longer. It promised to use the data only within the Department of Homeland Security and not to pass it on to other agencies. There is, however, no verification mechanism for this promise, nor is there one for the deletion of the data at the end of the agreed storage period.
The agreement entered into force on 28 May 2004.
Two years later, it was ruled illegal by the European Court of Justice. The Court ruled that "neither the Commission decision finding that the data are adequately protected by the United States nor the Council decision approving the conclusion of an agreement on their transfer to that country are founded on an appropriate legal basis".
Since the US maintained its threat to non-compliant airlines, an intermediary scheme entered into force when the first agreement ended at the end of September 2006. This second agreement, which was under the same terms as the agreement already ruled illegal, will end on 31 July 2007.
Four months prior to that date, the Commission is in secret negotiations on a new agreement. The US has already indicated that it will not settle for anything less than in the previous agreements, that is, it will not accept better privacy standards.
See EurActiv, 01/02/07, 06/10/06, 31/08/06, 31/05/06.
According to airlines, 140 million PNR transactions were made by US authorities from the six largest airlines in 2006 alone.
In a hearing organised by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs on 26 March 2007, MEPs, data-protection officers and privacy experts criticised the terms of the first two agreements that the Commission negotiated with the US and expressed concern about a follow-up agreement, which the Commission is currently negotiating in camera with the US side.
Under the terms of the first two agreements, the US could access 34 different kinds of personal information, including credit-card data, phone numbers, frequent-flyer habits, meal preferences and pets taken on board. Data-protection experts said that the data contained in this list does not meet the requirements of the Charter of Fundamental Rights and of the EU data-protection Directive.
According to the Charter and the Directive, all data processing must be for specified, explicit and legitimate purposes only, and the data must be adequate, relevant and not excessive in relation to those purposes. The data must also be accurate and kept for no longer than is necessary for the purposes for which they were collected.
With respect to the new agreement currently under negotiation, Peter Schaar, chairman of the Article 29 Working Party of national data protection commissioners, expressed "concern that also the new agreement will not respect European data protection requirements". He added: "Any new agreement must of course meet legal requirements, but we also have to look at possible technical safeguards, such as anonymising or pseudonymising the data. Wouldn't it be sufficient if the identity of a passenger were revealed to the US authorities only once their screening systems have found indications for a suspect? There must be proof that practices meet the requirements, including the requirement that they are necessary, not just useful for the US side. The way to ensure this is an independent audit of the practices, to be carried out jointly by both sides and including data-protection authorities."
MEP Stavros Lambrinidis (PES, Greece) said that he was "concerned about the amount of data transferred as well as about the unclear purposes for which they will be used". He said that what concerned him most was the way in which the agreement tore down the separation between private and public data, by using for screening purposes data that passengers had provided voluntarily in order to obtain a better service. Lambrinidis said: "The transfer of PNR data has only been scrutinised by the Parliament once, and we were critical about it. We ask to evaluate a future agreement."
Data-protection expert and Commission adviser Professor Spiros Simitis said that the Commission had "clearly breached its obligations" by negotiating agreements that were in breach of EU data-protection laws. As an example, he mentioned that under EU law, the purpose for the collection of personal data must be defined in advance. "There can't be such a thing as a data magnet, which collects data without a clear definition of the purpose," he said, adding that the purpose given by the US would be considered insufficient under EU law. "Undefined terms like 'terrorism' and 'public interest' are completely counterproductive and inadmissible for any functioning data-protection rules."
Marc Rotenberg of the Electronic Privacy Information Center in Washington, DC, pointed out what he called "a critical shortcoming of the US Privacy Act", namely that it contains "no protection at all for non-US citizens". This data, he stressed, is being used by US authorities for a range of purposes other than the fight against terrorism, including for example immigration control. Rotenberg pointed out that even US government audits have found flaws in programmes dealing with this data, such as Secure Flight and the Automated Targeting System (ATS), which possibly exceeds the terms of the PNR agreement.
Commission Director-General Jonathan Faull replied that "on ATS the situation is clear. I got a letter signed by Stewart Baker (US Department of Homeland Security) assuring us that the use of ATS in no way violates the PNR agreement."
Gus Hosein of the NGO Privacy International said that he was shocked by the confidence that the Commission placed in US assurances of compliance with the terms of the various agreements. He quoted former US defence secretary Donald Rumsfeld, who said: "There are things that we know and things that we don't know, but what concerns us most is the things we know that we don't know."
One such example, Hosein said, is the question of "what is happening to our data once it has been transmitted to US authorities", a question that arises all the more when someone is travelling with a US air carrier, which is subject to different, even less transparent data-forwarding schemes. On the other hand, Hosein questioned the role of the Commission, which, he said, knew of the existence of ATS before the US Congress did.