Données privées : Deux accords transatlantiques ravivent les inquiétudes[en] 

On 29 June 2007, final EU-US agreement is set to be reached on the passenger-name records (PNR) deal, bringing to a conclusion the lengthy back-and-forth over how Washington can gain, store and use information about every European traveller crossing the Atlantic. 

Under the draft agreement, the 34 pieces of data that US law-enforcement authorities can at present collect will be reduced to 19 - including name, contact information, payment details, travel agency, itinerary and baggage information, but excluding sensitive data on factors such as ethnicity.

A further agreement was reached on 28 June concerning how the US will be allowed to handle data on European financial transactions operated by Belgian consortium SWIFT. 

European Data Protection Supervisor Peter Hustinx has indicated his belief that the privacy rights of air passengers between the EU and US will be threatened by the information-sharing deal to be struck on 29 June that seeks to prevent terrorist attacks.

Passenger information will now be able to be kept by the US for 15 years, up from the previous maximum of three. But EU officials have rejected the assertion, saying the agreement, which will come into effect at the end of July, has more safeguards than previously. While the US maintains the exchange of letters that will seal the deal is not legally binding, Brussels regards it as an international agreement that could be revoked if not complied with.

EU citizens will also be covered by the US Privacy Act for the first time, meaning they could enforce their rights in US courts.

The new deal must be ratified by national parliaments before taking effect.

Concerning access to financial data, June 2006 saw Belgian financial transfer association SWIFT in the headlines, as it was revealed that officials from the CIA, the FBI and other US agencies had since 2001 been allowed to inspect the transfers as part of their global fight against terrorism.

SWIFT, which stands for the Society for Worldwide Inter-bank Financial Telecommunications, manages the codes for international payments and handles around 11 million financial transactions per day in more than 200 countries worldwide.

Commissioner Frattini called on respective financial institutions "to take all the necessary steps to ensure their quick compliance with European data protection law."

From now on, all banks using SWIFT will have to inform their customers about such transfers.

Commission Vice-President Franco Frattini, commissioner responsible for justice, freedom and security said: "The EU and its most important strategic partner in the fight against terrorism, the US, have to join forces in this fight, including the financing of terrorism. However, these activities should be done in full respect of fundamental rights, including notably data protection rights and the right to privacy of EU citizens.

"I am therefore now looking to SWIFT and to the financial institutions that use its services to take the necessary steps so that SWIFT will be in compliance with the Data Protection Directive and may have recourse to the Safe Harbour mechanism, that allows limitations on its data protection principles for important public purposes 'to the extent necessary to meet national security, public interest or law enforcement requirements'."

European Data Protection Supervisor Peter Hustinx, in a letter to German Interior Minister Wolfgang Schäuble, who has been instrumental in securing the PNR deal, said: "The agreement will allow the US to retain information about passengers for 15 years, up from three at present, while placing no limitation to what US authorities are allowed to do with the data." 

The European Parliament's rapporteur for the PNR-agreement, MEP Sophie in ´t Veld (D66, Netherlands) expressed her concern about "the threat to the privacy of Europeans as a result of this PNR deal": "The PNR deal is simply bad. The purposes for which the personal data can be used is not sufficiently defined. Furthermore, data are being used not only for investigations but also for profiling and data mining (automated computer system) that makes profiles of individuals based on the collected data. 

"Furthermore, the US authorities can store the data for up to 15 years (against 3,5 years in the current agreement), they will be allowed to log directly onto European computer reservation systems and the US can renege upon the agreement unilaterally."

She was less critical over the SWIFT agreement: "The purpose is strictly limited to fighting terrorism, the data will not be used for profiling, the retention period is shorter and there is slightly better monitoring of compliance. Furthermore, the national parliaments have no other option than to approve."

"However, it remains unacceptable that such a sensitive agreement has been treated as a mere administrative formality negotiated by civil servants without a debate in the European Parliament or indeed in national parliaments. PNR and Swift are only the tip of the iceberg; each individual measure is not only an infringement of privacy but the accumulative effect is that the authorities have access to a wide range of data from Google, emails, credit card data, insurance companies, medical files and so on."

MEP Alexander Alvaro (FDP, Germany) who authored a report for the Parliament on international financial transactions considered the 28 June agreement on SWIFT to be broadly acceptable:"It is a balanced agreement with high hurdles to be overcome before sensitive data can be released to authorities not connected specifically with the fight against terrorism. It also provides for supervision and an external auditor to ensure it is being correctly implemented," he said.