Privacy experts take on Commission over US data deal

EU news & policy debates
- across languages -

Click here for EU news »

Monday 28 May 2012

BROWSE ALL SECTIONS

NEWS
EU-Argentina disputes escalate

The European Union filed a suit against Argentina's import restrictions with the World Trade Organization (WTO) today (25 May), intensifying the disputes between the South American nation and its trading partners.

News | MEPs blast Switzerland over workers quota, taxi restrictions
News | Europe’s airline CEOs blast “crazy” carbon pricing scheme
News | Ukraine asks EU to be patient for Tymoshenko solution
News | Parliament backs resource-efficiency roadmap
News | MEPs want stronger consumer rules for seniors, children
Hot topics
SPECIAL REPORTS
Special Reports
LINKSDOSSIERS

REACH chemical safety review: Re-opening a can of worms?
Five years after its adoption, the European Commission is preparing to review the controversial REACH regulation, which for the first time required chemical manufacturers to justify that their products are safe for consumers before placing them on the market.

LinksDossier | Cutting energy use in Europe's old building stock: Mission impossible?
LinksDossier | Visa-free travel for the EU's East: The next frontier
LinksDossier | Austerity: Healthcare in hardship
LinksDossier | Cloud computing: A legal maze for Europe
LinksDossier | Digital agenda: Connecting the EU
INTERVIEWS

EUrid: Being green pays off in increased competitiveness

It is not by making new regulations that policy-makers will force ICT companies to reduce their carbon footprint, but rather pushing member states to implement existing rules and convincing companies that they gain in competitiveness, argues Marc Van Wesemael, EURid CEO, in an interview with EurActiv.

Interview | Packaging boss: 'Paper for recycling is short in Europe'
Interview | Foreign Minister: 'Lithuania could adopt the euro after some time'
Interview | Internet guru warns users to play safe
Interview | Industry chief: Pricing, policies should promote water efficiency
Interview | Seeber MEP: Improve water efficiency without price spikes
OPINIONS

Greece's choice: a hard landing or a crash

Even though austerity depresses economic output, the Adjustment Programme is not the root of Greece's woes, argues Nikos Chrysoloras, a Brussels-based correspondent for Kathimerini, Greece’s leading newspaper and a Robert Bosch Stiftung “EU Journalism Fellow” for 2012, on a journalism practice with EurActiv.com. The op-ed was first published on the Euro Crisis blog.

Opinion | Energy efficiency: a clear path to a green future
Opinion | Europe Needs a Real Growth Agenda
Opinion | Energy savings: The stimulus Europe needs
Opinion | The water crisis is now
Opinion | François Hollande will lead Europe into a new era
BLOGS

Another monopoly of “Gazprom” level will appear in the RF
Upon the initiative of the President of the RF V.Putin and signature of the Prime-minister D.Medvedev, one of the greatest energy companies “Ros..

Blog | The safety of patients: what role for the EU?
Blog | Why Green Week is no longer Green
Blog | Euro-Bond
Blog | The impasse continues whilst the UK gets stuck in
Blog | The day of Cyril and Methodius
VIDEOS

^-A ⁺A

Published 28 March 2007 - Updated 08 June 2007

Tags

Data protection PNR Privacy

Data-protection practitioners and legal experts have criticised the Commission's lack of standing in negotiations with the US over the advance transfer of personal data concerning airline passengers crossing the Atlantic.

In a hearing organised by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs on 26 March 2007, MEPs, data-protection officers and privacy experts criticised the terms of the first two agreements which the Commission dealt out with the US and expressed concern on a follow-up agreement, which the Commission is currently negotiating in camera with the US side.

Under the terms of the first two agreements, the US could access 34 different kinds of personal information, including credit-card data, phone numbers, frequent-flyer habits, meal preferences and pets taken on board. Data-protection experts said that the data contained in this list does not meet the requirements of the Charter of Fundamental Rights and of the EU data-protection Directive.

According to the Charter and the Directive, all data-processing must be for specified, explicit and legitimate purposes only, adequate, relevant and not excessive in relation to those purposes. It must also be accurate and kept for no longer than is necessary for the purposes for which the data were collected.

Positions:

With respect to the new agreement currently under negotiation, Peter Schaar, chairman of the Article 29 Working Party of national data protection commissioners, expressed "concern that also the new agreement will not respect European data protection requirements". He added: "Any new agreement must of course meet legal requirements, but we also have to look at possible technical safeguards, such as anonymising or pseudonominising the data. Wouldn't it be sufficient if the identity of a passenger were revealed to the US authorities only once their screening systems have found indications for a suspect? There must be proof that practices meet the requirements, including the requirement that thy are necessary, not just useful for the US side. The way to ensure this is an independent audit of the practices, to be carried out jointly by both sides and including data- protection authorities."

MEP Stavros Lambrinidis (PES, Greece) said that he was "concerned about the amount of data transferred as well as about the unclear purposes for which the will be used". He said that what concerned him most was the way in which the agreement tore down the separation between private and public data, by using data that passengers provided voluntarily in order to obtain a better service for screening purposes. Lambrinidis said: "The transfer of PNR data has only been scrutinised by the Parliament once, and we were critical about it. We ask to evaluate a future agreement."

Data-protection expert and Commission adviser Professor Spiros Simitis said that the Commission had "clearly breached its obligations" by negotiating agreements that were in breach of EU data-protection laws. As an example he mentioned that under EU law, the purpose for the collection of personal data must be defined in advance. "There can't be such a thing as a data magnet, which collects data without a clear definition of the purpose," adding that the purpose given by the US would be considered insufficient under EU law. "Undefined terms like 'terrorism' and 'public interest' are completely counterproductive and inadmissible for any functioning data- protection rules."

Marc Rotenberg of the Electronic Privacy Information Center in Washington, DC, pointed out what he called "a critical shortcoming of the US Privacy Act", namely that it contains "no protection at all for non-US citizens". This data, he stressed, is being used by US authorities for a range of purposes other than the fight against terrorism, including for example immigration control. Rotenberg pointed out that even US government audits have found flaws in programmes dealing with this data, such as Secure Flight and the Automated Targeting System (ATS), which possibly exceeds the terms of the PNR agreement.

Commission Director-General Jonathan Faull replied that "on ATS the situation is clear. I got a letter signed by Stewart Baker (US Department of Homeland Security ) assuring us that the use of ATS in no way violates the PNR agreement."

Gus Hosein of the NGO Privacy International said that he was shocked by the confidence that the Commission placed in US assurances of compliance with the terms of the various agreements. He quoted former US defence secretary Donald Rumsfeld, who said: "There are things that we know and things that we don't know, but what concerns us most is the things we know that we don't know."

One such example, Hosein said, is the question of "what is happening to our data once it has been transmitted to US authorities", a question that occurs even more when someone is travelling with a US air carrier, who is subject to different, even more intransparent data-forwarding schemes. On the other hand, Hosein questioned the role of the commission, who, he said knew before the US Congress of the existence of ATS.

Next steps:

On 10 and 11 April 2007, the Civil Liberties Committee will face the Council and the Commission in a political debate on PNR and other data-protection issues.
In mid-April, a Parliamentary delegation will visit the US to discuss the issues.
On 31 July, the interim agreement on PNR will run out, raising the pressure for a new agreement.

External Links

European Union

Eur-Lex: Data Protection Directive
Parliament (Committee on Civil Liberties, Justice and Home Affairs): Programme - Public Seminar: PNR/SWIFT/Safe Harbour: Are transatlantic data protected? (26 March 2007)
Parliament (press release): Transatlantic relations and data protection: a never-ending story? (27 March 2007)
[FR] (95/46/EC; 24 October 1995) [DE]
Council: Decision on the conclusion of an Agreement with the United States of America on the processing and transfer of PNR data (17 May 2004 )
Eur-Lex: Council Directive on the obligation of carriers to communicate passenger data (2004/82/EC; 29 April 2004) [FR] [DE]
Commission: Factsheet 'Passenger Name Record' (25 June 2003)
DG JAI: Commission decisions on the adequacy of the protection of personal data in third countries - United States - Transfer of Air Passenger Name Record (PNR) Data (Provides links to key documents) [FR] [DE]
DG External Relations: European Commission / US Customs talk on Passenger Name Record (PNR) transmission
Article 29 Data Protection Working Party: Pull - Push factsheet (21 March 2007)
Article 29 Data Protection Working Party: Factsheet 'US Watch lists : Passenger no-fly lists/ Selectee lists' (21 March 2007)
Article 29 Data Protection Working Party: Factsheet 'Automated Targeting System (ATS)' (21 March 2007)

Governments

Department of Homeland Security: Undertakings regarding the handling of Passenger Name Record Data (9 July 2004)
Michael Chertoff, Secretary of Homeland Security: A Tool We Need to Stop the Next Airliner Plot (Commentary published in the Washington Post newspaper; 29 August 2006)
Department of Homeland Security: US-VISIT: Keeping America's Doors Open and Our Nation Secure

Business & Industry

Association of European Airlines (Arnaud Camus): PNR access - Present situation and future developments (22 March 2007)

Think tanks & Academia

Professor Stefano Rodotá: The European Constitutional Model for Data Protection (26 March 2006) Background document [FR]
Professor Marc Rotenberg: Recent Privacy Developments in the United States, particularly with Respect to Travelers Using Air Transport (21 March 2007)
Professor Yves Poullet: Transborder Data Flows and Extraterritoriality : The (21 March 2007)
Professor Yves Poullet: The US 'Safe Harbor Principles' in the EU regulatory Privacy environment (21 March 2007)
Professor Yves Poullet and Franck Dumortier: La protection des données à caractère personnel dans le contexte (21 March 2007)

Blogs

Bruce Schneier: Automated Targeting System (22 December 2006)

Background:

Following the 11 September 2001 terrorist attacks, the United States requested access to the personal information that passengers provide when booking a ticket (Passenger Name Record (PNR)), claiming that this data is necessary for combating terrorism. The US threatened airlines that refused to provide the requested data with a withdrawal of their landing authorisation.

The Commission entered into negotiations with the US and came up with a first agreement, under which the US could access 34 different kinds of personal information under a so-called pull scheme. This means that the US can access the data stored in airline booking systems directly instead of having the information transferred and possibly filtered, anonymised or pseudonominised (a 'push' scheme). In spite of the concerns of data protection authorities, the Commission found the agreement adequate (which means that it expected EU citizen's data to be treated in line with EU data-protection law). The US store the data for 42 months and, in certain cases, much longer. They promised to use it only within the Department of Homeland Security and not to pass it on to other agencies. There is, however, no verification mechanism for this promise, neither is there one for the deletion of the data at the end of the agreed storage period.

The agreement entered into force on 28 May 2004.

Two years later, it was ruled illegal by the European Court of Justice. The Court ruled that "neither the Commission decision finding that the data are adequately protected by the United States nor the Council decision approving the conclusion of an agreement on their transfer to that country are founded on an appropriate legal basis".

Since the US maintained its threat to non-compliant airlines, an intermediary scheme entered into force when the first agreement ended at the end of September 2006. This second agreement, which was under the same terms as the agreement already ruled illegal, will end on 31 July 2007.

Four months prior to that date, the Commission is in secret negotiations on a new agreement. The US has already indicated that it will not settle for anything less - namely for better privacy standards - than in the previous agreements.

See EurActiv, 01/02/07, 06/10/06, 31/08/06, 31/05/06.

According to airlines, 140 million PNR transactions were made by US authorities from the six largest airlines in 2006 alone.