This article is part of our special report Data protection.
EU home affairs ministers yesterday (13 December) gave the go-ahead to a controversial agreement between the EU and the US on passenger data records, sparking some criticism in the European Parliament which is now set to consider the deal.
“This agreement fails to address the fundamental rights concerns repeatedly raised by the European Parliament and various European courts,” said German MEP Jan Philipp Albrecht (Greens), promising a fight in the Parliament.
The deal allows US authorities to access and store data, including credit card numbers, of passengers flying to the United States. Despite privacy concerns from Germany over one clause that allows personal data to be accessed for up to 15 years in the event of a terror investigation, 10 years in other cases, EU ministers gave the green light to the agreement.
Passenger name record, or PNR, transfers are currently taking place under a 2007 agreement that is being applied provisionally because the European Parliament decided not to give its consent until its data protection concerns were met.
If the Parliament does not approve the new agreement, it will have to be renegotiated.
“Passenger data will be stored for up to 15 years under this agreement and there are insufficient provisions to protect against the odious practice of profiling. This flies in the face of court rulings across Europe and is at odds with EU data protection rules,” added Albrecht, who is the home affairs spokesman for the Greens in the European Parliament.
“This new agreement would compromise the data protection of EU citizens and as such is unacceptable. The European Parliament must not endorse any agreement under these conditions and the Greens will push to ensure it does not. The EP has already shown that it can play the role of defending the rights of EU citizens during the SWIFT agreement debacle. It must again rise to the challenge.”
SWIFT – the Society for Worldwide Interbank Financial Telecommunications – is a banking cooperative that facilitates international currency transactions.
EU ministers rushed through the deal just hours after European Data Protection Supervisor Peter Hustinx expressed concern about the EU-US agreement.
"Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfil strict conditions. Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the member states have not been met. The same applies to the conditions required by the European Parliament to provide its consent," Hustinx said on the new data transfer deal.
Hustinx had a number of reservations and found the 15-year retention period excessive.
“Data should be deleted immediately after its analysis or after a maximum of six months,” reads the EDPS opinion, which also stresses that air passenger data should be used only to combat terrorism or a well-defined list of transnational serious crimes.
Deal with Australia a good precedent?
In October, the European Parliament gave its consent to the conclusion of a passenger name record deal with Australia that tightens the safeguards; data will be retained by the Australian authorities for a maximum of five-and-a-half years.
At the time, British MEP Claude Moraes (European Parliamentary Labour Party) noted that the agreement with Australia was a good precedent for other similar agreements, like the one being negotiated with the US.