Parliament slams PNR deal as ‘substantively flawed’

In adopting a Resolution on the Agreement between the European Union and United States on the transfer of EU citizens’ private data when flying to the US (Passenger Name Records, PNR), the European Parliament nevertheless concluded that the 10 July 2007 deal fails to offer an adequate level of data protection.

The draft Agreement between the EU and US on the processing and transfer of passenger name record (PNR) data by air carriers to the US Department of Homeland Security (DHS) is due to be formalised in the coming days by the Council.

In adopting their Resolution, MEPs acknowledged the difficult conditions under which the negotiations took place, but expressed their concern that the EU-US Agreement for the transfer of Passenger Name Records (PNR) was “substantively flawed”, in particular by “open and vague definitions and multiple possibilities for exception”.

“The Agreement is supposed to provide a legal basis for carriers to transfer personal data to US authorities, as well as ensure adequate protection of personal data and rights of EU citizens. On the latter it fails miserably,” said European Liberals and Democrats PNR Rappporteur Sophie in ‘t Veld (Netherlands, D66).

Even though Parliament welcomed the provision that existing data protection law for US citizens (US Privacy Act) will be extended administratively to EU citizens’ data processed in America, MEPs felt there was still much more to be improved. Their main concerns regarding the new Agreement are:

• Use: The handling, collection, use and storage of personal data from air passengers by the US Homeland Security Department is not founded on a legal agreement but on non-binding assurances remitted in a letter, which can be unilaterally changed.
• Purpose: PNR transfer is not limited to fighting terrorism, it can also be used for other “unspecified additional purposes” by the US government.
• Sensitive data: Information regarding ethnic origin, political opinions, sex life of the individual, etc. will be also made available and can be used by the US Homeland Security Department in exceptional cases.
• Access: The fields of data that can be accessed from each PNR file have been reduced from 34 to 19, but “the reduction is largely cosmetic due to the merging of data fields instead of actual deletion”.
• Retention period: Data can be retained for longer periods with the new agreement: from three and a half years to 15. Besides that, PNR data will be kept for seven years in “active analytical databases”, leading to a substantial risk of massive profiling, contrary to EU principles.
• Third countries: Parliament strongly opposes the fact that third countries in general may be given access to PNR data if adhering to specified conditions by the US government. The EU has accepted “not to interfere” concerning the protection of EU citizens’ PNR data shared by the US with third countries.

Finally, MEPs demanded that the Commission clarify Justice and Security Commissioner Franco Frattini’s statements regarding the possible creation of an EU PNR system to be used in Europe and called on member states’ national parliaments to examine the present draft Agreement carefully.

Read more with Euractiv

Air passengers to face EU anti-terror screening

In a bid to step up the fight against terrorism, airlines flying to the EU could be obliged to share private data on their passengers, such as passport numbers and credit card details, with Europe’s secret services, Justice Commissioner Franco Frattini has announced.