US and EU stitch up airline passenger data deal

And data protection law

Then the US had wanted to keep the data it collects about people for at least eight years. The EU got it to settle with three and a half years. But Baker's letter said that as the new agreement only ran for nine months anyway, that restriction had been invalidated.

The real stickler was the EU's lauded "push" system for giving the US data about its citizens. US border control has been pulling the data, which means it takes what it needs straight from airlines' passenger databases. In 2004, the US agreed to a push system, which would mean that airlines handed over only the relevant passenger information.

The Department of Homeland Security still hasn't got round to giving up its pulling habit. But it has agreed to do so. Faull presented this as a way to ensure the US could get its hands on only that data it had agreed with the EU.

But Baker's letter, said the US push system was not going to be so restrictive: "The design of the system itself must permit any PNR data in the airline reservation or departure control systems to be published to DHS in exceptional circumstances where augmented disclosure is strictly necessary," he said.

Also, the EU's requirement that the US query only 34 fields of data about each passenger, was to be ignored (not forgetting a desire in Europe for the US to query no more than 15).

"The undertakings authorize DHS to add data elements to the 34 previously set forth...if such data is necessary," Baker said.

In other words, the US would take whatever data it wanted from the airlines, regardless of what it had agreed with the EU.

This could prove to be a difficult test for Europe's data protection law. Member states, through the Council of Ministers, have unanimously endorsed the US view of PNR signed up to in the new agreement. (They have yet to pass the agreement on Thursday, but have already given diplomatic approval enough for it to have been struck).

The test will centre on whether EC data protection law has competence over the transfer of data to countries without adequate data protection when the purpose of the transfer is security. The ECJ already ruled in June that the EC administration did not have the competence to strike the old PNR agreement, thus invalidating it.

It neglected to decide on the wider issue of whether the law was competent. That's next on the menu. And the ECJ advocate general has already indicated that he might prefer to side with the security hawks if he was required to intervene again. ®

Sponsored: Network DDoS protection