Feeds

US and EU stitch up airline passenger data deal

And data protection law

Beginner's guide to SSL certificates

Then the US had wanted to keep the data it collects about people for at least eight years. The EU got it to settle with three and a half years. But Baker's letter said that as the new agreement only ran for nine months anyway, that restriction had been invalidated.

The real stickler was the EU's lauded "push" system for giving the US data about its citizens. US border control has been pulling the data, which means it takes what it needs straight from airlines' passenger databases. In 2004, the US agreed to a push system, which would mean that airlines handed over only the relevant passenger information.

The Department of Homeland Security still hasn't got round to giving up its pulling habit. But it has agreed to do so. Faull presented this as a way to ensure the US could get its hands on only that data it had agreed with the EU.

But Baker's letter, said the US push system was not going to be so restrictive: "The design of the system itself must permit any PNR data in the airline reservation or departure control systems to be published to DHS in exceptional circumstances where augmented disclosure is strictly necessary," he said.

Also, the EU's requirement that the US query only 34 fields of data about each passenger, was to be ignored (not forgetting a desire in Europe for the US to query no more than 15).

"The undertakings authorize DHS to add data elements to the 34 previously set forth...if such data is necessary," Baker said.

In other words, the US would take whatever data it wanted from the airlines, regardless of what it had agreed with the EU.

This could prove to be a difficult test for Europe's data protection law. Member states, through the Council of Ministers, have unanimously endorsed the US view of PNR signed up to in the new agreement. (They have yet to pass the agreement on Thursday, but have already given diplomatic approval enough for it to have been struck).

The test will centre on whether EC data protection law has competence over the transfer of data to countries without adequate data protection when the purpose of the transfer is security. The ECJ already ruled in June that the EC administration did not have the competence to strike the old PNR agreement, thus invalidating it.

It neglected to decide on the wider issue of whether the law was competent. That's next on the menu. And the ECJ advocate general has already indicated that he might prefer to side with the security hawks if he was required to intervene again. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.