EU privacy watchdog pans passenger data plans
Still not good enough
What you need to know about cloud backup
The European Commission's rules for transferring air passengers' details to destination countries are still not entirely justified, according to EU privacy watchdog Peter Hustinx.
Hustinx is the European Data Protection Supervisor (EDPS) and has published an official opinion calling into question the need to transfer passenger name records (PNR) on every passenger to a destination country for every flight.
"The EDPS considers that the bulk transfer of data about innocent people for risk assessment purposes raises serious proportionality issues," said the opinion. "The EDPS questions in particular the proactive use of PNR data. While 're-active' use of data does not raise major concerns, as far as it is part of an investigation of a crime already committed, real time and proactive use lead to a more critical assessment."
Hustinx, in the opinion, said that it was not reasonable to disclose one person's personal data because they might cause harm in the future.
"Neither the notion of risk indicators, nor the notion of 'risk assessment' is sufficiently developed, and the latter could easily be confused with the notion of 'profiling'," said the opinion. "This similarity is even strengthened by the alleged objective which is to establish 'fact based travel and behavioural patterns'."
"The EDPS questions the link between the original facts, and the patterns deduced from these facts. The process aims at imposing on an individual a risk assessment – and possibly coercive measures – based on facts which are not related to this individual," it said.
The EDPS is the watchdog for EU bodies themselves and provides data protection advice to EU bodies on policies they develop.
The opinion said that the EU Commission's development of rules was not proceeding logically. It should develop rules for inside the EU first, then use those as a basis for rules on transfers to third countries. Instead, it said, the Commission is doing the reverse.
"To ensure consistency, the EU should agree on its internal instruments and on the basis of these internal instruments it should negotiate agreements with third countries. The global agenda should therefore concentrate first on the general EU data protection framework, then on the possible need for an EU PNR scheme, and finally on the conditions for exchanges with third countries, based on the updated EU framework," said the opinion.
"The EDPS is aware of the fact that, for different procedural and political reasons, this ideal order is not being followed in practice," said the opinion.
It said that negotiations on third country transfers should take account of decisions made relating to transfers within the EU, and that negotiations with the US should be linked to an ongoing negotiation on data sharing for general law enforcement.
The opinion deals with issues raised in an official Commission Communication on PNR outlining general principles it will apply in negotiating with third countries about transfers.
Hustinx said in the opinion that parts of the Communication ignored advice given by him in the past and by the Article 29 Working Party, which is made up of all the EU nations' data protection watchdogs.
"PNR schemes presented in the Communication do not per se meet the necessity and proportionality tests as developed in this opinion and in previous opinions of the EDPS and the Article 29 Working Party," it said. "To be admissible, the conditions for collection and processing of personal data should be considerably restricted. The EDPS is in particular concerned about the use of PNR schemes for risk assessment or profiling."
The EDPS also objected to the Communication's treatment of sensitive personal data.
"The Communication indicates that sensitive data shall not be used unless in exceptional circumstances. The EDPS deplores this exception," it said. "He considers that the conditions of the exception are too broad and do not bring any guarantees ... he therefore calls for a complete exclusion of the processing of sensitive data, as a principle."
PNR deals have proved controversial, with the European Parliament rejecting Commission plans on deals with the US and other countries. The Commission is in the process of complying with Parliament demands that it lay out principles to govern all PNR deals with third countries.
See: The Opinion (9-page / 60KB PDF)
Copyright © 2010, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.
COMMENTS
Law and Safety
To my knowledge all the flights involved in 9/11 were all domestic flights, non were international but okay then, can the UK government have the same information on US citizens visiting the UK, on the grounds of looking for possible links to terrorist groups(IRA/Real IRA) or will US citizens start bleeting that it infinges on their constitutional righrs.......
The new Godwin?
"The United States has every right to demand that if you put someone on an airplane bound for the United States, you will have to disclose to the United States the information it requests about that person"
Does the reverse also apply? Will the US provide the EU with same level of detail for each of its citizens that fly to Europe? Would it not be easier for the US authorities to provide the details of people it didn't want coming in, rather than demanding the details of millions of innocent people and having to trawl through them?
"After the events of September 11, 2001, the reason for that should be obvious."
Why? The aircraft involved were on domestic flights. How would the EU providing PNR data have helped?
"If European authorities wish to risk bringing about a situation in which direct flights from Europe to the United States are no longer possible - instead, people wanting to go to the U.S. would need to go to, say, Newfoundland, and then transfer there - well, it wouldn't hurt the Canadian airport industry to have their bluff called."
It wouldn't hurt the Canadian tourist industry if transit passangers found Canada to be a nicer place to visit than its paranoid neighbour to the south?
Mentioning 11/09 is the new Mentioning Hitler. What do we call this new Godwin Law?
Reciprocity
The Commission is a completely undemocratic appointed body. The European Parliament should take priority as it is directly elected.
Regarding the data transfer, we should insist on the same data for all flights from the US. While we're at it, we should form two queues, one for US passport holders to be fingerprinted and iris scanned and the other to allow people swift travel to reclaim their luggage.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Steps to Take Before Choosing a Business Continuity Partner
Enabling efficient data center monitoring
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
