EU-US name-swap deal actually gives passengers MORE privacy

Better than interim deal ... but still keeps your data for 5 years

The European Parliament has approved a controversial new agreement allowing the EU to exchange airline passenger information with the US, it has announced.

The EU said that the agreement (37-page/138KB PDF), which sets out the conditions under which passenger name record (PNR) data can be transferred, would provide "legal certainty" to airlines. However, it acknowledged that a "significant minority" of MEPs had voted against the agreement due to concerns over data protection safeguards, including Dutch MEP Sophie in 't Veld, who authored the Parliament's initial report into the agreement.

The new agreement, which will be formally approved by justice ministers next week, replaces a provisional arrangement which has been in place since 2007. The UK announced that it had opted in to the agreement in a ministerial statement last month.

EU privacy watchdogs the European Data Protection Supervisor (EDPS) and Article 29 Working Party have both expressed their concerns about certain aspects of the agreement. However, Home Affairs Commissioner Cecilia Malmström said that the three European institutions had created an agreement that they could be "proud of".

"[The agreement] provides stronger protection of EU citizens' right to privacy and more legal certainty for air carriers than the existing EU-US PNR Agreement from 2007," she said. "At the same time, it fully meets the security needs of the United States of America and the EU. Under the new agreement, data of passengers travelling to the United States of America will be used to fight serious transnational crime and terrorism. It will be made anonymous six months after a passenger's flight."

The agreement requires airline carriers flying from the EU into the US to share PNR data about all their passengers with the US Department of Homeland Security (DHS) for the purpose of the "prevention, detection, investigation and prosecution" of terrorism and certain 'transnational' crimes punishable by three or more years of imprisonment. Under the agreement PNR data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases. The DHS is similarly "obliged" to share PNR data with EU law enforcement for the same purposes.

PNR data can include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details. US authorities will be able to store this information in an 'active database' for up to five years. Information which could be used to identify a passenger must be "depersonalised" after six months, with identifying information such as name and contact details codified.

After the first five years the data will be moved to a 'dormant' database, with stricter access requirements for US officials. It may be retained for a further 10 years before being fully anonymised.

The agreement contains new data protection provisions, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data. EU citizens will also have the right to access their own PNR data and seek corrections or possible erasure by the DHS where it is found to be inaccurate. The agreement also provides "the right to administrative and judicial redress in accordance with US law" to EU citizens whose data is misused.

Earlier this year the Article 29 Working Party, which is made up of representatives from the data protection authorities of the EU's 27 member states, said that the new agreement enabled overly prescriptive collection of personal data. In December, EDPS Peter Hustinx said that any passenger data transferred under a new agreement should be deleted "immediately after its analysis" or after a maximum of six months. He also said that any data should only be used to combat terrorism or a well-defined list of serious international crimes.

The European Parliament adopted a PNR agreement with Australia in October 2011, and is currently negotiating a similar deal with Canada. The Commission has also proposed its own Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-UK flights.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
