Feeds

EU-US name-swap deal actually gives passengers MORE privacy

Better than interim deal ... but still keeps your data for 5 years

Secure remote control for conventional and virtual desktops

The European Parliament has approved a controversial new agreement allowing the EU to exchange airline passenger information with the US, it has announced.

The EU said that the agreement (37-page/138KB PDF), which sets out the conditions under which passenger name record (PNR) data can be transferred, would provide "legal certainty" to airlines. However, it acknowledged that a "significant minority" of MEPs had voted against the agreement due to concerns over data protection safeguards, including Dutch MEP Sophie in 't Veld, who authored the Parliament's initial report into the agreement.

The new agreement, which will be formally approved by justice ministers next week, replaces a provisional arrangement which has been in place since 2007. The UK announced that it had opted in to the agreement in a ministerial statement last month.

EU privacy watchdogs the European Data Protection Supervisor (EDPS) and Article 29 Working Party have both expressed their concerns about certain aspects of the agreement. However, Home Affairs Commissioner Cecilia Malmström said that the three European institutions had created an agreement that they could be "proud of".

"[The agreement] providers stronger protection of EU citizens' right to privacy and more legal certainty for air carriers than the existing EU-US PNR Agreement from 2007," she said. "At the same time, it fully meets the security needs of the United States of America and the EU. Under the new agreement, data of passengers travelling to the United States of America will be used to fight serious transnational crime and terrorism. It will be made anonymous six months after a passengers' flight."

The agreement requires airline carriers flying from the EU into the US to share PNR data about all their passengers with the US Department of Homeland Security (DHS) for the purpose of the "prevention, detection, investigation and prosecution" of terrorism and certain 'transnational' crimes punishable by three or more years of imprisonment. Under the agreement PNR data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases. The DHS is similarly "obliged" to share PNR data with EU law enforcement for the same purposes.

PNR data can include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details. US authorities will be able to store this information in an 'active database' for up to five years. Information which could be used to identify a passenger must be "depersonalised" after six months, with identifying information such as name and contact details codified.

After the first five years the data will be moved to a 'dormant' database, with stricter access requirements for US officials. It may be retained for a further 10 years before being fully anonymised.

The agreement contains new data protection provisions, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data. EU citizens will also have the right to access their own PNR data and seek corrections or possible erasure by the DHS where this is found to be inaccurate. The agreement also provides "the right to administrative and judicial redress in accordance with US law" to EU citizens whose data is misused.

Earlier this year the Article 29 Working Party, which is made up of representatives from the data protection authorities of the EU's 27 member states, said that the new agreement enabled overly prescriptive collection of personal data. In December, EDPS Peter Hustinx said that any passenger data transferred under a new agreement should be deleted "immediately after its analysis" or after a maximum of six months. He also said that any data should only be used to combat terrorism or a well-defined list of serious international crimes.

The European Parliament adopted a PNR agreement with Australia in October 2011, and is currently negotiating a similar deal with Canada. The Commission has also proposed its own Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-UK flights.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Internet Security Threat Report 2014

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Special pleading against mass surveillance won't help anyone
Protecting journalists alone won't protect their sources
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.