
EU-US name-swap deal actually gives passengers MORE privacy

Better than interim deal ... but still keeps your data for 5 years


The European Parliament has approved a controversial new agreement allowing the EU to exchange airline passenger information with the US, it has announced.

The EU said that the agreement (37-page/138KB PDF), which sets out the conditions under which passenger name record (PNR) data can be transferred, would provide "legal certainty" to airlines. However, it acknowledged that a "significant minority" of MEPs had voted against the agreement due to concerns over data protection safeguards, including Dutch MEP Sophie in 't Veld, who authored the Parliament's initial report into the agreement.

The new agreement, which will be formally approved by justice ministers next week, replaces a provisional arrangement which has been in place since 2007. The UK announced that it had opted in to the agreement in a ministerial statement last month.

EU privacy watchdogs the European Data Protection Supervisor (EDPS) and Article 29 Working Party have both expressed their concerns about certain aspects of the agreement. However, Home Affairs Commissioner Cecilia Malmström said that the three European institutions had created an agreement that they could be "proud of".

"[The agreement] provides stronger protection of EU citizens' right to privacy and more legal certainty for air carriers than the existing EU-US PNR Agreement from 2007," she said. "At the same time, it fully meets the security needs of the United States of America and the EU. Under the new agreement, data of passengers travelling to the United States of America will be used to fight serious transnational crime and terrorism. It will be made anonymous six months after a passenger's flight."

The agreement requires airline carriers flying from the EU into the US to share PNR data about all their passengers with the US Department of Homeland Security (DHS) for the purpose of the "prevention, detection, investigation and prosecution" of terrorism and certain 'transnational' crimes punishable by three or more years of imprisonment. Under the agreement PNR data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases. The DHS is similarly "obliged" to share PNR data with EU law enforcement for the same purposes.

PNR data can include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details. US authorities will be able to store this information in an 'active database' for up to five years. Information which could be used to identify a passenger must be "depersonalised" after six months, with identifying information such as name and contact details codified.

After the first five years the data will be moved to a 'dormant' database, with stricter access requirements for US officials. It may be retained for a further 10 years before being fully anonymised.

The agreement contains new data protection provisions, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data. EU citizens will also have the right to access their own PNR data and seek corrections or possible erasure by the DHS where this is found to be inaccurate. The agreement also provides "the right to administrative and judicial redress in accordance with US law" to EU citizens whose data is misused.

Earlier this year the Article 29 Working Party, which is made up of representatives from the data protection authorities of the EU's 27 member states, said that the new agreement enabled overly prescriptive collection of personal data. In December, EDPS Peter Hustinx said that any passenger data transferred under a new agreement should be deleted "immediately after its analysis" or after a maximum of six months. He also said that any data should only be used to combat terrorism or a well-defined list of serious international crimes.

The European Parliament adopted a PNR agreement with Australia in October 2011, and is currently negotiating a similar deal with Canada. The Commission has also proposed its own Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-UK flights.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
