Original URL: http://www.theregister.co.uk/2011/06/22/pnr_eu/
US plan to hold EU passenger data for 15 yrs 'unlawful'
Database likely to be used against non-serious crimes
A reported plan to allow the US to retain the personal details of inbound EU air passengers for 15 years would be unlawful, lawyers for the European Commission have said, according to a newspaper report.
The Guardian, which reported last month that the US wanted to keep the information for 15 years, has reported that Commission lawyers have advised against acceding to the US's reported request.
The European Commission and US have an agreement to share passenger name data, a record of data on every air passenger. Data is collected by airlines and passed to authorities at the destination to aid counter-terrorism activities.
Data protection laws in the EU state that member countries must protect individuals' rights to freedom and privacy when handling personal data.
The EU also has PNR agreements with Australia and Canada and is developing a PNR Directive to govern the transfer of PNR to other countries.
Lawyers have advised the Commission that allowing the US to retain details about passengers for 15 years would be disproportionate to the security threat countries face, according to the Guardian. According to papers published the data would be held in an active database for five years and a 'dormant database' for up to a further 10 years.
"It appears highly doubtful that a period of 15 years can be regarded as proportional," the lawyers said in an opinion, according to the Guardian report.
Any new US PNR agreement would have to be approved by EU law makers. The European Parliament has questioned the need for PNR arrangements with the US in the past, and has previously blocked transfer deals with US authorities.
"Despite certain presentational improvements, the draft agreement does not constitute a sufficiently substantial improvement of the agreement currently applied on a provisional basis, the conclusion of which was refused on data protection grounds by the European Parliament," the lawyers said, according to the Guardian.
The lawyers are concerned that allowing PNR data to be used to target offences that carry a year's jail sentence would allow the information to be used for wider purposes than to combat terrorism and serious crime that the agreement defines.
"Given the low maximum penalty, it is likely to include a very large number of crimes which cannot be regarded as serious. This point alone puts the proportionality of the agreement in question," the lawyers said.
Wording in the draft agreement which says passenger information will be used to "ensure border security" means the passenger database will be used for other minor offences not linked to terrorism or serious crime, the lawyers said as per the report.
"For these reasons the legal service does not consider the agreement in its present form as compatible with fundamental rights," the lawyers were quoted as saying.
The lawyers also expressed concern whether passengers would be able to obtain compensation if their personal data was mis-used under the terms of the agreement, the report said.
"All redress is made subject to US law, while the forms of redress explicitly guaranteed are administrative only and thus at the discretion of the department of homeland security," the lawyers said, according to the Guardian.
Privacy officials working for the US department of homeland security do not represent independent observers of how PNR data is used, the lawyers said, according to the report.
Opinion is split among EU countries over the contents of the PNR agreement with the US, the Guardian said. A leaked document from an EU meeting last week showed that France, Germany, Italy, Holland and others are opposed to the proposed deal with the UK, Ireland, Sweden and Estonia the only countries backing it, the Guardian report said.
According to the report, the European Commission said that finalised agreement could be tested in the European courts.
The EU is acting against its own legal advice by agreeing to increase the time passenger data can be retained, a member of the European Parliament's civil liberties committee said, according to the Guardian.
"The commission cannot simply continue to stick its fingers in its ears, and it is high time that it dropped its obsession with PNR," Jan Philipp Albrecht, a German Green party MEP said, according to the Guardian report.
"This means going back to the drawing board and renegotiating the draft agreements with the US, Australia and Canada on passenger record retention, ensuring these agreements are in line with EU data protection law," Albrecht said, according to the Guardian.
"It also means dropping the proposed legislation on the retention of passenger data within the EU".
Plans to create new laws covering the recording, use and storage of airline passenger data are currently being developed by EU countries. Last year the European Commission said a new PNR Directive was needed to prevent passengers travelling if they are suspected of being involved in terrorism or serious crime.
Under the proposed Directive airlines would have to send information such as passengers' home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details to countries before its planes can land.
The Commission initially outlined plans to make the Directive applicable to flights in and out of the EU. Recent negotiations between EU members suggest that the Directive's remit may be expanded to cover flights within the EU, though.
In May the UK Government opted to support the EU proposals after it said 15 other countries supported an extension of the plans to include passenger tracking on flights within the EU.
The UK, US, Canada and Australia already require PNR data to be sent, but the Directive would extend PNR collection across Europe for the first time.
Copyright © 2011, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.