Original URL: https://www.theregister.com/2012/04/23/us_eu_passenger_data_agreement/

EU-US name-swap deal actually gives passengers MORE privacy

Better than interim deal ... but still keeps your data for 5 years

By OUT-LAW.COM

Posted in Legal, 23rd April 2012 08:04 GMT

The European Parliament has approved a controversial new agreement allowing the EU to exchange airline passenger information with the US, it has announced.

The EU said that the agreement (37-page/138KB PDF), which sets out the conditions under which passenger name record (PNR) data can be transferred, would provide "legal certainty" to airlines. However, it acknowledged that a "significant minority" of MEPs had voted against the agreement due to concerns over data protection safeguards, including Dutch MEP Sophie in 't Veld, who authored the Parliament's initial report into the agreement.

The new agreement, which will be formally approved by justice ministers next week, replaces a provisional arrangement which has been in place since 2007. The UK announced that it had opted in to the agreement in a ministerial statement last month.

EU privacy watchdogs the European Data Protection Supervisor (EDPS) and Article 29 Working Party have both expressed their concerns about certain aspects of the agreement. However, Home Affairs Commissioner Cecilia Malmström said that the three European institutions had created an agreement that they could be "proud of".

"[The agreement] providers stronger protection of EU citizens' right to privacy and more legal certainty for air carriers than the existing EU-US PNR Agreement from 2007," she said. "At the same time, it fully meets the security needs of the United States of America and the EU. Under the new agreement, data of passengers travelling to the United States of America will be used to fight serious transnational crime and terrorism. It will be made anonymous six months after a passengers' flight."

The agreement requires airline carriers flying from the EU into the US to share PNR data about all their passengers with the US Department of Homeland Security (DHS) for the purpose of the "prevention, detection, investigation and prosecution" of terrorism and certain 'transnational' crimes punishable by three or more years of imprisonment. Under the agreement PNR data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases. The DHS is similarly "obliged" to share PNR data with EU law enforcement for the same purposes.

PNR data can include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details. US authorities will be able to store this information in an 'active database' for up to five years. Information which could be used to identify a passenger must be "depersonalised" after six months, with identifying information such as name and contact details codified.

After the first five years the data will be moved to a 'dormant' database, with stricter access requirements for US officials. It may be retained for a further 10 years before being fully anonymised.

The agreement contains new data protection provisions, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data. EU citizens will also have the right to access their own PNR data and seek corrections or possible erasure by the DHS where this is found to be inaccurate. The agreement also provides "the right to administrative and judicial redress in accordance with US law" to EU citizens whose data is misused.

Earlier this year the Article 29 Working Party, which is made up of representatives from the data protection authorities of the EU's 27 member states, said that the new agreement enabled overly prescriptive collection of personal data. In December, EDPS Peter Hustinx said that any passenger data transferred under a new agreement should be deleted "immediately after its analysis" or after a maximum of six months. He also said that any data should only be used to combat terrorism or a well-defined list of serious international crimes.

The European Parliament adopted a PNR agreement with Australia in October 2011, and is currently negotiating a similar deal with Canada. The Commission has also proposed its own Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-UK flights.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.