EU--U.S. passenger data deal a "severe blow to civil liberties"

Summary: The EU--U.S. Passenger Name Records Agreement has been passed, despite the agreement's rapporteur recommending that it should not be passed. Another blow to civil liberties.

A couple of weeks since Europe's Committee for Civil Liberties (LIBE) voted in favour of passing the new EU--U.S. passenger data deal, the European Parliament followed suit in what was an inevitable passing of the new agreement.

But it did not go ahead without controversy or extreme opposition from the Member of the European Parliament (MEP) who was tasked with investigating the deal.

The deal --- which was to renew a provisional 2007 agreement --- passed with 409 votes in favour, 226 against, and 33 abstentions. MEPs rejected a proposal to refer the agreement to the European Court of Justice, the highest court in Europe, after the controversial bill was dubbed by Dutch MEP and LIBE committee vice-chair Sophie in 't Veld as a "severe blow to civil liberties".

Before a flight leaves the airport, airlines must make passenger data available to the U.S., so that passengers can, if need be, be detained at their U.S. destination airport.

Names, dates of birth, addresses, credit or debit card details and seat numbers are amongst the data --- even though critics say the information has never helped catch a suspected criminal or terrorist before.

However, the new agreement also includes 19 other pieces of sensitive passenger information, such as sexual orientation, medical records, and even religious data.

The deal allows the U.S. government to access passenger name record (PNR) data on those flying to or from the United States. It allows U.S. authorities to retain the data indefinitely, but for up to 15 years in its current format --- an increase of a decade since the 2007 agreement --- while the data is "depersonalised" after six months.

While names and addresses will be redacted after this time period, it does not restrict the U.S. from accessing that data again.

After the first five years, the data is moved to a dormant database, and all data is anonymised once the 15-year deadline is up.

But only last year, the European Commission's own legal staff said the agreement was "unlawful," and expressed "grave doubts" that the deal would fall in line with Europe's strict data protection rules.

There are, however, no guarantees that the data will not be deleted, because European data protection laws do not cover the United States. in 't Veld's main concern is what the data will be used for outside the realms of what it was intended for.

The fact of the matter is that the U.S. is well outside of Europe's jurisdiction --- though Europe is not outside the U.S.' jurisdiction --- and the data collected on millions of people per day can be used for any number of purposes, like racial profiling or financial analysis. European citizens' data can be exploited for the U.S.' means and goals, despite less than a handful of cases being noted where passenger data has ever gone on to solve serious and organised crime, or terrorism offences.

But the vote comes as a surprise for many --- more so from the LIBE committee itself. Up until recently, the committee had been pushing for the agreement to be weighted evenly in Europe's favour, and attempted to push back plans to allow the U.S. to access more of European citizens' data.

What changed? Was U.S. lobbying to blame? It wouldn't be the first time after all, knowing how the U.S. conducted itself in SOPA-style laws, as well as "fierce lobbying" described by the EU Justice Commissioner Viviane Reding in Brussels earlier this year.

in 't Veld, the agreement's rapporteur --- or the person appointed by the Parliament to investigate the deal --- heavily disagreed with the terms, and advised that the LIBE committee should reject it. It comes only a few months since an "acceptable" agreement was set up between the EU and Australia.

"I don't understand why we managed to get an acceptable agreement with our Australian friends, but not with our American friends and allies?" she said, speaking during the current plenary session of the European Parliament in Strasbourg.

"The decision of the European Parliament does not reflect my recommendation. Therefore I choose to distance myself from it." Granted, should the agreement not have gone ahead, it may have meant "the visa privileges for European travellers to the U.S. fell," in 't Veld noted.

"To reduce the data exchange is not limited to information necessary for the fight against terrorism and serious trans-national crime, as stipulated by the Parliament, but the U.S. may also use the data for other, less-explicitly defined purposes such as immigration and border controls."

Simply put, they can use the data for whatever they like.

It would have also left at least two airlines in a legal quagmire: either they can violate U.S. law, or violate EU law.

But we have had this dilemma before, and it continues to cause legal headaches.

U.S.-based cloud computing providers often have as many or more European users than they do at home. These providers often have datacenters in Europe to comply with EU law, whereby effectively EU data should not leave the EU unless a third country can guarantee the same level of data protection as a European country can. Not many of them exist.

But if the U.S. government requests the data, it can pass a law enforcement request to the parent company, which in turn passes it to its wholly-owned European subsidiary, forcing it to hand the data back to its U.S.-based parent company, where the data automatically falls under U.S. law, making it vulnerable to U.S. inspection.

This was proved when Microsoft UK's managing director Gordon Frazer admitted it to ZDNet last year.

Nobody is denying that there is an ongoing fight against terrorism. In the last few years, there have been numerous attempts to detonate explosives on airliners across the Atlantic and in the United States. But at what point does this become a gross invasion of one's privacy?

"We've seen numerous attempts to blow up transatlantic airliners in recent years, how stupid would we look if we had the chance to stop one of these things, and one of the terrorists actually got through, so we have to err on the side of public safety on this," said Martin Callanan, the leader of the European Parliament's Conservative group.

No, we do not have to "err on the side of public safety." There has to ultimately be a balance, and that balance has not been met. Once again, European citizens are at the behest of the U.S. authorities, and Europe's sovereign territory ultimately becomes an extension of North America.

But politics is politics. After all, it's only the ordinary people getting hurt.

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
