EU and US sign draft passenger data pact

The European Commission has said that the draft EU-US agreement strengthens data protection for people using airlines in Europe, but a number of MEPs say the data-sharing agreement still may not be legal
Written by Tom Espiner, Contributor

The European Union and the US government have agreed to give European member states more control over air passenger data.

Plane in flight

The European Union and the US government have agreed a draft pact on the exchange of air passenger data.

The draft pact, which replaces a 2007 agreement that may have been illegal under European data laws, was signed on Thursday. The agreement will become binding if adopted by the European Parliament and Council.

"Protection of personal data has been my priority since the beginning of the negotiations in December 2010, and I am satisfied with the result, since it represents a big improvement over the existing agreement from 2007," said Cecilia Malmström, European commissioner for home affairs, in a statement. "The new agreement contains robust safeguards for European citizens' privacy, without undermining the effectiveness of the agreement in terms of EU and US security."

The new deal has "stricter safeguards on data protection, and clearer processes," Commission home affairs spokesman Michele Cercone told ZDNet UK on Friday. The agreement has been checked by the European Commission legal services department for possible legal issues.

The new agreement contains robust safeguards for European citizens' privacy, without undermining the effectiveness of the agreement in terms of EU and US security.
– Cecilia Malmström, European commissioner

Passenger Name Record (PNR) data is among the information that is shared with US authorities by airlines operating in the European Union. Data includes name, names of fellow travellers, address, financial details, contact information, and general remarks. Data such as Advance Passenger Information (API), including flights and hotel reservations, is also shared.

Decisions that adversely affect passengers based purely on the automatic processing of data will be prohibited under the draft agreement, to address concerns that passengers are being illegally profiled, according to a European Commission document seen by ZDNet UK.

Passengers will have the right to access their data under the US Freedom of Information Act, and have the right to request the correction or deletion of incorrect data, rights which were not part of the 2007 agreement, according to the document.

'Depersonalised' data

Data will be held for six months before being 'depersonalised'. After five years the data will be moved to a 'dormant' database, requiring stricter access requirements for US officials. US law enforcement has up to 10 years to access the data to investigate serious crime, and 15 years for terrorist investigations.

ZDNet UK understands that 'depersonalised' data is not anonymised, but certain data fields are masked, and can be unmasked. In addition, data that remains in unmasked fields, such as credit card information, can be used to identify people.

Processing of PNR must be logged for audit purposes, and be subject to independent oversight by the US chief privacy officer, the DHS Office of Inspector General, the Government Accountability Office, and the US Congress, provisions which were not in the 2007 agreement, according to the Commission document.

The draft agreement limits the use of data to detection and prevention of terrorism and transnational crime, a scope that was not defined in the 2007 agreement. For the US to use the data, the suspected crimes must carry a penalty of at least three years under US law, rather than the one-year limit that the US had previously used.

The 2007 agreement between the European Union and the US was set out in an agreement document and a number of letters, whereas the new draft agreement is set out in one text.

Draft concerns

ZDNet UK understands that some members of the European Council, notably France and Germany, are not happy with the revised agreement, and plan to vote against accepting the draft.

Everything that has been agreed between the European Union and the US seems to have been written in disappearing ink.
– Gus Hosein, Privacy International

European Parliament MEPs from the liberal, green and left group also have concerns about the revised draft, according to German Green MEP Jan Philipp Albrecht.

"The main concern is the blanket retention of data for 15 years," Albrecht told ZDNet UK on Friday. "Fifteen years is seen to be disproportionate and problematic. The danger of law-enforcement authorities building personal profiles gets higher and higher."

There have been a number of court cases that reinforce this view, including a German Constitutional Court case in March 2010 regarding the retention of telecoms data, said Albrecht.

The three-year imprisonment threshold of a suspected crime to justify law enforcement accessing the data is also a concern. "This is a very intrusive measure for a really wide range of crimes," said Albrecht.

US permissions

In addition, a sticking point is also a provision that  would grant US authorities permission to 'pull' data from airline reservation systems, said Albrecht. At present, the US has unlimited access to European airline reservation systems, and can pull data on any traveller. The draft agreement seeks to make the majority of cases a 'push' measure, under which airline carriers would automatically aggregate data, and submit it to US authorities. However, it leaves a provision that the US can still pull the data it wants.

"The huge problem is that this is not logged, so the carrier could not check if the agreement has been executed in the right way," said Albrecht.

The US engages in automated profiling of the risks posed by passengers using the Automated Targeting System, according to campaign groups Privacy International and the American Civil Liberties Union.

Provisions for the sharing of PNR data in the draft agreement could mean the data can be shared with law enforcement agencies and departments across the US, Gus Hosein, a senior fellow with Privacy International, told ZDNet UK on Friday.

"Everything that has been agreed between the European Union and the US seems to have been written in disappearing ink," said Hosein. "Once data is in the hands of the US government, it's shared across the US government, and shared right down to the tribal level of law enforcement."

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Editorial standards