Passenger data pact is 'too broad' says watchdog

A draft data agreement that allows US authorities to hold European citizens' airline passenger data for up to 15 years has been criticised by European Union data protection officials.

The draft pact, which replaces a 2007 agreement that may be illegal, is too broad in scope, European data protection supervisor (EDPS) Peter Hustinx said in a statement on Tuesday.

"Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfil strict conditions," said Hustinx. "Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the member states have not been met."

Passenger Name Record (PNR) data is part of the data set that European air carriers automatically share with US authorities. Data includes names of passengers and fellow travellers, payment details, address, contact data, and general remarks.

Hustinx said that passenger data should be deleted after a maximum period of six months.

Under the draft, the crimes that can be investigated using the data are too broad, said Hustinx. PNR data should only be used for terrorism or a well defined list of crimes, said Hustinx, rather than the draft specification of crimes which could attract a minimum three-year prison sentence.

The types of data that are transferred are too broad, according to EDPS, and should exclude sensitive data. US authorities should not be able 'pull' data from air carriers' systems, and citizens should have a right of legal redress.

A number of members of the European Parliament have similar concerns to Hustinx about the 15 year data retention period. Green MEP Jan Philipp Albrecht told ZDNet UK in November that the retention period was one of the Greens' and Liberals' major concerns.