The EU has been given an ultimatum by a European Parliament committee to come to an arrangement with Washington to protect the personal data of European transatlantic passengers in the next two months.
In a unanimous resolution, the European Parliament Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) voiced their concerns over the distribution of personal data regarding transatlantic flights to the US by airlines companies.
The MEPs noted that negotiations between the US and the European Commission "had reached an impasse" and are now demanding that action is taken before 1 December.
In March 2003, with the Commission's backing, the US authorities got direct access to the booking systems of the main companies who fly to the US, without guaranteeing adequate protection of the data according to EU privacy laws. In accordance with new antiterrorist measures introduced in 2001 and 2002, Washington is in effect requiring airlines to provide them with 39 elements of information from their PNR (passenger-name records) databases, which includes passengers' telephone numbers and in-flight meal preferences.
The conditions of access, conservation and protection of the data aren't always guaranteed. The resolution adopted by the LIBE commission, which hasn't been submitted to the Parliament as a whole, insists that within the next two months, "if these conditions [of data protection] are not fulfilled, the Commission would have to prohibit companies from distributing passengers' personal data".
This would lead to something of a problem at airports, since the US is refusing to let any "non-conforming" planes land.
The resolution "invites the European Commission to determine which data can be legitimately distributed to third parties". According to the resolution, the Commission would have to assure that "there is no discrimination against non-American passengers" and that "in the event of problems arising, passengers have access to a fast and efficient appeal process".
One of the problems still to be resolved is the amount of data that is being collected said the commission -- "the objective that would justify the collection and storage of data remains imprecise and is not limited to the fight against terrorism"; "the number of data required (39 different PNR elements) seems excessive and out of proportion to the stated aim"; "the duration that data will be retained, six to seven years, seems unjustified, in particular for data concerning people who present no risk to the security of the US".
Above all, the MEPs are demanding "that there is no…data retention above the period which the passenger remains in US territory", which is thought to be unacceptable to US authorities.
On the other hand, they're keeping quiet on the role of the airlines themselves, which are ordered to put in place certain technical solutions, including filtering sensitive data, in order to for the PNR data transfer to be in accordance with the law.