On 19 April 2012 the European Parliament voted to approve a new bilateral agreement between the EU and USA which permits the transfer of passenger name record (PNR) data to the US Department of Homeland Security (DHS) from airlines flying from the EU to the USA. The data is being transferred for the purposes of national security.
The European Data Protection Regime
The European Data Protection regime is set out in the EC Data Protection Directive (95/46/EC) (the Directive), which has been implemented by all 27 EU member states (Member States). The Directive requires Member States to impose certain standards on the entities (data controllers) which collect and control the use of personal data relating to individuals (data subjects) regarding the manner in which they collect, use and distribute the data while it is under their control.
The Directive provides that the transfer of personal data to a country outside the EU is allowed only if the country in question ensures "an adequate level of protection". Presently, the USA is not on the list of countries designated by the European Commission as providing an "adequate level of protection". It has, therefore, been necessary for the Commission to negotiate an agreement with the DHS which ensures "adequate levels of protection" for the transfer of personal data. On 19 April 2012 the European Parliament approved this agreement by 409 votes to 226.
EU-US PNR Agreement
The new Agreement replaces the 2007 PNR Agreement which has been provisionally applied pending the adoption of a new agreement. The new PNR Agreement requires airlines flying from the EU to the USA to send and share PNR data about all their passengers with the DHS for the purposes of "prevention, detection, investigation and prosecution" of terrorism and certain other cross-border offences.
PNR data is information provided by passengers and collected by carriers during reservation and check-in procedures. This includes information such as the passenger's name, address, phone number, credit card details, travel agency data, baggage information, and seat number and can also include "sensitive data" such as meal choices and some sensitive health information.
Under the agreement the US authorities may keep PNR data in an active database for up to 5 years. After the first 6 months, all information which could be used to identify a passenger would be codified so that the passenger's name or her/his contact information would be removed (but would still be recoverable were it required). After 5 years, the data is transferred to a database for up to 10 years, with stricter access requirements for US officials. After this all information which could serve to identify the passenger will be removed.
Controversial agreement
The terms of the agreement are controversial, and have been the subject of an adverse opinion issued by the European Data Protection Supervisor. This is illustrated by the fact that a significant minority of MEPs voted against the deal due to concerns over data protection safeguards, including Dutch MEP Sophie in't Veld who authored the Parliament's initial report into the agreement.
Under the new PNR agreement data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases, and on a case-by-case basis in the event of a serious threat or if ordered by a US court. This has raised concerns that PNR data may also be used for border control purposes.
The agreement does contain some new data protection provisions aimed at tightening up the position which was put in place under the 2007 arrangement, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data. Provisions have been inserted into the new agreement which allows EU citizens to access their own PNR data and to seek corrections or possible erasure by the DHS where information is inaccurate. The agreement also provides that EU citizens will have the right to administrative and judicial redress in accordance with US law if their personal data is misused.
Comment
Although this new agreement does ostensibly fly somewhat in the face of the existing European data protection regime, it is probably right that, due to the current global security environment, some legislative arrangement be put in place to regulate the sharing of data in order to ensure the safety of air travel and of passengers.
What remains moot, however, is the proportionality of the measures approved by the European Parliament - the amount of data collected seems to be quite extensive and one would query the rationale for some of the heads of data which are to be collected. It is also vital to ensure that the passengers from whom the data is collected are aware of the collection of the data, the reasons for this collection and what is to happen to the data. Whilst this will not change the fact that the data is being collected, it will at least go some way towards demonstrating that the authorities are acting transparently regarding the collection and transfer outside the EU of the passenger data.
Next steps
In the UK, the Justice and Home Affairs Ministers will formally approve the agreement on 26 April, and other national ministers across the Eurozone will act similarly shortly. This agreement will replace the 2007 agreement and will apply for 7 years. All airline carriers will be required to send PNR data to the DHS within 2 years of the agreement's entry into force.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
