Privacy and data protection | Cross border access to data | Privacy and confidentiality

No legal basis for transfer of passenger data

By EDRi · March 27, 2003

The agreement between the European Commission and U.S. authorities on the transmission of passenger name record data (PNR) has encountered fierce opposition during a public hearing at the European parliament. The agreement gives the U.S Customs on-line access to passenger name record data of all EU based airlines for flights that go to, from or through the U.S.

During the 25 March public hearing in the European parliament the Commission argued that it had no choice but to accept the U.S. demands for passenger data. Threats to fine European airlines or even halt landing rights were taken very seriously by the Commission. But many participants were not satisfied with the explanation that the Commission had been blackmailed and couldn’t do anything about it. They argued that the transfer of PNR data has no legal basis and is a direct violation of the EU data protection directive.

Stefano Rodotà, chairman of the Article 29 Working Party (the coalition of EU privacy commissioners), concluded: “Everybody now realises how serious this is”. He said the EU must take its responsibility and act, otherwise every third country could change its law and force the EU to adopt foreign legislation. Three civil liberty organisations (EDRI, Statewatch and EPIC) testified during the hearing and expressed concern about the willingness of the European Commission to bypass EU law to satisfy the U.S.

The scope of the agreement is wide. The agreement says that “Customs will retain the data no longer than is required for the purpose for which it was stored”. But at the same time it is clear that the data is stored for an almost unlimited number of purposes, certainly not limited to fighting terrorism: “PNR data is used by Customs strictly for enforcement purposes, including use in threat analysis to identify and interdict potential terrorists and other threats to national and public security”. The U.S. Customs will also share the data with all other U.S. agencies: “Other law enforcement entities may specifically request PNR information from Customs and Customs, in its discretion, may provide such information for national security or in furtherance of other legitimate law enforcement purposes”. The agreement reads as an assurance that EU passenger data will be stored in FBI, NSA and CIA databases.

The PNR data consist of all relevant information related to a passengers flight: departure and return flights, connecting flights, special services required on board the flight (meals such as Kosher, Halal) and payment information such as credit card numbers.

EP public hearing: Grave concerns over data protection
http://www2.europarl.eu.int/omk/sipade2?PUBREF=-//EP//TEXT+PRESS+NR-20030326-1+0+DOC+XML+V0//EN&LEVEL=2&NAV=S#SECTION5

European Commission – US Customs talk on Passenger Name Record transmission
http://europa.eu.int/comm/external_relations/us/intro/pnr.htm