Campaign against the illegal transfer of European travellers' data to the USA

EDRI campaign at Schiphol airport (Amsterdam).

EDRI and its partners held successful actions on 20 May at Schiphol (Amsterdam), Zaventem (Brussels) and Vienna airport.

At all three airports EDRI members have provided airline passengers with important information about the transfer of their personal data to US authorities. Passengers were given a letter they can send to the national Data Protection Authority in their country to request an investigation of the illegal transfer of their personal data.

The action in Amsterdam was done by Bits of Freedom with Kathalijne Buitenweg (member of the European parliament) and Marijke Vos and Jan de Wit (members of the Dutch parliament). In Brussels Kathalijne Buitenweg and Marco Cappato (both members of the European parliament) informed passengers. In Vienna passengers were given information and letters by Public Netbase.

Campaign launching event at the EU Parliament: Marco Cappato (MEP), Maurice Wessling (EDRI), Kathalijne Buitenweg (MEP) and Cedric Laurant (EPIC).

!!Download the letter to an airline
*English
*Danish
*Dutch
*Finnish
*French
*German
*Italian
*Spanish

!!Download the letter to your National Data Protection Commissioner
*English
*Danish
*Dutch
*Finnish
*French
*German
*Italian
*Spanish

!!Press release
*English
*Dutch
*Finnish
*French
*German
*Spanish

!!What is wrong with the transfer?

Since 5 march 2003, United States authorities have had access to most European airlines’ passenger databases. An agreement (the “joint statement”) between the European commission and United States Customs gives the USA online access to passenger name record (PNR) data of all Europe-based airline carriers for flights that go to, from or through the USA.

The PNR data consist of all relevant information related to a passenger’s flight: departure and return flights, connecting flights, special services required on board the flight (meals such as kosher or halal) and payment information such as the credit cards used to purchase the ticket.

Under EU privacy regulations, the transfer of personal data to third countries that do not have laws adequately protecting individuals’ privacy is prohibited, unless the individual consents to the transfer of his/her data. Most passengers, when they book a flight to the USA, are not even notified that their data is directly sent to US law enforcement authorities. European travellers, therefore, do not have any possibility to object to the transfer.

EU privacy laws also provide that the use, retention and processing of personal data must be clearly specified, and the use of those data limited to the purposes for which the personal data were collected. However, the agreement between the European commission and the US government hardly puts any limitation in place.

The agreement mentions that the data can be used “for enforcement purposes” and that it can be retained as long as it is “required for the purpose for which it was stored”. The agreement also mentions that US Customs may share the data with other US agencies for “legitimate law enforcement purposes”. Those terms read like an assurance that all European passengers’ data could be stored in FBI and other US agencies’ databases for many years to come and will be used for broad and vague law enforcement purposes. Those purposes are very different from the limited anti-terrorism objectives, that the US government claimed, originally justified their request for more EU passenger data from European airline companies.

The European commission has agreed to this transfer after the US government threatened EU airline carriers with heavy fines in case of non-compliance. The European commission, by giving in too easily under the US government’s pressure, failed to fulfil its role as the guardian of the EU Treaty and EU laws. It thereby seriously disregarded EU travellers’ privacy rights.

!!What can you do?

If you have flown to the USA after 5 march 2003 you can request access to your personal data and complain to your national data protection authority about the use of such data. We have provided you with two model letters to make it easy for you to complain. All you need to do is fill in your personal information, as well as the additional details specific to your case, and send the letter by postal service or fax to the airline carrier you recently used to fly to the USA and to the data protection authority of your country.

The first letter is a request to the airline company to have them provide you with all the personal data they have on you and inquire about what they do with those data. It also asks which of those personal data the airline carrier has transferred to US authorities.

The second letter is a complain to your national data protection authority in which you ask that authority to investigate the lawfulness of the way your airline carrier processed your personal data and transferred them to the USA.

Both letters compel your airline carrier and your national data protection authority to investigate the legal basis of the transfer of personal data to the USA. By sending this complaint letter, you show the European commission, the European parliament, the council of the EU and your data protection authority that you are worried about your privacy and how all your data might be used by US authorities.

If you do not want the European commission to give your privacy away, write these letters today to show that you want to claim back your privacy rights.