EU-US negotiations about PNR Data

By EDRi · September 25, 2003

Negotiations about airline passenger data between the European Commission
and the US are stuck but both parties have agreed to solve their
differences before the end of this year. On 22 September, Asa Hutchinson,
US Under Secretary for Border & Transportation Security, met with EU
Commissioner Bolkestein, but that didn’t result in any public change of
the US position.

Since March the US has been demanding passenger data from European airlines
flying to or through the US. The data is sent to the US prior to flight
departure and used by the US to screen passengers and apply a risk
assessment. The passenger name record data (PNR) consist of 39 data items:
departure and return flights, connecting flights, special services
required on board the flight (meals such as Kosher, Halal) and payment
information such as credit card numbers. Airlines might lose landing
rights if they do not comply with US demands.

At the same time, a scandal broke out around passenger data from the US
carrier JetBlue. JetBlue voluntarily handed over the itinerary information
of 1.5 million passengers, including passenger name, address, and phone
number to a US Defence contractor. This contractor used the data to test
passenger screening software. The US Electronic Privacy Information Center
(EPIC) responded by filing a complaint with the Federal Trade Commission.
Since there is no legal privacy protection for passenger data in the US,
the claim could only be based on violation of JetBlue's own privacy policy.
EPIC also requested information from several federal agencies about
possible government use of JetBlue passenger data. The case illustrates
why European passengers should worry when their data are transferred to
the US.

The scope of the use of EU passenger data by the US is wide. An initial
agreement between the EU and US, which will now be revised, says that
‘Customs will retain the data no longer than is required for the purpose
for which it was stored’. But at the same time it is clear that the data
is stored for an almost unlimited number of purposes, certainly not
limited to the fight against terrorism: ‘PNR data is used by Customs
strictly for enforcement purposes, including use in threat analysis to
identify and interdict potential terrorists and other threats to national
and public security’.

The EU Commission and Parliament agree that the passenger data can only be
given to the US if an adequate level of data protection is in place. The
US handling of the data seems in no way adequate, as the purpose of the
data processing is not clearly defined, retention time is not limited and
supervision is not independent.

Bolkestein said on 9 September to the European Parliament Committee on
Citizens’ Freedoms and Rights, Justice and Home Affairs (LIBE) that
‘progress on the remaining issues has been rather disappointing’. It seems
no surprise as Tom Ridge, US Secretary of Homeland Security, said only a
few days earlier: “Looking at this request beyond just a data protection
issue but as a mutual security issue is something that can help us get
closer to resolving our differences”. On 29 September, LIBE will vote
about a proposal for a resolution by the European Parliament to stop all
transfer by 1 December 2003, if the US cannot guarantee adequate data
protection.

Draft motion for a European Parliament Resolution on PNR-data (24.09.2003)
http://www.europarl.eu.int/meetdocs/committees/libe/20030929/en.pdf

Speech Bolkestein on EU/US talks (09.09.2003)
http://europa.eu.int/rapid/start/cgi/guesten.ksh?p_action.gettxt=gt&doc=SPEECH/03/396|0|RAPID&lg=EN&display=

EPIC dossier on passenger profiling
http://www.epic.org/privacy/airtravel/profiling.html