PNR: EU Commission negotiates breach of law

On 16 December the European Commission presented the long-awaited outcome
of its negotiations with the U.S. Department of Homeland Security on the
transfer of Passenger Name Record (PNR) data to the U.S. As expected, the
outcome is a foul compromise, creating a permanent breach of law.

According to European data protection principles, personal data can only be
transferred from Europe if the recipient has an adequate level of data
protection. In the case of PNR data, the Commission will always issue a
finding of adequacy in order to legitimise the transfer already taking
place. The outcome of the finding – quite a lengthy procedure – is thereby
already anticipated: it has to be positive, or the EU Commission and the
aviation industry would be in trouble.

The proposed solution for the problem is the development of ‘push’ system
for data to be actively transmitted to the USA, after filtering out the
unnecessary information. That future development is now also used to
justify current practices.

In order to make the agreement more acceptable for the EU, the U.S. have
reduced their demand from 60 data fields per passenger to 34, and promised
to retain the data for ‘only’ 42 months instead of 50 years, as they had
intended originally. In addition, they assure that the data will not be
shared with any other agencies outside the homeland department. There is no
way, however, to assure that any of this is going to happen.

The Commission says that Homeland’s chief privacy officer “has agreed to
receive and handle in an expedited manner representations from Data
Protection Authorities in the EU on behalf of citizens who consider that
their complaints have not been satisfactorily resolved by the department”.
But the chief privacy officer is not independent, she works under the
department’s chief Tom Ridge.

The European parliament responded divided. The rapporteur on this subject,
Liberal MEP Johanna Boogerd-Quaak called on commissioner Bolkestein to
bring the matter to the European Court of Justice himself, instead of
waiting for parliament to do it.

Meanwhile, the European Union has a project of its own aiming at obliging
third countries to transfer flight passengers’ personal data. The report,
going back to a Spanish initiative, is currently being dealt with in the
LIBE Committee. It is being justified by the presumed need ‘to combat
illegal immigration effectively’. The big difference with the U.S. demands
is however that, presently at least, the data comprises only “the number of
the passport or travel documents used, nationality, first name and family
name(s) and the date and place of birth”, and are to be deleted “after the
border checks on passengers have been completed”. In the future the EU aims
at “the creation of a multilateral framework for PNR Data Transfer within
the International Civil Aviation Organisation (ICAO)”. The intention is
clear: When PNR transfer is part of an international agreement under the
ICAO, a UN body, EU concerns with data protection will have to step back –
and the Commission can avoid more lengthy negotiations.

Communication from the Commission to the Council and the Parliament:
Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach
(16.12.2003)
http://europa.eu.int/comm/internal_market/privacy/docs/adequacy/apis-communication/apis_en.pdf

Statewatch: EU: Commission “compromises” and agrees on handing over
passenger data to USA (18.12.2003)
http://www.statewatch.org/news/2003/dec/11euuspassengerdeal.htm

Initiative of the Kingdom of Spain with a view to adopting a Council
Directive on the obligation of carriers to communicate passenger data
(25.03.2003)
http://www.europarl.eu.int/meetdocs/committees/libe/20031216/0761en.pdf

Edward Hasbrouck’s Practical Nomad blog
http://hasbrouck.org/blog/archives/000090.html

(Contribution by Andreas Dietl, EDRI EU affairs director)