On 19 April 2012 the European Parliament voted to approve a new bilateral agreement between the European Union and the US which permits the transfer of passenger name record ("PNR") data to the US Department of Homeland Security ("DHS") from air carriers flying from the EU to the US for the purposes of national security.
Whilst the new Agreement should be welcomed for providing more legal certainty to the aviation industry after the interim measures which have been in place following the 2007 PNR Agreement, the Agreement has also been viewed as controversial by some data protection groups. Once the Agreement comes into force (which it is expected to do on 1 June 2012) air carriers will have two years to ensure that they have the necessary technology in place to comply with the requirement to "push" PNR data to the DHS.
The data protection regime
The current European Data Protection regime is set out in the EC Data Protection Directive (95/46/EC), which has been implemented by all 27 EU Member States, though the European Commission has recently outlined plans to harmonise data protection across the EU (as described in the article on the subject elsewhere in this Bulletin). The Directive requires Member States to impose certain standards on the entities ("data controllers") which collect and control the use of personal data relating to individuals ("data subjects") regarding the manner in which they collect, use and distribute the data whilst it is in their possession or otherwise under their control.
The Directive provides that the transfer of personal data to a country outside the EU is allowed only if the country in question ensures "an adequate level of protection". Presently, the US is not on the list of countries designated by the European Commission as providing an "adequate level of protection". It has, therefore, been necessary for the Commission to negotiate an agreement with the DHS which ensures "adequate levels of protection" for the transfer of personal data. On 19 April 2012 the European Parliament approved this agreement, albeit with a significant majority which voted against the Agreement (409 votes to 226, with 33 abstentions).
The new EU-US PNR Agreement
The Agreement replaces the 2007 PNR Agreement which has been provisionally applied pending the adoption of a new agreement, and will apply for seven years. The Agreement requires carriers flying from the EU to the US to send and share PNR data about all their passengers to/ with the DHS for the purposes of the "prevention, detection, investigation and prosecution" of terrorism and certain other cross-border offences. Under the new Agreement this obligation to transfer PNR data to the DHS is imposed on the air carriers (the "push" method), unlike the previous method where the DHS could "pull" data from the air carrier reservation system.
PNR data is information provided by passengers and collected by carriers during reservation and check-in procedures. It includes information such as the passenger's name, address, phone number, credit card details, travel agency data, baggage information, and seat number and can also include "sensitive data" such as meal choices, ethnic origin, religious beliefs and some sensitive health information.
Under the Agreement the US authorities may keep PNR data in an active database for up to five years. After the first six months, all information which could be used to identify a passenger is required to be codified so that the passenger's name and contact information are removed (but this information may still be recoverable should it be required). After five years, the data is to be transferred to a database for up to ten years, with stricter access requirements for US officials. After this cumulative period of 15 years, all information which could serve to identify a passenger is to be removed.
The terms of the Agreement are controversial, and have been the subject of an adverse opinion issued by the European Data Protection Supervisor. The controversy over the Agreement is further illustrated by the fact that a significant minority of MEPs voted against the deal, primarily due to concerns over data protection safeguards. In fact, the Dutch MEP Sophie in't Veld, who authored the Parliament's initial report on the Agreement, withdrew her support for the Agreement and requested that her name be removed from the report on the Agreement.
Under the new PNR Agreement data may also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases, and on a case-by-case basis in the event of a serious threat or if ordered by a US court. This legislative "creep" is causing some alarm amongst human rights activists as well as data protection lawyers, who are raising concerns that PNR data may also be used for border control purposes, something which arguably goes beyond the initial stated ambit of the Agreement.
The Agreement does contain some new data protection provisions aimed at tightening up the position which was put in place under the 2007 arrangement, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data. EU citizens now also have the right to access their own PNR data and to seek corrections or possible erasure by the DHS where information is inaccurate or out of date. The Agreement also provides that EU citizens have the right to administrative and judicial redress in accordance with US law if their personal data is misused.
Although the new Agreement does have some compatibility problems with the existing European data protection regime, it is probably right that, due to the current global security environment, some sort of legislative arrangement be put in place to ensure the safety of air travel and of passengers. What remains moot, however, is the proportionality of the measures approved by the European Parliament – the amount of data collected seems to be quite extensive and one would query the rationale for some of the heads of data which are to be collected. It is also vital to ensure that the passengers from whom the data is collected are aware of the collection of the data, the reasons for this collection, what is to happen to the data and, crucially, what their rights are in relation to that data. Whilst this will not change the fact that the data is being collected, it will at least go some way towards demonstrating that the authorities are acting openly regarding the collection and transfer outside the EU of the passenger data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Specific Questions relating to this article should be addressed directly to the author.