Since March this year most European airlines have been handing over transatlantic passenger details to US Customs. These include such details as: the date of your reservation, the travel agency where you booked your trip, your credit card number, expiry date and billing address, your affiliation to a particular group, your e-mail address, your work address, medical data, and possibly your religion or ethnic origin. And this data might be shared with other US agencies. Understandably, this has been causing some concern.
The controversy began with the US Aviation and Transportation Security Act. Passed on 19th November 2001, this law introduced the requirement that airlines operating passenger flights to, from or through the US, provide the US Customs Border Protection Bureau (CBP), upon request, with electronic access to passenger data contained in their reservation and departure control systems, which can be linked up not only with identification data but with other information of the type described above.
In the EU the Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection.
The Directive also allows the Commission to adopt a decision confirming the adequacy of the data protection provisions of a particular country, by reason of its domestic law or the international commitments it has entered into. Very few countries qualify for this accolade: Canada, Switzerland, Argentina and Hungary are the only non-EU countries to which EU businesses can currently transfer personal data without the need for additional guarantees.
However, data relating to transatlantic passengers has been passed over to US Customs since 5th March this year, on the basis of an unenforceable agreement between the Commission and US Customs.
This took the form of a Joint Statement and provided that US Customs would give information to other US law enforcement authorities "only for purposes of preventing and combating terrorism and other serious criminal offences," and that, basically, further protections would be added.
These further protections have still not been added and, according to reports, the Commission announced on Tuesday that it had now rejected US demands for the transfer of passenger data.
According to Reuters, Commission spokesman Reijo Kemppinen said: "The US side has refused to limit the use of data to combat terrorism". In other words, agencies investigating other crimes would have access to the data too.
There are also difficulties over the length of time the data is kept. The EU expects the data to be retained for a period of weeks, or months, while the US reportedly wants to keep it for around seven years.
At a daily media briefing, Frits Bolkestein, the Commissioner responsible for customs matters, issued copies of a letter he had sent to the US Homeland Security Secretary Tom Ridge. This said that the transfer of data highlighted "fundamental rights and liberties which are constitutionally protected in the law of several member states", adding, "These liberties are fiercely cherished in the European Union".
Referring to the protections promised by the US, Reuters reports that Bolkestien wrote, "The US undertakings fall short of what we need."
The deepening EU/US rift will do nothing to help airlines, which are likely to face action by EU data protection agencies if they hand over passenger data, but will face action by US authorities if they do not.
Finnish airline Finnair is to begin transferring data to the US next week, despite the recent announcement by the Commission. It plans to get round the data protection problem by only transferring the data of those passengers who consent to the transfer – but will not issue a ticket to those passengers who do not consent. Finnair says it has no choice in the matter.