If you are travelling from Europe to the US, be aware that US Customs will get details that can include, according to the European Parliament: the date of your reservation, the travel agency where you booked your trip, your credit card number, expiry date and billing address, your affiliation to a particular group, your e-mail address, your work address, medical data, and possibly your religion or ethnic origin. And this data might be shared with other US agencies. Understandably, this is causing some concern.
Background
The controversy begins with the US Aviation and Transportation Security Act.
Passed on 19th November 2001, this law introduced the requirement that airlines operating passenger flights to, from or through the US, provide the US Customs Border Protection Bureau (CBP), upon request, with electronic access to passenger data contained in their reservation and departure control systems, which can be linked up not only with identification data but with other information of the type described above.
The Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection.
The Directive also allows the Commission to adopt a decision confirming the adequacy of the data protection provisions of a particular country, by reason of its domestic law or the international commitments it has entered into.
Very few countries qualify for this accolade: Canada, Switzerland and Hungary are the only non-EU countries to which EU businesses can currently transfer personal data without the need for additional guarantees.
Last week's developments
The Commission has been meeting with US officials over the course of several months to discuss how to meet the US security demand and also to prepare a decision on the adequacy of data protection on the US side. The US agreed to put its data requirements on hold until 5th March 2003 for European airlines.
Anticipating that no decision would be made quickly on the adequacy of US data protection laws, the Commission and US Customs issued a Joint Statement in February, outlining how EU passenger data would be used from 5th March.
The Joint Statement provided that US Customs would "respect the principles of the Data Protection Directive"; that US Customs would provide information to other US law enforcement authorities "only for purposes of preventing and combating terrorism and other serious criminal offences," and that, basically, further protections would be added, "preferably before 5th March".
These further protections did not arrive before 5th March and, as the Parliament observed last week, the Joint Statement lacked any legal basis. Notwithstanding, since last Wednesday, US authorities have had access to most European airlines' passenger databases.
In response to public criticism at this apparent flouting of privacy rights, the European Commission addressed the further protections in a press release of 6th March, stating that US Customs has undertaken:
"not to use any data that fall into the categories identified as sensitive by EU law (e.g., data revealing race or religion or concerning health) and to introduce a special filter to protect such data further. Sensitive data are not and will not be used to identify potential passengers for [US Customs and Border Protection] border examination."
This did not satisfy the European Parliament, which had never been properly consulted.
This week's controversy
On 10th March, the Parliament's Committee on Citizen's Rights and Freedoms, Justice and Home Affairs (LIBE) adopted a resolution that attacked the Commission's deal with US officials.
The LIBE Resolution "questions the legal base and the repercussions" of the Joint Declaration with US officials and "expresses concern that it could be interpreted as an indirect invitation to the national authorities to disregard Community law".
The LIBE Resolution points out that airlines are in a Catch-22 position: if they follow Community law, they are liable to US sanctions; but if they give in to the US authorities' demands, they fall foul of Europe's data protection authorities.
Yesterday, according to European Digital Rights, or EDRi, a non-profit group founded by privacy and civil rights organisations, "the Security spokesperson of the EP conservative fraction, the Austrian Hubert Pirker, announced [yesterday] his fraction will take the Commission to the European Court of Justice."
EDRi observes:
"While some of the MEPs' anger may be attributed to a true concern with the protection of privacy and personal data, one must be aware of the fact that partisan and inter-institutional rows do play an important role in this conflict.
"The rapporteur is Jorge Salvador Hernández Mollar, a Spanish Conservative, who's Group is notoriously at war with the responsible Commissioner, Chris Patten, a Conservative "traitor" who was nominated by Blair's New Labour government. Many MEPs will vote for anything that criticises the Commission for not respecting the Parliament."
The Joint Statement of 17th/18th February is at this page of the Commission's site.
The Commission press release of 6th March is at:
www.eurunion.org/news/press/2003/2003018.htm
The announcement of legal proceedings by conservative MEPs (in German) is here.
The Motion of 6th March, which won the LIBE committee's vote to become a Resolution of 10th March, is here.
The EDRi's coverage is here.