The European Commission gave approval this week to controversial privacy protections that aim to safeguard the personal details of US-bound air passengers. Since March, passenger details have been going to US Customs, in breach of EU data protection laws.
The controversy began with the US Aviation and Transportation Security Act. Passed just two months after the terrorist atrocities of September 2001, it introduced the requirement that airlines operating passenger flights to, from or through the US provide the US Customs Border Protection Bureau, upon request, with electronic access to passenger data contained in their reservation and departure control systems.
The problem in Europe is that its Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection. The Commission decides which countries have adequate laws, but to date, only Canada, Switzerland, Argentina and Hungary have met the criteria. Transfers of data to other countries need additional guarantees.
Airlines found themselves in a catch-22 position: to fly from Europe to the US, they would need to comply with either European law or US law, but could not find a way to comply with both. So European and US authorities negotiated.
The European Commission agreed, temporarily, to waive aspects of its privacy regime and, on terms agreed with the US, data relating to transatlantic passengers has been transferred to US Customs since 5th March this year.
Negotiations have continued between the Commission and the US Department of Homeland Security to find a formula that would satisfy the US anti-terrorist requirements, and allow the EU to issue an adequacy finding in respect of the US data protection provisions. But negotiations have been tricky.
In particular, the US had refused to limit access to the data to agencies seeking to combat terrorism – agencies investigating other crimes were to have access too. There were also difficulties over the length of time the data should be kept. The EU expected the data to be retained for a period of weeks, or months, while the US wanted to keep it for around seven years.
On Tuesday, Commissioner Frits Bolkestein said: "Today the Commission exercised its 'political judgement' in deciding how to take matters forward." He went on to explain how difficult the resolution had been.
"Some believe that there was a quick fix possible here. Simply by telling the airlines that they had to obtain the unambiguous consent of all passengers, we could have solved the problem."
"But relying on consent alone would have been bad data protection, even if it resolved the legal problems. We would have been saying to people: it is up to you to decide whether to go to the US, but we are washing our hands entirely of what happens to your personal data once it gets to the US. We rejected this path."
He explained that the Commission this week made a limited finding of adequate protection with regard only to transfers of passenger data to the US Bureau of Customs and Border Protection.
The main points of the deal are as follows:
Limits are placed on the amount of data to be transferred, with a closed list of 34 elements. Furthermore, the US has undertaken not to require airlines to collect any data where any of these 34 elements would be empty. In practice, the Commission says that most would consist of no more than 10-15 items.
The data will be stored for no more than 3.5 years – exactly the same length of time that the agreement, unless extended, will last – the 'sunset clause'.
The arrangement will not cover the US Computer Assisted Passenger Pre-Screening System (CAPPS II), the proposed domestic airline passenger screening system. This will be discussed at a later date.
There will be a joint review of US compliance by US and EU authorities each year.
EU passengers will have redress to the Department of Homeland Security and, if not resolved satisfactorily, EU data protection authorities will be recognised as having the right to represent EU citizens in the US.
All categories of sensitive data will be deleted, and there will be no bulk sharing of data with other agencies. In particular, the data will be used only for the purposes of preventing and combating:
The EU Parliament now has an opportunity to comment on the finding.
Dr. Chris Pounder, a data protection expert with Masons, the law firm behind OUT-LAW.COM, commented:
"In data protection terms, the statement made by Frits Bolkestein, although welcome, shows all the signs of being 'sexed-up'."
"The main reason for this is the sunset clause, which is, in effect, a commitment to renegotiate the whole deal in 3.5 years' time. The product of that renegotiation could well be the dropping of the 3.5-year retention period in favour of the USA's initial 50-year retention proposal or a requirement for passengers to provide all 34 items of personal data."
He concluded:
"The key comment in Mr Bolkestein's statement is that the Commission has made its 'political judgement' in favour of transfer in the hope that any privacy problem will be in the meantime resolved. In short, the statement should be seen as a mechanism to boot the privacy problems into the long grass whilst allowing the US authorities access to the data they want."