Since March this year most European airlines have been passing transatlantic passenger details to US Customs. These include such details as: the date of your reservation, the travel agency where you booked your trip, your credit card number, expiry date and billing address, your affiliation to a particular group, your e-mail address, your work address, medical data, and possibly your religion or ethnic origin. And this data might be shared with other US agencies. Understandably, this has been causing some concern.
The controversy began with the US Aviation and Transportation Security Act. Passed on 19th November 2001, it introduced the requirement that airlines operating passenger flights to, from or through the US provide the US Customs Border Protection Bureau, upon request, with electronic access to passenger data contained in their reservation and departure control systems. That data can be linked up not only with identification data but with other information of the type described above.
In the EU the Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection.
The Directive also allows the Commission to adopt a decision confirming the adequacy of the data protection provisions of a particular country, by reason of its domestic law or the international commitments it has entered into. Very few countries qualify for this accolade: Canada, Switzerland, Argentina and Hungary are the only non-EU countries to which EU businesses can currently transfer personal data without the need for additional guarantees.
However, data relating to transatlantic passengers has been passed over to US Customs since 5th March this year, on the basis of an unenforceable agreement between the Commission and US Customs.
This took the form of a Joint Statement and provided that US Customs would give information to other US law enforcement authorities "only for purposes of preventing and combating terrorism and other serious criminal offences," and that, basically, further protections would be added.
These further protections have still not been added and last month the Commission announced that it had rejected US demands for the transfer of passenger data. Negotiations between the Commission and the US have made little progress since then, although the data is still being sent.
The main difficulty is that the US has refused to limit access to the data to agencies seeking to combat terrorism – agencies investigating other crimes will have access too.
There are also difficulties over the length of time the data is kept. The EU expects the data to be retained for a period of weeks, or months, while the US reportedly wants to keep it for around seven years.
Last week the Parliament's Citizens' Rights Committee unanimously adopted a draft resolution calling on the Commission to quickly determine what data might legitimately be transferred. A deadline of two months has been set, according to ZDNet News.com.
The draft states that "it is currently not possible to consider the data protection provided by the US authorities to be adequate".
For the transfer to be acceptable the Commission must ensure that:
There must be no discrimination against non-US passengers and no retention of data beyond the length of a passenger's stay in the US.
Passengers must be notified upon purchase of their ticket and give their informed consent to the transfer of personal data to the US.
Passengers must have access to swift and efficient appeal procedures, should any problems arise.
If these conditions are not met, says the draft resolution, the Commission should refuse to allow airlines to transfer personal passenger data. The problem for the airlines is that if they cannot transfer the data, they will not be allowed to land in the US.