The Council of the European Union has given the green light to a new agreement between the European Union and the United States of America that will see the sharing and storing of personal data of passengers flying to the US. The agreement now has to be ratified by the European Parliament, and it is already drawing fire over its level of data protection.
Accessing and storing Passenger Name Records
The agreement would allow American authorities to access and store the so-called Passenger Name Records or PNR, the information provided by passengers and collected by air carriers in order to process reservations and check-in.
Pursuant to the new agreement, the US will be able to access and store the data of passengers flying to the United States, which includes, among other things, credit card numbers and the passenger’s date of birth. This data would be stored for 10 years, or for 15 years when part of a terror investigation.
At the moment PNR transfers between the EU and the US are taking place under a provisionally applied 2007 agreement, as the European Parliament refused to sign the data transfer agreement with the US until its privacy concerns were met.
Under EU legislation, PNRs fall under the Data Protection Directive and can be shared only with countries that apply comparable data protection laws. Moreover, EU law dictates that access to passenger data is possible only on a case-by-case basis and where a particular suspicion exists.
Opening the way to profiling
The new PNR exchange agreement with the US adopted by EU home affairs ministers on 13 December 2011 must now be approved by the European Parliament.
The agreement, however, is already drawing heavy criticism from both the Parliament and privacy advocates, who warn that it once again fails to address privacy concerns and opens the way for the practice of profiling, which is in direct conflict with data protection in the EU.
Should the Parliament not approve the new agreement, it will have to be renegotiated.
‘Many concerns have not been met’
Prior to the EU Council’s adoption of the agreement, the European Data Protection Supervisor Peter Hustinx issued a statement advising that the 15-year data retention period is excessive and that data should be deleted immediately after its analysis or after a maximum of 6 months.
“Any legitimate agreement providing for the massive transfer of passengers’ personal data to third countries must fulfill strict conditions. Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the Member States have not been met. The same applies to the conditions required by the European Parliament to provide its consent,” warns Hustinx.