Yesterday the European Parliament approved an agreement between the United States of America and the EU that will see the transfer of EU air passenger’s personal data to US authorities.
Passenger Name Record data to be retained in a database
Under US law, air companies are obliged to make the personal data of air passengers flying to or from the United States available to the Department of Homeland Security prior to passenger departure. The so-called Passenger Name Record (PNR) data includes, among other, credit card numbers and the passenger’s date of birth.
Pursuant to the newly approved Passenger Name Record agreement the US will now be able to store the data of EU air passengers, keeping the data in an active database for up to 5 years. After the first 6 months the information is to be depersonalized, and after 5 years is to be moved to a “dormant database” where it will remain for up to 10 years. Data related to any specific case will be retained in an active PNR database until the investigation is archived.
Sensitive data, revealing for example ethnic origin or sexual orientation is to be accessed only in exceptional circumstances, on a case-by-case basis and will be deleted after 30 days.
The agreement will be formally approved on 26 April and will apply for 7 years.
In conflict with data protection in the EU
As already reported, the agreement has been criticized by privacy advocates from the very beginning. They warn that it fails to address privacy concerns and is opening the way for the practice of profiling, which is in direct conflict with data protection in the EU.
Under EU legislation, PNR fall under the Data Protection Directive and can be shared only with countries that apply comparable data protection laws. Moreover, EU law dictates that access to passenger data is possible only on a case-by-case basis and where a particular suspicion exists.
A proposal to refer the agreement to the European Court of Justice was rejected by MEPs.
