EU Working Party report on passenger data access by USA

"it does not seem acceptable that a unilateral decision taken by a third country for reasons of its own public interest should lead to the routine and wholesale transfer of data protected under the directive"



The deal agreed by the European Commission and the US Customs authorities on 17-18 February 2003 contained the following observation on its implications for the 1995 EC Data Protection Directive (95/46/EC):

"the Commission side considered that EU data protection authorities may not find it necessary to take enforcement actions against airlines complying with the US requirements"

The Commission no doubt felt the need to express this hope in the light of the express views of the EU's own Article 29 Data Protection Working Party's Opinion adopted on 24 October 2002. The Working Party question whether it would be legal for the transfer of such data (especially as it is intended to contain information not required for the purpose of booking a plane ticket), where there are no limits on the use of the data nor any guarantees that it will not be amended for other purposes nor who it may be passed on to. The Working Party called for a "common approach at EU level", that is to say, for the Commission to draw up a proposal which could be submitted to the Council, European Parliament and national parliaments.

The US authorities pre-empted the proper democratic process in the EU by demanding that the system was in place by the end of February - this was then extended by five days to 5 March 2003. Under the deal US Customs will have direct access to airline reservation databases in the EU to download personal data on all passengers and crew.

Tony Bunyan, Statewatch editor, comments:

"The joint declaration by the European Commission and the US Customs authorities is not binding and has no force in EU law. It is therefore up to each Data Commissioner in each of the EU member states to decide whether to take enforcement proceedings against any airline which supplies data to the USA."

Analysis of the Working Party Opinion



The Working Party report traces the origin in US law of the demand for details on passengers. The first requirement for the electronic transfer of passenger data was in the Aviation and Transportation Security Act (19.11.01) which said this data must be available at least 15 minutes before takeoff (under the deal agreed on 17/18 February this data will be accessible hours if not days before a flight). Although the "Commissioner of Customs" is the official recipient of the data "the data will be shared by the US federal authorities". The purpose of the data transmission is not limited to aviation security "but is also an issue of public order in the United States".

Another relevant law was passed in the USA on 14 May 2002, the Enhanced Border Security and Visa Reform Act, which says the US Immigration and Naturalisation Service must also have access to passenger data. The US Immigration and Naturalisation Service has the power to demand that a plane leaving the USA has to return up to an hour after its departure.

All the passenger data transmitted will be held on a "centralised database jointly operated by the US Customs and Immigration Naturalisation Service". The Working Party observes that:

"Once transmitted, the data will be shared with other federal agencies and no longer specifically protected"

The Working Party notes that the categories of data to be submitted under the PNR (Passenger Name Record) can include "any other data deemed necessary to identify persons travelling [and to] implement regulations on immigration or protect national security and safety". It also draws attention to the fact that the data required may extend well beyond basic data (name, nationality etc) and include:

"religious or ethnic information (choice of meal etc), affiliation to a particular group, data relating to place of residence or means of contacting an individual (e-mail address, details of a friend, place of work etc), medical data.."

(For countries participating in the "Visa Waiver Program", "the transfer of biometric data is due to become compulsory by October 2004).

The Working Party states unequivocally that the EC Data Protection Directive (95/46/EC) applies to airlines based in the EU - "this obligation is without exception" and:

"It appears that the technical requirements imposed on airlines by the USA leave data exposed to non-authorised access by third parties"

Key to the Working Party's observations in respect of the EC Data Protection Directive (95/46/EC) is that data which goes beyond the purpose of collecting personal information from passengers related to travelling "cannot be considered as compatible with the original purpose of collecting personal data by airlines or travel agencies in particular the fulfilment of their contractual obligations vis-a-vis the passengers". Moreover, Article 6.1.b of Directive 95/46/EC:

"prohibits further processing of data collected for specified, explicit and legitimate purposes in a way incompatible with those purposes"

Directive 95/46/EC says that data can only be transferred to a third country if that country has an adequate level of protection, "the processing of data that are transmitted by airlines for US federal authorities falls short of this condition." The Working Party says:

"it does not seem acceptable that a unilateral decision taken by a third country for reasons of its own public interest should lead to the routine and wholesale transfer of data protected under the directive"

The Working Party finds that if direct access to data held by airline is given to US Customs - as it is going to be - then "the entire directive could be considered as being directly and completely applicable to them" but this raises "numerous questions".

For example, Article 8 of the EC Directive explicitly prohibits "any processing of sensitive data" (eg: racial or ethnic origin, religious beliefs etc) without specific authorisations where there has to be "explicit consent to processing for a given purpose". Such authorisation would have to be given either by changes in the law in EU member states or by express exemptions laid down by a supervisory authority provided there are "reasons of substantial public interest" for the member state itself (ie: not the third party) and that there are suitable safeguards.

The Working Party Conclusions are that: 1) the provision of such information would be "disproportionate" as it could lead to the routine use of passenger information for immigration and customs and more generally "for US national security and may at least be shared amongst all US federal agencies"; 2) Compliance with US demands creates problems under the 1995 EC Directive which should be addressed by EU member states and the Commission; 3) the transfer of passenger information requires national legislation or a decision of the supervisory authority; 4) if direct access is given - which it is going to be - to airline reservation data the US agencies must be committed to "ensuring respect for the directive as a whole"; 5) any agreement has to clearly set out the recipients of the data, the categories of data, conditions and guarantees on the processing of data in particular by US federal agencies.

Documentation and analyses


1. Full text of : Article 29 Data Protection Working Party: Opinion 6/2002 on transmission of Passenger Manifest Information and other data from Airlines to the United States, adopted 24 October 2002, doc no: 11647/02/EN, WP 66 (pdf).

2. Full-text: European Commission/US Customs talks on PNR transmission, Brussels, 17/18 February: Joint Statement (html)

3. Statewatch report 26.2.03:
US Customs to have direct access to EU airlines reservations databases

4. Statewatch report 13.2.03: European Commission caves in to US demands for airline passenger lists



Statewatch News online | Join Statewatch news e-mail list | Statewatch websites