EU working party on data protection highly critical of proposed deal on US access to passenger data
The EU's Article 29 Data Protection Working Party has issued a strong report on access by the USA to personal data on passengers flying from the EU to the USA. Since the USA demand that they have access to this data was put into operation in March their agencies have been accessing the data reservation databases of airlines based in the EU - this is known as the "pull" mechanism as distinct from the "push" mechanism under which data is selected and transferred by the airline companies. This will remain the situation until the ad hoc agreement is replaced.
1. The Working Party report starts by recognising the discussions between the European and the US authorities are still going on. However the report observes that:
"This opinion is given at a time when US are requesting from the EU or directly from Member States numerous flows of personal data (eg: visas etc)"
and further states that it is aware that similar data from airlines has been requested "by several other third countries".
2. The report reiterates the basis of EU law and policies on data protection in the EC Data Protection Directive of 1995, Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and comments that:
"The legitimate requirements of internal security in the United States of America may not interfere with these fundamental principles"
Indeed US authorities have access to data which is currently not available to EU law enforcement agencies as a matter of course.
The collection of data by the USA could cover up to 10-11 million people a year who could be subject to "generalised surveillance and controls by a third State".
3. The Working Party is not at all convinced by the "undertakings" put forward by the USA, for example, they:
"create a very broad mandate for use and disclosure of the data "as otherwise required by law""
The proposed collection of biometric data and CAPPS II ("automated pre-screening process") could result in "substantial unilateral changes to the conditions in the US". The Working Party therefore says that any agreement must be in law at national level and "should not rest only on mere "undertakings" of administrative agencies". Not only is the US regulatory framework not "stable" it is likely to undergo further changes under the Terrorism Information Awareness Initiative which have not been set out.
The Working Party is also concerned about the scope of the "undertakings" which should be:
"limited to fighting acts of terrorism without expanding their scope to other unspecified "serious criminal offences""
The list of "other public bodies" who would have access to the data "are currently not identified" which is especially important for agencies "operating "no fly" and "watch" lists, against which the PNR is processed" (PNR is the Passenger Name Record).
4. The Working Party says that the amount of data to be transferred (see Appendix B in the "undertakings):
"goes well beyond what could be considered adequate, relevant and not excessive... Access to the full set of PNR data is excessive"
5. The transfer of sensitive data - which is protected by Article 8 of the 1995 Directive - "should be ruled out" - this includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data about personal health and sex life - under the current ad hoc arrangement sensitive data can be accessed by US authorities. The Working Party further says that other data which may be collected by airlines should not be passed over (and by implication access to it should not be given) such as "behavioural data", "general remarks" and entries in open or free-text fields.
6. The time that data is retained should be no more that "some weeks" or maybe months - the USA agencies are proposing 7-8 years.
7. The Working Party is insistent that the rights of data subject should be protected. This includes the right of access to information held about them and the right to correct any erroneous or misleading information. The subject's right of access to their own data must be "unambiguous".
This right of access:
"should extend to any new data which may be generated as a result of the processing to which the data transmitted from Europe are submitted (risk profile, exclusionary lists...)
8. The Working Party "sees major flaws" in enforcement and "independent third-party supervision", nor is it clear how the "undertakings" can produce "binding legal effects and be the source of obligations that can give rise to claims before a court. This reflects the Working Party overall concern that it is unclear "which authority precisely will commit the US side" - under EU law any transfer of data "must be based on domestic law and/or international commitments".
Tony Bunyan, Statewatch editor, comments:
"It is quite clear from the report that the transfer of data should not be taking place until proper safeguards - which meet EU standards - are place to protect the rights and privacy of people going to the USA - and a host of questions have to be answered before this can happen"
1. Article 29 Data Protection Working Party, report WP 78, dated 13.6.03: Text (pdf)
2.Annex to above text containing: "Untertakings of the United States Bureau of Customs and Border Protection and the United States Transportation Security Administration": Annex (pdf)
3. On 12 March 2003 the European Parliament plenary session in Strasbourg passed a highly critical Resolution on the deal agreed between the European Commission and the USA on access to personal details of airline passengers. The vote was 414 in favour and only 44 against. Full report and background documentation: Text
Statewatch News online | Join Statewatch news e-mail list | Statewatch websites