EU Working Party report on passenger data access by USA
01 February 2003
"it does not seem acceptable that a unilateral decision taken by a third country for reasons of its own public interest should lead to the routine and wholesale transfer of data protected under the directive"
The deal agreed by the European Commission and the US Customs authorities on 17-18 February 2003 contained the following observation on its implications for the 1995 EC Data Protection Directive (95/46/EC):
"the Commission side considered that EU data protection authorities may not find it necessary to take enforcement actions against airlines complying with the US requirements"
The Commission no doubt felt the need to express this hope in the light of the express views of the EU's own Article 29 Data Protection Working Party's Opinion adopted on 24 October 2002. The Working Party question whether it would be legal for the transfer of such data (especially as it is intended to contain information not required for the purpose of booking a plane ticket), where there are no limits on the use of the data nor any guarantees that it will not be amended for other purposes nor who it may be passed on to. The Working Party called for a "common approach at EU level", that is to say, for the Commission to draw up a proposal which could be submitted to the Council, European Parliament and national parliaments.
The US authorities pre-empted the proper democratic process in the EU by demanding that the system was in place by the end of February - this was then extended by five days to 5 March 2003. Under the deal US Customs will have direct access to airline reservation databases in the EU to download personal data on all passengers and crew.
Tony Bunyan, Statewatch editor, comments:
"The joint declaration by the European Commission and the US Customs authorities is not binding and has no force in EU law. It is therefore up to each Data Commissioner in each of the EU member states to decide whether to take enforcement proceedings against any airline which supplies data to the USA."
Analysis of the Working Party Opinion
The Working Party report traces the origin in US law of the demand for details on passengers. The first requirement for the electronic transfer of passenger data was in the Aviation and Transportation Security Act (19.11.01) which said this data must be available at least 15 minutes before takeoff (under the deal agreed on 17/18 February this data will be accessible hours if not days before a flight). Although the "Commissioner of Customs" is the official recipient of the data "the data will be shared by the US federal authorities". The purpose of the data transmission is not limited to aviation security "but is also an issue of public order in the United States".
Another relevant law was passed in the USA on 14 May 2002, the Enhanced Border Security and Visa Reform Act, which says the US Immigration and Naturalisation Service must also have access to passenger data. The US Immigration and Naturalisation Service has the power to demand that a plane leaving the USA has to return up to an hour after its departure.
All the passenger data transmitted will be held on a "centralised database jointly operated by the US Customs and Immigration Naturalisation Service". The Working Party observes that:
"Once transmitted, the data will be shared with other federal agencies and no longer specifically protected"
The Working Party notes that the categories of data to be submitted under the PNR (Passenger Name Record) can include "any other data deemed necessary to identify persons travelling [and to] implement regulations on immigration or protect national security and safety". It also draws attention to the fact that the data required may extend well beyond basic data (name, nationality etc) and include:
"religious or ethnic information (choice of meal etc), affiliation to a particular group, data relating to pl