• Home /
• News /
• 2003 /
• June /
• EU working party on data protection highly critical of proposed deal on US access to passenger data

EU working party on data protection highly critical of proposed deal on US access to passenger data

01 June 2003

The EU's Article 29 Data Protection Working Party has issued a strong report on access by
the USA to personal data on passengers flying from the EU to the USA. Since the USA
demand that they have access to this data was put into operation in March their agencies
have been accessing the data reservation databases of airlines based in the EU - this is
known as the "pull" mechanism as distinct from the "push" mechanism under which data is
selected and transferred by the airline companies. This will remain the situation until the ad
hoc agreement is replaced.

1. The Working Party report starts by recognising the discussions between the European
and the US authorities are still going on. However the report observes that:

"This opinion is given at a time when US are requesting from the EU or directly from
Member States numerous flows of personal data (eg: visas etc)"

and further states that it is aware that similar data from airlines has been requested "by
several other third countries".

2. The report reiterates the basis of EU law and policies on data protection in the EC Data
Protection Directive of 1995, Article 8 of the European Convention on Human Rights and
Articles 7 and 8 of the Charter of Fundamental Rights of the European Union and
comments that:

"The legitimate requirements of internal security in the United States of America may
not interfere with these fundamental principles"

Indeed US authorities have access to data which is currently not available to EU law
enforcement agencies as a matter of course.

The collection of data by the USA could cover up to 10-11 million people a year who
could be subject to "generalised surveillance and controls by a third State".

3. The Working Party is not at all convinced by the "undertakings" put forward by the USA,
for example, they:

"create a very broad mandate for use and disclosure of the data "as otherwise
required by law""

The proposed collection of biometric data and CAPPS II ("automated pre-screening
process") could result in "substantial unilateral changes to the conditions in the US". The
Working Party therefore says that any agreement must be in law at national level and
"should not rest only on mere "undertakings" of administrative agencies". Not only is the US
regulatory framework not "stable" it is likely to undergo further changes under the Terrorism
Information Awareness Initiative which have not been set out.

The Working Party is also concerned about the scope of the "undertakings" which should
be:

"limited to fighting acts of terrorism without expanding their scope to other
unspecified "serious criminal offences""

The list of "other public bodies" who would have access to the data "are currently not
identified" which is especially important for agencies "operating "no fly" and "watch" lists,
against which the PNR is processed" (PNR is the Passenger Name Record).

4. The Working Party says that the amount of data to be transferred (see Appendix B in the
"undertakings):

"goes well beyond what could be considered adequate, relevant and not excessive...
Access to the full set of PNR data is excessive"

5. The transfer of sensitive data - which is protected by Article 8 of the 1995 Directive -
"should be ruled out" - this includes racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership and data about personal health and sex life -
under the current ad hoc arrangement sensitive data can be accessed by US authorities.
The Working Party further says that other data which may be collected by airlines should
not be passed over (and by implication access to it should not be given) such as
"behavioural data",