European Commission tells USA that demands for access to data on airline passengers breaches EU Data Protection Directive - but hints at a deal that would "fudge" the issue

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

- Commission option to reach bilateral agreement allowing for derogation from EU laws

- access to passenger data breaks EC Regulation on computer reservation systems (CRS) as well as 1995 Data Protection Directive

- Tom Ridge, US Secretary for Homeland Security, says on visit to Italy: "Looking at this request beyond just a data protection issue but as a mutual security issue is something that can help us get closer to resolving our differences"

- correspondence reveals that USA is also asking for "Advance Passenger Information" to vet those flying

- in a democracy data protection and civil liberties are indivisible

Update 18 September 2003

Tony Bunyan, Statewatch editor, comments:

"The debate in Europe over the US demand for access to personal information on air passengers travelling from the EU has rightly centred on data protection issues.

However, the issue of how the information could be used to potentially infringe peoples' civil liberties has been missing from the discussion. Everyone flying to the USA, and flying within the USA, will automatically be "profiled" under the proposed Computer Assisted Passenger Profiling System (CAPPS II). Their "profile" will be determined after checks against a series of "watch-lists", which although said to be directed at terrorism go much wider in practice.

Data protection covers what information is passed over, who it is passed on to, how long it is kept for and whether a person can see and correct data held on them. Civil liberties deals with how that data is used against people - whether they are questioned, searched, detained or placed under surveillance. In a democratic society the two are indivisible."

In their latest "Alert" Electronic Privacy Information Center (EPIC, Washington, USA, 18 September 2003) write:

"The United States is working diligently to convince the European Union to participate in the proposed Computer Assisted Passenger Profiling System (CAPPS II), the airline passenger security system created to prevent suspected terrorists from boarding airplanes. If the EU does choose to participate in the system as proposed, all travellers entering or flying through the U.S. will be required to provide their name, address, birth date, and home telephone number when purchasing a plane ticket.

Each passenger's information would then be shared with the US government and then checked against various private databases, terrorist watch lists, and felony warrant lists. Passengers would be assigned a color code to inform screeners whether to allow them to board the flight, or question, detain or arrest them."

See EPIC's webpage on Passenger profiling

Story filed on 15 September 2003

1. The US tried to impose a new deadline of 12 September for airlines flying there from within the EU to give access to personal passenger data (Passenger Name Record data, PNR). It is reported that Air France, British Airways and Iberia have been giving the USA access to this data since 5 March 2003. Indeed some airlines do not allow passengers to book tickets online unless they agree to personal data being handed over. Alitalia on the other hand have been banned from passing over any information that is not contained on a passport by their Data Protection Authority. Under US law airlines that fail to comply could be fined up to $6,000 a passenger and a loss of landing rights - passengers would be subject to checks on arrival. The European Commission has set a deadline of Christmas for trying to resolve the issue.

Tom Ridge, US Secretary for Homeland Security, said in Italy that there was still "some time to go to reconcile our differences" but stressed that the United States was firm in its intention to move aggressively on the issue. "Looking at this request beyond just a data protection issue but as a mutual security issue is something that can help us get closer to resolving our differences," he said.

sources: and AP.

2. The speech of Mr Bolkstein, the Commissioner for the Internal Market, to the European Parliament's Committee on Citizens' Freedoms and Rights on 9 September provided more insight into the issues involved.

"What has caused the problem", he told the Committee, "is a conflict of laws.. there is no avoiding the fact that the US has a different approach when it comes to the security of their homeland". He said "We must be realistic" because the USA is not the only country wanting to use PNR:

"Canada and Australia have already made similar requests"

However, Mr Bolkstein fails to mention that these two countries have comprehensive data protection laws in place (see, Privacy International 2003).

He notes that there has been some progress, the US has agreed to "filter and delete.. sensitive data" - though of course they should not have access in the first place ("sensitive data" is defined in Article 8 of the 1995 EC Directive).

The Committee was told that there were four outstanding issues:

1) the USA does not want to restrict the use of PNR data to terrorism but want to cover "other serious crimes";

2) The Committee was told that:

"the US requires 39 different PNR elements, which it is hard to regard as proportionate to the purpose";

3) the US demand that data be kept for 50 years has come down to 6-7 years. Under Article 6.1.a. of the EC Regulation 2299/89 on computer reservations systems individual data has to be taken off-line within 72 hours of the completion of the booking (ie: flight arrival), can be archived for a maximum of three years and access to the data is "allowed only for billing-dispute reasons".

4) as the undertakings provided are not adequate, nor in a legal binding form, the EU is insisting "on an independent extra-judicial redress mechanism".

A fifth point considered essential by the Commission is that data is supplied by the airline reservation systems rather than US agencies having direct access to reservation databases.

The Commissioner told the Committee that he could envisage three options:

1) to continue negotiating until the USA position meets a standard of "adequacy" (see his letter below) - he is clearly not optimistic that the US is going to move sufficiently;

2) "to enforce the law" which would "ideally mean stopping data transfers" - under the 1995 Directive this is the job of the national data protection authorities. The Commission role is "to ensure that member states respect the Directive, not that the airlines do". However, the Commission has direct responsibility to enforce EU law under the 1989 EC Regulation on computer reservation systems as amended by the 1999 EC Regulation 323. The 1989 Regulation said in Article 6.d that:

"personal information concerning a consumer and generated by a travel agent shall be made available to others not involved in the transaction only with the consent of the consumer."

This was greatly strengthened by the 1999 amendment to Article 6 which reflected the 1995 Data Protection Directive. In addition to saying that personal data can only be accessed for "billing-dispute purposes" - that is, it cannot be accessed for any other purpose as proposed by the USA - says that data:

"shall include no identification, either directly or indirectly of personal information on a passenger"

Moreover, no users of the data shall "manipulate information" that leads it to "inaccurate, misleading or discriminatory presentation of that information" and the "consumer" has the right to be informed of the name and address of anyone using the information on them, "the purposes of the processing, the duration of the retention of individual data and the means available to the data subject of exercising their access rights [and].. access free of charge to their own data".

Extraordinarily, Mr Bolkstein states:

"At present, the Commission does not have clear-cut evidence of a breach, but is writing to the CRSs to obtain more information and to remind them of their obligations"

A number of airlines are on the public record that they are giving the US access to their passenger reservation database, at a hearing in the European Parliament on the issue back in March and in the presence of Commission officials several airlines declared that they were complying with US demands and online booking on the internet for a number of airlines does not allow ticket purchases unless a box is ticked agreeing to heir data being handed over.

The Commission's reasoning is that there is not agreement among the 15 EU governments, some member states back the Commission undertaking its legal and constitutional duties, others do not - which inevitably leads to the third option.

3) to "negotiate a bilateral agreement" between the USA and the EU. This would allow "narrowly targeted derogations to be made from the Data Protection Directive". This is a contradiction in terms - the EU law on computerised reservations system is perfectly clear as are the principles of the 1995 Data Protection, namely that information supplied by the citizen for one purpose cannot be used for another purpose, data supplied cannot be further "processed" for another purpose (ie: checked through US intelligence and security watch-lists and amended) and the data subject has a right to a copy of the information held on them and the right to correct it - none of these principles can be "derogated" from without abandoning data protection rights.

Mr Bolkstein presented the option of a bilateral agreement as a means to "bridge the gap between the two legal systems", but this not just about legal differences it is about the USA's determination to "aggressively" pursue their demands and the EU's lack of political will to maintain established law and protections for the citizens.

Full-text of Mr Bolkstein's speech in the European Parliament on 9 September 2003: Speech (pdf)

Story filed 5 September 2003

On Tuesday 2 September the full meeting of the Commission in Brussels agreed a Communication from Mr Bolkstein (Internal Market) and Mr Patten (External Affairs) and in agreement with the Commission President Mr Prodi and Commissioners Ms de Palacio and Mr Vittorino (Justice and home affairs) on US demands for access to data on all airline passengers leaving the EU for that country.

Commission press officer, Reijo Kemppinen, said that the USA had failed to give binding commitments that the data provided would not be used in ways that would breached the EU's Data Protection Directive, "The US side has refused to limit the use of data to combat terrorism", he said.

In a letter to Tom Ridge, head of US Homeland Security on 12 June 2003, Commissioner Bolkstein says that the matter affected:

"fundamental rights and liberties which are constitutionally protected in the law of several member states... These liberties are fiercely cherished in the European Union... The US undertakings fall short of what we need... it is urgent to establish a framework which is more legally secure."

The letter makes clear that the use of the term "adequacy" of the US assurances:

"is not a mere formality. It is not a device by which something that was previously illegal becomes legal: it requires binding undertakings to be made by the US authorities concerned which meet a series of data protection concerns... As things stand today, I have to say that the draft undertakings provided by the USA so far are not such as to convince me" (emphasis in original)

The Commissioner goes on to say that the purpose must be explicitly limited to terrorism and some forms of crime that are related to it. Second there must be a "tightly worded undertaking" about how the data will be used, the conditions on which it can be passed t other US agencies and their use of it.

Next because EU-based airlines do not yet have the software to filter out "sensitive data" (like religion or health) the Commissioner asks the US to automatically filter out this data themselves and give an undertakig to this effect.

The Commissioner says that only the creation of an "independent body" outside of the US government can satisfy the requirement of a right to see the data held and to correct it. Unless this is forthcoming "we shall have to insist that the undertakings as a whole be made legally binding".

The fourth issue raised by the Commissioner is interesting because it has not figured in any previous announcements by the Commission, namely that the USA is requesting access to "Advance Passenfer Information" (API). API is distinction from PNR - this is a full list and details of all passengers booked onto a flight with the object of vetting them before they board a plane. Most will not know but some could be refused boarding and others may be question on arrival or put under surveillance. As the Commissioner notes, API is "currently not covered by the undertakings".

New on 5 September: Text of Commissioner Bolkstein's letter to the USA (thanks to Edward Hasbrouck): Text

sources: and Reuters, 3.9.03.

In an associated development the Austrian National Data Protection Commission (27.8.03) said that passenger data could not be passed to the US for legal reasons concerning data protection. A spokesperson for the Commission said that Austria is seeking an extension of the September deadline from the United States, but it could take months before a satisfactory solution is found. See:

Statewatch coverage, analysis and documentation on the transfer of passenger data to USA

1. Full-text of Mr Bolkstein's speech in the European Parliament on 9 September 2003: Speech (pdf)

2. Text of Commissioner Bolkstein's letter to the USA (thanks to Edward Hasbrouck): Text

3. EU airlines allowing access to all personal details on passengers by US authorities: Report

4.. EU working party on data protection highly critical of proposed deal on US access to passenger data: Report

5. EU: Major commercial associations express strong concerns about plans for data retention: Report

6. EU: Campaign launched against the illegal transfer of European travellers' data to the USA: Report

7. Massive majority in European Parliament against deal with US on access to passenger data: Full report, resolution and amendments and verbatim debate

8. European Parliament resolution on airline passenger data gains wide support: Report

9. European Parliament committee to hold emergency session on the transfer of personal data to USA: Report

10. Direct access to personal details of EU passengers: How US Customs bounced the European Commission into a quick decision: Report

11. EU data protection chair calls for US access to passenger details to be postponed: Report

12. EU Working Party on data protection report on passenger data access by USA: Report

"it does not seem acceptable that a unilateral decision taken by a third country for reasons of its own public interest should lead to the routine and wholesale transfer of data protected under the directive"

13. US Customs to have direct access to EU airlines reservations databases: Report

14. European Commission caves in to US demands for airline and shipping passenger lists: Report

15. EU-US: US demands EU airlines and ships provide passengers list - UK is first EU government to back US scheme: Report

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error