Privacy campaigner: EU-US passenger data deal 'meaningless'
A secretive agreement allowing Washington access to all personal information of air travellers to the US, seen by EUobserver, is "meaningless" and "deceptive" from a data privacy point of view, say experts.
The agreement, sealed last week between the European Commission and the US government, is now pending approval by member states and the European Parliament.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
It provides a legal basis for what started as an anti-terrorism data sifting programme in the US following the attacks on 11 September 2001: the transfer of data such as private email address, credit card number, travel itinerary, but also "general remarks" made by airline officials on the behaviour of the passenger.
EU commissioner Cecilia Malmstrom on Thursday (17 November) said the agreement "contains robust safeguards for European citizens' privacy," and is legally binding on the US.
But the full text remains secret - despite being of public interest as it deals with mass private data transfers, circumventing EU law on data privacy. MEPs dealing with the dossier have been allowed to look at the agreement only in a sealed room.
US campaigners like Edward Hasbrouck, who has filed several legal complaints in the US against the extensive use and storage of Passenger Name Records (PNR) by authorities, disagrees with Malmstrom's confident assessment of the deal.
"This is theoretically true: It is 'binding', but there is no enforcement mechanism. According to the terms of the agreement, the only remedy for non-compliance is to terminate the agreement for future data transfers," he told this website.
Even in this instance, the US government would still have access to the data, as airlines do not store the PNR information in their own servers, but in US-based "computer reservation systems" to which the Department of homeland security (DHS) has access.
According to the text, "the collection and analysis of PNR is necessary for DHS to carry out its border security mission."
Based on the personal data transferred to the American authorities 92 hours prior to departure, people can be subject to close inspection and interrogation or banned from flying, if they turn out to be on a no-fly list. But such lists are secret and access to them forbidden.
Claiming that personal data collection and analysis is "necessary" for border controls is false, says Hasbrouck. According to the UN Human Rights Committee, measures that hamper freedom of movement have to be proven to be effective and it must be clear that less restrictive alternative would not achieve the same purpose.
"There has been no showing as to why existing legal means - warrants or court orders - would not be sufficient as a means to obtain PNR data in specific investigations," Hasbrouck says.
The wide scope of the potential crimes targeted by the data analysis is also a reason for concern. Apart from suspects of terrorist acts, funding, being a facilitator or "contributing in any other way" to something that may look like a terrorist act, the agreement also applies to "other crimes that are punishable by a sentence of imprisonment of three years or more and that are transnational in nature," the text reads.
This may apply, for instance, to someone suspected of having illegally downloaded American movies or music and distributed them abroad.
Overall, the personal data will be retained for 15 years - five years in an active database and ten in a "dormant" state - where access is more limited and names blackened. "Re-personalisation" can be done, however, "in connection with law enforcement operations and then only in connection with an identifiable case, threat or risk."
The data for cases concerning other crimes than terrorism "may only be re-personalised for a period of up to five years," the agreement says.
Again, Hasbrouck points out that these retention limits "only apply to the DHS copy of the PNR."
The computer reservation systems can keep the original copy forever and there is nothing to stop the US authorities from getting a new copy from the reservation system, something not covered by the PNR agreement.
There are other potential issues too.
Anyone is entitled to access, correct or delete personal data but they are unlikely to be able to get hold of it, as most PNR data is exempt from the Freedom of Information Act.