The European Union's official data privacy watchdog
delivered a stinging criticism last week of last month's proposed new European
Commission strategy for transmitting air passenger data to the United States
and other third countries.
The United States, Canada and Australia insist on access to
the passenger name records of all passengers entering their airspace. The
document issued by the Commission on Sept. 21 outlined a standard framework for allowing the transfer of PNRs in the future.
However, European Data Protection Supervisor Peter Hustinx
delivered an official opinion on the strategy last week in which he expressed "major
concerns as regards the necessity and legitimacy of some important aspects of
the proposed schemes," according to a statement from his office. Hustinx
said: "To be admissible, the conditions for collection and processing of
PNR data should be considerably restricted. I am particularly concerned about
the use of PNR schemes for risk assessment or profiling."
The opinion found the indiscriminate transfer of PNRs to
government agencies incompatible with EU principles on data protection. It
read: "The EDPS considers that the bulk transfer of data about innocent
people for risk assessment purposes raises serious proportionality issues. The
EDPS questions in particular the proactive use of PNR data."
The United States was the first country to make PNR
transfers mandatory, a strategy it introduced in response to the 9/11 attacks.
However, although the wish to improve security assessments of travelers
crossing U.S. borders has been well understood, critics have argued that bulk
transfer of all PNRs is too blunt an instrument. The opinion also argued that
just because government agencies can now analyze PNR data does not mean they
should be allowed to do so. "The fact that recent technological
developments currently render wide access and analysis possible ... is not in
itself a justification for the development of a system aimed at the screening
of all travellers," it said. "In other words: the availability of
means should not justify the end."
The supervisor's opinion also called for greater consistency
in PNR-related processing initiatives, including a system currently being
created for use within the EU. In addition, it said there should be more
precision about minimal safeguards, especially for the processing of sensitive
data, onward transfers and the retention of data, and there should be more
explicit provision of directly enforceable rights for individuals who are affected.
The present PNR agreement between the U.S. and EU allows for
19 fields of information to be transmitted to U.S. authorities. It expires in
2014.