The European Union and the United States last week initialed a deal on the transfer of air passenger data that would, if adopted by the European Parliament and the EU Council of Ministers, supplant an existing deal that took effect in 2007. Like the pre-existing agreement, the new deal calls for the transfer of 19 data types from airline databases to U.S. authorities but includes several new elements, many of which were crafted to allay European concerns about personal privacy.
The two sides since December 2010 have been developing a new deal to govern how data from passenger name records is sent to U.S. authorities. EU Commissioner for Home Affairs Cecilia Malmström issued a statement expressing satisfaction that the new agreement "represents a big improvement" on the protection of personal data, including "robust safeguards for European citizens' privacy, without undermining the effectiveness of the agreement in terms of EU and U.S. security."
The new deal defines how U.S. authorities can use PNR data ("the prevention, detection, investigation and prosecution of terrorism and of transnational crimes," excluding "minor" crimes, according to EU information) and how they can get it. Rather than the U.S. Department of Homeland Security directly accessing airline reservations systems, carriers must transmit the data from their databases. Furthermore, to "prevent profiling," a human—not just an automatic data process—must be involved before authorities "take decisions adversely affecting passengers."
The deal also lays out detailed rules on how long PNR data can be stored (no more than 10 years, in most cases) and requires that data be "depersonalized" six months after it is received by U.S. authorities. "In a nutshell, this means that elements of personally identifiable information contained in the PNR, such as a person's name and contact information, will be masked out and made inaccessible to U.S. officials," according to EU information. "This is a considerable improvement compared to the existing PNR Agreement from 2007, which allows all PNR data to be retained for 15 years, without any depersonalization at all."
The agreement also includes stipulations allowing passengers to access their PNR information, request corrections and seek redress "as provided for under U.S. law." The redress mechanisms include the DHS Traveler Redress Inquiry Program.
Furthermore, the deal obligates DHS "to share PNR and analytical information obtained from this data with law enforcement and judicial authorities" in the European Union, according to an EU statement.
DHS deputy secretary Jane Holl Lute in a prepared statement noted that "for the first time, all of our commitments on PNR have been incorporated into a single agreement that helps ensure the safety and security of the traveling public while providing legal certainty for airlines and assuring travelers that their privacy will be protected."
The seven-year deal "is automatically renewable," according to EU information, and either side can terminate the agreement "at any point in time."