Privacy Concerns Surround PNR Deal

A new agreement between the United States and European Union that allows airlines to transmit European passenger name record information has drawn mixed reactions from business travel organizations and strong criticism from the official European data protection supervisor. The deal allows the United States to access fewer fields of PNR data than did a previously rejected agreement, but to keep it for a longer period of time.

U.S. Department of Homeland Security Secretary Michael Chertoff and Wolfgang Schäuble, minister of the interior for Germany-the country which held the Presidency of the Council of the European Union at the time-late last month signed a draft agreement that replaces a permanent agreement signed in 2004, which subsequently was deemed unlawful on technical grounds by the European Court of Justice, and a subsequent temporary deal that expires at the end of this month. The new agreement takes effect in August but may yet find more trouble, as some national parliaments in Europe have indicated they wish to scrutinize its detail.

The United States first moved to access PNR data from airlines shortly after 9/11. Since then, negotiations have been characterized by finding a balance between the U.S. wish for unfettered access to passenger information, citing security interests, and the EU's desire to maintain data-protection rights for its citizens. The latest agreement appears to be a compromise on both sides. The number of data fields from a PNR that the United States can access has been reduced from 34 to 19, but the amount of time DHS can hold the data has been raised from 3.5 years to 15 years. For the last eight years of that period, the data will be deemed 'dormant' and DHS said it would only access such records on a case-by-case basis.

The National Business Travel Association welcomed the new deal as a sensible compromise. "Three years of experience in using passenger data to protect international aviation while respecting the privacy of law-abiding travelers has built confidence in our security systems," said C. Stewart Verdery, former assistant secretary for Homeland Security, who negotiated the 2004 treaty and is now the lead government affairs consultant to NBTA.

However, EU European data protection supervisor Peter Hustinx criticized the agreement. In a letter to Schäuble, he wrote: "I have serious doubts whether the outcome of these negotiations will be fully compatible with European fundamental rights."

Hustinx outlined four "main areas of grave concern": the concept of dormant data being "without legal precedent," the lack of limitations of what U.S. authorities are allowed to do with the PNRs, "the absence of a robust legal mechanism that allows EU citizens to challenge misuse of their personal information" and the lack of a binding commitment by the United States to its assurances regarding data protection.

These criticisms were noted in the Association of Corporate Travel Executives' equivocal response to the agreement. "Being an international organization, it is ACTE's responsibility to be cognizant of both the security needs of the U.S. government and rights to privacy of European travelers," said global executive director Susan Gurley. "The reduction in number of required data fields now sought by the DHS from European travelers clearly indicates that 40 percent of previously collected information was unnecessary."

Gurley continued: "This is a victory for the European Union. ACTE has always maintained that security programs should be thoroughly thought out and tested before being implemented. However, it has come to our attention that EU data-protection experts have a number of concerns regarding the new agreement. ACTE believes these issues need to be properly addressed, or this will simply be one more agreement subject to contentious revision in a few years."
Sophia in't Veld, a member of the European Parliament who followed the negotiations closely, has also expressed doubts about the deal, alleging that the apparent reduction in the number of data fields has been achieved by merging fields. Among the fields retained are those that show the passenger's full itinerary plus contact and payment information.

The new agreement also includes a commitment by the United States to move by Jan. 1, 2008, to a system in which airlines push relevant data fields to DHS, rather than DHS pulling the information. There are no restrictions on the United States sharing the PNRs with third countries.

Meanwhile, European justice commissioner Franco Frattini announced last week that, in spite of unease in Europe over the issue, in October he will introduce proposals for an EU equivalent of the U.S. PNR collection program.
First mooted in August 2006, the plan will offer all member states "the possibility to establish a system," Frattini said. The commissioner added he will look for an obligation from all 27 EU states to join, otherwise it could "leave the front door open for dangerous people" if some member states opt out.