As many readers will know, the EU has a range of Data Protection laws, all based on a common template; as is standard for EU directives, each member state enacts the rules somewhat differently. However, each places a set of restrictions on who can receive data and what they can do with it. For example, the person the data is about (the Data Subject) must typically be told the purpose(s) for which their data will be used, and when the data is no longer needed the organisation that collected it should delete it.
However, in the aftermath of 9/11 the US wanted a lot more information about people flying to the US. Airlines collect a lot of data about passengers during a booking, and through frequent flyer schemes know a lot more than you might think. (For example, during the merger of United and Continental, United is going to go back and recalculate the way Million Miler status is credited. For me they have to look at all my flights back to 1984 – can you imagine how much data that is?)
The US does not have comparably restrictive Data Protection laws, so there has been tension between the EU and US over Passenger Name Records (PNRs): what they should contain and what they can be used for.
Last week a little-noticed new version of the agreement was signed. The new agreement is enough of a concern that the European Data Protection Supervisor has complained about it. He raises several concerns which passengers really ought to know about. When your airline says it is passing your information to the Appropriate Authorities, this is what they mean:
- The data will be kept for 15 years
- The purposes for obtaining and keeping the data should be restricted to preventing terrorism or transnational crime
- Too much information is being passed to the US
- Data Subjects have inadequate rights
- The DHS plans to transfer this data to other US authorities, or to third countries, without appropriate data protection guarantees, and the third countries are not prevented from sharing the data further
My friend Chris Pounder has developed an excellent marked up version of the Agreement, with a commentary that any traveller bound for the US might find enlightening – http://amberhawk.typepad.com/files/eu-usa-pnr-deal-amberhawk-analysis.pdf I commend this as a read to take away with you for Christmas mileage runs.
Chris teaches Data Protection and has a keen interest in these areas. He has identified a number of significant issues which should concern travellers, in addition to those mentioned above:
- There is no requirement to follow data protection obligations – just an aspiration to do so.
- There is no definition of what ‘transnational crime’ means, and the agreement allows data sharing for things other than terrorism or transnational crime
- The Agreement allows for a review after 7 years of operation, which might allow the data retention period to be extended by a further 10 years
- The various data protection agencies in the EU have no authority or ability to advise on the Agreement
- No independent audit or reporting is planned, and no data will be published about how well (or otherwise) the agreement is working
- The EU Commission has acted to prevent this being discussed by the elected EU Parliament, where these types of agreement have had problems before
- Information about criminal convictions is typically treated as Sensitive Personal Data, for which a higher threshold for release is required. This is not the case with the Agreement, which allows information about even low-level criminal convictions to be shared between the EU and USA, even when these have nothing to do with terrorism or transnational crime
- Whilst the DHS will provide information about this agreement, they are only going to publish it in the Federal Register and on their web site, and report to Congress about it. They may ask air carriers to include information in the Contracts of Carriage (note: not at the point of ticket purchase)
All of this might seem academic, but the agreement covers more than just crime: for example, someone who has failed to pay child support and is planning a holiday in the US could be stopped under this agreement. If the DHS loses a laptop or memory stick holding all of this data, there is no requirement to tell anyone whose data has been lost. How much value would that have to identity thieves?
Hidden in Article 20 of the Agreement is a provision to weaken the data protection in the Agreement still further: the US wants future consultations on lowering the protection even more!