EU-US Airline Passenger Data Disclosure

• Latest News |
• Background |
• EPIC Resources |
• EDRi Campaign |
• News Items |
• Documents |
• Int'l Passenger Profiling Systems |
• Analysis | Previous News

Latest News

• Department of Homeland Security Releases 2014 Privacy Report: The Department of Homeland Security released the 2014 Privacy Office Annual Report to Congress. The report describes a joint review conducted with the European Commission regarding the transfer of EU Passenger Name Records to the US. The European Commission found the redress mechanisms were lacking for passengers denied boarding. The Commission also found that DHS would often review passenger records without a legal reason. The Annual Report describes the sixth Compliance Review of the department’s social media monitoring program. The review found that the DHS began collecting GPS and geo-location of Internet users without assessing or mitigating the privacy risks. In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. For more information, see EPIC: EU-US Airline Passenger Data Disclosure and EPIC: EPIC v. DHS - media monitoring. (Oct. 2, 2014)
• EU and US Groups Object to EU-US Passenger Data Agreement: Over 20 organizations in the EU and the US have sent an open letter to the European Parliament, opposing a new agreement that would allow European companies to transfer the personal data of European travelers to the United States government in apparent violation of the EU Data Protection Directive. The European Court of Justice struck down the original Passenger Name Record (PNR) agreement in 2006 after members of the European Parliament charged that there was no legal basis to disclose the data to the US. The revised agreement is still subject to approval by the Parliament, which has also gained new legal powers since the earlier dispute. For more information, see EPIC: EU-US Airline Passenger Data Disclosure, EPIC: Air Travel Privacy, EPIC: Passenger Profiling. (Dec. 5, 2011)
• EU Establishing a European System for the Exchange of Passenger Name Records
  The European Commission has unveiled a proposal to establish a passenger name records system similar to that of the US. The European PNR system would require PNR data for flights entering or departing the European Union. The data will be processed for the purpose of carrying out a risk assessment of passengers' "threat levels." (Nov. 6, 2007)
• European Council Adopts Passenger Name Records Agreement
  The European Council has adopted the EU-US agreement on the processing and transfer of passenger name records signed by the European Union this summer. (Aug. 4, 2007)
• EU Data Protection Supervisor Cites Grave Concerns Over New Passenger Name Records Agreement
  In a letter to the EU's Minister of the Interior, European Data Protection Supervisor Peter Hustinx outlined four areas of "grave concern" with the new EU-US passenger name record agreement: the lengthened retention period for PNRs, the US' use of letters to avoid a binding agreement, the lack of a "robust" system of redress, and the possibility of US data sharing between an undisclosed number of agencies. (Jun. 28, 2007)
• EU-US Reach New Passenger Name Records Agreement
  The EU and the US reached an agreement over the sharing of passenger name records. The new agreement reduces the 34 pieces of data on passengers now collected by US law enforcement authorities to 19 data fields, including name, contact data, payment details, and itinerary information. The agreement also extends access to PNR information to EU citizens consistent with the provisions in the US Privacy Act and the Freedom of Information Act. The agreement does not, however, go so far as to extend the full protections of the Privacy Act. In a letter attached to the agreement, the US states that the Department of Homeland Security "had made a policy decision to extend administrative Privacy Act protections to PNR data" of non-US citizens and that all individuals have access to the DHS' redress system developed for travelers. Finally, the US letter states that PNR data will be retained for a minimum of 15 years. (Jun. 28, 2007)
• EPIC Speaks Before European Parliament on Transatlantic Privacy
  EPIC Executive Director Marc Rotenberg appeared before the Committee on Civil Liberties, Justice and Home Affairs for a public seminar on transatlantic relations and data protection. The European Parliament is currently reviewing the transfer of travel, consumer, and financial information on European citizens to the United States government. The European institutions are concerned about the absence of adequate privacy protection for personal information. (Mar. 26, 2007)
• European Parliament Adopts Resolution on Passenger Name Records
  The European Parliament has adopted a Resolution on SWIFT, the PNR agreement and the transatlantic dialogue on these issues. The Resolution stresses that during the last few years several agreements on these issues, prompted by US requirements and adopted without any involvement of the European Parliament, have led to a situation of legal uncertainty with regard to the necessary data protection guarantees for data sharing and transfer between the EU and the US for the purposes of ensuring public security and, in particular, preventing and fighting terrorism. The Resolution calls for Parliamentary involvement in negotiation of a new PNR Agreement, and states that such Agreement should provide greater transparency and redress measures. (Feb. 8, 2007)
• Tensions Rise Between EU Parliament, Council and Commission on Passenger Data Debate
  In a joint debate of European Parliament, members stressed the need to negotiate a permanent agreement with the United States that provides strong privacy protections to European citizens. Without an agreement, air carriers would come under great pressure to continue transferring passenger data, for fear of losing their landing rights in the United States. The United States and the European Union will begin formal negotiations in March in an effort to reach a permanent agreement for the transfer of personal information on European travelers before the current temporary arrangement expires in July of 2007. (Feb. 1, 2007)
• Temporary Agreement Reached on Transfer of Passenger Data
  The United States and the European Union have established a temporary arrangement for the transfer of personal information on European travelers that will expire in July of 2007. An earlier agreement was annulled by the European Court of Justice. The new agreement gives the Europeans greater control over the disclosure of passenger data to the United States. However, it leaves unresolved whether the United States has adequate privacy protections to safeguard the private information of European consumers. For more information, see the EPIC pages on Air Travel Privacy and EU-US Airline Passenger Data Disclosure. (Oct. 6, 2006)
• US, Europeans Fail to Reach Accord on Passenger Data
  The European Union and the United States are in a "legal vacuum" three months after the European Court of Justice struck down the passenger name record deal that allowed the transfer of personal information on European travelers to the U.S. government. European airlines face lawsuits by European citizens for violating European privacy laws if the information is disclosed to the U.S. without a new agreement. European consumer organizations have called for strong safeguards for personal data. Officials say negotiations will continue. More information at EPIC pages on Air Travel Privacy and EU-US Airline Passenger Data Disclosure. (Oct. 3).
• European and US Consumer Groups Urge Privacy Safeguards for Air Travel Information. The Trans Atlantic Consumer Dialogue has written to Homeland Security Secretary Michael Chertoff and European Commissioner Franco Frattini recommending the establishment of legal protections for passenger information collected by the US government. The letter follows an earlier statement from TACD that identified numerous risks to consumers that would result from the disclosure of detailed personal information. The TACD letter responds to Secretary Chertoff's recent call for increased government snooping. EPIC has filed a Freedom of Information Act request with the Department of Homeland Security regarding the program and whether adequate privacy safeguards have been established. The European Court of Justice earlier held that there was no legal basis for the Homeland Security program. For more information, see EPIC's air travel privacy page. (Sept. 13)
• Senate Subcommittee Holds hearings on Airline Passenger Screening. On September 7, the Senate Subcommittee on Terrorism, Technology, and Homeland Security will hold a hearing on pre-screening international travelers who are flying into the United States. A Homeland Security program that acquired European passenger name records for pre-screening was opposed for its privacy violations by the European Parliament, and struck down by the European Court of Justice earlier this year. Homeland Security Secretary Chertoff has announced plans not only to revive the program, but also to expand certain aspects of it. For more information, see EPIC's Passenger Data page. (Sept. 5)
• DHS Seeks Expanded Access to Travelers' Data. The Department of Homeland Security recently proposed expanding a program that would transfer detailed airline passenger recordsbetween European airlines and the US government. In 2003, the Department secretly entered into an agreement with European governments to obtain personal information on European travelers to the United States. The European Parliament challenged the agreement and the European Court of Justice recently ruled that the agreement lacked a legal basis. Negotiators have until September 30 to come up with a program that complies with European privacy law. (Aug. 22)
• European Court Rejects Data Transfer to US. The European Court of Justice has just ruled that the 2004 airline passenger data transfer agreement (pdf) between the U.S. Department of Homeland Security and the European Union is to be voided after September 30, 2006. The Court held that the agreement was illegal because it exceeded the scope of the EU 1995 Directive on data protection, which excludes operations concerning public security, defense, state criminal law and state security. Since the framework for data transfer was dictated by public authorities, and amounted to processing operations concerning public security, the Court held that the Commission lacked legal competence under the Directive to address public and state security issues. Privacy International describes the holding as a "pyrrhic victory" because the Court ruled on the basis of legal authority, and did not address the privacy implications of the transfer of the personal data to the U.S. The European Data Protection Supervisor is concerned that the ruling has created a loophole because it is uncertain that the Directive protects data collected for commercial reasons but used for police matters. (May 30)
• European Court's Top Advisor Recommends Annulment of EU-US Passenger Data Deal
  The Advocate General of the European Court of Justice considers the May 2004 Passenger Name Records agreement between EU and US authorities to be without adequate legal basis, and has called for its annulment. Since 2004, airlines flying from the EU to the US have had to disclose their passengers' personal information, including e-mail and credit card details. The European Parliament complained with the Court later that year that the agreement did not sufficiently protect European travellers' privacy rights. The ruling of the Court, which follows its Advocate General's opinion in 80 % of the cases, may call other EU anti-terrorism measures into question, as a data retention proposal now for review before EU institutions is being carried out under the same legal basis as the PNR agreement. Full Text of Opinion (French, 4.52MB, pdf). (Nov. 30, 2005)
• Italian Data Protection Authority Secretary General Criticizes EU-US PNR Agreement. Giovanni Buttarelli, talking at EPIC's Freedom 2.0 conference, likened the agreement to a "stillborn child … imposed from above" because of a serious lack of institutional cooperation between the European authorities and the European Parliament - the EU's only elected body. Buttarelli criticized the agreement as entrusting technology and databases to solve problems that require instead wholly different and broad-minded approaches. He also made it clear that, while the agreement recognizes, on the one hand, the importance of fundamental rights and freedoms, it does not provide concrete safeguards for these rights. See
• "Promoting Freedom and Democracy: a European perspective". (May 21, 2004)
• European Commission Adopts Decision Recognizing Adequate Privacy Protections in EU-US Passenger Data Disclosures. In its Decision, the Commission considers that the data on air passengers transferred to US authorities enjoys the "adequate protection" required under the EU Data Protection Directive for data sent to countries outside the EU. The Decision will enter into force once the US signs its Undertakings and once the international agreement that will complement the Commission's adequacy finding has been signed by the Council of the EU and the US Department of Homeland Security. For the European Parliament, however, the Undertakings do not offer adequate protection. If the Council concludes the agreement, the Parliament has the option to seek the annulment of the international agreement, or of the adequacy finding, or both, before the Court of Justice of the European Communities. (May 17, 2004)
  

Background

The United States announced that by March 5, 2003 all international airlines had to provide the government full electronic access to detailed airline passenger data on all travelers contained in the airline's computer system. This passenger information includes among other things, name, address, flightnumber, credit card number, and choice of meal. European airlines and European officials are concerned that providing unfettered access to U.S. law enforcement authorities would violate their privacy laws and have been holding discussions with the U.S. to ensure that the privacy of their citizens is adequately protected. EPIC also submitted comments on the same issue concerning the collection of passenger information on U.S. Citizens and permanent residents and criticized the government for failing to fulfill its legal obligations under the Privacy Act (see comments (pdf)).

The European Data Protection law, which implements the framework of Fair Information Practices embodied in the Organization for Economic Cooperation and Development (OECD) 1980 Privacy Principles, allows law enforcement authorities access to passenger data only on a case-by-case basis based upon a particular suspicion. The law also requires that data collected for one purpose should not be used for another. For sensitive data such as religious, ethnic, or political affiliation there are even stricter safeguards on the use and disclosure of the information. The U.S. requirement would force European airlines to violate the Data Protection laws and therefore Europeans airlines have petitioned their governments to clarify the airlines obligations and responsibilities. European data protection authorities are also concerned about the protection of their citizens' privacy rights.

The United States and the Europeans are in the process of formulating an arrangement for the United States to obtain the passenger information while installing appropriate safeguards to protect the privacy of European citizens and to ensure that airlines comply with the data protection laws. On February 18, 2003 the European Commission brokered an interim arrangement where the Europeans agreed to not enforce their laws until a new agreement is reached. In exchange the U.S. offered some clarifications about how they would handle the data. EPIC argues that this interim solution violates EU data protection laws and the agreement itself is flawed because the European Commission is not in a position to act for data protection authorities (see our analysis for more information).

As the discussion between the Europeans and the United States moves forward the following legal and policy considerations need to be considered in any permanent arrangement:

• Why does United States law enforcement require access to the airline systems?
• Which agencies (including intelligence agencies) will have access to the passenger data?
• What purposes could the data be used for? What limitations will there be on the purposes for the data?
• What will be the conditions and limits on data disclosure and transfer?
• How will the data be protected from unauthorized access?
• What will be the oversight mechanisms to ensure compliance with the agreement?
• How long will the data be retained?

EPIC Resources

• EPIC's Air Travel Privacy page
• EPIC's Passenger Profiling page
• EPIC's Total Information Awareness page
• EPIC's International Data Retention page
• Allison Knight, EPIC Staff Counsel, Push and Pull: Negotiating the Transfer of Passenger Name Record Information (Eye on Privacy, Ontario Bar Association, April 2007).
  

EDRi Campaign Against Illegal Transfer of European Passenger Data to the US

• EDRi startet Kampagne gegen die Übermittlung von Flugdaten. Das virtuelle Datenschutzbüro, May 12, 2003.
• Die Flugdaten Affäre. Das virtuelle Datenschutzbüro, May 12, 2003.
• France 2 (French TV) News Report. May 10, 2003 (RealOne needed).
• Volez tranquille, vous êtes fliqués. Libération, May 9, 2003.
• Un dossier bien rempli. Libération, May 9, 2003.
• Press conference at the European Parliament promoted by Marco Cappato (MEP, Radicals) and European Digital Rights: "Presentation of the campaign against the illegal transfer of European travellers' data to the USA (pdf)," May 8, 2003.
• Comment les Etats-Unis vont surveiller et ficher tous les passagers. AirInfos.com, May 7, 2003.
• US unable to appease EU worries on data transfers. EU Observer, May 7, 2003.
• Groups: Passenger data is flying to U.S. against EU laws. IDG News Service, May 6, 2003.

News Items

• Giving airline data to US illegal: EU court adviser, Reuters, November 22, 2005.
• Europe bows to U.S. on air passenger data, International Herald Tribune, May 18, 2004.
• Ministers thwart MEPs, OK EU-US airline data deal, The Register, May 18, 2004.
• EU adopts passenger data accord with US, Financial Times, May 17, 2004.
• MEPs snubbed as EU-US air data deal done, EUPolitix.com, May 17, 2004.
• Controversial air data transfer deal gets go-ahead , EUObserver.com, May 17, 2004.
• Europe, U.S. To Share Airline Data, Washington Post, May 17, 2004.
• EU Agrees to Swap Information On Airline Passengers With U.S., Washington Post, May 14, 2004.
• EU set to go ahead with disputed US airline data transfer, EUObserver, May 12, 2004.
• MEPs reject new vote on EU-US air data deal, EUPolitix.com, May 4, 2004.
• Europe Parliament to Vote on EU-U.S. Deal, The Guardian, May 4, 2004.
• MEPs forced to vote on EU-US air data deal - again, EUPolitix.com, April 30, 2004.
• Europeans Seek Court Review of Data-Sharing Plan, Washington Post, April 22, 2004.
• Parliament takes Commission to Court over passenger data, Euractiv.com, April 22, 2004.
• Europe Asks Court to Rule on Air Security Pact, New York Times, April 22, 2004.
• Air data D-day on April 15, EUPolitix.com, April 7, 2004.
• European parliament opposes US data deal, Financial Times, April 1, 2004.
• Data-Sharing Fails European Vote, Washington Post, April 1, 2004.
• EU threatens lawsuit on U.S. air data, CNN.com, April 1, 2004.
• Europe rebuffs US flight info data grab, The Register, April 1, 2004.
• E.U.-U.S. Airline Pact In Trouble, CBS News, March 31, 2004.
• MEPs threaten court action over data transfer to US, EUObserver, March 31, 2004.
• Airlines press EU to resolve rift with US on data, Reuters, March 31, 2004.
• EU parliament rejects post-9/11 passenger data deal with US, EUBusiness.com, March 31, 2004.
• MEPs defy air passenger data deal, EUPolitix.com, March 31, 2004.
• Brussels 'flagrantly breached' EU privacy law, Europolitix.com, March 9, 2004.
• "EU Commission plots global travel surveillance system" The Register, February 4, 2004.
• Europe, U.S. Near Accord On Passenger Information. Washington Post, December 2, 2003.
• No air data deal. Europolitix.com, Nov. 26, 2003.
• US sees EU deal on air passenger data by year-end. Reuters, Nov. 24, 2003.
• Air privacy deal 'unthinkable" within EU law. Europolitix.com, Nov. 24, 2003.
• Air data D-Day looms. Europolitix.com, Nov. 20, 2003.
• 'Paranoid' US security push threatens future of transatlantic flights. Sunday Herald, Nov. 16, 2003.
• MEPs and US officials discuss exchange of airline passenger data. EP Press Release, Brussels, May 8, 2003.
• US unable to appease EU worries on data transfers. EU Observer, May 7, 2003.
• Groups: Passenger data is flying to U.S. against EU laws. IDG News Service, May 6, 2003.
• Trading Freedom for Security. The New American Magazine, May 5, 2003.
• This week in the European Union. EU Observer, Belgium, May 4, 2003.
• EU must guard against security.EUobserver.com, April 14, 2003.
• EU scheint machtlos in Flugdaten-Affäre. Heise Online, March 27, 2003.
• European Parliament News report, March 26, 2003.
• Decimated airlines seek solution to passenger data feud. EUobserver.com, March 26, 2003.
• Passenger-Screening Plan Assailed: EU, Budget Office Among Those Saying System Is Not Ready. Washington Post, March 26, 2003.
• Etienne Wery, "Vous voyagez vers les USA ? Merci de laisser votre vie privée au guichet d'enregistrement," March 24, 2003.
• US Zoll greift auf persönliche Daten zu. Spiegel Online, March 21, 2003.
• EU lawmakers assail data-sharing plan. The International Herald Tribune, March 14, 2003.
• Parliament defends data protection rights. Official Press Release of the EP, March 13, 2003.
• Passenger data split looms with US. Financial Times, March 13, 2003.
• EU parliament wants to suspend passenger data transfer to US. AFP, March 13, 2003.
• Les Américains obtiennent l'accès aux fichiers des vols européens. Le Monde, March 12, 2003.
• EU: Brussels Grants US Access To Trans-Atlantic Passenger Data. Radio Free Europe, March 6, 2003.
• US and EU start sharing fliers' data. International Herald Tribune, March 6, 2003.
• Travel Industry and Privacy Groups Object to Screening Plan for Airline Passengers. New York Times, March 6, 2003.
• Swiss passengers spared scrutiny - for now. Swissinfo, March 5, 2003.
• EU Secures Privacy Protection for European Passengers. ABC News, March 5, 2003.
• Budget crunch doesn't keep TSA from playing its cards. Government Computer News (GCN.com), March 5, 2003.
• European Feb airline data seen anticipating war. Forbes, March 4, 2003.
• Government: Airline credit screening hasn't begun yet. Minneapolis Star Tribune, March 4, 2003.
• TSA Launches New Data Mining Pilot Program. InternetNews.com, March 4, 2003.
• Poetic Licence: CAPPS II system will create a government blacklist of Americans. Daily Times (Pakistan), March 3, 2003.
• EU data protection chair calls for postponement. Statewatch, March 3, 2003.
• Customs to seek passenger data from incoming airlines. Travelbiz.com, Australia, March 2, 2003.
• EU-Flugdaten für die NSA. ORF, February 24, 2003.
• Civil liberties groups critical of data deal on flights to US. Irish Times, February 21, 2003.
• Weitergabe von Fluggastdaten nach USA. ARGE Daten, February 21, 2003.
• EU Agrees to Give Passenger Data to U.S. ABC News, February 19, 2003.

Relevant Documents

• Full text of the European Data Protection Directive 95/46/EG.
• Article 29 Data Protection Working Party, Working Document (WP 49) on IATA Recommended Practice 1774 Protection for privacy and transborder data flows of personal data used in international air transport of passengers and of cargo (pdf) (Sept. 14, 2001).
• Article 29 Data Protection Working Party, Opinion 6/2002 (WP 66) on transmission of Passenger Manifest Information and other data from Airlines to the United States (pdf) (Oct. 24, 2002).
• Examples of PNR data:
  • Example 1, from Amadeus CRS.
• EU/US Joint Statement of February 17-18, 2003
• Letter of the Chairman of the EC Article 29 Working Party (March 3, 2003) (pdf)
• EPIC's comments on Aviation Security Screening Records (Feb. 24, 2003).
• Results of talks on 4 March 2003 between the European Commission and US Customs and Border Protection (CBP) with regard to Passenger Name Record (PNR) sensitive data (March 4, 2003).
• European Parliament, Resolution on transfer of personal data by airlines in the case of transatlantic flights (March 13, 2003).
• Official EU FAQ list on Airline passenger data transfers from the EU to the United States (March 12, 2003).
• 1st Speech by Frits Bolkestein (Member of the European Commission in charge of the Internal Market and Taxation) on "Airline passenger data transfers from the EU to the United States," to the European Parliament (March 12, 2003).
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE Committee), Public Seminar on "Data Protection since 11 September 2001: What Strategy for Europe?" (March 25, 2003):
  • EPIC's statement (pdf)
  • Other contributions
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE Committee), Analysis of US legal background for passenger data requests (pdf)
• "Watch list" documents released by the Transportation Security Administration in response to EPIC's Freedom of Information lawsuit. Includes some analysis (April 2003).
• The Balance between Freedom and Security (pdf), analyses provided by European Human Rights Experts group CFR-CDF (April 2003).
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs's Public Hearing on the disclosure of passenger data to the United States (May 6, 2003):
  • Prepared statements by Deputy Commissioner of Customs and Border Protection Douglas M. Browning, and by Steve McHale, Deputy Administrator of the Transportation Security Administration.
  • Prepared statement (pdf) by Nuala O'Connor Kelly, Chief Privacy Officer, U.S. Department of Homeland Security.
  • Minutes from the hearing.
• US Government, Undertakings of the United States Bureau of Customs and Border Protection and the United States Transportation Security Administration (1st version) (May 22, 2003).
• Article 29 Data Protection Working Party, Opinion 4/2003 (WP 78) on the Level of Protection ensured in the United States for the Transfer of Passengers' Data (pdf) (June 13, 2003).
• 2nd speech by Frits Bolkestein (Member of the European Commission in charge of the Internal Market and Taxation): Address to the European Parliament Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE Committee) (Brussels, Sept. 9, 2003). Also available here (pdf).
• Resolution concerning the Transfers of Passengers' Data, 25th International Conference of Data Protection & Privacy Commissioners, Sydney (12 September 2003).
• Speech by Stefano Rodota (Chair of the Article 29 Data Protection Working Party) to the European Parliament's Committee on Citizens' Freedoms and Rights (LIBE Committee) (Nov. 25, 2003).
• 3rd speech by Frits Bolkestein: Address to the European Parliament Committee on Citizens' Freedoms and Rights, Justice and Home Affairs and Legal Affairs and the Internal Market Brussels (Dec. 1st, 2003).
• European Commission, Communication from the Commission to the Council and the Parliament: Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach (Dec. 16, 2003).
• Letter from Commissioner Bolkestein to US Secretary Tom Ridge, Department of Homeland Security (Dec. 18, 2003).
• Article 29 Data Protection Working Party, Opinion 2/2004 (WP 87) on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (US CBP) (includes the 2nd version of the US Government Undertakings) (pdf) (Jan. 29, 2004).
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, Report on the First Report on the implementation of the Data Protection Directive (95/46/EC) (pdf) (Feb. 24, 2004).
• Privacy International, Transferring Privacy: The Transfer of Passenger Records and the Abdication of Privacy Protection (Feb. 2004).
• European Commission, Proposal for a Council Decision on the conclusion of an Agreement between the European Community and the United States of America on the processing and the transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (March 17, 2004).
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, Motion for a Resolution on the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection (PE 339.611) (March 19, 2004). (Outline: Statewatch.)
  • Amendments to the Resolution of March 19, 2004 (March 25, 2004).
• European Commission, Draft Decision on the adequate protection of personal data contained in the PNR of air passengers transferred to the United States' Bureau of Customs and Border Protection (including the 2nd version of the US Undertakings) (March 31, 2004).
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, European Parliament Resolution on the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection (PE 344.133) (March 31, 2004).
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, Report on the initiative of the Kingdom of Spain with a view to the adoption of a Council directive on the obligation of carriers to communicate passenger data (March 19, 2004).
• European Parliament, Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, Draft European Parliament legislative resolution on the proposal for a Council decision on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection (April 7, 2004).
• Remarks by Department of Homeland Security Secretary Tom Ridge and European Union Commissioner of Justice and Home Affairs Antonio Vitorino, Ridge, EU Officials Discuss Passenger Data, Aviation Security (May 10, 2004).
• European Commission, Decision on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States' Bureau of Customs and Border Protection (including the 3rd version of the US Government Undertakings) (May 14, 2004).
• US Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP) (3rd and final version) (May 14, 2004)
• European Commission, Commission secures guarantees for protecting personal data of transatlantic air passengers (May 17, 2004).
• Privacy International, Transferring Privacy and Inadequate Adequacy - Commission Fails in 'Negotiations,' (May 2004).
• Opinion of the Advocate General in cases C-317/04, C-318/04 Parliament / Council - European Court of Justice press release (pdf)

International passenger prescreening systems

• Proposal (pdf) for a Council Decision on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information (API)/Passenger Name Record (PNR) data, May 19, 2005 COM(2005) 200 final, 2005/0095 (CNS).

• European Union

  • Working Party on Aviation of the Council of the European Union, Working paper on An International Framework for the Transfer of Passenger Name Record (PNR) Data to Public Authorities - submission of a working paper to the ICAO (International Civil Aviation Organisation) (pdf), (Feb. 13, 2004). Outline.

  • Council of the European Union, Draft Council Directive on the obligation of carriers to communicate passenger data (March 23, 2004).

  • Council of the European Union, Directive on the obligation of carriers to communicate passenger data (April 27, 2004).

• Canada

  • International Air Transport Association (IATA), Working paper on the Canadian Advance Passenger Information Program (pdf) (Dec. 11, 2003).
  • Article 29 Data Protection Working Party:
    • Opinion 3/2004 (WP 88) on the level of protection ensured in Canada for the transmission of Passenger Name Records and Advanced Passenger Information from airlines (pdf) (Feb. 11, 2004).
    • Opinion 1/2005 (WP 103) on the level of protection ensured in Canada for the transmission of Passenger Name Record and Advance Passenger Information from airlines (pdf) (Jan. 19, 2005).

• Australia

  • Article 29 Data Protection Working Party, Opinion 1/2004 on the level of protection ensured in Australia for the transmission of Passenger Name Record data from airlines (pdf) (Jan. 16, 2004).

• New Zealand

  • International Air Transport Association (IATA), Working Paper on the Introduction of Advance Passenger Screening (APS) in New Zealand, (March 20, 2004).

• International organizations

  • International Air Transport Association (IATA), Working Paper on Airline Reservation System and Passenger Name Record (PNR) Access by States (pdf) (March 15, 2004).

Full Analysis

On November 19, 2001, the United States adopted the Aviation and Transportation Security Act. which requires airlines flying into the United States to disclose to the Commissioner of Customs data relating to passengers and cabin crew ("Passenger Manifest Information"). The transfers must be completed before the plane takes off, or at the latest 15 minutes after departure. As soon as the data arrive at the US Customs, the US Customs and all US federal agencies would have access to these data.

On May 14, 2002, the US adopted another law to enhance border security that requires airlines arriving and departing from the United States to transmit data relating to passengers and crew to US Immigration and Naturalization Service. (see: Article 29 Working Party's Opinion Nr. 66 of October 24, 2002 (pdf)) It stipulates that all data must be transmitted to a centralized database, known as Interagency Border Inspection System ("IBIS"), and will also be shared with other federal agencies.

Requested data (PNR, APIS and DCS)

Through the Advanced Passenger Information System ("APIS"), the US agencies will request the name, the date of birth, the nationality, the sex, passport number and place of issue, foreign registration number (if applicable), address in the United States during the stay and any other data deemed necessary to identify the persons traveling.

In addition, the US requires to get information collected by the reservation and departure control systems ("DCS"), which is connected to the Passenger Name Record System ("PNR"). (Example of PNR.) Because this system contains all passenger data of the whole airline company, the system is not restricted to a specific flight. Thus, allowing full access to the DCS and PNR means that the US Customs would have also full access also to the data of passengers not flying from or in the United States. The momentary PNR file contains information provided to the moment of the reservation, intended to ensure the associated transport and services, and which the travel agencies, the companies or the luggage handlers reach. It can contain up to sixty fields, according to the companies and their level of service: identity of the traveller, health, paid price, banking co-ordinates, telephone number of a person to be contacted in the event of problem, place of lodging in the country of destination, name of people with whom the person travels. In certain cases it might contain the history of the preceding voyages and the choice of meal. A passenger, usually, may choose "no pref, baby, child, pure vegetarian, vegetarian (lacto), fruit, raw, seafood, high fiber, diabetic, low calorie, low fat/low cholesterol, low protein, low sodium, no lactose, Asian vegetarian, Asian, Hindu, kosher, Musli, Bland." The specifications "Asian vegetarian, Asian, Hindu, kosher, Musli, Bland" make obvious that these data must be regarded as a category of "special sensitive data" because they could reveal the religious or ethnic background of the passenger.

Legal Analysis

These requests interfere with the European Data Protection Directive (95/46/EC), the "directive."

The Directive applies when data of identified or identifiable physical persons ("personal data") are processed ("Any operation which is performed upon personal data whether or not by automatic means, such as collection, recording, organization, disclosure, collected, stored or disclosed" (see full definition in Article 2 (b)). It imposes, in general, strict requirements on data processing. This means mainly that every data processing must be made with a specific, explicit and legitimate purpose (Article 6 (1)(b)), which is mostly the fulfillment of contractual obligations. For example an online bookstore may collect a client's address in order to be able to deliver the books. In addition, the data collection must be adequate, relevant and not excessive in relation to the purposes for which the data are collected and/or for which they are further processed (Article 6 (1)(c)). Referring to the previous example, an excessive data collection would be the request of the bookstore to receive not only the client's address but also his telephone number. Further, data must be accurate, kept up to date and generally only stored as long it is necessary for the given purpose (Article 6 (1)(d) and (e)). Finally, there are several other requirements such as the right to know if data is being processed, what kind of purpose etc. (see Articles 10 and 11) or the right of access (Article 12).

National Security Exemption Clause

However, there are narrowly interpreted exemptions, such as in Article 13 to the general data processing obligations mentioned above. Article 13 stipulates that the European Member States may restrict the scope of the obligations in the mentioned articles when such a restriction constitutes a necessary measure to safeguard national security, defense, public security, prosecution of criminal offences or other purposes not related to the US request, see: Article 29 Working Party's Opinion Nr. 66 of October 24, 2002 (pdf)

The words "necessary measure" make it clear that these exemptions are restricted only for specific investigations. Therefore, the exemption rule of Article 13 cannot justifiably be invoked to restrict the obligations of the Directive where the transfer is systematic as it is foreseen by the US Customs. Since Article 13 requires a case by case request, the systematic general US request does not comply with it.

Rule of data limiting to the original purpose

The US requests for data access also conflict with the general data quality principle of Article 6 (1)(b) of the Directive which stipulates that the data controller ("natural or legal person, public authority, agency or any other body which determines the purposes an means of the processing of personal data") can process personal data only as long it is compatible with the original purpose for which the data have been collected for. Under this scope the transfer of personal data to US government agencies can hardly be seen as a fulfillment of the contractual obligations of the airlines or travel agencies vis-à-vis their passengers (see Working Party's Opinion WP 66). In other words, the airlines collect data from the passenger primarily to deliver a service, including providing tickets and serving food. The airlines did not originally intend to collect data to transfer them to US Customs. The necessity of the transfer to fulfill a contract between the data subject and the data controller cannot expand the purpose for which the data were originally collected. The "physical impossibility" for the airlines to fulfill their contractual obligations, is usually regarded as an insufficient ground to expand the original purpose collecting passenger data (see Working Party's Opinion WP 66).

At any rate Article 6 cannot apply to cover the transfer of data related to persons not traveling to the US.

Transfer to "Third States"

In addition, the Directive prohibits, in general, any transfer of personal data to "third countries" (non-EU countries) if these countries do not provide an adequate level of data protection. Article 25 clarifies the definition of an "adequate level" of safeguards. The US is considered such a third country, since it does not offer any safeguards for the protection of personal data equivalent to the one provided by the Directive (see: Working Party's Opinion 1/99). Thus, even if one may argue that the requested transfer were compatible with the contractual purpose of the airlines (relying on the argument that, without the transmission, the airlines would simply not be able to carry their passenger to the US), the transfer would generally be prohibited, because of the US' lack of adequate safeguards. This prohibition could only be circumvented when the airlines get an "unambiguous" consent from their passenger for this specific disclosure (see Article 26). This means, pursuant to the Directive, a "freely given specific and informed indication of a person's wish." The information provided to the data subject must include the identity of the US Agency, the purpose of this request and a notification that the data will be transferred to a country that does not offer adequate privacy safeguards (Articles 10 und 11 of the Directive).

The other exemptions of the third country prohibition listed in Article 26 do not apply. There is neither a proof that the transmission of the specific data is necessary to safeguarding important public interests, nor that the transmission is necessary in order to protect the vital interests of the passengers.

EPIC's most important concerns and recommendations:

1. There is no legitimate reason for requesting data of passengers not traveling to the United States. The US is trying to use its political power to force airlines to get data of persons the US should have no concern with. If the US needs specific information about other persons, the US could contact the competent foreign law enforcement authorities such as Europol. Airlines should not play the role of intermediaries for US agencies.
   
   So far, there exist no obligations under international law to provide the US with passengers data. The US request for passenger data might even violate international economic and trade agreements (Austrian Data Protection Organization, ARGE DATEN). Thus, it should be up to the US to introduce its own controls for passengers traveling to the US.
2. The Directive prohibits any processing of sensitive data such as the information of choice of meal which can reveal religious or ethnic or medical data without explicit consent or substantial public interest. Thus, any agreement must exclude these data as long there is no specific purpose showed.

Recent Developments

THE JOINT STATEMENT OF FEBRUARY 17/18, 2003

In January the European Commission opened talks with the US Customs. Recently, on February 17-18, 2003, both sides came to an interim arrangement, the "Statement of the European Commission/US Customs Talks".

The joint statement made address privacy concerns covering the period from March 5 (when the US Customs will start requesting passengers' data) until the European Commission makes a final decision pursuant to Article 25 (6).

During this period the Commission urges the Member States not to take enforcement actions against airlines complying with US government's requirements even if the transfer of data clearly violates the Directive.

The Joint Statement mainly provides that:

1. Compliance by airlines and reservation systems with US PNR requirements will not involve unlimited on-line access by US Customs to EU-based data bases, but rather the processing of PNR data for persons whose current travel itinerary includes flights into, out of, or through the US.
2. US Customs undertakes to respect the principles of the Data Protection Directive when accessing PNR data in the territory of the Community.
3. US Customs develops in accordance with the EU applicable law measures to protect "sensitive" data.
4. European Data subjects may request the US Customs for disclosure of data under the American Freedom of Information Act (FOIA).
5. There will be further discussions on a regular basis between US Customs and the European Commission about implementation of this statement and possible enhancement.
6. US Customs may provide information to other US law enforcement authorities, who specifically request PNR information, only for purposes of preventing and combating terrorism and other serious criminal offenses.
7. Both sides agree to work together towards a bilateral arrangement, that, in the end, would define the purposes for which the data will be used. It would contain a limitation of use to these purposes; conditions and limits of data disclosure and onward transfer; protection of data from unauthorized access; duration and conditions of data storage, additional measures for the protection of sensitive data; remedies for passengers, including possibilities to review and correct data held by US Customs; reciprocity.

Analysis of the Joint Statement:
In response to point 1.:
The promise not to allow full access appears to be a big step towards a better privacy protection. But, as it is stated in the ANNEX of the Joint Statement, the US Customs are entitled by legal statute (49 U.S.C. 44909 (c) (3)) to have full access to air carriers operating passenger flights in foreign air transportation to, from or through the United States. Therefore it will be crucial that the access will be technically limited to the data referred to in this statement. Otherwise, all data, even all data of passengers not flying to or from the United States would be accessible to the US Customs. This would raise the issue of what the US Customs may do with other passengers?data and how the US Customs could be subject to control and oversight.

To 2.): The US Customs' promises to abide by the Directive's principles when accessing PNR can hardly be fulfilled. The agency by being entitled to look at every passenger data without having to justify of any specific purpose infringes Article 6 of the Directive. It does not respect the narrowly interpreted "national security" clause of Article 13, it does not limit the transfer to third entities (see below) and does not give access to the data subject . Finally, since the US Privacy Act does not apply to non US citizens, how will the US Customs ensure to respect the principle of the Directive?

To 4.): Europeans do not have the same rights under the FOIA as Americans have. Further, it is unclear, whether data subjects may request data in every cases, because the US Customs is stating only two paragraphs later in the Annex that it will regard the PNR data as exempted from FOIA.

To 6.): The limitation processing data to other US law enforcement authorities has to be seen as a significant step towards more data protection. The Annex clearly stipulates that other US federal, local agencies and law enforcement entities have no direct access to the US Customs data. This promise offers much more security than for other data. However, the purpose of requesting data is not limited to the investigation and prevention of terrorism, but to all "serious criminal offenses." Therefore the allegation remains that the US is using foreign private companies as data collectors for law enforcement purposes. This is a perfidious way to circumvent the higher requirements European law enforcement agencies have to follow before disclosing law enforcement relevant data to the US.

The implementation of the Joint Statement:

In addition to the aforementioned issues with the Directive principles by the US Customs, the implementation of the Joint Statement itself is legally insecure. The EU Commission urged, in return to the promises given by the US, the national data protection authorities not to take enforcement actions against airlines complying with the US requirements after March 5, 2003.

"In view of the above process, the Commission side considered that EU data protection authorities may not find it necessary to take enforcement actions against airlines complying with US requirements." (Joint Statement of 17-18 February)

This behavior of the Commission is unique as it urges national authority to violate their national law. See Mr. Rodota's comment (pdf).

The Commission is "not legally in a position to convene, even for reasons of urgency, prior to the very close deadline of March 5, 2003 - when the APIS/PNR legislation is expected to take effect . . . In fact, national data protection supervisory authorities and judicial authorities of Member States are not free to apply or not national laws merely on the basis of the relevant advisability, and it has not yet been clarified how the Joint Statement might provide a sound legal base to justify an exception to that rule," Mr. Rodota concluded.

In addition, even the procedure considered in the Joint Statement for the period running after March 5 is legally questionable. The EC Commission promised to make a decision under the exemption clause of Article 25 (6) of the Directive to give the data access a strong legal basis.

The European Commission exemption clause Article 25 Section 6

Article 25 Section 6 of the Directive opens up the strict regime of the Directive for decisions given by the EC Commission stating that a specific third country ensures an adequate level of protection. In this case, all Member States shall take the measures necessary to comply with the Commission's decision. According to Article 25 Section 2, the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer. Although Section 2 gives further instructions for this consideration, the final decision allows a broad discretion to the Commission.

Thus, the EC Commission pursues to declare the requested access of the US Customs with the given promises of data protection as consistent with the adequate level clause of Article 25.

Still, this way would be very disputable for of the following reasons:

1. The Directive mainly applies to the collection of data among individuals and companies or among companies and themselves, but not among law enforcement agencies (see Article 3 "Scope" of the Directive which stipulates that the Directive shall not apply to the processing of personal data in any case to processing operations concerning public security, defense, State security). Therefore, in general, Article 25, which contains the assurance that personal data transferred to companies located in other countries meet the same level of data protection as within the EU, does not apply to data sharing between public law enforcement agencies and individuals or companies. The requested access is therefore not a matter of the regulation of data flow among companies for which the EU is solely competent for. It is a matter of cooperation with foreign law enforcement agencies which mainly still remains in the sole competence of the European Member States. As an illustration, one could have a closer look at what airlines have to do in order to fulfill the US Customs' request. They are transferring data not for their own contractual purpose but solely at US government's request. The US could ask every passenger for the same data on their own. Instead of this, the US Customs force private companies to do so. Therefore it does not appear an exaggeration to conceive the airline companies as agencies of the US Customs.
2. But, even if Art 25 Section 6 would in general apply, access to data for US Customs would still violate the principles of the "limitation of the purpose" as it is set forth in Article 6 (see above) of the Directive. The airlines did not originally collect data with the purpose of transferring them to US Customs and there is no specific freely given consent by passengers (see Legal Analysis).

Previous News

• EP Wants to Check Legality of EU-US PNR Deal. The European Parliament has decided to submit the recent passenger data agreement between the European Commission and the Department of Homeland Security to the European Court of Justice to examine whether it violates European data protection legislation and whether the Parliament's assent is necessary for the agreement to enter into force on the grounds that it modifies the EU Data Protection Directive. The vote comes as new questions arise over the U.S.'s sharing of information on EU passengers with other countries. (April 21, 2004)
• Two EP Committees Have Rejected the EU-US PNR Deal. In a legislative resolution, EP committee members have rejected the conclusion of the transatlantic agreement and called on the Council of the EU to refrain from concluding it until the Court of Justice has delivered its opinion on the compatibility with the Treaty of the EU. A vote in plenary session of the Parliament is expected around April 19-22. (April 7, 2004)
• EP Urged European Court of Justice to Check Legality of EU-US PNR Agreement. In a resolution, the European Parliament has reserved the right to bring an action before the Court of Justice of the European Communities to determine whether the PNR agreement violates EU data protection laws, should the European Commission and the Council of the EU decide to conclude the agreement without taking the EP's non-binding opinion into account. The EP's action would have the Court verify the legality of the projected international agreement, and in particular, check its compatibility with the protection of the fundamental right to privacy as protected by the European Convention for the Protection of Human Rights and Fundamental Freedoms, as well as determine whether the EU-US agreement has to be submitted to a binding, instead of consultative, EP vote. (March 31, 2004)
• EP Sends Passenger Data Negotiators to the Drawing Board. The European Parliament has voted today on a resolution that criticizes the draft of the Commission's adequacy decision on the disclosure of passenger name records (PNR) of travelers flying to the US. The Members of the EP have called for more privacy protections for air passengers, have threatened to appeal to the European Court of Justice for violation of EU data protection laws, and have urged the European Commission to reach a more appropriate international agreement with the US. (March 31, 2004)
• EP Committee Rejects EU Council's Proposal of Directive on PNR. The Committee on Citizens' Freedoms and Rights, Justice and Home Affairs has rejected an EU Council's draft Directive on the obligation of carriers to communicate passenger data that the Spanish government put forward in March 2003 that would require airlines operating within the EU to provide passenger data to governments in the EU country of arrival. The EP will vote in this issue around April 19-22 during its next plenary session. (March 19, 2004)
• US, EU Reach Deal on Passenger Data Transfer. The European Commission has temporarily agreed to provide the United States with information on its airline passengers traveling to the U.S. The agreement comes after a year of negotiations in which the U.S. has sought expansive access to EU passenger information. The agreement may still violate European privacy laws and faces opposition from the European Parliament. (Dec. 17, 2003)
• Data Commissioners Call for Passenger Data Protection. A resolution was passed at the International Conference of Data Protection and Privacy Commissioners last week in Sydney, calling for "an international agreement stipulating adequate data protection requirements, including clear purpose limitation, adequate and non-excessive data collection, limited data retention time, information provision to data subjects, the assurance of data subject rights and independent supervision." The resolution supports the current stance of the EU, which has rejected U.S. requests to transfer European passenger data until more stringent privacy safeguards are in place. (Sept. 18, 2003)
• European Commission Rejects US Demand for Passenger Info. The European Commission rejected U.S. demands for airlines to reveal passenger information as the anti-terrorism measure could breach EU privacy rules. A spokesman for the EU executive said Washington had failed to give binding commitments that personal data could not be abused in ways that might break EU laws on confidentiality. (Sept. 2, 2003)
• European Campaign Against US Profiling. European Digital Rights (EDRi), a coalition of privacy and civil liberties organizations, has kicked off a campaign against the illegal transfer of European air passenger data to the United States. In a hearing yesterday before the European Parliament, Homeland Security Department representatives testified about their concerns for privacy (pdf), but did not provide clear answers to many questions from Members of Parliament. (May 7, 2003)
• Europe and US Negotiate Passenger Record Access Changes. According to the data protection office of European airline carrier Lufthansa, the ongoing discussion between the European Commission and the U.S. Bureau of Customs and Border Protection (CBP) on air passenger profiling seems to have resulted in a so-called "push solution" to restrict the threat to European passengers' privacy. The push solution would call for airlines to create a back-up copy of passenger data stored in their PNR (passenger name record) system 24 hours before departure. This would allow airlines to filter out data that CBP did not specifically request, or sensitive data that is specially protected under the European Data Protection Directive. The data would then be transferred to CBP, instead of allowing them full and direct access to the databases, which they currently have. However, this would impose high costs for the airlines that CBP does not want to pay. In addition, the solution does not address the fact that CBP is asking for data that are originally collected for business and not for law enforcement purposes. The Joint Statement of February 17-18, 2003, which allowed CBP full access to airline databases, stipulated that the US and EU undertake further talks in order to stop the ongoing violation of the European Data Protection Directive (see full analysis) caused by the US' request for passenger data. (May 5, 2003)
• European Airlines Check US No Fly List. EPIC uncovered government documents showing that the Transportation Security Administration maintains two watch lists, against which European and other airlines flying to, from, or within the United States check their passenger names. One is a "no-fly" list; the other is a list of people who are to receive additional searching at security. The passenger names are approved for list inclusion on the basis of secret criteria, and the information is supplied by intelligence agencies. Documents obtained by EPIC show that there are many complaints from passengers who were mistakenly identified as being on the list. The documents do not show that the agency has any due process rights for suspected passengers, nor an easy method for individuals to take their names off the lists. The problems in implementing these watch lists uncover new threats to European citizens' data processed under the EU US Joint Statement of February 17-18th, 2003. For more information, see EPIC's analysis. (Apr. 4, 2003)
• Spain Proposes Passenger Profiling Scheme. In response to the United States' recent request for access to European airline passenger data, Spain has proposed a new European directive (pdf) that would require air carriers and shipping companies to collect data on all passengers. The companies would then have to send this data to law enforcement agencies in the appropriate destination country, and would also be asked to investigate all foreign nationals who fail to leave the EU on the scheduled date of their return flight. EPIC argues that these requirements not only violate European data protection law; they also pose a threat to the privacy of American citizens. (Mach. 31, 2003)
• EPIC Criticizes Profiling at EP Hearing. At a European Parliament Committee on Citizens' Freedoms and Rights hearing on traveler profiling in Brussels, EPIC submitted a statement (pdf) identifying the threats that extensive US profiling programs raise for European and American travelers' privacy. These threats include reversal of the presumption of innocence, widespread spying and third party data sharing, long-term retention of passenger records, lack of access and judicial remedies, and absence of public oversight.Other contributions from the hearing can be found here (in French). (March 27, 2003)
• European Parliament Opposes Passenger Data Disclosure. An overwhelming majority of the European Parliament has adopted a resolution expressing opposition to an arrangement allowing the transfer of airline passenger data to US customs. The arrangement, which allows access to personal details of airline passengers, was agreed upon by the European Commission and the US on February 17-18. The European Parliament has concluded that disclosing passenger data may end up heading "into de facto 'data-mining' territory for the US Administration." The resolution questions the legal legitimacy of such disclosure in both the EU and the US. Parliament blames the European Commission for not having duly verified the real basis in US law to justify access to reservation systems. The Commission should investigate whether the actual US request is just an over-broad interpretation on the part of the present US administration. The resolution also states that Parliament regrets the lack of legal basis for the adoption of the Joint Statement. In addition, Parliament admonishes the Commission for inviting national authorities to disregard community law. (March 13, 2003)
• Air Travel Profiling Violates EU Privacy Laws. The US government has pressured European Union authorities to allow European airlines to disclose passenger information. A new agreement (pdf) (also available in HTML from Statewatch) makes medical, ethnic and religious information available to US law enforcement. The agreement violates EU data protection laws because the disclosure is excessive and does not provide adequate privacy safeguards. (March 5, 2003)
• Joint Statement of US Customs and EU Commission of February 18-19, 2003. In this statement, the European Commission decided to urge European Member States Data Protection Authorities not to take enforcement steps against airlines allowing the US Customs full access to passenger data after March 5, 2003. For further details, see EPIC's Explanation and Analysis. (March 5, 2003)
• Letter of Mr. Rodota from March 3, 2003. Mr. Stefan Rodota, the Chairman of the EC ("European Community") Data Protection Working Group, sent a letter (pdf) on March 3, 2003 to the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs in Brussels. He raises the question if the procedures giving US Customs access to European Airlines' data after March 5, 2003 are compatible with EU Member States laws and if they (see the Joint Statement) will offer a practicable interim solution. Mr. Rodota proposes a postponement of the data access until the next Working Party's meeting of 20 and 21 March 2003. For further details see Statewatch's Comment. (March 3, 2003)