Tuesday, 27 January 2004
European Commissioner ackowledges need of USA airlines to respect EU privacy laws
In a letter dated 18 December 2004 to USA Secretary of Homeland Security Tom Ridge, European Commissioner Frits Bolkestein has clearly ackowledged the practical impossibility (as I've been discussing for months) of segregating personal data in airline reservations collected in the European Union from data collected in the USA or elsewhere:
I also understand that, when CAPPS II begins testing and even more when it becomes operational -- even if not at all applied to flights within the EU -- PNR data of some subset of passengers on such flights may emanate from the EU and that there is no reasonable or cost-effective mechanism for airlines or TSA to identify or filter out such PNR. I recognize that airlines are concerned that this situation might leave them vulnerable to enforcement action by data protection authorities in the EU Member States.
The letter from Bolkestein to Ridge, posted in a semewhat obscure location on the European Commission Web site, was brought to public attention by Member of the European Parliament (MEP) Marco Cappato. MEP Cappato's statement today says that by the letter, "The Commission hereby confirms its attitude of not taking into due account citizens' rights and the EP serious reservations on the issue of the transfer of personal data of transatlantic airline passengers to the US."
But while Bolkestein's comments were made in the specific context of CAPPS-II , the larger implication may be this:
If, as Commissioner Bolkestein has now admitted, some subset of passenger data on any flight may have been collected in the EU, and it is impossible for airlines in the USA to identify or filter out such data, then the only way airlines or other travel companies in the USA can ensure their compliance with EU data protection regulations is if they treat all PNR data as though it might have come from the EU, and handle all PNR's, even on domestic flights within the USA, in compliance with EU data protection standards. (Which of course they don't.)
The only legal way for airlines, CRS's, and other travel companies to withhold from customers in the USA the rights they are required to give EU customers would be if they tracked whether each item of personal data in each PNR originated in the EU. They don't, and their failure to do so -- or to treat all PNR's in accordance with EU data protection standards -- is the essence of their near-total disregard to date for any actual compliance with EU data protection laws, as applied to PNR (travel reservations) data.
MEP Cappato's statement continues:
We appeal to the President of the EU Privacy Authorities, Stefano Rodotà, to formally intervene to ask for provisions and sanctions to be applied against current illegal practices. And we ask to national privacy authorities to take measures where they have powers to do so, such as in Italy. We do not understand why President Rodotà and national privacy authorities do not activate the national and European instruments at their disposal to have the laws applied and citizens' rights respected.
The real question now is not just what will be done by European authorities about CAPPS-II, but what will be done about the larger issue of compliance with EU data protection rules throughout the handling of PNR data in the USA.Link | Posted by Edward on Tuesday, 27 January 2004, 16:55 ( 4:55 PM)