Monday, 19 July 2004
European privacy authorities respond to EU decision on PNR access by the USA
The European Union's Article 29 Data Protection Working Party -- the organization of national privacy protection officers from each EU member country -- has adopted an official response to the European Commission's finding and agreement to permit the USA government to access airline reservations from the EU, which are currently being challenged by the European Parliament in the European Court of Justice.
In the meantime, "the Working Party considers the following practical measures to be essential to keep encroachments on passengers' rights as minimal as possible:"
- Airlines should replace the "pull" method of transferring data with the "push" method as soon as possible.... In the "pull" method used until now, recipients are given all data. It is then their duty to filter out and use only the data for which they have authorisation under an agreement. [I've previously reported that the USA department of Homeland Security is actually "pulling" data far beyond that supposedly authorized by the European Commission findings and agreement.]
- Air passengers must be adequately informed of the data transfer.... [I]t is essential that air passengers always receive the same information regardless of which airline they use and where they acquire the plane ticket, including through travel agents. [In fact, passengers travelling today -- and having their reservations made available to the USA -- could have bought their tickets as much as a year ago, and could have made reservations months before that. Requiring notice prior to ticketing would require postponing government access to PNR's until at least a year after a system for providing ntoice is put into effect.]
- The Working Party is pleased that the agreed data transfers relate only to air passenger data recorded and saved by the airlines, travel agents and other sales points for the purposes of processing tickets. The agreement does not obligate or authorise airlines to record other data. [Actually, the agreement explcitly includes Advance Passenger Information (API), which by definition is additional data collected at government order, not for the airlines' business purposes.]
- The agreements between the Community and the United States provide for regular checks that the data protection rules which have been drawn up as a basis for recognition of the level of data protection are being complied with. The Working Party considers these checks to be particularly important. They are essential to analyse the practical consequences of the data transfers and thus to evaluate the extent of any encroachment on data protection. The Working Party is therefore very
interested in the design, implementation and evaluation of the checks, and would appreciate to work together with the Commission in this respect. [This is indeed critical, since the first sufficently thorough and technically competent audit of the logs of DHS access to reservations form the EU will show that the USA has not complied with the purported agreement.]
- In order to gain a clear and detailed insight into the practical steps involved in flight data transfers, the data protection supervisory authorities are planning to hold a joint event with the airlines in Rome in the near future. [Unstated is whether this event will be open to the public.]