The year 2010 is certainly an important one for data protection in Europe as transatlantic deals agreed by the EU following the terrorist attacks of 11 September 2001 against the US have been challenged. Equipped with its new power of veto over international agreements, the European Parliament is being called on to approve the no less controversial EU-US and EU-Australia agreements that allow the two partner countries to access European airline passenger data (passenger name record, PNR) for the fight against terrorism. But, by contrast with SWIFT, the EP has decided to take its time on this issue. The consequences of a rejection would be much more serious.

In saying ‘no’ to the interim SWIFT agreement, MEPs argued that the transfer of banking data could now be done via the 2003 agreement on mutual legal assistance, which came into force on 1 February (a more restrictive system because the data must be related to a specific investigation and not sent en bloc as for SWIFT). It is not possible to have this safety net for PNR. A negative response would put a stop to US and Australian access. And the European Parliament is likely to be all the more cautious as “the transmission of PNR data is part of the conditions that the US has imposed [on European countries] in exchange for a waiver to the visa regime [via the Visa Waiver Programme for most member states],” stressed the rapporteur for the two agreements, Dutch Liberal Sophia In’t Veld, to the Committee on Civil Liberties (LIBE), on 4 March in Brussels.

The concerns of MEPs are still the same as these are two agreements signed by the EU Council, in 2007, but not yet concluded. To resolve this situation, the rapporteur made a plea for the vote to be put back until the European Commission proposes a common “model” for any PNR exchange with non-EU countries.

There are still concerns about the use of data, initially commercial, for security purposes; the length of time that they can be kept (the agreement stipulates 15 years, after seven years the data will maintain a ‘non-operational’ status for eight years); the right to delete erroneous data; the possibility of appeal; and reciprocity for European access to their partners’ data.

RESOLUTION IN APRIL

Since 2008, MEPs had listed the “minimum conditions” for an agreement: a legal limit, a solid legal basis, standards for data protection and a restricted retention period. In the plenary session, from 19 to 22 April in Strasbourg, they need to adopt a new resolution stating their demands. Right from the start, the criticism has above all been about the length of time data are retained for. According to the so-called ‘Article 29’ (from the 1995 directive on the protection of personal data) group of national experts, “the data should be retained for a short period, which should not be more than a few weeks or a month after entry onto US territory”.

“We’re considering a more general framework,” says the spokesperson of the EU’s Internal Security Commissioner, Cecilia Malmström. Her services are preparing an evaluation report on the system for June. The idea of the EP is not so much to have a European PNR, as the EU has so far envisaged in vain, but to define – at the European level – the data that can be shared or not shared with non-EU countries and on what conditions under the framework of a general PNR deal. “An agreement with the US and Australia is one thing but other non-EU countries is quite another,” said Maltese Conservative MEP Simon Busuttil. The feeling, however, is different on the other side of the Atlantic: “There is no particular urgency to change the agreement,” said Mark R. Koumans, assistant secretary for international affairs at the US Department of Homeland Security, in comments to journalists, adding that a general agreement would “involve some risk”.

During check-in time, airline companies collect 19 pieces of information (including trip itinerary, where the ticket was bought, seat number and method of payment). Nowadays most of these PNR data can be obtained by the Customs and Border Protection Office, the agency of the US’s Department of Homeland Security, says the US Mission in Brussels. The Department of Homeland Security is supposed to destroy so-called ‘sensitive’ data immediately (such as illnesses or food preferences).

During check-in time, airline companies collect 19 pieces of information