European Parliament approves the controversial EU/US PNR agreement

The agreement, which the UK government separately signed into last month, defines the conditions under which personal information about travelers can be passed between the EU and the US. PNR, said Cecilia Malmström, Home Affairs Commissioner, “is the information you provide to the airline or travel agent when booking a flight. This information has been used by law enforcement authorities around the world for many years to identify serious criminals and terrorists.”

Few people doubt the value of this information in the fight against international crime and terrorism, but the blanket provision of data and the manner in which it is stored and may be used in the US has caused, and is still causing, considerable concern among European civil liberties groups. The EC has attempted to allay fears. Malmström said yesterday, “The period during which PNR data may be stored and used will be reduced from 15 to 10 years for transnational serious crimes, for terrorism it stays at 15 years, and all data should be anonymized after 6 months.”

‘Anonymized’ is used just once in the agreement, and refers only to personal data retained after a 15 year period when “data retained must be rendered fully anonymized by deleting all data types which could serve to identify the passenger to whom PNR relate without the possibility of repersonalization.” It is this lack of clarity and apparent confusion that most concerns civil liberties groups. Nick Pickles, director of Big Brother Watch, said, “This policy involves handing over our credit card numbers, details on our sex lives, ethnicity and political views, without legal process. Governments are betraying their citizens because a paranoid security complex is running rampant across policy.”

EDRI, the European Digital Rights organization, is equally concerned. “The Commission has neither provided evidence that the collection, storage and processing of personal data is proportionate at all, let alone why it appears to believe that 15 years of data retention are necessary and proportionate,” wrote Kirsten Fiedler at the end of last month. She has other concerns. Parliamentarians had asked “for ‘push’ only as a method of transfer and for a clear prohibition of profiling - none of these conditions have been met in the new Agreement.” Malmström says, “The agreement also gives the individuals the right to access their PNR data held in the U.S. and if the information is inaccurate, it shall be changed or removed..” But Fiedler comments “since the Agreement does not address what citizens are entitled to receive an answer, the DHS can decline this request. Moreover, the DHS has decided that its use of PNR data is exempt from the Privacy Act even for U.S. citizens.”

The view of the respective governments, however, is clear. “This is an agreement the three EU institutions can be proud of,” said Malmström: “it provides stronger protection of EU citizens' right to privacy and more legal certainty for air carriers than the existing EU-U.S. PNR Agreement from 2007.” Janet Napolitano, US Secretary of the Department of Homeland Security, announced “In an era of transnational threats, we should all be proud of this strong international partnership.”

But, “It is far from clear that this policy is not in breach of the EU's own data protection laws,” adds the director of Big Brother Watch.

What’s Hot on Infosecurity Magazine?