UK opts in to the EU-USA PNR agreement

Notably, the opt-in announcement comes at the end of the fifth paragraph of a written statement presented to parliament by Damian Green, the Minister of State for Immigration. The preceding paragraphs describe the government’s commitment “to defending civil liberties” and its “stringent data protection safeguards, especially when handling sensitive personal data”, but also its view of the US “as a key partner” and its position that “appropriate use of PNR data is vital in keeping the public safe.” This recognizes and tries to counter some of the many concerns held by European privacy groups.

The purpose of providing PNR data is to allow receiving countries to be aware of potentially dangerous individuals heading towards their borders, “for the purpose of preventing terrorism and serious crime,” said Green. That data may include home addresses, mobile phone numbers, email addresses and credit card details. If the email address is operated by one of the major US-based providers such as Gmail or Hotmail, the separate Patriot Act will subsequently allow the US government to demand further data from the provider, outside of the PNR agreement.

European privacy groups are concerned about the extent of personal data provided under PNR, and the duration that the US authorities are able to keep that data. The agreement allows the US Department of Homeland Security (DHS) to store the data for six months, after which it has to be “depersonalized and masked” but can be kept for a further 14 years. Critics question the need for the data to be retained, and the actual effect of ‘de-personalizing’ the data. The EU’s own working party on data protection (currently known as the Article 29 Working Party) expressed serious concerns about the PNR agreement in an open letter it published on 6 January 2012. “As a general assessment,” it writes, “the Working Party notes (modest) improvements in the draft agreement, but does not see its serious concerns removed.”

Peter Hustinx, the European Data Protection Supervisor, said in a formal 'Opinion' last December that PNR data should be deleted immediately after use, or retained for a maximum of six months. He specifically suggests that the purpose of PNR should be clarified, that the “list of PNR data to be transferred should be narrowed”, that the US DHS should not be allowed to process personal data, and that the data retention period should be shortened.

The UK government, however, does not share these concerns. “It is for this reason,” concluded Green, “the government has opted in to the EU-US Agreement on the exchange of passenger name record data.”
