EC Calls New PNR Accord a Victory, But Some Aren’t So Sure
Talks on an interim airline passenger name records (PNR) agreement ended in a win for Europeans when the U.S. agreed to a scheme more protective of privacy, EC and Presidency officials said Fri. After a 9-hour session Thurs. night, the parties settled on an arrangement under which U.S. law enforcement agencies eventually will have to seek passenger data -- including phone numbers and email addresses -- from airline databases. The old agreement let the U.S. access data directly. The shift to a “push” system generally was welcomed, but data protection authorities and some European Parliament members said the temporary PNR doesn’t resolve major privacy concerns.
The agreement replaces a 2004 accord the European Court of Justice (ECJ) annulled this spring. It marks a “very important result” by maintaining without break a U.S./EU arrangement on the “very sensitive matter” of transferring data to the U.S. for counter-terror work, said EC Vp Franco Frattini. It also negates a need for 25 bilateral pacts between the U.S. and EU nations, which would have created privacy risks, he said.
Besides moving to a “push” system -- to be tested later this year -- the agreement recognizes U.S. and EU desire for “easy circulation” of data among law enforcement agencies, Frattini said. The EU will give passenger data to the U.S. Customs & Border Protection Agency and other Dept. of Homeland Security (DHS) agencies, the Justice Dept., the FBI and other anti-terror entities subject to conditions: (1) No increase in either the fields of information provided or the number of exchanges. (2) DHS may disclose the data to other agencies without granting those agencies direct access to the data. (3) The EU will accept disclosure to agencies if they have “comparable standards” of data protection. The adequacy of an agency’s privacy protections will be gauged via the same test as applied under the earlier PNR, Frattini said.
DHS Secy. Michael Chertoff praised the new information-sharing flexibility the PNR will provide. It means the govt. will get passenger data earlier, he said.
National govts. are expected to clear the pact next week, said Finnish Justice Minister Leena Luhtanen. It will run from the date of signature to July 31, 2007, by which time parties hope to have a more permanent arrangement. The U.S. accepted the principle that a more comprehensive pact will go into place from 2007, Frattini said. “We spoke in Europe with one voice,” which is why the EU prevailed, he said.
‘Least Worst Option’?
Some MEPs don’t see it that way. The EU “has once again caved to U.S. pressure at the expense of EU citizens’ civil liberties,” the Greens/European Free Alliance party said. The interim PNR allows “continued plundering” of personal data despite an inferior U.S. data protection system, it said. The Greens criticized the new agreement for leaving American agencies as free as before, for the moment, to pull passenger data from air carrier databases -- and for allowing more agencies access to the data.
The Alliance of Liberals and Democrats for Europe (ALDE) party branded the agreement “the least worst option under the circumstances.” The Bush Administration is “determined to extract ever more personal data and share it with the wider intelligence community,” said party leader Graham Watson.
The U.S. and EU need a broad dialog on civil liberties, Dutch MEP Sophie in ’t Veld, author of an EP report on PNR, said: “Issues involving the transfer of sensitive personal data such as PNR and retention of telecom data are growing, and we have no common view on how to approach them in the context of strengthening our security arrangements against terrorism.”
German MEP Alexander Alvaro, ALDE spokesman on civil liberties and justice issues, blasted the agreement. “The EU has given in to pressure by the United States,” he said: “My hopes that the negotiations would result in a more balanced agreement with regard to data privacy have not been fulfilled.”
Alvaro criticized not only the lack of limitations on the data sought, but also their intra-agency transfers. For such transfers, such as to the FBI, “some data protection rules should have been made a condition,” he said. With regard to Europe “giving in,” he said, stopping EU air traffic to U.S. airports certainly wouldn’t help the U.S. economy. Europe should have stood its ground, he said.
Privacy Chiefs Cautious
Germany’s privacy commissioner hailed the change from a pull to a push system. “This is positive from a data protection point of view, but we still have to analyze the agreement with regard to the handover of the data between U.S. agencies,” a spokeswoman for German Federal Data Protection Officer Peter Schaar said: “We certainly would be opposed to automatic data transferrals between U.S. authorities.”
So far, transfers to appropriate U.S. authorities have been possible only in investigations of terrorism or serious crime, the privacy officer said. But when the earlier PNR expired Sept. 30, the office began hearing different interpretations of the issue, he said. “With regard to next year’s more permanent agreement, we certainly will promote [exchange of] a more limited set of data,” the spokeswoman said. She cited an EU-Canadian agreement that’s far less heavy-handed and allows transfer only of a select set of passenger data. It’s also based on a push system, she said.
The U.K. Office of the Information Commissioner welcomed the signing of a new agreement but said it’s waiting to see the details.
Airlines backed the agreement, urging a more harmonized approach to security. “The new PNR is a step toward better information sharing,” said International Air Transport Assn. Dir.-Gen. Giovanni Bisignani. Now it’s time for govts. to move to further standardization in other areas of security, he said.
Digital rights group Imaginons un reseau Internet solidaire (IRIS) said the new accord endangers the security of EU citizens and residents. The ECJ ruling wasn’t founded on the agreement’s merits, but on its legal basis, so the U.S. unsurprisingly seized a chance to seek a more expansive accord, IRIS said.
To justify its decision, the EU said it had to yield to U.S. demands to protect its aviation sector and, more generally, transatlantic economic activity. But many member countries are enacting laws for furnishing personal data to their own police services, raising the question of whether they care about protecting such data, IRIS said. When one considers the expansion of the U.S., and, more and more, the EU “fight against terrorism,” one sees how the PNR violates individuals’ privacy and security, the group said.
Negotiator Jonathan Faull was asked if Europe will have a PNR system of its own. It’s “hard to tell,” he told a briefing. The EC, which deems PNR data useful in fighting terror and other transnational crime, is writing a proposal, he said. But it will face the sticky issue of such an instrument’s legal basis: 3rd pillar (police matters) or first (internal market)? Using the police pillar requires unanimous approval by all member govts.; using the internal market pillar requires co-decision by the EC and Council with input from the EP.