The European Commission has adopted a plan to limit third-country access to travelers’ data and intends to use the plan in negotiations with the U.S., Australia and Canada.
The Commission Tuesday approved a proposal for handling passenger name record (PNR) data, which is comprised of all the information that air carriers collect about their passengers. Current European Union data protection laws do not allow air carriers from the E.U. to transfer PNR data to third countries without a legal agreement in place to ensure data privacy protection. Formal PNR agreements between the E.U. and the U.S., Australia and Canada are pending after the European Parliament postponed its vote in May. Under the Lisbon Treaty, Parliament must give its consent to the proposals.
PNR data has been used manually by customs and law enforcement authorities around the world for almost 60 years. But new technology means that such data can now be screened more quickly and easily. This is of huge benefit in combating crime, but also opens up the possibility of misuse of personal data. To prevent this, the new proposal states that PNR data should never be disclosed in bulk but only on a case-by-case basis.
Furthermore, in order to prevent ‘profiling,’ decisions that will have an adverse effect on passengers must never be based on automated processing. A person must be involved before a passenger is denied boarding.
Although aimed at protecting passengers’ rights, the new proposals do not impose a time limit on the retention of passenger data. The Commission says it should not be stored for "longer than necessary," but many factors may be used to justify the retention of PNR data indefinitely -- these include the security threat faced by the country and the conditions under which the data is stored.
Sensitive information such as racial or ethnic origin, political opinions, religious beliefs or trade union membership may only be accessed in “very exceptional cases,” but it is rare that airlines collect this information.
The data can only be accessed in connection with fighting serious international crime including people trafficking, child abduction, drug trafficking and terrorism, explained Home Affairs Commissioner Cecilia Malmström. Third countries must also ensure a high level of data security and implement independent public oversight of the authorities which use PNR data.
Reciprocity should also be ensured and information about terrorism and serious transnational crime must be shared with Europol, Eurojust and E.U. member states. Passengers who believe that their privacy has been infringed will also have right to redress.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.