Sélecteur de langues
Brussels, Tuesday 13 December 2011
EDPS issues an opinion on the new EU-US Passenger Name Record agreement
The European Data Protection Supervisor (EDPS) adopted on Friday an opinion on the Commission's proposal for a new agreement between the EU and the US on the exchange of passengers' data (Passenger Name Record - PNR)*. The agreement obliges airline companies to send to the US Department of Homeland Security (DHS) data relating to all passengers flying between the EU and the US.
The EDPS welcomes the safeguards on data security and oversight foreseen in the new agreement and the improvements in comparison with the 2007 agreement. However, a number of concerns remain:
the 15-year retention period is excessive: data should be deleted immediately after its analysis or after a maximum of 6 months;
the purpose limitation is too broad: PNR data should only be used to combat terrorism or a well defined list of transnational serious crimes;
the list of data to be transferred to the DHS is disproportionate and contains too many open fields: it should be narrowed and exclude sensitive data;
there are exceptions to the “push” method: these should be removed, the US authorities should not be able to access the data directly ("pull" method);
there are limits to the exercise of data subjects' rights: every citizen should have a right to effective judicial redress;
the DHS should not transfer the data to other US authorities or third countries unless they guarantee an equivalent level of protection.
Peter Hustinx, EDPS, states: "Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfil strict conditions. Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the Member States have not been met. The same applies to the conditions required by the European Parliament to provide its consent."
PNR transfers are currently taking place on the basis of an agreement of 2007, which is being applied provisionally because the European Parliament decided not to give its consent until its data protection concerns were met. If the Parliament does not approve the new agreement, it will have to be renegotiated again.
The European Data Protection Supervisor (EDPS) is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by:
monitoring the EU administration's processing of personal data;
advising on policies and legislation that affect privacy;
cooperating with similar authorities to ensure consistent data protection.
(*) COM (2011) 807 final: Proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security.
EDPS - The European guardian of data protection