EU to Resume Sharing Airline Passenger Data with US

Albeit several days after an official deadline had already passed, negotiators for law enforcement officials in the US and Europe have agreed to resume a controversial program in which the personal data of European airline passengers traveling into the US may now be shared with US officials.

A statement released late this afternoon from the Office of the Presidency of the European Council reads in part, "The EU welcomes the new Agreement which will help to prevent and combat terrorism and serious transnational crime, whilst ensuring an equivalent level of protection of passengers' personal data in line with European standards on fundamental rights and privacy."

According to several European press sources, airlines operating in Europe must now resume the practice of making available 34 elements of personal data, including names, addresses, credit card numbers, and other identifying information, specifically to US Customs and Border Protection.

According to EU Justice Commissioner Franco Frattini, US officials must specifically request this data, which is a change from the previous agreement where data was provided unconditionally. In exchange for that concession, CBP is now free to share the data among other US agencies.

In a statement late today, Ulrich Schulte-Strathaus, secretary-general of the Association of European Airlines, said, "The agreement signed today will put an end to a period of uncertainty that was highly uncomfortable both for European carriers and their passengers. Even though our negotiators had assured us that we could continue transferring the passenger data in our reservation systems to the US, we were all aware that this period could not be indefinitely extended."

After the terrorist incidents of September 2001, the forerunner of the Department of Homeland Security unilaterally announced that the US would require all international airlines to provide complete passenger data for all incoming flights into the US, by March 2003. European law permitted the collection of this data, but only on a case-by-case basis, and only with regard to a specific case. This prevented the US from being able to screen all incoming passenger data.

In May 2004, the Council of the EU decided to agree to make this information available, but only after a prolonged period of heated debate which extended well past the US' original deadline. Since that time, a handful of controversies erupted about how the collected data was used.

In September 2003, it was learned that low-fare carrier JetBlue handed over information on 1.5 million passengers to a private contractor working for the Defense Dept., supposedly under the auspices of the agreement, for what was described as a "security risk assessment" project.

Then in January 2004, the US Electronic Privacy Information Center learned that, just a few months after the 9/11 attacks, NASA had obtained passenger data from Northwest Airlines, supposedly with regard to data mining experiments that would yield new methods for identifying terrorists. EPIC filed formal complaints, which are apparently still under review by the US Federal Trade Commission.

Last May, the European Court of Justice annulled the data sharing agreement, not because of the misuse revelations, but because the Court decided the Council did not have the jurisdiction to be making the agreement. Essentially, the Court ruled, the Council could not make decisions on how other entities outside its scope and purview could use EU citizens' data. The Court gave the Council of the EU until the end of September to renegotiate, suspending the effects of its judgment until that time.

Meanwhile, the Court did not resist taking a shot across the bow: "The fact that the [passenger name records] data have been collected by private operators for commercial purposes and it is they who arrange for transfer of the data to a non-member State," reads the ruling from last May, "does not prevent that transfer from being regarded as data processing that is excluded from the directive's scope."

Negotiations between the two governments to resume data sharing broke down late last month, mainly due to airlines' concerns that they could be fined by the EU for violating its privacy provisions, and that member nations could conceivably revoke airlines' landing rights. As a result, the Court suspension took effect last Sunday.

The Council of the EU is hopeful this new agreement will stand up to judicial review, since it was made under the auspices of the European Union (the legal entity) rather than the European Community (the economic entity). It is due to expire at the end of next July, so the debate over the new agreement's merits is likely to begin almost immediately.