The European Parliament recently approved the new Passenger Name Records (PNR) agreement with the US. Signed in December 2011, the agreement provides for transfers of the PNR data to the US Department of Homeland Security (DHS) by airlines operating flights between the EU and US and replaces the 2007 PNR deal, which has until now been applied provisionally.
The saga of PNR agreements dates back to 2004, when the first deal on the transatlantic exchange of passenger data was signed. The agreement was contested by the EP, and in 2006 the relevant Council and Commission Decisions were annulled by the ECJ on formal grounds. Heated EU-US negotiations followed, with the EP emphasizing the need for a stronger protection of personal data, where passenger records were to be used in the fight against terrorism and transnational crime. Although the EP approved the 2011 agreement, it remains to be seen whether or not the EU and the US have buried the hatchet for good. Indeed, does the new agreement provide for a stronger protection of passenger data, or have the changes been largely superficial? In order to find out, let us look at the agreement from the three aspects: its purpose and scope, transparency and safeguards of the data processing, as well as the presence of an independent oversight and effective enforcement of individual rights.
In addition to a rather broadly worded purpose of the fight against terrorism and transnational crime (Arts. 1 and 4) and the provision to the DHS of 19 types of passenger data, the 2011 agreement, just as the previous version, presupposes that the gathering and processing of PNR data applies to all passengers flying to the US. While the processing of PNR records on the basis of actual suspicions may be absolutely necessary, the indiscriminate nature of data collection and processing under the PNR agreement appears striking. Furthermore, as the PNR data is initially necessary for the ticket reservation, individuals have few effective opt-out options: if someone is not willing to provide their personal data, they would not be able to complete the booking.
The 2011 agreement is more detailed than the 2007 version and sets out key provisions on the processing of data in its main text, rather than in a separate letter. It provides more details on, inter alia, the retention periods (Art. 8), and prohibits taking decisions about individuals solely on the basis of automated data processing (Art. 7). This taken into account, the information provided still remains rather general. Should a passenger be interested in how (e.g. with the help of what techniques and on basis of what criteria) his data is processed, this would be exceedingly hard, if at all possible. Similarly to the 2007 version, the new agreement provides passengers with the right to access only their own PNR - which they, one would expect, are already aware of - but neither the results of automated data processing nor any criteria on which decisions to e.g. allow or deny boarding are based (Art. 11). Some information is provided in the DHS Privacy Office Reports – however, it remains rather technical, and thus may not be easily accessible to the general public.
Next, issues remain with the oversight of data processing and the possibilities for EU citizens to enforce their rights in the US. While Art. 14 of the 2011 agreement provides for the data processing oversight by the DHS Privacy Officers and several independent entities - a welcome development – hardly any role is spelled out for the European DPAs. In contrast, under the SWIFT agreement - another EU-US data sharing instrument - DPAs at least play a mediatory role between the aggrieved EU citizens and the US Treasury Department. Finally, although the PNR agreement lists several US instruments under which passengers can seek judicial redress, it is to be kept in mind that, before obtaining possibilities for the judicial review, individuals will need to exhaust administrative remedies.
To sum up, although some positive developments have been brought by the new PNR agreement, it seems that key travellers’ concerns remain insufficiently addressed. The new PNR agreement may be a winning moment in EU-US relations, but the level of personal data protection that it provides is still awaiting its star hour. Per aspera ad astra.