The controversy surrounding the transfer of air passenger data began shortly after the terrorist atrocities of September 2001, when the US passed its Aviation and Transportation Security Act.
This new law introduced the requirement that airlines operating passenger flights to, from or through the US provide the US Customs Border Protection Bureau, upon request, with electronic access to passenger data contained in their reservation and departure control systems.
The problem in Europe is that its Data Protection Directive of 1995 provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection. The Commission decides which countries have adequate laws, but to date, only a few countries – not including the US – have met the criteria. Transfers of data to other countries need additional guarantees.
Airlines found themselves in a catch-22 position: to fly from Europe to the US, they would need to comply with either European law or US law, but they could not find a way to comply with both. So European and US authorities negotiated.
The European Commission agreed, temporarily, to waive aspects of its privacy regime and, on terms agreed with the US, data relating to transatlantic passengers has been transferring to US Customs since 5th March 2003.
Following delicate negotiations between the Commission and the US Department of Homeland Security, the Commission announced in December that it had reached agreement with the US. This placed limits on, for example, the nature of the data to be transferred and on the period for which data would be stored.
The arrangements have yet to be put into formal terms – and on Tuesday, the Parliament voted against the deal when considering a Parliamentary report that criticised the Commission's deal. Four hundred and thirty nine MEPs voted in favour of the critical report, with 39 against and 28 abstentions.
The report states firmly that transfers of personal data to third country authorities without consent – as in the access by US authorities of air passenger data – seriously infringe EU data protection standards. The report concludes that the progress made over a year of talks with the US is inadequate, and calls for arrangements for data protection in such circumstances to be subject to approval by Parliament in the future.
