The Article 29 Data Protection Working Party (WP) has just published its comments on the EU-USA Passenger Name Record (PNR) Agreement; a deal that I analysed just before Xmas as having the following characteristics: “data protection is weak, proportionality not guaranteed, and obvious safeguards absent” (see references). This view is substantiated by the WP’s comments.
As a general assessment, the WP notes that there have been “modest” improvements from earlier drafts “but does not see its serious concerns removed”. The primary concern is that “the legislators oblige carriers and computer reservation systems to make PNR data of all their passengers – nearly all of them being innocent and unsuspected citizens – available to foreign law enforcement agencies”.
The WP adds that “Since the negotiations of the first PNR agreement, the WP has expressed its doubts that sufficient evidence has been provided to demonstrate the necessity and the proportionality of mass transfer and use of PNR data for law enforcement purposes”; the “WP notes that no new evidence is offered now” (to justify the Agreement).
The WP then states that “there remains a high degree of uncertainty about what DHS (Department of Homeland Security in the USA) is intending to do with the transferred data” and that “the agreement lacks clarity when defining the limits within which PNR data can be used”. It notes that “it is troubling that all definitions provided are not exclusive” (this is because most definitions use words such as “including” and “in particular” which can expand their meaning – something we drum into our ISEB delegates!).
So, for example, “the definition of transnational serious crime does not only appear to be quite wide-ranging ... it also appears not to be necessarily related to law enforcement in the US”. Indeed “it covers all crimes where more than one jurisdiction is involved” and provides that “on a case-by-case basis” PNR can be used for all crimes regardless of whether they are serious, and even for other actions not related to crimes at all, if ordered by a court.
In summary “it appears to be rather clear that it will also be used for cases other than relating to terrorism and serious transnational crime and the Working Party considers this use disproportionate”.
With respect to data retention, the WP states that “the improvements of the agreement do not remove the fact that data of unsuspected citizens is stored for up to 15 years, only its use would be more limited”. The WP “cannot see how these long retention periods can be substantiated and justified” and “considers them to be excessive and disproportionate”.
In relation to the rights of access the WP states that for “many years” it “has expressed doubts as to whether US law and the agreements concluded with the US provide for the right of access and redress mechanisms in line with requirements of fundamental rights under EU law”.
With respect to the provisions on domestic sharing and onward transfer, the WP “regrets that the agreement is not more specific on how compliance with these terms or safeguards can practically be ensured, particularly with respect to retention periods”. The WP adds that the EU has stipulated that “the data protection level in the US is adequate despite its excessive retention periods and its lack of independent supervision”.
The WP notes that the PNR Agreement can be reviewed but “regrets that it is not explicitly provided (in the PNR Agreement) that the representatives of the European Union shall include representatives of the Member State’s data protection authorities”.
Finally, the WP adds “that many of the fundamental concerns expressed ... are also valid for the already concluded PNR agreement between the European Union and Australia”. It consequently asks for these concerns to be taken “into consideration when negotiating and deciding upon the PNR agreement with Canada”.
So there you have it: a level of adequacy that is acceptable to the European Commission (i.e. it satisfies the UK's 8th Principle by law) but is clearly unacceptable to the collective view of all Europe’s Data Protection Commissioners (and the European Data Protection Supervisor - see references). All this too in the week where the Commission will trumpet "data protection day" and publish the Regulation that replaces Directive 95/46/EC.
There is no doubt the Commission will use the events of this week to flaunt its data protection credentials and spray the air with sweet, "privacy scented" press releases (just like those issued with this PNR Agreement). I for one will be holding my nose; I advise blog-readers to do likewise.
EU/USA PNR Agreement: data protection is weak, proportionality not guaranteed, and obvious safeguards absent: http://amberhawk.typepad.com/amberhawk/2011/12/euusa-pnr-agreement-data-protection-is-weak-proportionality-not-guaranteed-and-obvious-safeguards-ab.html
My analysis of the “Agreement between the United States of America and the European Union on the use and Transfer of Passenger Name Records to the United States Department of Homeland Security” (download: Eu-usa-pnr-deal-amberhawk analysis)
Letter of the WP29 working party (download: WPletter_pnr_Jan2012)
EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011) and press release: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-12-09_US_PNR_EN.pdf