A new agreement on the transfer of EU air passengers' personal data to the US authorities was approved by the European Parliament on Thursday. The deal sets legal conditions and covers issues such as storage periods, use, data protection safeguards and administrative and judicial redress. The agreement will replace a provisional deal in place since 2007.
The EU-US Passenger Name Record (PNR) agreement was adopted with 409 votes in favour, 226 against and 33 abstentions. A significant minority of MEPs voted against the deal due to concerns over data protection safeguards, including rapporteur Sophie in'T Veld (ALDE, NL), who withdrew her name from the report. A proposal to refer the agreement to the European Court of Justice was rejected by MEPs.
Retention period and purpose
Under the new agreement, US authorities will keep PNR data in an active database for up to 5 years. After the first 6 months, all information which could be used to identify a passenger would be "depersonalized", meaning that data such as the passenger's name or her/his contact information would be codified.
After the first 5 years, the data will be moved to a "dormant database" for up to 10 years, with stricter access requirements for US officials. Thereafter, the agreement says, data would be fully "anonymized" by deleting all information which could serve to identify the passenger. Data related to any specific case will be retained in an active PNR database until the investigation is archived.
PNR data will be used mainly to prevent, detect, investigate and prosecute terrorism and serious transnational crimes. Transnational crimes are defined as crimes punishable by 3 years of imprisonment or more under US law. PNR data will also serve "to identify persons who would be subject to closer questioning or examination".
Sensitive data such as those revealing the ethnic origin, religious beliefs, physical or mental health or sexual orientation of a passenger could be used in exceptional circumstances when a person's life is at risk. This data is most frequently tied to a religious meal choice or requests for assistance due to a medical condition. This data will be accessed only case-by-case and will be permanently deleted after 30 days from receipt, unless it is used for a specific investigation.
Should their data be misused, EU citizens will have the right to administrative and judicial redress in accordance with US law. They will also have the right to access their own PNR data and seek rectification by the Department of Homeland Security (DHS), including the possibility of erasure, if the information is inaccurate.
PNR data are collected by air carriers during the reservation process and include names, addresses, credit card details and seat numbers of air passengers. Under US law, air companies are obliged to make these data available to the DHS prior to passenger departure. This applies to flights to or from the US.
In May 2010, Parliament postponed its vote on a PNR agreement with the US applied provisionally since 2007, mainly due to data protection concerns. MEPs urged then the European Commission to negotiate a new deal, which the Commission did in 2011.
The European Parliament adopted a PNR deal with Australia in October 2011. The EU is currently negotiating a PNR agreement with Canada.
Justice and Home Affairs Ministers will formally approve the agreement on 26 April The deal will replace the 2007 text and will apply for 7 years.