The European Parliament looks set to reject an agreement with the US to hand over personal data of airline passengers.
So-called PNR (passenger name register) agreements have been in place since 2004, but the latest draft will be voted on by the Parliament's justice and civil liberties committee on Tuesday. The PNR deal requires bulk passenger data, including name, contact details, payment information, itinerary, email and phone numbers, to be passed from European airlines to the US Department of Homeland Security.
The justification for the data transfer is to fight terrorism, but a report carried out by Franziska Böhm of the University of Luxembourg found that the latest draft of the deal extends the purpose for which such data can be used.
"When comparing the 2004, 2007 and the 2011 agreements, the purposes for which the PNR data can be used have been considerably extended. According to Article 4 of the proposed agreement, PNR data can be used for other purposes not related to terrorist or related crimes," she said.
The data can also be retained indefinitely. It must be "anonymised" after 15 years, but there is no technical specification as to how this should be done. "The use of undefined terms such as 'anonymisation,' 'masking out' and 'repersonalisation' leads to uncertainty as regards the content of those terms," said Böhm. This retention period can be compared with periods in agreements with Canada (3.5 years) and Australia (5.5 years).
Independence of supervision is still not guaranteed, while the data subject's rights and judicial review are still not enforceable, concluded the report.
The member of the European Parliament (MEP) charged with evaluating the deal has also called for it to be rejected. Dutch MEP Sophie in 't Veld agreed with the points raised in the report and also questions the necessity of such a mass transfer of data.
The EU-US PNR agreement does not meet the criteria set by the European Parliament in its 2010 resolutions, and is not in line with EU legislation she said.
"Passenger data will be stored for up to 15 years with insufficient provisions to protect against the odious practice of profiling. This flies in the face of court rulings across Europe and is at odds with EU data protection rules," said Green MEP Jan Phillipp Albrecht.
The deal will almost certainly be rejected by the justice committee next week, but it will then be put to the Parliament as a whole in April.