Transatlantische betrekkingen en gegevensbescherming (en)

Over five years after the "9/11" attacks in New York, views still differ across the Atlantic on how best to fight terrorism without jeopardising human rights. Does the fight against terrorism really require transatlantic transfers of air passengers' personal data, or of the data required for international banking transactions? And if so, are these data adequately protected?

Politicians, experts and NGO representatives agreed on Monday that even years after these transfers to the US administration took place, it is still unclear whether such personal data were really indispensable for catching terrorists. Neither the Council nor the Commission, or even the US administration, have since offered any figures to demonstrate the effectiveness of processing billions of personal data on European citizens and others, MEPs complained.

"Some in the US seem to be thinking that the legitimate goal to fight terrorism justifies all means, but many people in the EU appear to think the contrary", said Civil Liberties Committee Vice-Chairman Stavros Lambrinidis (PES, EL), who chaired the public hearing on facts and laws governing the transfer of air passenger name record (PNR) data, financial transfer data (SWIFT case) and data exchanged between private parties ("safe harbour" data protection principles).

Mr Lambrinidis wondered whether the sole purpose of collecting data was to fight terrorism. "You cannot break data protection rights except when the measure is proven to be necessary, proportionate and appropriate", he explained. So far, there has been only one review of the first PNR agreement with the US, and there should at least be a second review of the system's current effectiveness before the new PNR agreement is signed in July, he said. 

Air passenger data: not a closed chapter

Following the European Court of Justice's May 2006 ruling that a May 2004 EU-US agreement on the transfer of personal data by air carriers to the US authorities was illegal (inter alia because the EU's 1995 Directive on personal data privacy does not empower the Commission to address public and state security issues), the EU was obliged to open new negotiations with the US government. Although the ensuing agreement, signed in October 2006, still did not satisfy most MEPs, Parliament managed to persuade the EU Council of Ministers and the US Administration that it should be made to expire in July 2007, so that they could meanwhile continue working on a wider approach and achieve a final agreement - with better standards of data protection - to replace the temporary one from August 2007 onwards.

Parliament has always sought to become fully involved in Council negotiations with the US government and to strengthen EP relations with the US Congress. A delegation of 9 MEPs will visit Washington in April to discuss data protection issues with members of Congress.

 "It must be absolutely clear who will use the data, who is the addressee", said Professor Spiros Simitis of the Goethe University in Frankfurt. "Giving data to a specific agency that combats crime is one thing, but this American agency transferring it to other agencies is quite another", he continued. Before data transfers are permitted, their purpose, conditions, storage period and control provisions should be ascertained, and the people concerned should have the right to consult data and correct errors, he concluded.

The problem of protecting PNR properly in America stems from the fact that "the US Privacy Act [US equivalent of the EU data privacy Directive] - does not work", added Professor Francesca Bignami of Duke University, USA. "It has been ineffective because there are a number of exceptions in the matter of public security: personal data can always be shared for police cooperation and law enforcement purposes", she said.

The Privacy Act "has many shortcomings, like the absence of any protection for anybody who is not a US citizen or permanent resident (...), or the fact that collected information is not simply for anti-terrorism purposes. It is also used for law enforcement, security interests and even for migration purposes. The risks to privacy are no longer theoretical", added Marc Rotenberg, Director of the Electronic Privacy Information Center in Washington. 

Improvements needed

MEPs stressed the need to rectify known deficiencies in the current agreement. This would include switching to a "push" system, so that US officers should have to request data specifically required, case-by-case (rather than simply being granted access to the full database), and reducing the number of PNR data fields that they can check. Ben Simmons of Amadeus explained that his company has developed the necessary software for transferring PNR data collected by airlines. "Authorities in Washington now have access to this database similar to any other air company. It is like having an 'open window' into the Amadeus system", he said

Arnaud Camus of the Association of European Airlines (which represents 31 airlines) explained that PNR transfer is done through the "push" system in Canada, where 25 files of each passenger name record can be transferred in one operation upon request. "Next month we will start the same push system with the UK but only for a limited number of air routes", he explained. However, US government is the only country to use the "pull" system, accessing to up to 34 files of each person in one operation. "They can extract any data (...) 140 million PNR transactions were made by US authorities from the 6 biggest airlines only in 2006".

Hans-Jürgen Förster, of the German Interior Ministry, who is in charge of negotiating the new PNR agreement on the EU Presidency's behalf, explained that negotiations had "just started". "The switch to the push procedure is urgent; this has been made absolutely clear to the Americans" and "the US government has indicated a willingness to discuss and draft a list of principles, to see whether additional restrictions to PNR transfer are desirable", he added, concluding that "the American side is expected to deliver a revised version on the undertakings before we start a second round of negotiations".

ATS system

Parliament's rapporteur, Sophia In 't Veld (ALDE, NL), voiced concern that the existence of the US Automated Targeting System (ATS) had led to a situation of legal uncertainty with regard to the necessary data protection safeguards for sharing and transferring data. "We never got any clarification on how ATS relates to PNR transfers", she said.

For the European Commission, Director General Jonathan Faull replied that "on ATS the situation is clear. I got a letter signed by Stewart Baker (US Homeland Security Department) assuring us that the use of ATS in no way violates the PNR agreement". Gus Hosein, from US Privacy International, said he was "shocked to hear that a letter can be sufficient guarantee for the Commission" and added that ATS "is taking PNR and data-mining it and keeping it up for 40 years, and not even for terrorism purposes only but also for migration and border control management".

Bank transactions

MEPs also reiterated their concerns, set out in a resolution adopted in July 2006, about the fact that the US government had gained access to financial personal data of European citizens by subpoenaing the Society for Worldwide Inter-bank Financial Telecommunications (SWIFT).

"There is still substantial ground for improvement in the European arena for compliance with the law", said the European Data Protection Supervisor Peter Hustinx, referring to the SWIFT case.

Asked by Ms In't Veld about the basis for their confidential agreement with US authorities, SWIFT representative Blanche Petre confirmed that her company had obtained permission to have two SWIFT representatives verifying any search done by the US Treasury department. "If these representatives were to consider that the search was not justified they had the power to stop the transfer of data. This was part of our memorandum of understanding", she said. Mr Lambrinidis wondered how it could be possible for a private company to get precisely what the EU seems to find it so difficult to obtain as a precondition for the transfer of data.

After this hearing the political debate with the representatives of the Council and of the Commission will take place at the next Civil Liberties Committee meeting on 10 and 11 April, before the parliamentary delegation leaves for the US.

Hearing documents at: http://www.europarl.europa.eu/hearings/default_en.htm

26/03/2007

Committee on Civil Liberties, Justice and Home Affairs

In the chair: : Stavros Lambrinidis (PES, EL)