EU Approves PNR Bill To Share Air Passenger Data With The US

US Department of Homeland Security will be handed personal details including names, credit card details and phone numbers

European ministers have voted 409 votes to 226 in favour of a bill that would provide the Department of Homeland Security with personal details on all airline passengers flying to the US.

As well as sharing names, travel itineraries, billing information and passport details, American authorities may access the Passenger Name Record (PNR) for sensitive data (including political opinions, ethnic origins and religion) in “exceptional circumstances”.

EU data sharing

The agreement passed on Thursday is an updated version of a provisional 2007 deal, under which the US authorities have been given access to PNR information in an effort to fight terrorism, the BBC reports. The renegotiated version, as laid on in a file dated December 2011, supposedly does more to safeguard the data.

“This is an agreement the three EU institutions can be proud of: it provides stronger protection of EU citizens’ right to privacy and more legal certainty for air carriers than the existing EU-U.S. PNR Agreement from 2007,” said EU commissioner Cecilia Malmström in a statement. “At the same time, it fully meets the security needs of the United States of America and the EU. Under the new agreement, data of passengers travelling to the United States of America will be used to fight serious transnational crime and terrorism.”

As Malmström notes, there is significant emphasis on ensuring privacy and fortifying data safeguards within the updated agreement. If sensitive data does not fall under the category of “exceptional circumstances”, which will be handled on a case-by-case basis, it will be masked out by automated systems. If sensitive data is then not used for a specific investigation, prosecution or enforcement action, it will be deleted after 30 days.

The DHS will retain the core PNR data in an active database for five years, but after six months personally identifiable information (name, booking information, etc) will be masked. The data will then be held in a dormant database for up to ten years before being “fully anonymised”.

“We have negotiated a very strong agreement with our transatlantic partners, which will see very specific pieces of information transferred under tight conditions with strong independent oversight,” said UK MEP Timothy Kirkhope in a statement to the EU Parliament’s news site. “I do not believe that the USA wants to store this information for the sake of some Orwellian plot. It uses it to ensure security against terrorism and serious crime.”

Despite the efforts made by the EU to improve the 2007 agreement by including stronger data safeguards, opposing MEPs maintain that the real issue is that of privacy.

“The main objections against the agreement for me as rapporteur are that the use of PNR data is not limited to the fight against terrorism and serious transnational crime, but that the data can be used for a wide range of other vague and unspecified purposes, such as immigration and border controls,” said Dutch MEP Sophie in ‘t Veld. “I also object to the storage of data for an indefinite period, albeit anonymised. The possible use of sensitive data, such as medical data, religion or sex life, is another contentious issue.”

Additionally, other concerns raised relate to the example the agreement sets. The BBC reports that some MEPs question what the EU Parliament will do if Russia or China make the same demands as the US.

Are you a security expert? Try our quiz

Read also : India Fines Meta $25m Over WhatsApp Data Sharing