Lawyers for the European Commission (EC) have warned that a US-European agreement to store the personal data of air passengers for 15 years is unlawful.
The Passenger Name Record agreement - under which EU governments collect, store and share details about users of scheduled transport - is in the process of being finalised.
But a note from the EC's legal service says it has grave doubts that the Passenger Name Record (PNR) agreement complies with the fundamental right to data protection, according to The Guardian.
Prevailing official legal opinion could prove crucial, as the PNR needs the approval of the European parliament as well as ministers. But commission officials say the PNR's legality can only be tested in the courts.
Lawyers say the biggest concerns surround: the widely-drawn limits on the use of the personal data; the disproportionate storage period of 15 years; the lack of independent oversight; and proper access to the courts for those seeking redress over misuse of their details.
The legal advice concludes that the draft agreement does not constitute a sufficiently substantial improvement of the previous agreement rejected by the European parliament on data protection grounds.
Some members of the European parliament say the EU is acting against its own legal advice and have called for the draft agreements with the US, Australia and Canada on passenger record retention to be renegotiated, to ensure the agreements are in line with EU data protection law.
The US Aviation and Transportation Security Act of 19th November 2001 introduced the requirement that airlines operating passenger flights to, from or through the United States provide US authorities, upon request, with electronic access to PNR data contained in their reservation and departure control systems.
European authorities and the US signed an initial agreement on sharing passenger information in 2004, but the parties have since struggled to reach a final agreement on the issue because of persistent concerns about data protection.