EU and US agree on air passenger data sharing

The European Commission has agreed that US security demands for information about all air passengers flying to the US from Europe...

The European Commission has agreed that US security demands for information about all air passengers flying to the US from Europe do not breach tough European Union data privacy laws.

The US Department of Homeland Security (DHS) initially sought 39 pieces of information about passengers before they boarded their flights, including their name, address and details about how and where they purchased their tickets.

The DHS wanted to hold the information for 50 years and use it in domestic criminal investigations as well as for antiterrorism purposes. It also wanted the information before the passengers boarded their flights.

EU data protection laws forbid airlines from sharing personal details of their passengers with organisations based in countries with less stringent privacy laws, such as the US.

The commission has spent most of this year trying to find a way of accommodating US security needs within the EU's privacy laws. Agreement was only possible after last-minute concessions by the US, said commission spokesman Jonathan Todd.

US officials agreed to reduce the amount of time they would hold on to the passenger data to three and a half years, down from 50 years. They also agreed to restrict use of the data to investigation of terrorist and other international crimes, excluding domestic US criminal investigations.

The US also agreed to reduce the number of items of required data to 34 from 39.

The issue of the number of data elements is largely academic, said Todd, as many airlines do not collect all the items anyway. Italy's Al Italia refuses to pass on the data at all, he added.

In addition, the US agreed to provide similar data on US citizens when they fly to Europe. "The aim is to make this reciprocal," Todd said.

Commissioner Frits Bolkestein led the negotiations for the EU. "I do not see any solution which serves our objectives better," he said.

Failure to agree with the US would have had negative repercussions, according to Bolkestein. "I see in any case no justification at all for pursuing policies which risk producing negative outcomes for passengers and negative impacts for airlines."

The agreement with the US was the only practical way of avoiding lengthy delays for European travellers to the US and fines against European airlines that did not provide the data to the US authorities, Todd said.

The agreement must be discussed by national data protection regulators, the European Parliament and national governments before it can be adopted. The commission hopes to finalise the agreement by March or April.

Paul Meller writes for IDG News Service

Read more on IT risk management