Transmission of personal data by airlines in the case of transatlantic flights

European Parliament resolution
on transfer of personal data by airlines in the case of transatlantic flights:
state of negotiations with the USA

October 9, 2003

The European Parliament,
- having regard to Rule 42(5) of its Rules of Procedure,

A. having regard to its resolution of 13 March 2003 on transfer of personal data by airlines in the case of transatlantic flights1,

B. whereas, since 11 September 2001, the USA has put into place various measures to strengthen border controls, and whereas, in particular, as of 1 October 2003, only passengers with a 'machine readable passport' are able to enter without a visa and passengers in the near future will be required to have a passport containing biometric data,

C. having regard to the verifications carried out by the Commission within the last few months at administrative as well as political level, with regard to whether the measures taken and planned by the US authorities ensure adequate protection of data in conformity with the provisions of Directive 95/46/EC2 as well as the principles established by the Convention for the Protection of Human Rights and Fundamental Freedoms and the Charter of Fundamental Rights of the European Union,

D. having regard to the information provided by the Commission and to the fact that it is currently not possible to consider the data protection provided by the US authorities to be adequate, because:

(a) the objective that would justify obtaining and storing data remains unclear and is not restricted to fighting terrorism; consequently, there is a risk that the data could be used for other purposes, including transfer to other services of the US administration or to third parties,
(b) the number of items of data required (39 different passenger name record elements) seems excessive and is in any case out of proportion to the aim pursued,
(c) the retention of data (6/7 years) seems unjustified, in particular with regard to data concerning persons that do not present any risk to the country's security3,
(d) the undertakings envisaged by the US administration seem not only insufficient, but also do not represent obligations, nor can they be invoked before a court either by the European Union or by passengers, who, in addition, are not offered any other efficient means of extra-judicial appeal to any independent authority,

E. convinced that there is an imperative and urgent need to give passengers, airlines and reservation systems clear indications as soon as possible on which measures are to be taken in response to the demands made by the US authorities,

F. having regard to Article 232 of the EC Treaty, which lays down the possibility for Parliament to bring an action before the Court of Justice for failure to act, in infringement of the Treaty,

G. having regard to the recommendations made by the International Conference of Data Protection and Privacy Commissioners (Sydney, 10-12 September 2003) to the effect that international transfers of data should be made within the framework of international agreements defining:

(a) the conditions necessary for ensuring data protection,
(b) the clear targets that justify the collection of data,
(c) a specific and not excessive number of items of data,
(d) strict limits on the storage period,
(e) the provision of adequate information to the persons concerned, and
(f) mechanisms to correct possible errors, as well as independent control authorities,

1. Welcomes in principle the fact that the dialogue with the US is taking place at the highest political level; calls nevertheless on the Commission to ensure genuine cooperation between the Commissioners involved, notably Mrs de Palacio, Mr Bolkestein, Mr Vitorino and Mr Patten, so as to fully cover all aspects of the negotiations with the USA;

2. Calls on the Commission, in accordance with Article 232 of the EC Treaty, to act within two months after the adoption of this resolution to take appropriate measures enforcing Regulation (EEC) No 2299/89, in particular Article 11 thereof,

3. Therefore invites the Commission:

(a) forthwith to determine, within the limits outlined by the working party set up under Directive 95/46/EC, what data may legitimately be transferred by airlines and/or computerised information systems to third parties, and under what conditions, provided that:
- there is no discrimination against non-US passengers and no retention of data beyond the length of a passenger's stay on US territory
- passengers are provided with full and accurate information before purchasing their ticket and give their informed consent regarding the transfer of such data to the USA,
- passengers have access to a swift and efficient appeals procedure, should any problem arise,
(b) to deny airlines and computerised information systems any access and/or transfer which is not in accordance with the principles laid down in point (a), or if they are in apparent breach of the obligations stemming from Directive 95/46/EC and Regulation (EEC) No 2299/89;
(c) immediately to begin negotiations on an international agreement under the appropriate legal basis (Article 300 of the EC Treaty) and with due regard to Community legislation (Directive 95/46/EC);
(d) to evaluate the EU-US police cooperation in the fight against terrorism and serious crime with regard to its efficacy and its respect for fundamental rights and, moreover, to examine the compatibility of those two aims;
(e) to examine the compatibility with Directive 95/46/EC of any other projects, such as the introduction in the EU of passports with electronic chips on which biometic and other data can be stored in an easily accessible way;
(f) to take the necessary steps to facilitate the implementation of computer-based filter systems for controlled access to passenger data such as the Secured Short-Term PNR Store project developed by Austrian Airlines and the Austrian Data Protection Authority, which is supported by the other members of the Association of European Airlines;

4. Urges that a direct contact group be established between Members of the European Parliament and Members of the US Congress, in order to exchange information and discuss the strategy on ongoing and upcoming issues;

5. Instructs its President to forward this resolution to the Council and Commission, the governments and parliaments of the Member States and the United States Congress.

1 P5_TA(2003)0097.
2 OJ L 281, 29.11.1995, p. 31.
3 (Note: Under Article 6(1)(a) of Regulation (EEC) No 2299/89 on computerized reservation systems, as amended by Regulation (EC) No 323/1999 (OJ L 40, 13.2.1999, p. 1), individual data have to be taken off-line within 72 hours of the completion of the booking (i.e.: flight arrival) and can be archived for a maximum of three years, and access to the data is 'allowed only for billing-dispute reasons'.)