US Travel Surveillance authorised by EU. Can US data protection measures be trusted? Passing European airline passenger data to US authorities contravenes European privacy law and puts passengers at risk that their personal data could be misused.
European Passenger Data has been authorised for transfer to the USA to use in testing CAPPS-II. The European Commission authorised the breach of the law (PDF file), as we were all frantically trying to get the last Christmas cards written. It was made apparently on the basis that adequate provisions had been taken in line with European law for the protection of that data. This was despite that fact that the Working Party had already clearly stated in this document that the transfer of PNR data to the USA would be illegal under European law.
As always, we must carefully study the footnotes in this linked document. Footnote # 6 refers to Article 8 paragraph 1 of the Data Protection Directive.
" Article 8 of the Directive establishes additional protections for special categories of data. These are defined in Article 8 paragraph 1 as "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and ... data concerning health or sex life".
The communication states that "All categories of sensitive data as defined by Article 8 paragraph 1 of the Data Protection Directive will be deleted. The Commission has secured the necessary guarantees from the US that all personal data revealing racial or ethnic origin (e.g. dietary preferences), health, etc. will be filtered out and deleted."
So why is that data passed to the USA in the first place if a guarantee is needed that it be filtered out and deleted?
Finally the communication states: "The Commission will strongly encourage operators to obtain systematically the consent of passengers to their data being transferred, to the extent practicable, but believes that it is necessary to establish a legal framework which does not rely solely on consent."
So that implies that they are going to do it even without passenger consent.
It is now very clear that adequate protection measures for that data have NOT been put in place. We can all imagine what can happen to data once it lands in a computer system.
Therefore, if you are European and have travelled to the USA since 5 March 2003, then you should know that US databases will soon have access to your Passenger Name Record (PNR) data. That includes your private phone number, email address, maybe dietary preferences and 31 other fields containing your personal data.
Judging by the amount of Spam that we get, I cannot imagine anybody wanting his or her email address in yet another database, particularly an unsecured one.
Furthermore, your personal data is at serious risk of being compromised and the growth of ID theft is horrendous.
I suggest that you visit this site immediately to join the Campaign against the illegal transfer of European travellers' data to the USA. You can help by filing a complaint to any airlines with which you have flown and write to your local data protection office. All of the letters have been prepared and the addresses are supplied too, so it is just a 10-minute task.
So will we be able to rely on a secure database in the end? I guess not, but at least we might be able to stop the transfer of data if every individual helps.
This commentary is interesting.
