After months of resistance, the European Commission agreed late Tuesday that U.S. security demands for information about all air passengers flying to the U.S. from Europe do not breach tough European Union data privacy laws.
The U.S. Department of Homeland Security initially sought 39 pieces of information about passengers, including their name, address, and details about how and where they purchased their tickets. The DHS wanted to hold the information for 50 years and use it in domestic criminal investigations as well as for antiterrorism purposes. It also wanted the information before the passengers boarded their flights.
E.U. data protection laws forbid airlines from sharing personal details of their passengers with organizations based in countries with less stringent privacy laws, such as the U.S.
The Commission has spent most of this year trying to find a way of accommodating U.S. security needs within the E.U.'s privacy laws. Agreement was only possible after last minute concessions by the U.S., says Jonathan Todd, a spokesperson for the Commission.
U.S. officials agreed to reduce the amount of time they would hold on to the passenger data to three and a half years, down from 50 years. They also agreed to restrict use of the data to investigation of terrorist and other international crimes, excluding domestic U.S. criminal investigations.
The U.S. agreed to reduce the number of items of required data to 34 from 39.
"Agents of the department's U.S. Customs and Border Protection Bureau need 34 elements of [passenger] data to screen passengers for possible involvement in terrorist activities or other serious crimes," the DHS says in a statement.
The issue of the number of data elements is largely academic, says Todd, as many airlines don't collect all the items anyway. Alone among European airlines, Italy's Al Italia refuses to pass on the data at all, he says.
In addition, the U.S. agreed to provide similar data on U.S. citizens when they fly to Europe, Todd says. "The aim is to make this reciprocal," he says.
Commissioner Frits Bolkestein led the negotiations for the E.U. "I do not see any solution which serves our objectives better," he says.
Failure to agree with the U.S. would have had negative repercussions, according to Bolkestein. "I see in any case no justification at all for pursuing policies which risk producing negative outcomes for passengers and negative impacts for airlines," he says.
The agreement with the U.S. was the only practical way of avoiding lengthy delays for European travelers to the U.S. and fines against European airlines that did not provide the data to the U.S. authorities, Todd says Wednesday.
The agreement must be discussed by national data protection regulators, the European Parliament, and national governments before it can be formally adopted. The Commission hopes to finalize the agreement by March or April next year, Todd says.