‘Illegal’ Snatch a lá BIG BROTHER: USA now wants all passenger data

US government wants personal data of millions of passengers who fly between the US and Europe, including credit card details, phone numbers and home addresses, may be stored by the US department of homeland security for 15 years, according to a draft agreement between Washington and Brussels leaked to the Guardian.

The “restricted” draft, which emerged from negotiations between the US and EU, opens the way for passenger data provided to airlines on check-in to be analysed by US automated data-mining and profiling programmes in the name of fighting terrorism, crime and illegal migration. The Americans want to require airlines to supply passenger lists as near complete as possible 96 hours before takeoff, so names can be checked against terrorist and immigration watchlists.

Draft of Washington-EU deal leaked to the Guardian shows agreement ‘violates basic European principles’

• Read the full text of the agreement

The agreement acknowledges that there will be occasions when people are delayed or prevented from flying because they are wrongly identified as a threat, and gives them the right to petition for judicial review in the US federal court. It also outlines procedures in the event of anticipated data losses or other unauthorised disclosure. The text includes provisions under which “sensitive personal data” – such as ethnic origin, political opinions, and details of health or sex life – can be used in exceptional circumstances where an individual’s life could be imperilled.

The 15-year retention period is likely to prove highly controversial as it is three times the five years allowed for in the EU’s PNR (passenger name record) regime to cover flights into, out of and within Europe. A period of five and a half years has just been negotiated in a similar agreement with Australia. Germany and France raised concerns this week about the agreement and the unproven necessity for the measure.

But the European parliament, which would have to approve it, has demanded proof that such a PNR agreement is necessary, and said it should in no circumstances be used for data-mining or profiling.

A provisional agreement on sharing airline passenger data between the EU and the US has been in force since 2007, but has been the subject of an intense civil liberties debate across Europe. This draft agreement appears to give the Americans all they have asked for.

A leaked opinion from the EU council of ministers’ legal advisers also warns that the EU’s PNR scheme is disproportionate and not in line with privacy requirements under human rights law. The German constitutional court ruled last years that six months was the maximum appropriate period for retaining personal telecommunications data.

The EU-US agreement tries to allay some of these privacy concerns by proposing to “mask” or “depersonalise” the identity of individuals after six months on the homeland security department’s active database. The data will be transferred to a dormant database after five years, to be held for a further 10 years. But the agreement allows for the identity of individuals to be restored at any stage by authorised officials in connection with a particular law enforcement operation.

The agreement will not only cover transatlantic flights, but appears to raise the prospect that airlines will have to provide PNR details to Washington for other international flights. It also allows passenger data to be passed to agencies in countries outside the US and Europe.

The data to be collected includes 19 separate items relating to each airline passenger, including their billing details, contact numbers, the names of those they are travelling with and how much baggage they have, as well their itinerary.

Airlines are to be required to provide the details up to 96 hours in advance, compared with 72 hours now under the provisional arrangement.

The European commission‘s own lawyers have warned that a joint US-European agreement to store the personal data, including credit card details, of millions of transatlantic air passengers for 15 years is unlawful.

The confidential legal opinion, passed to the Guardian, says the agreement to allow the US department of homeland security to store airline check-in data is “not compatible with fundamental rights”.

The note by the commission’s legal service, dated 16 May, says it has “grave doubts” that the passenger name record (PNR) deal, now being finalised, complies with the fundamental right to data protection.

The official legal opinion could prove crucial as the agreement, which has been negotiated by the commission with the US, needs the approval of the European parliament as well as ministers.

Leaked details of an EU ambassadors’ meeting last week showed the French, Germans, Italians, Dutch and others are still strongly critical of the proposed deal, with only the British, Irish, Swedes and Estonians supporting it.

Commission officials played down the significance of the official legal opinion, which was provided to negotiators before the deal was finalised, by saying its legality could only be tested in the courts.

The European lawyers say their “most serious concerns” cover the widely-drawn limits on the use of the personal data, the disproportionate storage period of 15 years, the lack of independent oversight and proper access to the courts for those seeking redress over misuse of their details. Their concerns include:

• The US-European PNR database is being built “to prevent and detect terrorism and serious crime” but the lawyers say this definition includes any offence carrying a jail term of more than 12 months: “Given the low maximum penalty, it is likely to include a very large number of crimes which cannot be regarded as serious. This point alone puts the proportionality of the agreement in question.”

• The PNR database can also be used “to ensure border security”, by identifying people who should be subject to closer questioning on entering or leaving the US. The lawyers say this means the database can be used to investigate minor immigration or customs offences without any link to terrorism or serious crime.

• The 15-year retention period – four times longer than the current deal – includes five years on an “active” database, after which information will be archived in a “dormant” database for 10 years, though still accessible to senior law enforcement agents. The lawyers say 15 years goes “far beyond” the five years in the EU’s own proposal for internal European travel, and the five and a half years in a proposed deal with Australia: “The council legal service in its opinion on EU-PNR … questioned the necessity of a period of more than two years. It appears highly doubtful that a period of 15 years can be regarded as proportional.”

• Judicial redress for aggrieved individuals is not guaranteed, the lawyers say: “All redress is made subject to US law, while the forms of redress explicitly guaranteed are administrative only and thus at the discretion of the department of homeland security.”

• Oversight to be carried out by homeland security “privacy officers” does not amount to independent oversight, say the European lawyers.

The official legal advice concludes: “Despite certain presentational improvements, the draft agreement does not constitute a sufficiently substantial improvement of the agreement currently applied on a provisional basis, the conclusion of which was refused on data protection grounds by the European parliament.”

They add that the use of PNR for border security purposes is a setback from the current agreement. “For these reasons the legal service does not consider the agreement in its present form as compatible with fundamental rights.”

Tony Bunyan of Statewatch, which monitors civil liberties across Europe, said the European parliament should refuse to consent to the agreement, as it is allowed to do under the Lisbon treaty. He said it did not meet EU data protection standards, nor provide judicial redress or independent oversight.

“Secret minutes of EU-US meetings since 2001 show that they have always been a one-way channel, with the US setting the agenda by making demands on the EU,” said Bunyan. “When the EU does make rare requests, like on data protection, because US law only offers protection and redress to US citizens, they are bluntly told that the US is not going to change its data protection system – as they were at the EU-US JHA ministerial meeting in Washington on 8-9 December 2010.”

Jan Philipp Albrecht, a German Green party MEP and member of the European parliament’s civil liberties committee, said the document showed the EU was acting against its own legal advice in pushing ahead with the proposed retention of sensitive passenger data.

“The commission cannot simply continue to stick its fingers in its ears, and it is high time that it dropped its obsession with PNR. This means going back to the drawing board and renegotiating the draft agreements with the US, Australia and Canada on passenger record retention, ensuring these agreements are in line with EU data protection law.

THE EXTENT OF US PATRIOT ACT

Last year, the European Parliament approved a EU-US bank data-sharing agreement to help in the War on Terror.  European lawmakers initially rejected the scheme, citing concerns that personal information, including details from electronic bank payments, would be used by the US authorities, held for too long and handed on to other governments.

SWIFT, the Belgian bank networking firm that transmits billions of financial transactions every day, was approached by U.S. government authorities shortly after the terrorist attacks of 2001 and demanded to share bank transfer details. It did so without alerting European data protection authorities. The SWIFT network unites data from 8,000 banks in Europe with millions of financial operations made daily. When the data sharing was revealed in press reports, it sparked a scandal dubbed the SWIFT affair.