By Ellen Nakashima
Washington Post Staff Writer
Sunday, November 4, 2007
American travelers' personal data would for the first time be exported to all European Union states by airline carriers flying to Europe under a proposal to be announced this week.
The data, including names, telephone numbers, credit card information and travel itinerary, would be sent to E.U. member states so they could assess passenger risk for counterterrorism purposes, according to a draft copy obtained by The Washington Post. The European Commission proposal would allow the data to be kept for 13 years or longer if used in criminal investigations and intelligence operations. It would cover all passengers flying into and out of Europe, not just Americans.
Airlines already share data with U.S. authorities on passengers entering the United States. A handful of countries, including Canada and Australia, have similar laws. The European proposal was apparently modeled after an agreement signed in July between the United States and Europe dealing with passenger data from European flights entering and leaving the United States.
Under the proposal by Franco Frattini, European commissioner for freedom, security and justice, airlines or computerized reservation systems would send at least 19 pieces of data on each passenger to data-analysis units set up by each state. The data fields also would include e-mail addresses, names of accompanying passengers and open ones for such special requests as meals or medical service.
Under the proposal, no personal data that could reveal race, ethnicity, political opinions, religion, trade union membership or health or sex-life information could be transmitted. Any such data that was shared would have to be deleted immediately by the data-analyzing units, the proposal says.
The proposal must be approved by all 27 E.U. states to become a Europe-wide law, though individual states could introduce their own programs. It would affect about 30 million people who fly from North America to Europe each year.
The move is part of an effort to combat terrorism by sharing information globally, and it is fueling concerns of loss of privacy and control over personal data.
"It almost becomes an arms race with one country adopting a data-gathering system without reflecting on whether or not the system is necessary," said Allison Knight, staff counsel for the Electronic Privacy Information Center.
Frattini has made clear that he believes a policy requiring Passenger Name Record data from airlines would be beneficial to combating terrorism in light of terror attacks in Madrid and London.
"The Union is at least as much a potential target of a terrorist attack as the United States, and the use and analysis of passenger name records is an important law enforcement tool to protect our citizens," Frattini told the European Parliament in September.
The U.S. is "definitely open to the idea," Department of Homeland Security spokeswoman Laura Keehner said. "It would be fair of the Europeans to ask the same information of us that we're asking of them. We are open to finding ways to make our respective homelands secure."
The U.S.-E.U. pact was opposed by civil libertarians and liberal politicians, many of whom have said they do not favor an E.U. equivalent. But some have suggested retaliating with a mirror policy.
Sophie in 't Veld, a member of Parliament from the Netherlands, said Frattini's proposal would "undermine the credibility" of the E.U., which criticized the E.U.-U.S. pact. "We still do not have sufficient evidence of how effective the use of these data are in the fight against terrorists," she said.
The European countries' units would analyze the data to identify people and their associates who may be involved in terrorism or organized crime. It would also create and update "risk indicators" for assessing them and provide intelligence on travel patterns and other trends relating to terrorist offenses and organized crime, according to the proposal. The data could be used in criminal investigations and prosecutions.
James Harrison, a Sacramento attorney and director of the Identity Project, a privacy organization, said that the prospect of analyzing the data to create risk assessments is "alarming."
"Congress forbids the U.S. from conducting algorithms on passenger data domestically," he said, referring to a ban on testing algorithms assigning risk to passengers not on government watch lists. "That is exactly what they are talking about here."
E.U. officials said that all non-Europeans would be protected under the scheme by European states' data-protection laws, while U.S. privacy laws apply only to U.S. citizens. In the case of passenger data, the United States has extended administrative Privacy Act protections to non-U.S. citizens. The Department of Homeland Security also has an online redress site open to all.
But, in 't Veld said, "Even if there were 27 excellent data protection schemes, if you are an American citizen, and travel around Europe for a month, who will you turn to? Ask yourself: How good is your Hungarian?"
Another difference between the U.S.-E.U. pact and the European proposal deals with sensitive information such as religion, sexual orientation and union membership. Under the U.S.-E.U. deal, that information can be used in exceptional cases, "where the life of a data subject or of others could be imperiled or seriously impaired."
Douglas Lavin, regional vice president North America for the International Air Transport Association, called the European proposal "a positive step" in terms of harmonizing data-sharing policies, but said he is concerned about an international patchwork dealing with passenger data. "We don't want to be faced with conflicting laws in this area," he said.