EU Court Blocks Passenger Data Deal with U.S.

Reinier writes "The BBC reports that the European Court of Justice has ruled the airline data agreement with the United States is illegal. The 'agreement' required airlines to share 34 items of personal data of their passengers with American authorities at least fifteen minutes before take-off of any flight to the US. The Court of Justice examined the agreement after the European Parliament objected. A PDF of the ruling is available online."

Directive & Articles

[eldavojohn]

The PDF linked states:

The Court found that Article 95 EC, read in conjunction with Article 25 of the directive, cannot justify Community competence to conclude the Agreement with the United States that is at issue.

I could not find anything entitled Article 95 EC, did they mean Directive 95/46/EC [wikipedia.org] which is in regards to the protection of personal data?

Article 25 of the EU Directive [cdt.org] can be found on a number of sites and states that non-member countries may be provided with member data in the case of need. It's quite vague (standard law-talkin' guys strategy) so I could see it being read either way--entirely open ended!

Re:Sounds like it was more a concern about protect

[gowen]

Which raises the question as to what specifically the EU courts find lacking in US data security.

The EU has strong legal protection for data privacy that the US simply lack. The default position in the EU is that no personal data may be shared between two parties without the explicit agreement of the person. Each member state has its own law, but certain principles are common to all [wikipedia.org], and further safeguards mean that data cannot be transferred outside the EU without similar guarantees.

Re:Sounds like it was more a concern about protect

[Confused]

Which raises the question as to what specifically the EU courts find lacking in US data security.

Basically, the main problem of the database-war between the USA and the EU is, that the EU guarantee to its citizens certain rights concerning their data, like not having it transferred to third parties, the right to review the data about oneself and some limited rights to have the data erased. To prevent clever corporations to circumvent those regulations by shipping the data outside the EU, there's a directive that personal data can only be shipped to countries, that have similar data-protection rights (so called safe havens). As you can imagine, the USA isn't really too interested in giving its own citizens data protection rights from corporations and the gouvernement and even less on granting those rights to foreigners. Thus, no data transfer of personal data of EU-citizens to the USA.

Re:Directive & Articles

[gowen]

It's quite vague (standard law-talkin' guys strategy) so I could see it being read either way--entirely open ended!

No, its not. The principles are vague, Article 26 itself is pretty clear. It says that you can't transfer to third countries unless you can guarantee data protection up to the level of Directive 95/46/EC unless

(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation" are fulfilled in the particular case.

Only (b) or (c) could possibly apply here, and the Court have decided they don't.

Re:Directive & Articles

[Anonymous Coward]

Article 95 EC refers to to Article 95 of the Treaty Establishing the European Community [eu.int]

that wasn't necessary

[Anonymous Coward]

When purchasing an advance (ha ha) ticket for a not-yet-born person the airlines are perfectly capable (I know several people who've gone through this within the last 12 months) of making the reservation for an un-named infant as long as you supply the real name before boarding.

Since you already knew what you were going to name the child you had an extra option, but there are still plenty of mothers out there who don't know ahead of time what they're going to name the baby or sometimes even what gender it will be (suppose your ultrasound had been wrong about gender?)

If the travel agent tried to tell you that you had no other choice when you didn't want to disclose the intended name, then I'm sorry you let yourself be bullied.

Re:Dear Land of the Free

[MrSquirrel]

Benjamin Franklin once said, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." I think those words ring just as true today as they did 200 years ago.

Re:Visas?

[radish]

You don't get visas at the immigration desk in the US, you get visas at the US embassy in your home country before you leave. I have a US visa and I have to travel back to my home country every few years to get it renewed. However, most EU citizens on short trips to the US don't need visas, they travel on what's called the visa waiver program. That requires you to fill in a short form essentially stating you're a "normal person" and you get a stamp at immigration and in you go.

And yes, the US - like every other country - can deny anyone entry even if they have a visa. That's one of the risks of international travel.

The point however is that these regulations aren't to prevent terrorists entering the US through an airport, they're to prevent them entering through a skyscraper (think 9/11) so collecting the personal info on the ground after they land is too late.

I'm not saying I think they're effective - obviously not, they're dumb like most of the recent security measures - but the whole point is to know about the incoming passengers before they hit US airspace.

Re:what are those 34 items?

[mbrett]

These are the 34 items, taken from the DHS document at http://www.dhs.gov/interweb/assetlibrary/CBP-DHS_P NRUndertakings5-25-04.pdf [dhs.gov] which also describes how easily the data can be distributed, and how "deleted after 3.5 years" doesn't really mean what it says, but may mean that your data goes into a file marked "deleted, honest, and reely hard to read because it's raw data" and kept for 8 years or more.

1. PNR record locator code
2. Date of reservation
3. Date(s) of intended travel
4. Name
5. Other names on PNR
6. Address
7. All forms of payment information
8. Billing address
9. Contact telephone numbers
10. All travel itinerary for specific PNR
11. Frequent flyer information (limited to miles flown and address(es))
12. Travel agency
13. Travel agent
14. Code share PNR information
15. Travel status of passenger
16. Split/Divided PNR information
17. Email address
18. Ticketing field information
19. General remarks
20. Ticket number
21. Seat number
22. Date of ticket issuance
23. No show history
24. Bag tag numbers
25. Go show information
26. OSI information
27. SSI/SSR information
28. Received from information
29. All historical changes to the PNR
30. Number of travelers on PNR
31. Seat information
32. One-way tickets
33. Any collected APIS information
34. ATFQ fields

Re:what are those 34 items?

[KoosLx]

Statewatch News online [statewatch.org] has a useful overview.

The 12 January 2004 draft "Undertakings of the [USA] Department of Homeland Security Bureau of Customs and Border Protection (CBP)" [statewatch.org] on transfers of airline reservations data (passenger name records, or PNR's) from the European Union to the USA, lists the following 34 items:

1. PNR record locator code
2. Date of reservation
3. Date(s) of intended travel
4. Name
5. Other names on PNR
6. Address
7. All forms of payment information
8. Billing address
9. Contact telephone numbers
10. All travel itinerary for specific PNR
11. Frequent flyer information (limited to miles flown and address(es))
12. Travel agency
13. Travel agent
15. Travel status of passenger
16. Split/Divided PNR information
17. Email address
18. Ticketing field information
19. General remarks
20. Ticket number
21. Seat number
22. Date of ticket issuance
23. No show history
24. Bag tag numbers
25. Go show information
26. OSI information
27. SSI/SSR information
28. Received from information
29. All historical changes to the PNR
30. Number of travellers on PNR
31. Seat information
32. One-way tickets
33. Any collected APIS information
34. ATFQ fields

financial aid?

[m874t232]

The US doesn't give "financial aid" to Europe. Instead, Europe and Asia are pouring hundreds of billions of dollars into the US to keep the US economy afloat (it's not called "financial aid", but "loans and investments", but the end result is not that different). They are doing this because the US is an important export market for Europe and Asia and the world economy would collapse if they didn't do this.

So, the US has some credible economic threats against Europe, but withdrawal of "financial aid" isn't it. The US threat is more like "we can commit economic suicide and take you with us"; it's a threat better exercised with great care.

Re:So, has anyone ever ...

[Erwos]

Kosher doesn't mean it was blessed. It means the food doesn't contain any forbidden items, such as improperly-slaughtered meat, unkosher meats or fish (eg, pork, shellfish, etc), and so on. I think there's a bit of confusion because kosher slaughtering (shechitah) does require someone with ordination to do it, because of potential complexities and problematic situations - indeed, this is what the bulk of a proper rabbinical ordination covers in material.

Halal is apparently similar, but less strict on the number of "inherently un-Halal" items (for instance, I believe Muslims can eat shellfish). I'm no expert, but I've been told that kosher is a subset of Halal - so Muslims who can't find Halal food can rely on kosher certification in a pinch. I don't think they're supposed to do that as the first option, though, which is understandable (after all, their own authorities should be the one making the call).

You can get foods which are both kosher and Halal - for instance, the My Own Meals brand (they do instant meals and MRE-esque stuff) has a good kosher certification, and at least some sort of Halal certification.

Re:So, has anyone ever ...

[Neph]

Wikipedia says yes [wikipedia.org]. Foods allowed under halal are pretty much a superset of those allowed under kashrut (kosher), and in fact:

The Qur'an 5:5 declares that the food of Jews and Christians is halal.

The one exception seems to be alcohol.

Re:what are those 34 items?

[mbrett]

SABRE defines some of these items as:

26. OSI information Other Supplemantary Information which does "not require action or a reply by the carrier. They are low-priority messages and are usually used for information purpose only."

27. SSI/SSR information Special Service Request

"Use SSR messages when you require an action or a reply to your request for these service items:

• Send Emergency Contact Information (PCTC)
• Send OTHS for CC Holder to carriers
• Send Passport Info (3PSPT)
• Send Special Meal Request
• Send Unaccompanied Minor Information
• Send Wheelchair Request "

This obviously can include Credit Card and other information relating to connecting flights or to other passengers not even travelling to the USA.

Passport information is not mandatory for travel agents to demand, but it is often included.

So much for the exclusion of meal requests from the initial list of 39...

33. Any collected APIS information - Advanced Passenger Information System

- "passenger manifests" including name, nationality, passport number, date of birth, etc. - why are they duplicating data on two systems ?

34. ATFQ fields Automatic Ticket Fare Quote i.e. the price of the ticket and could be commercially sensitive

The SABRE system (and probably the other CRS systems) seems to have other hidden free text fields in the Passenger Name Record, which can be hidden from other airlines etc, but which are, presumably available to the US Deptment of Homeland Security

Re:Huh?

[Anonymous Coward]

The commision has come up with the data sharing, and also with the communication data retention. The european parliament has rejected both. However, in the current EU organigram, the parliament has the right to talk, not to actually make laws. So, due to the huge messy behemoth the EU is, parliament has to go to court to prevent the commision (and the council, yet another administrative organ frequently used by the national governments to impose stupidity upon europeans) from doing whatever they want. It's sad. The courts have rejected data sharing, and they will probably reject data retention. But it will take a while, again. The damage might be done, again.

Re:Interesting...

[rpjs]

one hour waits in the passport queue with two agents, while USA citizens get four agents which spend most of the time waiting

Whatever else you might say about US immigration, I've never yet had an experience where if the "US citizen" line agents run out of work the agent superivising the line hasn't sent people from the non-US line to those agents.

It works this way

[justinmoo]

Hmmm, the /. article incorecctly states 15 minutes before flight departure, the Beeb, have their facts correct. The APIS message (current message between Canada and the US) must be sent with 15 minutes of actual departure e.g. the plane is moving. I'm not clear if this means DOOR CLOSE,TAXI or what ever the message is from FliteData type of systems). So, Canada and the US do this now, and have done for a while. If the EEC court does not like this, stay in the EEC. For the record, I am a Brit living in Calgary, Canada, who has just started working on an airline IT project.

Re:Marshall plan to EU 2 trillion in 2005 dollars

[SEMW]

>Ungrateful gits. My parents paid many of their hard earned dollars in taxes to finance the Marshall Plan. The Marshall Plan
>provided nearly 267 billion postwar dollars in aid to Europe -- which equals over two trillion of today's dollars.

Don't know where you got your figures from, but they're way out. The Marshall plan provided $13 billion dollars to Europe (source: http://usinfo.state.gov/ [state.gov] the equivalent of $90 billion in today's money -- a figure, incidentally, nearly 100 times smaller than the current US national debt. Moreover, the money could only be used "to buy goods from the United States, and they had to be shipped across the Atlantic on American merchant vessels" (source: the US government website again).

Incidentally, you, with your "hard earned tax dollars", now contribute 100 times less to foregn aid (0.34% of GDP, the lowest out of 22 MEDCs in the ODA survey) than to defense (3.4% of GDP) - figures taken from *before* the Iraq war.

Re:Dear Land of the Free

[Anonymous Coward]

Um, 38,000 Iraqi civilians have been killed, thats nearly 8 times the number of innocents who lost their lives on 9/11.

Re:Easy ! Just add consent as term of the ticket

[Anonymous Coward]

They can get your data this way, but only if they themselves obey *the rest* of the data protection directive. I'm thinking here of bits like Article 12, where you can ask for all data held about you, have it corrected, deleted etc. Its not consent to use for any purpose, its consent to use for a limited purpose. The bit of the directive you're referring to is there to allow (eg) a mortgage company to check your credit worthiness with Equifax; this limited purpose is stated in the contract you sign. Asking for unlimited purpose would be unfair as in Article 3 of 93/13/EEC (in US terms, unconscionable as in UCC 2-302) and the contract might end up void.

*That* is the problem with the data going to the states; and ways around it already exist [export.gov], but apparently costs too much when applied to the kind of scrutiny currently levelled at US citizens.

IANAL. YMMV.

Re:that wasn't necessary

[magetoo]

Gender is a grammatical term. For instance in German there are 3 genders:

In English there are four genders (the same three you specify, plus the "common gender")

And just to round things out, in Swedish there are two; basically person and thing. ("realgenus" or "utrum" vs. "neutrum")

It's great, because we never have to wonder about the baby's gender.

Re:Huh?

[Frenchy_2001]

Let me see if I understand.

Let me help you.

Sharing info BAD.

Only when it is done in a manner the person giving the info did not agree to and not following the current laws on sharing and retention. In Europe, people value their personnal information and the people have a right to correction and decision on those infos. This is not the case in the US => there is conflict of the laws and data should not be shared this way.

Logging all internet traffic(EU data retention acts) GOOD.

I do not agree with the law, but the law defines exactly what should be logged, how and for how long. Also, it defines who can get access to this information. Nothing of the sort exists for US data bases, that belongs to their respective companies, even if the data inside is yours.

So, no real contradiction here. The court just said: "We disagree about the way you handle personnal data and hence we will not share our data with you until we can garantee it to our standards".

Re:Translation of Qu'ran?

[Jim_Callahan]

The christian texts were written in Latin and Aramaic, and not translated until the second breaking of the church. Even when the empire was strong, most Christians didn't know Latin. The Q'ran was written in the vernacular that everyone who could read at all could read (the muslim empire had a much stronger universal language than late/post-fall rome did). So, essentially, you have it backwards for most of the history of the religions.

As for the present, I have an english translation of the text sitting on my desk right now, which kind of blows your theory out of the water. I'm informed you have to learn Arabic to be considered a scholar of the text, but since you also have to learn French to be a french major and German to be a German major in college, this requirement does not strike me as particularly unreasonable.

(P.S. - Any seminary worth its salt FORCES you to learn latin and greek, though I've heard some will let you slide on the Aramaic and Hebrew, but not many.)

Re:An excuse not to let the French into the US now

[esper]

The 9/11 hijackers had perfectly valid travel papers and would have been most likely granted entry even had these rules been in place.

Some of them entered the US with perfectly valid travel papers. As I recall, the 9/11 Commission Report mentioned that two of them entered with obviously-forged passports, but, for some reason, the customs guys at the border decided to let it slide. Others were already known terrorists and should not have been issued visas in the first place.

You're absolutely right that all the new laws since then probably wouldn't have kept these guys out, but everyone seems to overlook the reverse of that argument: The laws already in place on Sept. 10, 2001 would have been sufficient to catch at least half of these guys - and, more likely than not, to prevent the attack entirely - if only they had been properly enforced.

I also agree that US involvement in the mideast (and, specifically, our dogmatic insistence on supporting Israel, no matter what) is the root issue and needs to be addressed if we're ever to get a true resolution to our terrorist problems.

Re:This just increases hassles for EU citizens

[CrankyOldBastard]

The previous post highlights what I (and many other citizens of The Rest of The World) see as one of the big problems that the USA has to face some time, the way you say "Your laws only apply in your country" and at the same time "Our laws apply in your country"

The USA does not have a particularly good track record of respecting the sovereignity of other nations.