A controversial bill that will give the United States access to personal information about airline passengers has been approved by the European Parliament.
The deal, which was held up for two years over privacy concerns, was agreed by MEPs in a vote of 409 to 226 on Thursday. It sets out the legal parameters governing the transfer of passengers’ personal data to the US Department of Homeland Security.
Passenger Name Record (PNR) data is provided by travellers and collected by airline staff during reservation and check-in procedures.
The deal covers issues such as storage periods, purpose of the data use, data protection safeguards, administrative and judicial redress.
It also includes information such as names, addresses, credit card and phone numbers, travel agency data, baggage information (such as the number of bags), seat number as well as "sensitive" data such as ethnic origin, a religious meal choice or request for special assistance due to a medical condition.
The agreement applies to airlines that operate flights between EU countries and the US.
The list of airlines covered by the new legislation extends beyond European carriers to include any carriers that are "incorporated or storing data" in the EU and operating flights to or from the US.
The deal has proved a divisive issue among MEPs.
Those who support the bill say it is a crucial step in helping to fight against international terrorism; it would allow the use of PNR data to prevent, detect, investigate and prosecute terrorism, as well as transnational crimes. It will also serve "to identify persons who would be subject to closer questioning or examination".
However, others say the deal is incompatible with the fundamental right of data protection. They are concerned about the duration and conditions of the storage of data.
Under the terms of the agreement, data will be stored in an active data base for up to five years, though after the first six months all information which could be used to identify a passenger would be "depersonalized" meaning that data such as the passenger's name or contact details would be masked out.
It then remains in a "dormant" database for an extra 15 years, with stricter access requirements for US officials. Thereafter, the agreement says, data would be fully "anonymized" by deleting all information which could identify the passenger. Data related to any specific case will be retained in an active PNR database until an investigation is completed.
Some MEPs believe this is too long. They are also concerned that the system lacks independent oversight, and that the PNR database could be used to investigate minor immigration and customs offences without any link to terrorism.
This new deal is intended to replace another accord applied provisionally since 2007. The European Parliament refused to vote for the old deal, believing that the 2007 agreement offered too little protection of privacy and personal data, forcing Washington and the European Commission to negotiate a new PNR agreement in May 2010.
The EU agreed a PNR deal with Australia in October last year that will allow Australian authorities to store passenger data for five and half years. Another deal is currently being negotiated with Canada.
Justice and Home Affairs Ministers will formally approve the agreement on 26 April. It will then apply for the next seven years.