By Alan Travis
The European commission’s own lawyers have warned that a joint US-European agreement to store the personal data, including credit card details, of millions of transatlantic air passengers for 15 years is unlawful.
The confidential legal opinion, passed to the Guardian, says the agreement to allow the US department of homeland security to store airline check-in data is “not compatible with fundamental rights”.
The note by the commission’s legal service, dated 16 May, says it has “grave doubts” that the passenger name record (PNR) deal, now being finalised, complies with the fundamental right to data protection.
The official legal opinion could prove crucial as the agreement, which has been negotiated by the commission with the US, needs the approval of the European parliament as well as ministers.
Leaked details of an EU ambassadors’ meeting last week showed the French, Germans, Italians, Dutch and others are still strongly critical of the proposed deal, with only the British, Irish, Swedes and Estonians supporting it.
Commission officials played down the significance of the official legal opinion, which was provided to negotiators before the deal was finalised, by saying its legality could only be tested in the courts.
The European lawyers say their “most serious concerns” cover the widely-drawn limits on the use of the personal data, the disproportionate storage period of 15 years, the lack of independent oversight and proper access to the courts for those seeking redress over misuse of their details. Their concerns include:
Judicial redress for aggrieved individuals is not guaranteed, the lawyers say: “All redress is made subject to US law, while the forms of redress explicitly guaranteed are administrative only and thus at the discretion of the department of homeland security.”
Oversight to be carried out by homeland security “privacy officers” does not amount to independent oversight, say the European lawyers.
Tony Bunyan of Statewatch, which monitors civil liberties across Europe, said the European parliament should refuse to consent to the agreement, as it is allowed to do under the Lisbon treaty. He said it did not meet EU data protection standards, nor provide judicial redress or independent oversight.
“Secret minutes of EU-US meetings since 2001 show that they have always been a one-way channel, with the US setting the agenda by making demands on the EU,” said Bunyan. “When the EU does make rare requests, like on data protection, because US law only offers protection and redress to US citizens, they are bluntly told that the US is not going to change its data protection system – as they were at the EU-US JHA ministerial meeting in Washington on 8-9 December 2010.”
Jan Philipp Albrecht, a German Green party MEP and member of the European parliament’s civil liberties committee, said the document showed the EU was acting against its own legal advice in pushing ahead with the proposed retention of sensitive passenger data.