U.S. and European Union officials on Wednesday signed an anti-terrorism accord that renews a 2007 agreement to exchange fliers' personal data, despite objections from some EU members who say the deal is excessively invasive despite added data protections.
The pact took years to negotiate because of European members' privacy concerns. The data at issue -- passenger name records -- encompasses an array of information that people register with travel agencies and airlines to book flights, including names, itineraries, phone numbers, payment methods and credit card numbers.
The new policy limits the purposes of reviewing the records to detecting, pre-empting and investigating criminal offenses, according to European Union Council officials. They added it contains a "robust data protection regime," including the stipulation that personal information "be masked out" -- rendered illegible to most users, after six months. After five years, passenger records will be relocated to a "dormant database" with additional controls. The information, however, will remain accessible to authorities for 15 years for investigations into terrorist activity and 10 years for international crime probes.
The countries will use a technological fix to ensure records cannot be used for anything other than potential terrorist cases after 10 years, DHS officials said. Two databases, one accessible for any future criminal cases and one for possible terrorist probes, will house the same data. The information stored in the designated crime database will be deleted after 10 years, and the duplicate information in the second database will remain open only to terrorist investigators for another five years.
Beyond enhancing privacy, the plan should help authorities identify illicit activity faster, Homeland Security officials added. Today, records shared are sometimes outdated and only dispatched 72 hours before fliers' departure. Going forward, data will be updated in real-time, starting 96 hours before takeoff.
The accord now awaits approval from the European Parliament.
Homeland Security Deputy Secretary Jane Holl Lute said in a statement, "today's signing of the new agreement on the transfer of passenger name records is a significant step forward in strengthening our cooperation with the EU to combat terrorism and transnational threats while respecting our commitment to privacy and data protection. This agreement passed the Council of the European Union with strong support and we encourage the European Parliament to give its consent as soon as possible so that the agreement can enter into force."
Germany and Austria rejected the measure, because of the length of time records will be available, but were unable to block passage Tuesday, Germany's Deutsche Welle reported.
The European Data Protection Supervisor, the EU's independent privacy watchdog, said concerns remain over data retention periods, access by U.S. authorities outside the Homeland Security Department and other uses of the information. Specifically, supervisor Peter Hustinx said records should be deleted immediately after analysis or six months after receipt -- maximum. The reasons for reviewing data should be restricted to terrorism probes or a defined list of serious crimes, he added. And Homeland Security should be prohibited from sharing the information with other U.S. officials or other countries unless those entities guarantee equal levels of protection, Hustinx said.
"Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfill strict conditions," he said in a statement. "Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the member states have not been met."
In December 2010, DHS officials told lawmakers that the EU's reluctance to adopt this agreement was one of the legal and cultural factors beyond America's control that was hurting aviation security. U.S. officials were acting in response to several near misses, such as the attempted bombing of a Detroit-bound plane by a man hiding explosives in his underwear.
"The PNR is extremely important," DHS Assistant Secretary of Policy David Heyman said at the time. "It has helped us to do analysis that allows us to find co-travelers who might be of concern -- we did that in the case of Zazi -- and to identify individuals who may be trying to flee the country as the case was with Shahzad." Najibullah Zazi was convicted of trying to ignite explosives in the New York subway system and Faisal Shahzad allegedly attempted to bomb Times Square.