"Final agreements between EU and USA on PNR and SWIFT
After a long and difficult period of negotiations, on 28-29 June 2007, final agreements were reached between EU and USA on the data regarding European financial transactions operated by Belgian consortium SWIFT and on the passenger name records (PNR) issue respectively.
Regarding the access to financial data from SWIFT, the US has committed to use any data received from SWIFT exclusively for counter-terrorism purposes, the data retention period being of 5 years.
SWIFT is also bound to "adequately" protect the privacy of data according to EU principles as laid out in 2000 and further more, from now on, all banks using SWIFT will have to inform their customers about any transfers of their data.
According to a spokesman for Commission Vice-President Franco Frattini, an "agreement had been reached on the substance of the new Passenger Name Records (PNR) system, with only technical details and EU national parliaments' opinion still to be resolved". The agreement will replace the interim agreement due to expire at the end of July 2007.
Both sets of negotiations resulted in the EU having obtained the power to inspect US investigators' use of European data. The EU has insisted on this, considering that US privacy laws would not protect European citizens' data from being abused. However, according to Gus Hosein from Privacy International, the EU won only limited oversight over the US use of PNR data.
The PNR agreement reduced the number of pieces of data that can be collected by the US authorities from 34 pieces to 19, including name, contact information, payment details, travel agency, itinerary and baggage information, but excluding sensitive data such as ethnicity.
The US will be allowed to store the data for a seven year period under an "active" or "operational" regime and can extend this period by 8 years for "dormant" data which would be accessible under stricter rules. This means a 15 year storage period in total as compared to three years as previously agreed. The EU officials however state that the agreement has more safeguards than before.
In a letter to the German interior minister Wolfgang Schauble, the European Data Protection Supervisor Peter Hustinx has still shown concern believing that the privacy rights of air passengers between the EU and US will be threatened by the agreement struck on 29 June.
A good point is that, for the first time, EU citizens will also be covered by the US Privacy Act which means they can enforce their rights in US courts. The new PNR system deal must be ratified by national parliaments before taking effect as expected at the end of July 2007.
But the PNR data started to look interesting also for the European officials. Just a few days after the car bomb attack in Glasgow and London, the commissioner Franco Frattini announced that he would propose in October a new draft containing anti-terrorism measures, including creating a European PNR system. In this way, the airlines flying to the EU would be obliged to share passengers private data with Europe's secret services. It is not clear yet if the scheme will cover intra-European flights.
Draft text - PNR Agreement (28.06.2007)
EU-US data-sharing deals renew privacy concerns (29.06.2007)
EU legitimises US travel and bank data snoops (28.06.2007)
US gives in to EU demands over data (29.06.2007)
Europe's banks must inform customers of US snooping (27.06.2007)
New PNR Agreement with the United States of America - Peter Hustinx letter to the German Minister of Interior (27.06.2007)
Air passengers to face EU anti-terror screening (4.07.2007)
EU plans air passenger data exchange system (3.07.2007)