Court brands passenger data transfer illegal

A U.S. mandate that airline passenger information be sent to theAmerican government prior to arrival has come into questionfollowing a decision last week in the European Court of Justicethat brands the process as illegal.

The European Parliament took the matter to the court inLuxembourg due to concerns that passenger data may not beadequately protected by the U.S. government under the 2004″passenger name agreement” introduced in the wake of the September11, 2001 attacks.

The ruling means the agreement – signed between the EuropeanUnion’s executive body the European Commission, and the U.S.government – is invalid and is currently under a four-monthhiatus.

The court gave the commission until September 30 to find anothersolution. Plans are under way to sign a new agreement that providesmore than 30 hit points of ID data per passenger.

The move is a victory for civil libertarians but it leavestravel companies, especially the airlines that must collect thepassenger data in a legal quandary. Under U.S. laws passed afterSeptember 11, 2001, airlines can be fined for failing to hand overthe information.

Irene Graham, Electronic Frontiers Australia executive director,said providing information to another country’s immigrationdepartment raises huge privacy issues about the security ofdata.

“I don’t believe that most people travelling overseas know thata vast amount of [personal] information is given to internationalauthorities,” Graham said.

“It raises the question of not only how securely the airlineskeep information, but if that is handed over to officials inanother country, how can we be sure the people with access to thatdata are legitimate. I do not understand how this information stopsterrorism.”

Australian airlines fully comply with the U.S. mandate and theAustralian federal government claims passenger data is secure.

A spokesperson from the Department of Immigration, Multiculturaland Indigenous Affairs (DIMIA) would not disclose the amount ortype of passenger information sent, via airlines, to the U.S.

Australian legislation covering passenger data collection fallsunder the DIMIA-controlled Border Control and Compliance Divisionas “Advanced Passenger Processing” (APP).

The spokesperson said APP performs two key functions for bordersecurity.

It allows an airline to electronically verify a passenger’sauthority to travel to, and enter, Australia before boarding aflight and signals the impending arrival of a passenger on aninternational flight to enable the passenger’s arrivalprocessing.

“The Australian and the U.S. systems are both advance passengerinformation systems. However, how they use and collect data isdifferent; our system has additional functionality,” thespokesperson said.

“Australia’s APP system does not use airline reservationinformation or Passenger Name Record (PNR) data.

“Instead, the airline check-in agent collects data from thepassenger’s passport and sends that data to Australia’s APP systemfor validation purposes and no other data is collected forprocessing.”

The information used by the APP includes passport number,nationality, family name, given names, date of birth and gender.The APP allows DIMIA to issue passenger boarding directives toairlines at the time of check-in.

A spokesperson at Qantas Airways Ltd. confirmed that detailssent to the U.S. of passengers travelling from Australia to theU.S. “fully comply with relevant U.S. legislation.”