The vast amount of data - ~30 items per passenger, including credit card details - required by the Department of Homeland Security of airlines flying to the US within 15 minutes of takeoff, has been ruled illegal by the EU, citing the EU Data Protection Directive.
From September onwards, transatlantic airlines will be faced with the dilemma that they break EU law by supplying the data, or US law by failing to supply it. Airlines could be fined/banned, and passengers subjected to severe security checks when arriving from the EU if this data isn’t supplied.
Personally, I think the Department of Homeland Security, while doing its job of protecting the US, is overreaching its remit, exaggerating the threat posed by certain passengers (qv. the Cat Stevens/Yusuf Islam farrago), and is unlikely to be able to use the data thus supplied in any decent fashion, relying on other intelligence to identify potential terrorists.
How’s this going to pan out? Is the threat to both economies so great that one side or other will back down, or a compromise reached?
If the stalemate lasts, and European airlines start to be punished, I predict there will be at least a few arrangements where European airlines will take people to Canada (pulling out of the States entirely), and then US airlines will take them from there. US border agents “pre-clear” passengers at many Canadian airports, so they will get all their information on the spot rather than requiring the European airlines to do their work for them.
According to the BBC Q&A, the US originally wanted to store the details for 50 years, but after pressure from the EU Parliament dropped it to 3.5 years. What kind of terrorist-fighting intelligence is relevant 50 years later?
They also agreed not to collect data on the type of meal you order for the flight. Which was big of them.
I’d like to know what the 34 pieces of information they collect are. I can only guess the first 5.
Name
DOB
Address
Nationality
Credit Card Number
This is essentially it. They will have this massive and unwieldy database that is chock full of personal information (a giant target for identity thieves) that will do absolutely nothing to stop a terrorist outrage.
I don’t think it’s possible to compromise the Data Protection Act. If they did it for the US government then why should anyone be held subject to it?
I wonder what the respective penalties for non-compliance are, and whether the fines for breaching one could simply be added to the cost of travel.
I can’t see the major transatlantic carriers (Virgin Atlantic, British Airways, Air France etc) pulling out of the US. It would kill their business.
This is just about setting out the legalistic terms in such a way that the Data Protection Directive is bypassed on security grounds (which is allowed). Typical ECJ nitpickery really, and barely newsworthy. They’ll just rephrase it acceptably before the September deadline and the agreement will come into effect.
If on the off chance fines are levied on European airlines, maybe Europe could start fining non-European airlines and call it a fuel tax?
In all seriousness, I do think that the absurd measures the US now imposes on foreign visitors should be reciprocated in the manner that other immigration issues are. (Then again, the EU would no doubt be terrified of losing all those touri$m dollar$, so would probably be lobbied not to increase the inconvenience.)
Does Brazil still fingerprint US citizens when they pass through passport control, or was that a publicity stunt just in effect when the US began fingerprinting all visitors to the US?
I don’t see how the EU Court of Justice can rule on something happening in another non-EU country (USA), even if it is done by an EU company. Is it usual for the EU to try to set the rules that EU companies are supposed to follow even when they’re doing business outside the EU? When did it become an EU matter for that sake, rather than a simple state matter?
Apparently the ruling only goes for EU airlines, while US airlines (still submitting the info) are in violation of no laws. So EU airlines will be barred from flying from the EU to the USA, while US airlines can fly as they wish, and EU airlines are poised to lose a very valuable market. Stop over in Canada? Not bloody likely.
This is never going to stand. The EU parliament is going to have its knickers in a twist.
It isn’t. The DHS wants the data collected and sent to them before a flight takes off from the EU, to the United States. The collection and transmission of the data is all taking place within the EU Court’s jurisdiction.
That’s a very good point, Rune. The data is still emanating from the EU, even if it is submitted by a US airline. Perhaps it’s only the country of incorporation, but it does still appear rather inconsistent.
When the directive was issued, as per the 1957 Treaty of Rome, which binds all member states due to the supremacy of EU law.
In this case, the Data Directive applies not only to the states themselves but to entities which are considered emanations of the state. I’m not sure whether airlines which are subsidised by EU governments qualify in this regard, but if so, they would be forced to obey the Directive despite other airlines doing whatever the heck they liked with such data.
Nah, I don’t think it’s the country of incorporation that matters. My old employer had to comply with EU privacy laws, even though at the time they had no EU offices - they’d created some Web-based client questionnaires that clients were to complete while still in their (EU) home countries, and were told that if the information was being collected in the EU, its collection was subject to EU privacy laws.
The question is, who could I sue for releasing my details in a manner which contravened Directive 95/46? If EU-subsidised airlines are emanations of the state, I could sue them just as I could sue my own government: this is the principle of “vertical direct effect”.
But what of US airlines doing business in the EU - could I sue them too? Sadly not. This is a Directive, and these only apply to states or emanations thereof. Only certain Regulations allow me to sue other people or companies (the principle of horizontal direct effect), and I don’t know of any which apply here. I could, perhaps, sue my government for not making them obey EU law, but I doubt that I’d be successful.
In any case, like I said, this is a silly-season storm in a teacup - the entirely expected ECJ legal quibble du jour which the press have jumped on despite knowing full well that the Directive-sidestepping legalese will be ironed out in good time and the data sent off for security purposes as per the agreement. I bet that on the day this starts happening, it won’t even make the news.
Hmmm… I’m not sure. Isn’t the directive what allowed airlines to provide the data to the USA? And isn’t the statute about data protection an EU regulation? If I’m not mistaken, then, couldn’t you sue the airline on the basis of this regulation?
And yes, anyway, you could sue your government for not implementing the directives, anyway, assuming they had not done so.
(by the way, I’ve been really pleased by the ruling. I had been mightily pissed off when they accepted to agree to US demands about providing this data, even though they agreed only to a watered-down version. Yes, the 30 items kept for 50 years is only a watered-down version of the original US request).
No, Directive 95/46 placed limitations on what can be done with personal data (plural of ‘datum’). Nothing “allowed” EU airlines to supply data to the US per se, that was just an agreement between private companies, as sanctioned by one of the three EU governing bodies, the European Commission.
Another of the three, European Parliament, thought this deal might contravene Directive 95/46 and so referred it to the legal authority of the ECJ. The ECJ are currently saying that the deal isn’t quite set out in good enough legalese to sidestep the Directive on certain security grounds (which is allowed).
A Directive is neither, necessarily, a national statute nor an EU regulation. Suing another individual or company via horizontal direct effect gets extremely messy very quickly (the ECJ effectively first has to rule whether you can or not!), especially in a case like this when different EU bodies themselves are in disagreement. Like I say, the ECJ’s nitpickery will almost certainly be satisfied in the next few months and the deal will stand.
(And I understand it’s 30 items kept for 3.5 years, not 50.)