Travelling by air from the European Union to the United States these days may impact privacy more than most passengers realise.
Following the events of September 11 2001, the US has adopted rules that require airlines to grant the US Department of Homeland Security access to passenger name record information for flights to, from or through its territory.
Airlines that refuse to supply the PNR data face heavy fines, possible loss of landing rights, as well as substantial delays at US airports.
According to the grandly named Article 29 Working Party, airlines and travel agents do not always provide such information to passengers in a consistent and satisfactory way.
So, what information should be provided, who should provide it, and when should it be provided to ensure compliance with European data privacy rules?
At a bare minimum, passengers flying from the EU to the US should be informed that Department of Homeland Security will receive certain PNR data for the purposes of preventing and combating terrorism and other serious crimes.
Passengers should also know that the information, which may be used for checking against lists of passengers raising security concerns, will be kept for at least three-and-a-half years and may be shared with other authorities in the US.
If passengers request furtherinformation, they should at least receive a standard notice with frequently asked questions on the transfer of passenger information to the US, which has recently beenupdated.
The notice also advises passengers to contact the airline if they need more information on how their personal data is being handled.
The obligation to inform air passengers rests primarily on the airline selling the flight ticket.
In the case of codesharing, the airline that made the reservation and sold the ticket has a duty to inform the passenger. In those cases where the ticket is bought through a travel agent, the agent should provide the necessary information.
As far as timing is concerned, air passengers should receive the information before they decide to buy the ticket. It is essential that passengers are able to consider the possible impact of the data transfer to the US authorities on their privacy before entering into an agreement with the airline.
The information should preferably be provided a second time after the ticket has been bought, for example as part of the flight reservation confirmation or as a leaflet attached to the ticket.
The proper method for informing passengers will vary depending on how the flight is booked.
If the flight is booked at a travel agency, passengers should receive a paper version of the basic privacy information. The agent should provide them with the more extensive FAQs notice upon request.
If passengers make the booking by telephone, the basic information should be read out to them and the FAQs notice should be available, for example, on a website.
More and more bookings are made via the Internet and in this case, the basic notice should be automatically presented to online customers, for instance, via a pop-up window, without the need for the customer to do anything to look for it such as clicking on a web link.
The longer FAQs notice, however, can be made available elsewhere on the website, provided that a web link to the FAQs is included in the basic information notice.
The FAQs notice encourages passengers with concerns, complaints and correction requests regarding their information to contact the Department of Homeland Security.
However, passengers who are concerned that their privacy rights may have been violated as a result of, for example, untimely or insufficient information by the airline or travel agent, can also file acomplaint with the data privacy authority of their EU member state or seek regress in a competent court of law.
US authorities retain passenger information for three-and-a-half years. Clients should be informed of this fact before they commit to travelling agreement spells out privacy rules
For legitimising the transfer of passenger name record information to the US Department of Homeland Security, European Union and US authorities entered into an international agreement in May 2004, which was replaced by a new agreement in October 2006.
However, PNR information includes passengers’ personal data and European data privacy rules impose specific obligations on those responsible for collecting and processing personal data in Europe (ie the ‘data controllers’).
European data privacy law imposes, for example, an obligation on data controllers to inform individuals of what will happen to their personal information after it has been collected.
Recently an advisory body to the European Commission consisting of representatives of the European member states’ data privacy authorities – the ‘Article 29 Working Party’ – expressed the need for coherence in the content of the information that should be provided to air passengers travelling to the US, a well as in the time and way in which that information should be provided.
Wim Nauwelaert is counsel for law firm Hogan and Hartson