EU Court Blocks Passenger Data Deal with U.S.

Reinier writes "The BBC reports that the European Court of Justice has ruled the airline data agreement with the United States is illegal. The 'agreement' required airlines to share 34 items of personal data of their passengers with American authorities at least fifteen minutes before take-off of any flight to the US. The Court of Justice examined the agreement after the European Parliament objected. A PDF of the ruling is available online."

So, has anyone ever ...

[Ihlosi]

... made bogus meal requests on international flights just to confuse the data mining algorithm ?

For example: "Must have pasta." ... muhahah.

Re:So, has anyone ever ...

[chiskop]

Mustafa Pasta?

Red Flag! Red Flag!

Re:So, has anyone ever ...

[Erwos]

Kosher doesn't mean it was blessed. It means the food doesn't contain any forbidden items, such as improperly-slaughtered meat, unkosher meats or fish (eg, pork, shellfish, etc), and so on. I think there's a bit of confusion because kosher slaughtering (shechitah) does require someone with ordination to do it, because of potential complexities and problematic situations - indeed, this is what the bulk of a proper rabbinical ordination covers in material.

Halal is apparently similar, but less strict on the number of "inherently un-Halal" items (for instance, I believe Muslims can eat shellfish). I'm no expert, but I've been told that kosher is a subset of Halal - so Muslims who can't find Halal food can rely on kosher certification in a pinch. I don't think they're supposed to do that as the first option, though, which is understandable (after all, their own authorities should be the one making the call).

You can get foods which are both kosher and Halal - for instance, the My Own Meals brand (they do instant meals and MRE-esque stuff) has a good kosher certification, and at least some sort of Halal certification.

Re:So, has anyone ever ...

[PinkPanther]

The one exception seems to be alcohol.

Alcohol being "banned" is also questionable in Islam.

Islam preaches about moderation. Anything in abundance is bad, including prayer if it interfers with the general principles of being a good Muslim (e.g. prayer to the exclusion of being an active member of society or devotion to the point of obsession).

Though I have seen passages from the Qu'ran stating that alcohol (or "intoxicants" or "fermented fruits") are banned, I strongly question that stance. Many of these passages, as with other religion documents around the world, are taken out of context and/or questionably translated.

Islam does not contain many absolutes in its philosophy (don't confuse philosophy with practice and culture)...it is a religion of reason and its primary messages are of love, peace, family, society and living a life of moderation.

Yes, you can find many (MANY) webpages stating that there are fundamental truths in Islam and its practice including the "Haram" of alcohol...and I can find a number of sites that state that women have no voice, that "infidels" are anyone who disagrees with some sect's interpretations, yada-yada-yada.

At its root, Islam asks that each individual Muslim question for themselves the essence of their faith and the meaning of its philosophy. Blindly accepting rules and "facts" set out by others does not make one a "good Muslim".

Directive & Articles

[eldavojohn]

The PDF linked states:

The Court found that Article 95 EC, read in conjunction with Article 25 of the directive, cannot justify Community competence to conclude the Agreement with the United States that is at issue.

I could not find anything entitled Article 95 EC, did they mean Directive 95/46/EC which is in regards to the protection of personal data?

Article 25 of the EU Directive can be found on a number of sites and states that non-member countries may be provided with member data in the case of need. It's quite vague (standard law-talkin' guys strategy) so I could see it being read either way--entirely open ended!

Re:Directive & Articles

[gowen]

It's quite vague (standard law-talkin' guys strategy) so I could see it being read either way--entirely open ended!

No, its not. The principles are vague, Article 26 itself is pretty clear. It says that you can't transfer to third countries unless you can guarantee data protection up to the level of Directive 95/46/EC unless

(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation" are fulfilled in the particular case.

Only (b) or (c) could possibly apply here, and the Court have decided they don't.

Re:Directive & Articles

[Gadzinka]

But you see... European data protection laws explicitelly state, that consent to give away data protection cannot be condition to any contract and items of contracts containing such provisions are void.

This is a big difference between US and EU laws. In both organisms state reserves the oversight of contracts between private citizens and corporations. But while in US government backs away from such oversight in any matter that any wacko might label "anti-business", in EU there are lots of laws, that state that some provisions in them cannot be discarded by contracts, and items of contracts contradicting such provisions are illegal and void.

I actually like my state protecting me from monopolies/cartels.

Robert

Dear Land of the Free

This is what courts standing up for individual privacy rights look like.

Note how the US played the "Terrorism" card, and the courts didn't immediately fold.
You may wish to send this news item to your Attorney General.
Or you may wish to remain asleep.

Whatevers good with you.

Re:Dear Land of the Free

And I, for one, an American with a family history that goes back to the Mayflower, welcome this with open arms!

My fellow Americans are definitely asleep. They spout off about how "moral" they are, and then allow torture. They support war crimes. They support public bribery of every public official. They allow their elections to be rigged with wild abandon. And, through their ignorance and abject greed they are quite willing to kill off the rest of the world with their environmental stupidity.

Europe is my only remaining hope. Bring it on! Please! In all fairness, you should just let us drown in our own effluent, but it really is a small and interconnected world. It is in your best interest, as well as ours, for you to "bitch slap" the hell out of us, and preferrably soon.

BillyDoc

Re:Dear Land of the Free

[Nevynxxx]

" Fact is, we live in an ever-increasingly dangerous world"
This is not a fact. This is compleatly untrue. There have been active terrorists in the world, constantly for the last 100 years.

I work no more than 1 mile from the last IRA attempt, as far as I can see it did us a lot more good than harm, but that's another matter.

Please don't say that just because they are after you now, the world is "more dangerous" maybe your part of it is, but overall, it's ticking along as normal.

Re:Dear Land of the Free

[mrchaotica]

Fact is, we live in an ever-increasingly dangerous world.

No we don't. The real fact is that we live in an ever-decreasingly dangerous world. For example, 500 years ago people couldn't travel without an entourage because otherwise they'd be attacked by freakin' bandits! They had to worry all the time about growing enough food to not starve to death. They were pretty darn likely to die in childhood from diseases that barely even exist anymore. They had to worry about being sold into slavery. They lived in constant fear of attack from neighboring fiefdoms.

Nowadays, the thing most likely to kill you is not bandits or the plague or maurading Huns, but rather is your own gluttony! And yet our entire country gets bent out of shape just beacuse a few thousand people happened to die in the same incident. Honestly, it isn't that big a problem!

Re:Dear Land of the Free

[mrchaotica]

Of course we shouldn't ignore it, but we shouldn't get hysterical about it either! And it's certainly not worth giving up our civil liberties for, seeing as how those are more important than any individual's life anyway.

Big help

[Confused]

That'll help all those EU-citizens a lot, that had their data sent to the USA in the past two years to be stored for the rest of eternity is all kind of dubious databases in the USA.

But better late than never. I always though the implementation of the treaty should have been postponed until this ruling.

Re:Big help

[Khammurabi]

That'll help all those EU-citizens a lot, that had their data sent to the USA in the past two years to be stored for the rest of eternity is all kind of dubious databases in the USA.

Well then thank god I'm an American! Oh wait.

Re:Big help

[Confused]

Well, the point isn't to preotect you from getting into legal databases, the point is that a citizen you have certain rights to the data in those databases. And no, those rights don't allow you to have your criminal record deleted immediately or forbid the gouvernement to collect data about you.

These rights are more to prevent the gouvernement to sell this data to the next direct marketeer, which will use it to make personalised adds along the road you drive every morning, or to have pharmacies sell your drug purchase history to your employer.

Sounds like it was more a concern about protection

[RsG]

From TFA, it seems the issue was more that the US doesn't guarantee sufficient protection of passanger data. Given that this data includes things like CC numbers and identifying information, I could see the concern.

Which raises the question as to what specifically the EU courts find lacking in US data security. Perhaps there are too few checks and balances with regard to who gets access to passenger data?

Americans are doomed!

[bogaboga]

With open southern and northern borders, the US government still thinks that al-Qaida and the like will use an airline to get into the US? I laugh at them.

On the otherhand, it's good to see that the EU is flexing some muscle. Bush I believe will say..."they have some backbone..."

Interesting...

[__aaclcg7560]

Does anyone think that US will start banning flights or threaten to remove financial aid if the data isn't shared? Would a European country give in to the US or obey the court ruling?

I think this is going to be a sticky mess since the rule of law isn't being respected in the US now and US attitudes towards foreign courts has always been "screw you, mate!"

Re:Interesting...

[RasendeRutje]

I think every traveller to the US will have to sign a document that allows the Flight Company to pass your personal data to the US (a.k.a. selling your soul).
You don't sign the document? You don't get on the flight.

Result: terrorists fly to mexico and walk into the US.

A victory for terrorism

[kkiller]

Hell, this could open the floodgates for any kind of crazed nut-case.

Difficult position for airlines

[debest]

"If we don't supply the information to the United States authorities then we're liable to fines of up to $6,000 per passenger and the loss of landing rights," he said.

"And if we do supply the data, potentially we're breaking the law [on data protection]."

So what are their options? Are the airlines going to have to completely suspend flights to the United States if neither side backs down?

(Not that this possibility isn't intriguing, but I certainly wouldn't want to have to be a manager in one the major European carriers for the next few months).

Visas?

[Alfred,+Lord+Tennyso]

Could the US simply refuse visas to anybody who will not provide them that information?

And could they turn away a plane carrying somebody without a visa?

In general EU citizens get their visas in customs, after having landed in the US, and US citizens get the same treatment in the EU. That's always struck me as odd, actually; what if they refuse you a visa? You've flown all that way for nothing?

I wonder if they need to move the visa procedures back closer to the country of origin. That would probably be a massive regulatory hassle. And it would sure make relations between the US and the EU seem chillier.

Re:Visas?

[radish]

You don't get visas at the immigration desk in the US, you get visas at the US embassy in your home country before you leave. I have a US visa and I have to travel back to my home country every few years to get it renewed. However, most EU citizens on short trips to the US don't need visas, they travel on what's called the visa waiver program. That requires you to fill in a short form essentially stating you're a "normal person" and you get a stamp at immigration and in you go.

And yes, the US - like every other country - can deny anyone entry even if they have a visa. That's one of the risks of international travel.

The point however is that these regulations aren't to prevent terrorists entering the US through an airport, they're to prevent them entering through a skyscraper (think 9/11) so collecting the personal info on the ground after they land is too late.

I'm not saying I think they're effective - obviously not, they're dumb like most of the recent security measures - but the whole point is to know about the incoming passengers before they hit US airspace.

Re:Sounds like it was more a concern about protect

[Confused]

Which raises the question as to what specifically the EU courts find lacking in US data security.

Basically, the main problem of the database-war between the USA and the EU is, that the EU guarantee to its citizens certain rights concerning their data, like not having it transferred to third parties, the right to review the data about oneself and some limited rights to have the data erased. To prevent clever corporations to circumvent those regulations by shipping the data outside the EU, there's a directive that personal data can only be shipped to countries, that have similar data-protection rights (so called safe havens). As you can imagine, the USA isn't really too interested in giving its own citizens data protection rights from corporations and the gouvernement and even less on granting those rights to foreigners. Thus, no data transfer of personal data of EU-citizens to the USA.

This whole data-collection nonsense ...

[Ihlosi]

... lead to the hilarious situation that for a while, my wife, I, the travel agent and the US government were the only entities that knew what we wanted to name our son (months before he was actually born).

At least all the relatives still acted surprised when we told them the name.

Re:This whole data-collection nonsense ...

Although on your part, calling him Osama wasn't the brightest move...

What if the shoe were on the other foot?

[mark-t]

How would Americans feel if their information had to be given to destination countries or their planes would be denied landing rights there?

How to stamp out international tourism in 1 easy step.

What the USA is asking won't stop terrorists from getting on board planes. Not for a second. All it has the potential to do is flag innocent people.

Re:What if the shoe were on the other foot?

[gowen]

Why just the other day I heard the US president talking about the "Global War on Tourism".

At least I think that's what he said. I understand that to show his support for legal immigration, President Bush often pretends to struggle with the pronounciation of simple English words.

Re:I see no backbone

[gowen]

The French backed down from sane free-market reforms in order to improve their high unemployment rate

I believe thats called "the right of self-determination". Your grandfather probably helped fight for it in World War 2, only for you to belittle it.

Huh?

[DAldredge]

Let me see if I understand.

Sharing info BAD.
Logging all internet traffic(EU data retention acts) GOOD.

Huh?

Re:what are those 34 items?

[mbrett]

These are the 34 items, taken from the DHS document at http://www.dhs.gov/interweb/assetlibrary/CBP-DHS_P NRUndertakings5-25-04.pdf which also describes how easily the data can be distributed, and how "deleted after 3.5 years" doesn't really mean what it says, but may mean that your data goes into a file marked "deleted, honest, and reely hard to read because it's raw data" and kept for 8 years or more.

1. PNR record locator code
2. Date of reservation
3. Date(s) of intended travel
4. Name
5. Other names on PNR
6. Address
7. All forms of payment information
8. Billing address
9. Contact telephone numbers
10. All travel itinerary for specific PNR
11. Frequent flyer information (limited to miles flown and address(es))
12. Travel agency
13. Travel agent
14. Code share PNR information
15. Travel status of passenger
16. Split/Divided PNR information
17. Email address
18. Ticketing field information
19. General remarks
20. Ticket number
21. Seat number
22. Date of ticket issuance
23. No show history
24. Bag tag numbers
25. Go show information
26. OSI information
27. SSI/SSR information
28. Received from information
29. All historical changes to the PNR
30. Number of travelers on PNR
31. Seat information
32. One-way tickets
33. Any collected APIS information
34. ATFQ fields

financial aid?

[m874t232]

The US doesn't give "financial aid" to Europe. Instead, Europe and Asia are pouring hundreds of billions of dollars into the US to keep the US economy afloat (it's not called "financial aid", but "loans and investments", but the end result is not that different). They are doing this because the US is an important export market for Europe and Asia and the world economy would collapse if they didn't do this.

So, the US has some credible economic threats against Europe, but withdrawal of "financial aid" isn't it. The US threat is more like "we can commit economic suicide and take you with us"; it's a threat better exercised with great care.

Re:Sounds like it was more a concern about protect

[Confused]

The EU, by and large, trusts their governments to deal with privacy and controlling it. The US, by and large, trusts the private sector.

Yes, that sums it up quite well. And given the choice, trusting the gouvernement seems more reasonable, as they already have certain monopols (law making, law enforcement, military power). So if your gouvernement becomes corrupt to a point that even basic trust isn't justified any more, your personal data will be your least concern. Another feature of gouvernements is that it keeps the level of corruption rather equal across the branches. So if you still have a few branches you trust, there's a good chance you can trust the other branches as much.

On the other side you have the private sector, where every corporation does as it thinks it can get away with. If one oversteps the boundary, they'll declare bankrupt and the same people start another corporation with a different name and the same game. Self-regulation has been proven many times in the past not to work, a very popular example for this is boiler safety in the UK and US in the late 1800s. If the major concern is the protection of weak individuals against corporations, asking the industry to play fair and nice is naïve, if so much money can be made by not playing nice. Also corporations will have a hard time being more trustworthy than the gouvernement, which can threaten the people working in the corporation. Never underestimate the persuavie power of free roaming death-squads.

To balance things out, the private sector works far better if the goal is effiency to deliver products and services. So if you want cheap and efficient data protection, go to the private sector, if you want trustworthy data protection, stay with the gouvernement.

Re:An excuse not to let the French into the US now

[jeffasselin]

Because a lot of terrorists striking the US came through this route lately...

Seriously, this and other measures are totally useless and inefficient to deter terrorists. The 9/11 hijackers had perfectly valid travel papers and would have been most likely granted entry even had these rules been in place. Building fences isn't going to do much, I'd rather suggest solving the problem at the source - US involvement in the Middle East.

Re:what are those 34 items?

[mbrett]

SABRE defines some of these items as:

26. OSI information Other Supplemantary Information which does "not require action or a reply by the carrier. They are low-priority messages and are usually used for information purpose only."

27. SSI/SSR information Special Service Request

"Use SSR messages when you require an action or a reply to your request for these service items:

• Send Emergency Contact Information (PCTC)
• Send OTHS for CC Holder to carriers
• Send Passport Info (3PSPT)
• Send Special Meal Request
• Send Unaccompanied Minor Information
• Send Wheelchair Request "

This obviously can include Credit Card and other information relating to connecting flights or to other passengers not even travelling to the USA.

Passport information is not mandatory for travel agents to demand, but it is often included.

So much for the exclusion of meal requests from the initial list of 39...

33. Any collected APIS information - Advanced Passenger Information System

- "passenger manifests" including name, nationality, passport number, date of birth, etc. - why are they duplicating data on two systems ?

34. ATFQ fields Automatic Ticket Fare Quote i.e. the price of the ticket and could be commercially sensitive

The SABRE system (and probably the other CRS systems) seems to have other hidden free text fields in the Passenger Name Record, which can be hidden from other airlines etc, but which are, presumably available to the US Deptment of Homeland Security