Personal Data No Longer Private

The porous nature of call centres in India and elsewhere is now a fixture on the list of things we have to worry about in modern life. But up until now we have not had to concern ourselves about personal information which passes to the United States.

Since the US has no significant foothold in the market for personal data generated in Europe, most EU citizens would only transmit data across the Atlantic in the context of an American holiday, or perhaps a flight to the land of the free.

That has now changed, and in the most dramatic fashion. And Europe is spiralling towards an ignominious defeat in its efforts to protect the privacy of its citizens in the face of tunnel-visioned American demands - which they insist are justified by the ongoing War on Terror.

It was not long after the appalling and traumatic events of September 11, 2001, that America first told airlines operating to, from or through the US that they had to supply detailed records of the passengers they were carrying to US Customs and Border Protection. The argument from the Department of Homeland Security was that if America knew who was in the country, it might be able to do something about them.

These passenger name records, or PNRs, demanded details which most of us would prefer to keep to ourselves - addresses, email addresses, credit card details, phone numbers and even information about the number of bags we had with us.

This caused consternation in the EU, which is committed under the terms of its own directives to stringent protection of the privacy of its citizens and of information about them since the US would not provide adequate safeguards for this data.

 After nearly three years of tough and frustrating negotiations, the European Commission agreed a formula which would allow the lawful transmission of this information. However, in May this year the European Court of Justice ruled that the formula did not fall within the competence of the EC and it was annulled.

American authorities continued to demand the details, backed up by the threat that they would deny airlines who refused permission to land. This placed the airlines in an impossible position, since if they did pass on the information, they would be wide open to legal action under European data protection directives.

The EU and the Department of Homeland Security finally drafted an interim agreement at the start of this month (October 6) running until July next year in terms similar to those agreed two years ago.

It included subtle changes in wording and emphasis which effectively downgraded fundamental rights and freedoms - which are set in stone in the EU - from something of vital importance to something that merely had to be taken into account. And instead of an undertaking that the Department of Homeland Security would implement the agreement, the EU was now simply relying on implementation.

But the ink was barely dry on this agreement before the American side was back with their “understandings” of it. And these understandings drove a coach and horses through Europe’s last-ditch attempts to protect privacy and data. They include:

·       Data sharing with other, unspecified US agencies.

·       Alterations to means of accessing data.

·       Alterations to the time data could be kept.

·       The potential to add new elements to data demands.

Put simply, the US has unilaterally re-interpreted supposedly agreed undertakings in a way which meets its policy imperatives, but not those of fundamental EU data protection requirements.

To say that the EU’s response to this apparent high-handedness was muted is an understatement. It is clear that Europe feels it has lost the battle.

There will be another skirmish when attempts are made next year to create a definitive agreement before the interim one runs out. But until then, European passengers must resign themselves to the fact that their personal information is being passed to unspecified US agencies whether they like it or not.

David Flint is a partner in and head of MacRoberts Solicitors’ technology, media and communications group.

25 October 2006