New US regulations requiring carriers to disclose data on passengers run foul of European data protection laws. David Naylor, partner at London-based law firm Morrison & Foerster, looks at the implications for airlines

In the aftermath of 11 September 2001, the US government implemented wide-ranging extra security measures. Among other key objectives, the administration perceived an immediate need to enhance its ability to identify potential terrorists entering the country. Within months the US government had implemented two major pieces of legislation aimed at providing access to the personal data of airline passengers and crews. Unfortunately for the airline industry, compliance with the new laws effectively required airlines with operations in Europe to routinely breach European data protection laws.

Under the Aviation and Transportation Security Act and the Enhanced Border Security and Visa Entry Reform Act, all carriers operating flights to, from or through the US are required to provide customs and immigration officials with access to data on individual passengers. Airlines face fines for violations of the requirements of $1,000 a passenger by US immigration and $5,000 a passenger by customs.

However, compliance with this legislation has meant that they face potential fines and civil damages in the European Union (EU) for breaching data protection laws that, among other things, prohibit the transfer of personal data to countries which are not considered to offer adequate protection - such as the USA.

The dispute between the EU and the USA over the incompatibility of their approaches to this issue began to surface in 2002. In November, US Homeland Security Secretary Tom Ridge's attempts to resolve the situation were rebuffed during a visit to Brussels. Reports followed in the European media of US threats to impose additional visa requirements on EU nationals and, according to some sources, simply to ban incoming flights from the EU. Allegations abounded that EU nationals were subjected to unnecessarily invasive searches and delays on entry to the USA.

In February this year, in the face of mounting US pressure, the European Commission (EC) appeared to soften its stance, reaching an "interim arrangement" with the US authorities, subject to their assurances that data will be handled appropriately, with "only" the CIA and the National Security Agency being provided further access to this information.

However, in the immediate future, there will still be a number of grey areas. The EU will have no direct control over the way US authorities use the data. Moreover, although the EC has insisted that US access to databases would be restricted solely to transatlantic flights, US documentation annexed to a joint EU-US statement, says US customs will access air carrier reservation systems directly. The USA has said it would be "too costly" for carriers to select and transmit data to the USA. The EU has also said that "fencing off" non-transatlantic flights in airline databases would be very expensive.

Even more alarming, however, is the fact, conceded by Brussels, that the arrangement is effectively without "legal security". In other words, while the EC may have accepted the US position, it does not have the authority to prevent member states' data protection authorities or the courts from enforcing local data protection laws - which leaves airlines significantly exposed. Indeed, in a speech on 12 March of this year, EC Commissioner Frits Bolkestein accepted a reprimand from the European Parliament for the Commission's failure to involve the Parliament in its discussions with the US authorities, and conceded that the "interim arrangement" did not amount to a decision or agreement and, as such, had no 'legal base'. He restated the airlines' obligation to comply with data protection laws, and confirmed that only the courts could act as final arbitrators on questions of compliance.

In the long term, the only satisfactory solution is likely to require further bilateral negotiations with the USA, and the implementation of legal measures at EU level. Until then, airlines should carefully consider their current procedures and take all possible steps to limit their exposure and comply with applicable data protection laws to the fullest extent possible.

Measures they can take include ensuring that they have proper legal grounds for their processing of legal data, and that they obtain passenger and crew consent or establish other legal grounds for transfers of their personal data.

Source: Airline Business