Court brands passenger data transfer illegal

A US mandate that airline passenger information be sent to the American government prior to arrival has come into question following a decision last week in the European Court of Justice that brands the process as illegal.

The European Parliament took the matter to the court in Luxembourg due to concerns that passenger data may not be adequately protected by the US government under the 2004 "passenger name agreement" introduced in the wake of the September 11, 2001 attacks.

The ruling means the agreement - signed between the European Union's executive body the European Commission, and the US government - is invalid and is currently under a four-month hiatus.

The court gave the commission until September 30 to find another solution. Plans are under way to sign a new agreement that provides more than 30 hit points of ID data per passenger.

The move is a victory for civil libertarians but it leaves travel companies, especially the airlines that must collect the passenger data in a legal quandary. Under US laws passed after September 11, 2001, airlines can be fined for failing to hand over the information.

Irene Graham, Electronic Frontiers Australia executive director, said providing information to another country's immigration department raises huge privacy issues about the security of data.

"I don't believe that most people travelling overseas know that a vast amount of [personal] information is given to international authorities," Graham said.

"It raises the question of not only how securely the airlines keep information, but if that is handed over to officials in another country, how can we be sure the people with access to that data are legitimate. I do not understand how this information stops terrorism."

Australian airlines fully comply with the US mandate and the federal government claims passenger data is secure.

A spokesperson from the Department of Immigration, Multicultural and Indigenous Affairs (DIMIA) would not disclose the amount or type of passenger information sent, via airlines, to the US.

Australian legislation covering passenger data collection falls under the DIMIA-controlled Border Control and Compliance Division as "Advanced Passenger Processing" (APP).

The spokesperson said APP performs two key functions for border security.

It allows an airline to electronically verify a passenger's authority to travel to, and enter, Australia before boarding a flight and signals the impending arrival of a passenger on an international flight to enable the passenger's arrival processing.

"The Australian and the US systems are both advance passenger information systems. However, how they use and collect data is different; our system has additional functionality," the spokesperson said.

"Australia's APP system does not use airline reservation information or Passenger Name Record (PNR) data.

"Instead, the airline check-in agent collects data from the passenger's passport and sends that data to Australia's APP system for validation purposes and no other data is collected for processing."

The information used by the APP includes passport number, nationality, family name, given names, date of birth and gender. The APP allows DIMIA to issue passenger boarding directives to airlines at the time of check-in.

A spokesperson at Qantas confirmed that details sent to the US of passengers travelling from Australia to the US "fully comply with relevant US legislation."

Join the newsletter!

Error: Please check your email address.

More about Electronic Frontiers AustraliaEuropean CommissionEuropean ParliamentQantasVIA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Crawford

Latest Videos

More videos

Blog Posts

Market Place