A Flight to the US Can Invade Your Privacy

European travellers need to be aware that data transfers as a result of US rules that force airlines to supply passenger name records could result in release of personal information.
April 25, 2007
5 min read

Travelling by aircraft from the European Union to the United States these days may impact passengers' privacy more than most travellers realise.

Following the events of September 11, 2001, the US has adopted rules that require airlines to grant the US Department of Homeland Security access to passenger name record information for flights to, from or through the US. Airlines that refuse to supply PNR data face heavy fines, possible loss of landing rights and substantial delays at US airports.

For legitimising the transfer of PNR information to the US Department of Homeland Security, European Union and US authorities entered into an international agreement in May 2004, which was replaced by new agreement in October 2006.

However, PNR information inevitably includes passengers' personal data and European data privacy rules impose specific obligations on those responsible for collecting and processing personal data in Europe (i.e. the 'data controllers'). European data privacy law imposes, for example, an obligation on data controllers to inform individuals of what will happen to their personal information after it has been collected.

Recently, an advisory body to the European Commission consisting of representatives of the European member states' data privacy authorities (the 'Art. 29 Working Party') expressed the need for coherence in the content of the information that should be provided to air passengers travelling to the US, as well as in the time and way in which that information should be provided.

According to the Art. 29 Working Party, airlines and travel agents do not always provide such information to passengers in a consistent and satisfactory way.

So what information should be provided, who should provide it and when should it be provided to ensure compliance with European data privacy rules?

At a bare minimum, passengers flying from the European Union to the US should be informed that the US Department of Homeland Security will receive certain PNR data for the purposes of preventing and combating terrorism and other serious crimes.

Passengers should also know that the information, which may be used for checking against lists of passengers raising aviation security concerns, will be retained for at least three and a half years and may be shared with other authorities in the US.

If passengers request further information in this regard, they should at least receive a standard notice with frequently asked questions on the transfer of passenger information to the US, which the Art. 29 Working Party has recently updated.

The notice also advises passengers to contact the airline company if they need more information on how their personal data are being handled. According to the Art. 29 Working Party, the obligation to inform air passengers rests primarily on the airline selling the flight ticket.

In the case of code-sharing, where one airline sells a flight that is actually operated by another, the airline that made the reservation and sold the ticket has a duty to inform the passenger.

In those cases where the ticket is bought through a travel agent as an intermediary between the passenger and the airline, it is the travel agent that should provide the necessary information. As far as timing is concerned, air passengers should receive the information before they decide to buy the ticket. It is essential that passengers are able to consider the possible impact of the data transfer to the US authorities on their privacy before entering into an air transport agreement with the airline company.

The information should preferably be provided a second time after the ticket has been bought, for example as part of the flight reservation confirmation or as a leaflet attached to the ticket.

The proper method for informing passengers will vary depending on how the flight is booked. If the flight is booked at a travel agency, passengers should receive a paper version of the basic privacy information from their travel agent, who should provide them with the more extensive FAQs notice upon request.

If passengers make the booking by telephone, the basic information should be read out to them (and the FAQs notice should be available, for example, on a website). More and more bookings are made via the internet: in this case, the basic notice should be automatically presented to internet customer ndash; for instance, via a pop-up window ndash; without the need for the customer to perform a positive action such as clicking on a web link.

The longer FAQs notice, however, can made available elsewhere on the website, provided that a web link to the FAQs is included in the basic information notice.

The FAQs notice encourages passengers with concerns, complaints and correction requests regarding their PNR information to contact the US Department of Homeland Security.

However, passengers who are concerned that their privacy rights may have been violated as a result of, for example, untimely or insufficient information by the airline or travel agent, can also file a complaint with the data privacy authority of their EU member state or seek regress in a competent court of law.

Wim Nauwelaert is counsel with Hogan & Hartson.

News stories provided by third parties are not edited by "Site Publication" staff. For suggestions and comments, please click the Contact link at the bottom of this page.

Sign up for Aviation Pros Newsletters
Get the latest news and updates.