(2004/C 70 E/164)

WRITTEN QUESTION P-2893/03

by Ole Krarup (GUE/NGL) to the Commission

(23 September 2003)

Subject:   Violation of the data protection rules

Would the Commission tell us exactly what parts of the European rules on data protection are being violated due to the demands from the USA regarding transfer of personal data by airlines in connection with transatlantic flights?

Would the Commission tell us when and how that will be brought to an end?

Answer given by Mr Bolkestein on behalf of the Commission

(6 November 2003)

It should be noted, first, that the data protection directive 95/46/CE (1) does not apply to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law, such as the processing of personal data carried out directly by the police. Where the processing of personal data does fall within its scope, as in the case of the processing of passenger name records by airlines and computer reservation systems, the data protection directive imposes on Member States the obligation to adopt implementing legislation that must include a number of rules. These include the principles that personal data must be processed fairly and lawfully, and that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection. ‘Adequate’ protection means that a number of data protection principles of substance are in place, and that sufficient mechanisms exist in the country of destination to ensure that those principles are complied with. The Directive provides a number of exceptions, for example it is also possible to transfer the data when this is legally required on important public interest grounds. Such legal obligation may arise from national legislation or from an international agreement. These legal instruments may also allow exceptions to be made to restrict the scope of some of the obligations and rights provided for in the Directive, in particular the principle that data should be used for purposes compatible with those for which they were collected. In those cases it is required that legislative measures are adopted, and that such a restriction constitutes a necessary measure to safeguard important public interests, such as national security, public security, prevention, investigation detection and prosecution of criminal offences, or to safeguard a monitoring, inspection or regulatory function connected, even occasionally, with the aforementioned safeguard measures.

When allowing United States' authorities to access the whole passenger information records of all passengers flying to and from the United States in the current conditions, airlines must respect national legislation adopted pursuant to those provisions of the Directive, and may be subject to enforcement action by national data protection supervisory authorities in Member States for failure to respect these provisions.

As stated in the intervention of the Member of the Commission in charge of the Internal Market of 9 September 2003 before the Parliament's Committee on Citizen's Freedoms and Rights, Justice and Home Affairs (LIBE Committee), the Commission is negotiating with the United States authorities in order to obtain improvements in the way personal data will be processed in the United States, with the aim of allowing the Commission to adopt a formal decision under Article 25 paragraph 6 of the Data Protection Directive recognising the protection offered as ‘adequate’.

Efforts to obtain improvements focus currently on four major issues, namely:

An adequacy decision will only be possible if the United States is ready to improve significantly its ‘undertakings’. In the absence of an adequacy finding, a bilateral international agreement might provide an appropriate framework to ensure legal security for the data transfers, but this too could only be concluded on the basis of a significant improvement of the present United States undertakings as regards the protection of the data transferred.

The Commission has informed the United States side that it is necessary to find a solution by December 2003 and the United States side has agreed to this timetable.

(1)  Directive 95/46/EC of the Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995.