EU privacy watchdogs to review air passenger data stance

[PARIS] Europe's data privacy watchdogs will meet in coming days to discuss revising their earlier opposition to countries sharing airline passenger data as part of efforts to tighten security and thwart terror attacks, the group's head said on Wednesday.

The talks come after EU President Donald Tusk said he would press lawmakers in the European Parliament to drop their resistance to the so-called EU Passenger Name Record system in the wake of deadly Islamist attacks in France.

Lawmakers have resisted endorsing the system for sharing data, known as the PNR, on the grounds it would infringe on people's privacy by instituting mass tracking and surveillance of all travellers.

"The G29's position has been reserved up till now," said Isabelle Falque-Pierrotin, who chairs the group of European data protection regulators as well as France's watchdog called the CNIL, at a briefing.

"We will discuss it again in 10 days or so."

In a position set out in late 2011, European data protection regulators argued that there was no evidence that the mass collection and transfer of air passenger data would help security, deeming it a "disproportionate" response.

Ms Falque-Pierrotin suggested, however, that any future record system could be accompanied by guarantees to address privacy concerns. She suggested the possibility of safeguards on access to such data, together with other guarantees on length of storage of data and the security of such databases.

She noted a national passenger record system due to be put in place by France later this year included similar safeguards, including a two-year limit on holding passenger data. The current European proposal would hold data for five years.

Ms Falque-Pierrotin, speaking on the same day France announced it would hire 1,400 extra intelligence staff in its efforts to ensure there was no repeat of attacks that claimed 17 lives, acknowledged the current events were "a game-changer".

However she argued that any move by authorities to tighten security should be accompanied by guarantees that this would not undermine personal liberties - a criticism made notably of the US Patriot Act laws introduced after the Sept 2001 attacks.

"The idea that there is a straight trade-off between freedoms and security is, to my mind, a bit sterile," she said.

Ms Falque-Pierrotin said 2014 saw progress on data protection and privacy in a number of areas, including a ruling by Europe's top court that individuals had a "right to be forgotten" online, under which they can ask search engines to remove outdated or incorrect information about them.

Since the ruling in May, Google has set up a system for people to make such requests and received more than 200,000 from across Europe affecting over 700,000 URLs. Other big web companies like Microsoft and Facebook have been slower to set up systems to comply.

However Google has tussled with regulators about how the ruling should be applied. It argues that ruling should only apply to its European websites, such as Google.de in Germany or Google.fr in France - a position that France's CNIL and other watchdogs oppose.

Ms Falque-Pierrotin said discussions continued with Google but that data protection regulators have the option of putting the company on notice to change its arrangements or face fines.

"The message to the company is the following: Like any other player, you must comply with European law - no more, no less."

Earlier attempts by European regulators to get Google to comply with local rules have failed. Several have fined Google over changes in 2012 to its user privacy policy, but the company has not altered its approach.

The penalties remain small compares with Google's size. France fined it 150,000 euros in January 2014, while Spain imposed one of 900,000 euros. Google's annual revenue in 2013 was US$55.52 billion.

REUTERS