Passenger data technology suspended over questions of cost

The US and the EU recently signed an agreement that definitively ratifies the transfer of European air passengers' data to the US. For some months, the European Commission had clearly signalled that the Council of Ministers would pass the agreement despite the protests of the European Parliament.

Since March 2003 – well before the agreement - the US administration has been able to access information on passengers, some of it highly sensitive – name, credit card number, telephone numbers, travel records and even dietary preferences – contained in Passenger Name Records (PNR), which are the reservation files compiled by the airlines. According to Washington, such data can serve to identify potential terrorists before they enter American territory.

The European Parliament nonetheless levelled criticism at the scheme, saying the conditions under which data is transferred do not grant adequate protection of passengers' privacy. As a response to such fears, the Commission got several concessions from the US, notably on the amount of data to be transferred (34 separate pieces instead of 39).

"The legal context has changed since the Council of Ministers and the Commission have clarified the condition under which the transfer of the 34 pieces of data to the American authorities is legally acceptable," said Arnaud Camus, of Air France's international affairs management division.

"Before, we were in a legal vacuum," he said. The airlines were finding themselves between a rock and a hard place: the US was threatening to block any airline from its airports that didn't comply with its demands, despite the fact that complying with such demands meant breaking European law.

In reality, on the other hand, not much has changed. "The American authorities only get access to the flights into their territory but they still take the 39 pieces of data directly from our databases," Camus said.

One the data has been collected, they have to "filter" it to retain just the 34 fields legally permitted under the May agreement. It all adds up to the data still being transferred in "pull mode", while the two parties agreed that the best guarantee for passengers was to put in place a transfer system using a "push" model – that is, to send the data to the US after filtering it at source.

Air France, like the other members of the Association of European Airlines (AEA), confirms that such a technical solution could be put in place within months, by centralising the data (Austria was the chosen as most likely location) before transferring it on to Washington.

Camus confirmed it six months ago: "This type of solution should be able to be operational in some months, from when an agreement is reached and its financing is assured by the public bodies responsible for creating it."

The problem from now on will be economic. "Who's going to pay for it?", Camus is now asking. "The authorities who are in charge of the matter have to tackle it, which will inevitably take some time.

"In the meantime, the Commission and the Council believes that a "pull" solution with a filter system is legally acceptable… we will therefore stick to that."

There remains one question that still needs settling: the European Parliament has not yet said its last word and could bring the matter in front of the European Court of Justice, with the intent of proving the agreement contravenes European law.

It's a step the AEA is violently opposed to. "Such a measure would, to us, be counter-productive," Camus said. "The Commission has got the most it can from the US that it reasonably can. To demand more would run the risk of a split and European airlines would be the only victims of the collateral damage."

Estelle Dumout writes for ZDNet France