Since the beginning of 2007, the European Union (EU) Member States' privacy regulators, which comprise the Article 29 Working Party, have issued two important working papers. In the first, the Working Party adopted a standard application for the approval of Binding Corporate Rules (BCR) for multinationals wishing to transfer EU residents' personal data to non-"certified" third countries, such as the United States. In the second, the Working Party clarified its position on various parties' responsibilities stemming from the U.S. Department of Homeland Security's (DHS) demand for Passenger Name Records (PNR) for all inbound international flights.
BCR Application: An Attempt at Streamlining?
As discussed in the November 2006 issue of Privacy In Focus, some multinationals may find BCRs to be a more palatable alternative to the safe harbor agreement. Unlike the safe harbor's one-size-fits-all approach, BCRs can, in theory, be tailored to a multinational's particular needs. Once recognized by EU privacy regulators, a company's BCRs will permit it to make internal international data transfers regardless of the location of the recipient, who could even be located in a country that the EU does not recognize as providing "adequate safeguards" for the collection, processing and use of personal data. In practice, however, parties seeking approval of their BCRs still face substantive and procedural impediments.
In its January 10, 2007, Working Paper, the Working Party may have offered a glimmer of hope that it is willing to work with multinationals to develop and implement BCRs. Specifically, the Working Party's creation of a standard application and clarification of the requirements for BCR certification could represent a small step towards easing the process's procedural burdens. But the Working Party still has not addressed significant substantive issues, such as requirements that could conflict with the national laws of non-member states. Thus, only a handful of companies may find the BCR certification process's intrusive and procedurally complex requirements to be the preferred means of complying with EU privacy regulations.
Navigating PNR Notice Requirements
In mid-February, the Working Party issued a non-binding opinion on the transfer to U.S. authorities of PNRs related to flights to the United States. Though brief, the Working Party's opinion offers several modifications of existing policies related to this contentious requirement in the United States' ongoing effort to combat global terrorism. Specifically, the Working Party clarified airlines' and travel agents' obligations under the Data Directive and provided airlines with specific instructions on how to display privacy notices to EU customers.
The DHS requires access to PNR for inbound flights, and EU residents still want or need to travel to the United States. Thus, the Working Party has never been in a position to recommend an outright prohibition on the data's transfer. Departing from its usual stance, the Working Party has not prohibited airlines from participating in the trans-border data flow; rather, it merely requires the airlines to tell passengers that information about their travel will be transferred to DHS.
Travel agents are not representatives acting on behalf of the airlines -- the classic legal definition of an "agent." Instead, the Working Party classifies travel agents as "intermediaries" between the airlines and passengers. In the absence of representative capacity, one might assume that the travel agents would not face the same responsibilities for the release of PNR data to DHS, but this assumption would be wrong. After taking the time to distinguish travel agents from airlines, the Working Party imposed essentially the same notice requirements on travel agents.
Next, the Working Party addressed the proper means of notifying passengers who book their own flights on the carrier's website that their PNR will be transferred to DHS. The Working Party advised that the notice must be "presented to passengers automatically, without requiring them to look for it" and then suggested that airlines use pop-up windows as one means of providing the requisite notice. The Working Party gave no guidance on whether it will deem notice to have been given if a passenger uses pop-up blocking software. The text of the notices is the subject of an earlier Working Paper and remains unchanged.
Given the Working Party's emphasis on the manner, time and contents of notices to U.S.-bound EU residents, companies in the travel industry would be prudent to work with counsel to fashion compliant notice procedures.