EU Ministers of Home Affairs push for Passenger Records Directive; EU Member States Data Protection Authorities: News Regarding Safe Harbor (continuous update).

EU Ministers of Home Affairs push for Passenger Records Directive

In the aftermath of the November 13 attacks in Paris, European Union Ministers of Home Affairs push for the release of a Passenger Records Directive applicable to flights into or between EU airports (“PNR Directive”).

The PNR Directive would require airlines flying into or between EU airports to provide passenger data to law enforcement authorities in the arrival country, who would then screen those data.

Originally proposed by the European Commission in 2011, the PNR Directive was at first blocked by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee in 2013 because of privacy concerns. Following the terrorist attacks in Paris, the Ministers of Home Affairs on Nov. 20 now pledged to finalize the PNR Directive by the end of 2015.  It should provide for a sufficiently long data period during which Passenger Name Record data (PNR) can be retained in non-masked-out form. In addition, the use of data obtained under the PNR Directive should not be limited to crimes of a transnational nature.

The proposed PNR Directive should go through the normal negotiation process involving discussions between the Parliament and the Council of the EU.


EU Member States Data Protection Authorities: News Regarding Safe Harbor (continuous update)

In the ongoing discussions about the future of EU-US data transfers after the October 6 decision of the European Court of Justice, several Data Protection Authorities of the Member States regularly issue updates and advice on cross-border-data transfers.

The French DPA (CNIL) in a guidance note of Nov. 19 advised that companies who relied on Safe Harbor should use standard contractual clauses for data transfers to the US, at least until a new framework would be in place to replace the invalidated Safe Harbor Program. The authority recommends the use of standard contractual clauses as a short-term solution, because BCRs take several months to be implemented. The CNIL also made public an eight-question FAQ, regarding cross-border data transfers in the aftermath of the Safe Harbor decision.

The Slovakian DPA announced that transfers based on Safe Harbor to the US are no longer legal, therefore organizations must either use standard contract clauses  or binding corporate rules to transfer data to the US. These mechanisms under Slovakian Data Protection law require previous approval of the DPA.