The United States and European Union have been discussing exchanging personal data of citizens, “including personal information collected commercially but used for security purposes,” such as airline passenger name records (PNR). But there is a lack of understanding about how EU laws apply to such personal data collection and distribution, says the Department of Homeland Security’s Privacy Office. Therefore, the office has “looked for an analogous situation in which commercial entities collected [personally identifiable information, PII] for security service use. The DHS Privacy Office chose to investigate and report on the EU practice of collecting hotel guest registration data, as from a functional perspective it most closely mirrored PNR data collection and use.”
This investigation is set out in the recently released “Interim Report on the EU Approach to the Commercial Collection of Personal Data for Security Purposes: The Special Case of Hotel Guest Registration Data.” Here’s an excerpt from the report (pdf):
The DHS Privacy Office faced great difficulty in obtaining relevant information from the responsible EU and Member State data protection, justice, and interior ministry officials. As of the date of this report the DHS Privacy Office had sufficient information to report on only eight Member State countries. There are differences in the way each of the eight countries requires hotels to collect hotel guest registration data and make it available to security services. Significantly, the DHS Privacy Office has observed a trend of electronic capture and transmission of this data to security services.
There are also differences in the way each of the eight countries we studied has established oversight mechanisms for security service collection and use of hotel guest registration data. Data Protection Authorities may not always be fully competent to investigate security services, though other bodies may exist to do so. Importantly, none of the eight countries has actually conducted and made publicly available audits or investigations of security service use of hotel guest registration data. The lack of publicly available oversight reports, whether at the EU level or from the Member States, stands in stark contrast to the publicly available oversight reports on PNR. […]
All trends indicate there will be even more, not fewer, transatlantic exchanges of data in the future. Due in part to the growth of the Internet, the ever-increasing speed and ease of storage and transmission of data, and increased collection by private entities, those data exchanges are ever more likely to involve commercially-collected data. The stakes are too great for the US and the EU, and for the essential values of privacy and security, not to go forward in finding agreement on a proper and consistent approach to sharing information.
The DHS Privacy Office also listed recommendations:
Based on its review of procedures and privacy issues surrounding the mandatory collection of hotel guest registration data in the EU, the DHS Privacy Office offers the following recommendations for the Department and for the American travelling public. It is our hope that these recommendations may be useful to other agencies that are engaged in discussions on trans-Atlantic exchanges of personal information.
1. The DHS Privacy Office and the Department should continue to collaborate with interagency partners to ensure consistency in engaging on privacy issues that relate to the trans-Atlantic sharing of commercially-collected personal data for security service use. To that end, there should be greatly increased understanding across the Executive Branch of the transparency and oversight mechanisms that apply to European security agencies. The DHS Privacy Office should continue to help improve understanding of European data protection structures.
2. Americans have an obligation to understand and to assert their rights when travelling to Europe. Americans should become more informed on EU data protection laws and practices. They should ask to see notices and demand clarity whenever a business or government official requests personal data from them. Americans should submit complaints to the appropriate DPA, the Article 29 Working Party, or the European Data Protection Supervisor.
3. The DHS Privacy Office should complete its review of the various European countries’ (EU and non-EU, Schengen and non-Schengen) handling of hotel guest registration data and update this report.