Letter sent by Arturo Quirantes to the Data Protection Agency,  26 June 2.003




Mr. Arturo Quirantes Sierra, with D.N.I. (ID card) number xxxxx, (photocopy is included), acting on his own name and representation, with address at xxxxx


"Iberia" arlines, with customer-service address c/Mara de Molina 40, 4 planta, 28006 Madrid


1.Photocopy of "Ronda Iberia Magazine" (April 2.003, pag. 126), which includes information request from US authorities to airlines. See transcription
2. Copi of the letter sent by me to Iberia, concerning my personal data. See copy (english)
3. Iberia answer to my request. See letter
4. PNR data held by Iberia
[PNR - Reservation:  Legend;               PNR -  Booking: Legend;           PNR: Madrid-NY, Granada-Madrid ]
5. Other data given by Iberia
[Data in Iberia.com: Profile, Profile 2  Data in Amadeus: Profile 1, Profile 2; Ticketing data]
6. List of PNR data requested by US authorities. List
7. Opinion 4/2003 on the Level of Protection ensured in the US for the Transfer of Passengers' Data"(11070/03, WP 78). Pdf copy


On date 26 March 2.003, I travelled from Madrid to New York via Iberia flight IB6251, using the Internet reservation system (later, picking the tickets at the Iberia office in Granada.  A few weeks earlier, european airlines started giving passengers' personal informatio data to US authorities without previous, explicit consent of the passenger, therefore they'd be in violation on European Directive for Data Protection 95/46/EC.  Those data, known in english as PRN, include, for instance, my name, address, phone number, birth date, credit card number and meal choice.

Iberia did not ask for my consent to give those data, nor were I informed by the airline that my data would be given ty US authorities.  In fact, the first "notificatio" (if it can be called so) I had was a newsclip of the "Ronda Iberia Magazine" (april 2.003, page 126) that the airlines distributes inside their airplanes (Annex 1).  The following is said:

As of last March, an agreement between the United States and the European Commission obliges airlines providing service to the United States, among them Iberia, to comply with new requirements that demand information about the passengers flying there.

By the terms of this agreement, US customs officials can request information, the kind that is given when making flight reservations, about passengers travelling there or changing flights in airports there.  The European Commission has informed the airlines that it has received guarantees from the United States that no inappropriate use will be made of such information.

I think that might be in violation of my personal data protection rights, and that in any case it might result in a violation of spanish laws; thats why, on May 15, 2.003, I sent a letter (Annex 2) to the Sub-direction, Customer Service of Iberia, asking for information on the personal data concerning me that have been processed and/or given to US authorities by Iberia.  Iberia's answer came to me on 28 June, over one month after my initial request.  The envelope is dated Madrid, 20 June, and rthe answering letter is dated the 18th.  Having this in mind, and considering that May 18th was a Sunday, Ill leave it to the Protection Agency's criterio to determine whether a special proceeding is needed against Iberia. [Translator's note: that refers to a special procedure against any company which refuese to comply within one month to a data request]

In Iberia's answer (Annex 3) it is stated that the data US Customs has access to are only those contained in the PNR (Passenger Name Register), a copy of which is also enclosed (Annex 4).  Iberia also encloses the data it holds on me, obtained in his webpage iberia.com, the Amadeus reservation system and the "ticketing" system (Annex 5).  In the PNR data are included such as my name, flight number and data, passport data, contact phone and email address (which I obviuosly gave  for contact purpuses to Iberia, not to US authorities), among others.  The complete list of PNR data, as US authorities request, can be read -en english- in Annex 6.  That Annex (according to which, in the future also other data will be requested, such as the traveller's complete name, birth date, complete address and home phone) is referenced on the "Opinion 4/2003 on the Level of Protection ensured in the US for the Transfer of Passengers' Data"(11070/03, WP 78)" of the Data Protection Working Group (Article 29 Group, set up pursuant to Article 29 of Directive 95/46/EC).  Such opinion is included, to the effects of information and documenting, as Annex 7.

As for the other data (coming from Iberia.com, Amadeus and ticketing, see Annex 4), Iberia claims that US authorities dont have accessto it.  However, considering the fact that, at this very monent, those authorities are pressing to obtain a wider access to airlines' data, I'm also including those data for your consideration.  Most of them are empty fields, but Id like to know whether the Data Protection Agency considers that its according to the law that Iberia can obtain and store data on such sensible subjects as traveller' s revenues, civil-working-academic status, meal preferences, motives for the trip, favorite newspaper or sport, hobbies, kind of Internet usage, etc.

I'm against the transfer of PNR data, and I think this transfer lacks legal basis, violating the basic principles of the European Directive on Data Protection.  The joint European Commission - US Customs statement related to PNR transmission (17 March 2003) mentions that data can be used for "law-enforcement purpuses", and can be stored for "as long as required for the purpuse for which they were stores".  These provisions lack the adeauqte protection requested by the European Directive on Data Protection 95/64/EC concerning personal data transfer to third countries.

Im also against the non-specific nature of data transfer.  According to EU laws and the Europen Convention on Human Rights, data stored by private companies for commercial purposes can not be used by law-enforcement aurhotities without a previos court order, based on the need to prove a demonstrable need, and should be specific for each traveller.

According EU pivacy regulations, the transfer of personal data  to third countries without laws protecting in an adequate way individual privacy is prohibited, unless the individuals agree to that transfer.  Most passenger, when booking a flight to the United States, are not even informed of the fact that their data have been sent right to that country's law enforcement autohrities.  European travellers, therefore, have no chance to object that transfer.

For all that, the writer and signer of this letter.


5. REQUESTS: That, pursuant to article 48, Organic Law 15/1999, (13 de december) on data protection of personal nature, makes a legal protest (denuncia) for violation of that Law.

In Granada, 26 June 2.003


Signed: Arturo Quirantes Sierra