Air transport services: Code of Conduct for computerised reservation systems

2007/0243(COD)

OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the proposal for a Regulation of the European Parliament and of the Council on a code of conduct for computerised reservation systems.

The aforementioned proposal was sent by the Commission to the EDPS for consultation and was received on 20 November 2007. The proposal concerns the processing of passenger data by computerised reservation systems (CRSs) and is closely related to other schemes for the collection and use of passenger data, within the EU or in relation to third countries. The objective of the proposal is to update the provisions of the code of conduct for CRSs. The code appears to be increasingly ill-adapted to the new market conditions, and would need simplification in order to reinforce competition, while maintaining basic safeguards and ensuring the provision of neutral information to consumers.

The EDPS welcomes the inclusion in the proposal of data protection principles that specify the provisions of Directive 95/46/EC. These provisions enhance legal certainty, and could usefully be complemented by additional safeguards on three points: (i) ensuring the fully informed consent of data subjects for the processing of sensitive data; (ii) providing for security measures taking into account the different services offered by CRSs; and (iii) the protection of marketing information.

With regard to the scope of application of the proposal, the criteria that make the proposal applicable to CRSs established in third countries raise the question of its practical application in a manner coherent with the application of the lex generalis, i.e. Directive 95/46/EC. To ensure the effective implementation of the proposal, the EDPS considers that there is a need for a clear and comprehensive view of the CRS question as a whole, taking into account the complexity of the CRS network and the conditions of access by third parties to personal data processed by CRSs.

Even if these issues go beyond the concrete provisions of the proposal, it is nevertheless deemed essential to put the CRS question in its global context and to be aware of the implications and the challenges of having such a large amount of personal data, some of them sensitive, processed in a global network practically accessible to third-State authorities. It is therefore decisive that effective compliance is ensured, not only with regard to the competition aspects of the proposal but also with regard to data protection principles, by the authorities competent for enforcement, i.e. the Commission, as foreseen in the proposal, and Data Protection Authorities.