On 28 May 2004, the European Union (EU) and the United States announced an agreement whereby the U.S. Customs and Border Protection agency will collect personal information on passengers traveling to or through the United States from Europe. The agreement lasts through 2007. Customs will collect 34 types of information, such as names, addresses and credit card numbers, and will keep it for three and a half years; Customs will use it for combating terrorism, serious transnational crimes and suspects fleeing custody.

Although people tolerate some infringement of their privacy to combat terrorism, governments will tend to overstep the limits on information use as originally envisaged with agreements such as this. As a result, political conflicts will likely arise in Europe and the United States.

Europe: The European Commission signed this agreement, yet it overrides the EU Data Protection Directive, which guarantees strong privacy protections to EU citizens. Almost certainly, the agreement will spark further controversy. The agreement allows the United States to use the data for its pending Computer-Assisted Passenger Prescreening System (CAPPS II), while U.S. airlines balk at providing similar data. (CAPPS II tries to rank passengers according to the terror risk they pose.)

United States: Over time, the U.S. government will attempt to use CAPPS II and systems like it to combat more crimes. The Department of Homeland Security (to which Customs belongs) consists of many agencies with pre-existing missions that go beyond terrorism. Those agencies will face constant temptation and pressure to use access to personal information for more routine law enforcement. CAPPS II plans originally included only terrorist suspects. Then the government added violent criminals on the grounds that these too threaten passenger safety (although airplanes and airports are full of witnesses, escape is nearly impossible, and armed marshals are present). The EU agreement now includes custody-flight suspects, who almost never imperil other passengers. Where this trend will ultimately stop remains unknown. Privacy advocates across the political spectrum already oppose the government's privacy practices. The extension of warrantless, automated searches of personal information to other classes of offenders may erode wider public support over time.

Recommendations: Public awareness of the use and abuse of personal information continues to grow. Businesses will likely feel the resentment before the government does, because businesses can't claim anti-terror as a rationale. To protect your company:

• Implement strong privacy protections and ensure your customers know about them.
• Press your industry to adopt voluntary privacy standards to minimize the risk of the government imposing onerous requirements after a backlash.

Analytical Sources: Robert Goodwin and Richard Hunter, Gartner Research

Recommended Reading and Related Research

• "Executive Summary: Thriving in the Fishbowl Society" — Aided by law, citizens will demand control over the use of their information. Companies that handle personal information will be exposed to commercial opportunities and risks. By Richard Hunter and Andy Rowsell-Jones
• "IT Security Directors: Privacy Compliance Best Practices" — Enterprises with international operations will increasingly run into the complexities of international privacy laws. By Arabella Hallawell

(You may need to sign in or be a Gartner client to access all of this content.)