EU-US agreement on air passenger data, May 2004

Author (Person)
Publisher
Series Title
Series Details 28.6.04
Publication Date 28/06/2004
Content Type , ,

On 17 May 2004 an Agreement on Passenger Name Records (PNR) was formally concluded between the European Union and the United States of America. The Agreement is intended to provide a firm legal basis for the provision of passenger details by EU airlines to the US authorities, as - since March 2003 - airlines have been providing PNR in breach of EU law. The legislation entered into force immediately.

The Agreement followed a Decision by the European Commission in mid-June which established that the US Bureau of Customs and Border Protection's personal data protection system complies with the requirements of the 1995 Data Protection Directive (a so-called 'adequacy finding'). That Decision was in turn based on formal Undertakings by the US, published on 11 May, concerning the protection of passenger data transferred by European airlines to US authorities.

The European Parliament opposed the draft Agreement and voted to ask the European Court of Justice whether it was compatible with EU law. Meanwhile, the Commission proceeded with the negotiations and the new legal framework was agreed by the Council. The Commission argues that it has obtained significant concessions from the US. Although the Agreement has entered into force, there is still a possibility that the Parliament will seek to have it annulled.

Background

The Council Decision concluding an Agreement between the European Community and the United States of America on the processing and transfer of Passenger Name Records PNR) data by air carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection - adopted on 17 May 2004 - is a contentious piece of legislation.

It has its genesis in US moves to reinforce domestic security in the wake of the terrorist attacks of September 2001. On 19 November 2001, the United States Congress adopted the Aviation and Transportation Security Act, requiring airlines flying to, from or through the US to provide the US Bureau of Customs and Border Protection (CBP) with electronic access to PNR.

Passenger Name Records are files created by carriers every time a passenger books a flight. The PNR enables a passenger to be identified by those involved in the travel process, such as travel agents and airlines. Data about his or her journey is stored by the relevant airline(s). In addition to flight details, some airlines also keep more personal information, such as special dietary requests. 'There are approximately 20-25 possible fields of PNR data', according to the European Commission, 'some of which include subsets of information, expanding the total to approximately 60 fields and sub-fields' (see: Airline passenger data ... frequently asked questions).

In response to concerns expressed by the EU since December 2001, European carriers were not required to comply with the US Act until March 2003. Since then, the majority of them have provided PNR, despite the fact that doing so is in breach of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. However, not complying with US requests could leave airlines open to sanctions, including the loss of landing rights and 'fines of $6,000 (€5,000, £3,600) per passenger' see Financial Times: US presses Brussels over access to air passenger data). Airlines not supplying PNR data also risked their passengers facing lengthy searches on arrival in the United States - leading to delays for both them and the airline companies.

Most airlines opted to provide PNR rather than face such sanctions. In October 2003, the Financial Times reported that Alitalia and Austrian Airlines were 'understood to be the only European airlines not complying with the rules', but that the US had decided 'to give the two airlines another 30 days to begin complying with the regulations' (see: Deadline for airline passenger lists is extended).

External Affairs Commissioner Chris Patten described the situation to the European Parliament as a 'dreadful dilemma', with airlines having 'either to comply with the PNR requirement and risk being taken to court by their national Data Protection Authorities, or not to comply, which would have triggered intrusive extra searches of their passengers' (see: Chris Patten: Passenger Name Record (PNR) EC /US Agreement).

Commissioner Frits Bolkestein - responsible for the Internal Market - characterised the situation as 'at best legally fragile', saying that 'we are confronted with competing, even to some extent irreconcilable concerns, all of which are legitimate in themselves' (see: Frits Bolkestein: EU/US talks on transfers of airline passengers' personal data). He went on to highlight 'a number of policy issues' raised by the United States' demands:

  • 'the fight against terrorism
  • the right to privacy and fundamental civil liberties
  • the ability of our airlines to compete
  • the EU/US relationship in general and
  • the security and convenience of legitimate air travellers, including actual or potential European air transport and border security concerns.'

Notwithstanding these wider concerns, the critical issue from the EU's perspective has been the requirement under Article 25 of the Data Protection Directive that personal data may only be transferred to a country outside the Union if an 'adequate level of protection' is assured. There is no definition of 'adequate protection', although the same Article states that 'particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.'

Article 25 also empowers the European Commission to assess whether such protection is afforded by the country concerned. It therefore fell to the Commission to open negotiations with the US authorities, aimed at reaching an agreement acceptable to both parties.

The scale of the problem facing the EU can be gauged from an Opinion issued in October 2002 by the Article 29 Data Protection Working Party (an independent advisory body on data protection and privacy, set up under Directive 95/46/EC), which warned that, although 'sovereign States do have discretion over the information that they can require from persons wishing to gain entry to their country ... the current proposals ... would lead to the disproportionate and routine disclosure of information by airlines who are subject to the requirements of Directive 95/46/EC' (see: Opinion 6/2002).

Nevertheless, the Commission announced in December 2003 that negotiations had been satisfactorily concluded and that it intended to adopt a Decision stating that the US Bureau of Customs and Border Protection provided adequate protection for passengers' data.

Speaking to the European Parliament Committee on Citizens' Freedoms and Rights, Justice and Home Affairs and Committee on Legal Affairs and the Internal Market on 1 December 2003, Commissioner Bolkestein reiterated that the Commission's objectives had been 'to achieve a legally secure framework for the transfer of PNR data; while guaranteeing the best possible data protection for European citizens' (see: EU/US talks on transfers of airline passengers' personal data). He also told MEPs that the Commission had persuaded the US to change its mind on a number of points, including reducing the length of time for which data is stored (from seven years to three-and-a-half years), and agreeing to review the situation 'at least every year'.

Shortly after, however, Johanna Boogerd-Quaak MEP argued that the EU still found itself 'in an illegal situation' and called for the European Court of Justice to decide whether the proposed Decision complied with EU law (see European Voice: Europe agrees passenger data deal with US; Ms Boogerd-Quaak was Rapporteur for the Report on the proposal for a Council decision on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, published in April 2004).

December also saw the publication by the Commission of a Communication entitled Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach, which outlined the Commission's approach to the transfer of PNR data. Amongst other things, the Commission noted the 'prime importance [of] establishing rapidly a legally secure framework for PNR transfers to the US Department of Homeland Security (Bureau of Customs and Border Protection)' and proposed to establish a 'legal framework in the form of an adequacy finding ... accompanied by an international agreement with the US.' It also promised a further proposal - by mid-2004 - 'outlining an EU approach to the use of travellers' data for border and aviation security and other law enforcement purposes', plus 'an international initiative with respect to PNR data transfers under the auspices of ICAO' [the International Civil Aviation Organization].

At the end of January 2004, the Article 29 Data Protection Working Party issued its Opinion 2/2004, which stated that 'The case of private data collected for commercial purposes and contained in the databases of airlines offering flight [sic] from the EU to or through USA and the associated reservations systems, to be communicated to a public authority by providing access to such systems is without precedent in the relationships between the EU and the USA'.

It was not until 23 February that the General Affairs Council formally authorised the Commission to open negotiations with the US on an Agreement on the use of PNR data.

On 9 March, MEPs took the opportunity of a debate on the first Report on the implementation of the Data Protection Directive to air their concerns over the proposed Commission Decision, arguing that 'transfers of personal data to third country authorities without consent, such as in the case of the US authorities accessing transatlantic passenger data, seriously infringes EU data protection standards'. They also considered that 'progress made over a year of talks with the US on this question to be totally inadequate, and call[ed] for arrangements for data protection in such circumstances to be subject to approval by Parliament in the future' (see: Data protection: transfer of passenger details to US a serious infringement, say MEPs).

At the end of March, Parliament adopted a Resolution in which it described the level of protection offered by the US to PNR data as 'inadequate' - in contrast to the Commission's assertion that it was 'adequate' (see: Passenger data on transatlantic flights: MEPs keep up their opposition). MEPs pointed out that there is no legal basis in the EU 'for using PNR data for public security purposes' and asked for a new Decision to be drafted. They also called on the Commission 'to reach a proper international agreement with the US.' In the interim, Parliament wanted Member States 'to require immediate compliance with EU and domestic privacy laws and to require airlines and travel agencies to obtain passengers' consent for the transfer of data.'

On 21 April, the European Parliament voted to refer the Commission's draft to the Court of Justice (see: Transfer of passenger data to the US). Speaking at the plenary session, prior to the vote, Commissioner Patten acknowledged Parliament's concerns, but argued that compromise was necessary, given that 'on this occasion we had to face the fact that the US was already obtaining the data which they wanted' (see: Chris Patten: Passenger Name Record (PNR) EC /US Agreement). He urged MEPs to support the Agreement, 'not because it is perfect, but because it is a great deal better for our airlines to operate under legal certainty and for the passengers to have much improved safeguards than the legal void that would result from a collapse of the package for which we have worked so long and hard to negotiate.'

Two weeks later, Parliament rejected a Council request for the use of the 'urgency procedure' to push the Agreement through (see: MEPs refuse urgency procedure on passenger data transfer). According to Statewatch, the Commission and Council 'knew that 162 MEPs from the 10 new member states would be ... joining the existing 632 MEPs. They lobbied them hard to overturn the previous votes. However, the vote against the “deal” increased' (see: EP rejects EU-US PNR deal by an even bigger majority). The vote was the fifth time MEPs had rejected the proposal.

On 11 May the US Department of Homeland Security Bureau of Customs and Border Protection issued formal Undertakings 'In support of the plan of the European Commission ... to adopt a decision recognizing the Department of Homeland Security Bureau of Customs and Border Protection (CBP) as providing adequate protection for the purposes of air carrier transfers of Passenger Name Record (PNR) data ... '

The following week, on 17 May, the Commission adopted a formal Decision indicating that it considered that 'adequate protection' for PNR was provided by the US authorities (see: Commission secures guarantees for protecting personal data of transatlantic air passengers). On the same day, the Council adopted a Decision approving the conclusion of the proposed Agreement (see: press release General Affairs and External Relations ... and text of the Council Decision). A press release from the Commission gave details of the Agreement, which cuts the number of data categories to 34, from a previous maximum of about 60; excludes (or deletes) 'sensitive data', which could reveal details of a passenger's race, religion or personal health; and deletes most PNR data after three-and-a-half years (although files that have been accessed 'will be kept in a deleted data file for a further eight years' for auditing purposes) (see: Commission secures guarantees for protecting personal data of transatlantic air passengers).

Adoption of the Decision might not be the end of the matter. Although European Voice revealed that the new Parliament might not have time to pursue its case with the Court of Justice (see: Legal challenge to passenger data deal unlikely to be pursued), Statewatch reported on 17 June that the Legal Affairs Committee had recommended that a court case be pursued (see: EU-US PNR deal: European Parliament discussing new court case).

Further information within European Sources Online

European Sources Online: European Voice

20.05.04: Legal challenge to passenger data deal unlikely to be pursued
18.12.03: Europe agrees passenger data deal with US
26.06.03: Data chiefs rein-in America over passenger information

European Sources Online: Financial Times

29.05.04: US and EU sign air passenger data deal
18.05.04: Brussels adopts passenger data accord with US
18.10.03: Deadline for airline passenger lists is extended
24.09.03: US presses Brussels over access to air passenger data

Further information can be seen in these external links:
(long-term access cannot be guaranteed)

EU Institutions

European Commission

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
2004/496/EC: Council Decision of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection
Communication ... Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach (COM(2003) 826)

DG Press and Communication

Press releases
  28.05.04: International Agreement on Passenger Name Records (PNR) enters into force [IP/04/694]
  17.05.04: Commission secures guarantees for protecting personal data of transatlantic air passengers [IP/04/650]
  17.05.04: General Affairs and External Relations - General affairs - Brussels, 17 May 2004 [PRES/04/150]
  11.03.04: Competitiveness - (Internal market, Industry and Research) Brussels, 11 March 2004 [PRES/04/62]
  23.02.04: General Affairs - Brussels, 23 February 2004 [PRES/04/48]
Speeches
  21.04.04: Chris Patten: Passenger Name Record (PNR) EC /US Agreement [SPEECH/04/189]
  16.12.03: Frits Bolkestein: EU/US talks on transfers of airline passengers' personal data [SPEECH/03/613]
  02.12.03: Frits Bolkestein: EU/US talks on transfers of airline passengers' personal data [SPEECH/03/586]
  09.09.03: Frits Bolkestein: EU/US talks on transfers of airline passengers' personal data [SPEECH/03/396]
  12.03.03: Frits Bolkestein: Airline passenger data transfers from the EU to the United States (Passenger Name Record) [SPEECH/03/125]
Memos
  12.03.03: Airline passenger data transfers from the EU to the United States (Passenger Name Record) frequently asked questions [MEMO/03/53]

DG External Relations

The EU's relations with the United States of America
  European Commission / US Customs talk on Passenger Name Record (PNR) transmission
  Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP)
  Fact sheet on Personal Name Record

DG Internal Market

Commission decisions on the adequacy of the protection of personal data in third countries
Art.29 Data Protection Working Party
29.01.04: Opinion 2/2004 on the Adequate Protection of Personal Data Contained in the PNR of Air Passengers to Be Transferred to the United States' Bureau of Customs and Border Protection (US CBP)
13.06.03: Opinion 4/2003 on the Level of Protection ensured in the US for the Transfer of Passengers' Data
24.10.02: Opinion 6/2002 on transmission of Passenger Manifest Information and other data from Airlines to the United States

European Parliament

Daily Notebook
  04.05.04: MEPs refuse urgency procedure on passenger data transfer
  21.04.04: Transfer of passenger data to the US
  20.04.04: Rejection of passenger data proposal
  01.04.04: MEPs reject transfer of passenger data
  31.03.04: Passenger data on transatlantic flights: MEPs keep up their opposition
  09.03.04: Data protection: transfer of passenger details to US a serious infringement, say MEPs
Committee on Citizens' Freedoms and Rights, Justice and Home Affairs
Committee on Legal Affairs and the Internal Market
  07.04.04: Report on the proposal for a Council decision on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection

Council of the European Union

17.05.04: General Affairs Council, Brussels, 17 May 2004 [PRES/04/150]

Other sources

BBC News Online

17.05.04: EU in passenger data deal with US

Statewatch

Observatory on the exchange of data on passengers (PNR) with USA
EP rejects EU-US PNR deal by an even bigger majority
  17.6.04: EU-US PNR deal: European Parliament discussing new court case

US Department of State, US Info

Homepage
  28.05.04: Fact Sheet: U.S.-EU Passenger Name Record Agreement

Eric Davies
Researcher
Compiled: 28 June 2004

Background and reporting on the week's main stories in the European Union and the wider Europe.

Subject Categories ,
Countries / Regions