US Transfer of Airline Passenger Data

01 October 2003

Véronique Corduant

In the aftermath of the events of 11 September 2001, the United States adopted new security regulations obliging airlines to transfer their passenger data to the US Customs. This obligation puts the airlines in a difficult position. On the one hand they are obliged to observe the legislation on implementing the Data Protection Directive 95/46/EC.[1] On the other hand US legislation requires them to forward data and this requirement is backed up by severe penalties.[2]

1. The US requirements

On 19 November 2001, the United States adopted the Aviation and Transportation Security Act. This requires airlines flying to, from or over their territory to provide the US Customs with electronic access to Passenger Name Record (PNR) data contained in their reservation and departure control systems from March 5, 2003.[3]

All the data must be transmitted to a centralised database that is jointly operated by the US Customs and Immigration and Naturalization Service. Once transmitted, the data will be shared with other federal agencies and is no longer specifically protected.[4]

A PNR is a file created by the airlines for each journey any passenger books. The PNRs are stored in the airlines’ reservation and departure databases. It allows the different players in the aviation industry to verify passengers and to access all relevant information related to the passengers’ journey (departure and return flights, any connecting flights and special services required on board, etc.).[5]

The collection of the PNR data is not restricted to passengers flying into the United States and may vary from one airline to another. The PNRs may even include additional information such as financial data, details of journeys completed in the past and even sensitive data such as religious or ethnic information (choice of meal etc.), affiliation to any particular group, medical data (where necessary to ensure a safe and comfortable flight). In addition, for countries participating in the "Visa Waiver Program", the transfer of biometric data is due to become compulsory by October 2004.[6]

Failure to forward the information required or forwarding incorrect or incomplete information is liable to be met with severe penalties, in particular loss of landing rights and the payment of substantial fines.

In addition, the US Department of Transportation ("DOT") is seeking to create a new system of records ("Aviation Security Screening Records").[7] The new system, which would be controlled by the Transportation Security Agency ("TSA"), would scan government and commercial databases for potential terrorist threats when a passenger makes flight reservations. Under the program, once the passengers have entered their personal information[8], the airline reservation system would automatically link to a new security and profiling program (CAPPS-II[9]), to perform a computer background check on passengers including their banking history and details of any criminal records. The TSA would then assign a red, yellow or green score to the passenger based on the agency’s risk assessment. The colour score would then be encrypted on the passenger’s boarding pass: green would require routine security, yellow "added checks", while red would bar passengers from flying and make them subject to law enforcement investigation.

In the United States, the public, Congress, the travel industry and civil liberties groups vehemently object to the US Administration’s proposed passenger profiling project. The EU has also said it is concerned that the TSA’s new program would conflict with the EU laws protecting personal data. Nevertheless, the TSA is already testing the system with Delta Air Lines.

2. Compatibility with the Data Protection Directive

2.1 Application of the Data Protection Directive 95/46/EC

As the data forwarded by airlines relates to identified physical persons (cf. definition of "personal data" in Article 2(a) of the Directive) and is processed (cf. Article 2(b)) by airlines within the EU, it is as such covered by the provisions of the Directive. The airlines must therefore respect the Directive’s strict requirements on data processing including ensuring data quality, accuracy and legitimacy of purpose (cf. Article 6).

US Customs may be considered a data controller for the purpose of the use mentioned above in point 1. This is because US Customs would have direct access to the information systems in the EU rather than just receiving a data flow. Article 4(1)(c) states that the Directive applies to a data controller who is established outside the EU and, for purposes of data processing, makes use of equipment situated within the territory of an EU Member State.

Article 13 of the Directive provides an exemption to the obligations in relation to data processing in case a European Member State considers that this exemption is justified and necessary to safeguard national and public security and defence. However, Article 13 does not seem to apply in the present case since it requires a case-by-case request and the US request involves a systematic transfer.[10]

2.2 Conditions to be complied with under Directive 95/46/EC

Firstly, the US request for data access seems to conflict with Article 6(1)(b) and (c) of Directive 95/46/EC. These provisions only allow collection of data that is adequate, relevant and not excessive in relation to the purposes pursued. Moreover, Article 6 prohibits further processing of data collected for specified, explicit and legitimate purposes if this processing is incompatible with the original purposes.

The amount of passenger data to be collected by US Customs and to be transferred to other US agencies can hardly be considered as strictly necessary for, and compatible with, the original purpose of collecting personal data by airlines to fulfil their contractual obligations vis-à-vis the passenger. Furthermore, the "physical impossibility" for airlines to transport their passengers to, from or through the US, if they do not follow the US rules appears to be an "insufficient ground" to supersede the EU data protection obligations.[11]

From a more general approach, pursuant to Article 6 of the Directive, data concerning passengers not travelling to the United States cannot be transferred in any circumstances.

Secondly, airlines would be obliged (in accordance with Articles 7, 10 and 11 of the Directive) to provide passengers with all the information concerning the processing of their data, including the identity of the US Agency, the purpose of their request and notification that the data will be transferred to a country that does not offer adequate data protection safeguards under the EU criteria.

Finally, the PNR contains data that may reveal racial or ethnic origin, religious beliefs or other sensitive data within the meaning of Article 8 of the Directive. The Directive in principle prohibits any processing of sensitive data, save with specific authorisation of the individual concerned in the form of explicit consent to processing for a given purpose.

2.3 Inadequate level of protection in the United States for the transfer of data

Article 25(1) and (2) of the Directive stipulates that the transfer of personal data to a third country may only take place if the third country ensures an adequate level of protection. The United States has been identified as a country with a lack of adequate safeguards for data processing.[12]

The preconditions that need to be satisfied in order for airlines to be allowed to derogate from this prohibition (as set out in Article 26 of the Directive) are not fulfilled in this situation. In particular, airlines would need "unambiguous consent" from their passengers to disclose this information and passengers would need to be informed by the airlines of the fact that their data would be transferred to a third country which doesn’t have adequate protection.[13] Furthermore, exemption from obligation to transfer data is difficult to invoke given the scope of the data required.[14] Finally, other conditions for exemption such as the necessity to safeguard the public interest or the vital interests of the passengers do not apply.

3. Expected European Commission decision on the basis of Article 25(6) of Directive 95/46/EC

Pursuant to Article 25(6) of the Directive, the transfer of personal data to a third country not offering adequate data protection can be authorised if the country has entered into a number of commitments for the protection of personal data. This authorisation should only be given by the European Commission after rounds of negotiations following a strict procedure.[15] The Member States should then take all the necessary measures to comply with the Commission’s decision and to secure a common approach.

In the current case, a dialogue was launched in January 2003 between the European Commission and US authorities with a view to finding a solution that guarantees adequate protection for the data flow concerned. This has resulted in a joint statement (February 17-18, 2003) which provides that data access would only concern passengers going into, out of, or through the United States. The statement also added some specific assurances concerning respect of the principles laid down by Directive 95/46/EC in relation to sensitive data and in relation to the transfer of the data to other US Agencies.[16] In return, the European Commission asked airlines to comply with the US requirements as from 5 March 2003 and also urged Member States not to take enforcement actions against airlines complying with the US requirements even though this could involve a breach of the Data Protection Directive or local data protection legislation of the individual Member State.

This brief and vague joint statement constitutes a far from satisfactory answer to the issues at stake. Indeed, the European Parliament adopted a resolution asking for the suspension of the joint statement and for the launch of an internal debate to determine whether to bring an action before the European Court of Justice against the European Commission.[17] The European Parliament reproached the European Commission for having adopted a statement infringing the Directive and for not having informed the general public.

The European Commission promised to continue the negotiations in order to take an appropriate decision under Article 25(6) of Directive 95/46/EC, which would provide a legal basis for the transfer of passenger data to the United States.

In this respect, the United States accepts a substitute for the present mechanism of transfer of data.[18] Under this new process US Customs would no longer have access to airlines’ reservation and departure control systems (so-called "pull" mechanism) and only requested non-sensitive data would be transferred (so-called "push" mechanism). The creation of a back-up copy of the PNR 24 hours before departure would allow the airlines to filter out the data before their transfer to US Customs. However, this technique would be very costly for the airlines, and does not address the question of incompatibility between the original purposes of processing data, i.e. business/transport purposes and their further processing, namely law enforcement purposes.

At this stage of the negotiations, the US Government’s commitments do not meet the European Commission’s concerns on three points in particular: 1) the lack of installation of filters by the US authorities in European airlines’ reservation systems; 2) the right of passengers to appeal if the information stored is inaccurate and if the body responsible for carrying out checks is not independent; 3) the possibility for the EU to check whether the data is collected in the context of the fight against terrorism, and the conditions for access to these data by various US federal agencies.[19]

Unless the US Government offers additional guarantees, the European Commission will not present a draft decision pursuant to Article 25(6) of Directive 95/46/EC, as planned, in September.[20]

This debate is all the more crucial because in the meantime, Spain has submitted to the other Member States a proposal for an EC Council Directive to establish within the EU a similar system to that which is in place in the United States, giving authorities access to airlines databases.[21] The motivation behind the proposal is the reduction of illegal immigration.

According to this draft proposal, the carriers (airlines and shipping lines) would have to collect data on all passengers at the time of boarding and then send the data to "authorities responsible for carrying out border checks" in the appropriate destination country (proposed in Article 1(a)). The carriers would also have to transmit their data on foreign nationals who fail to leave the EU on the scheduled date for their return flight (proposed in Article 1(b)). The following data is to be communicated: the number of the passport or travel document used, nationality, first name and family name and the date and place of birth. Sanctions would be imposed on carriers that do not comply with these obligations (proposed Article 2).

The extensive scope of this proposal, including data of EU and non-EU nationals and checks at external as well as at internal borders of the EU, raises a lot of concerns. It affects the principle of free movement of EU nationals and conflicts with obligations contained in the Data Protection Directive. However, the European Parliament is likely to amend the proposal in order to restrict its scope.[22] For the purpose of reducing illegal immigration, it would only be justified for the European Parliament to ask the airlines to communicate data on non-EU passengers within an hour of departure. In addition, the airlines should be compensated for their co-operation, the data should be immediately destroyed after the border checks and the obligation for carriers to inform Member States of their customers’ travel plans should be removed.

Finally, the question of transfer of passenger data should be given the highest priority in order to allow the reinforcement of security compatible with privacy principles. In this perspective, an EU-US agreement should be a model solution for other countries confronted with similar requests and before adopting the conditions for the use of air passenger data for security purposes on a multilateral level.

Therefore, the transatlantic agreement should give sound answers to at least the following questions:

1. Which law enforcement agencies (including intelligence agencies) will have access to the passenger data, and how will this access be achieved / controlled?

2. What will be the conditions and limits on data disclosure and transfer?

3. What will be the specific provisions for sensitive data?

4. How will the data be protected from unauthorised access?

5. What will be the monitoring mechanisms?

6. How long will the data be retained?

7. How will the passengers be informed of the processing of their data?

8. What will be the procedural recourse available for passengers who have been wrongly denied boarding?

9. How will the accuracy of the data be ensured?

4. Complaint lodged before the Belgian privacy regulator ("Commission pour la protection de la vie privée")

In June, Marco Cappato, Member of the European Parliament, lodged a complaint before the Belgian privacy regulator.[23] The complaint alleges that the two US airlines with which he flew during a recent trip to the United States violated the EU privacy legislation by transferring his personal data to the US Customs authorities.

The Belgian privacy regulator accepted his request and asked the airlines for information about the criteria for transferring the personal data to the US authorities. Contacts have also been made with the European Commission.

The Belgian privacy regulator will, at the end of its consultations, issue an opinion and could further decide to refer the case to the Belgian Court if a serious breach of the privacy rules has been identified.

The European Commission news article gives further guidance on Commission developments in this area.


[1] Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; OJ L 281, 23/11/1995, p.31-50.

[2] Prior to 11 September 2001, airlines were already transferring certain data to the US on a voluntary basis.

[3] Title 49, US Code, section 44909 (c)(3); other countries such as Canada, Mexico, Australia, New Zealand, South Africa and the United Kingdom have already implemented or are planning to implement similar systems to meet their own needs.

[4] Some of these data might, where appropriate, be made public in accordance with legislation governing access to information held by the public sector.

[5] See, MEMO/03/53 of the European Commission of 12 March 2003 on airlines passenger data transfers from the EU to the United States (Passenger Name Record) frequently asked questions.

[6] Section 203 of the Enhanced Border Security and Visa Entry Reform Act of 2002.

[7] Federal Register; 15 January 2003; Volume 68; Number 1 [Notices].

[8] The TSA would collect "passenger manifest information", which includes "Passenger Name Records ("PNR") and associated data". This includes date and time of flights, flight number, destination, reservation and payment information.

[9] Computer Assisted Passenger Prescreening System II ("CAPPS-II") is the second version of a passenger monitoring system established by the Federal Aviation Authority, that allowed airlines to demand photo identification and was based on travel data airlines routinely collected. CAPPS-II proposes to use extensive data mining of credit history, criminal records and travel patterns and expand the range of databases searched for suspicious activity to profile all airline passengers.

[10] Article 29 Data Protection Working Party, Opinion 6/2002 of 24 October 2002. This consultative body has been established pursuant to Article 29 of the Data Protection Directive and is composed of a representative of the supervisory authority designated by each Member State and of a representative of the authority established for the European institutions and of a representative of the Commission.

[11] Article 29 Data Protection Working Party, Opinion 6/2002 of 24 October 2002.

[12] The limited scope of the "Safe Harbor" does not enter into play for the protection of data transfers to government authorities.

[13] Cf. Article 2(h) of Directive 95/46/EC.

[14] Cf. statements of the Electronic Privacy Information Center: EU-US Airline Passenger Data Disclosure (http://www.epic.org).

[15] Cf. Article 31 of the Directive 95/46/EC.

[16] European Commission/US Customs talks on PNR transmission, Joint Statement of 17-18 February 2003.

[17] Resolution of 13/03/2003 (P5_TA_PROV(2003)97); Pursuant to Article 33 of Directive 95/46/EC the European Commission shall report to the European Parliament on the implementation of the Directive with the suitable proposals under discussion.

[18] Article 29 Data Protection Working Party, Opinion 4/2003 adopted on 13 June 2003.

[19] Cf. Hearing of the European Parliament’s Committee on Citizen’s Freedoms and Rights, Justice and Home Affairs on the disclosure of passenger data to the United States (6 May 2003); Undertakings dated 22 May 2003 issued by the US Bureau of Customs and Border Protection and the US Transportation Security Administration; Press releases of the Agence Europe of 8, 22 and 27 May 2003 and Article 29 Data Protection Working Party, Opinion 4/2003 adopted on 13 June 2003.

[20] The procedure to be followed to adopt a (comitology) Commission decision based on Article 25(6) of the Data Protection Directive involves: (1) a proposal from the Commission; (2) an opinion of the group of the national data protection commissioners (Article 29 working party); (3) an opinion delivered by a qualified majority of the Committee composed of the representatives of the Member States (Article 31 Management Committee); (4) a thirty-day right of scrutiny for the European Parliament, to check if the Commission has used its executive powers correctly with a possibility to issue a recommendation; (5) the adoption of the decision by the College of Commissioners.

[21] Initiative of the Kingdom of Spain with a view to adopting a Council Directive on the obligation of carriers to communicate passenger data of 25 March 2003; 7161/03.

[22] Draft Opinion of the Committee on Regional Policy, Transport and Tourism of the European Parliament of 26 May 2003 (2003/0809 (CNS); PE 331.345); Draftsman: Rijk van Dam.

[23] Like a few other MEPs, Marco Cappato supports the campaign launched by a European association of privacy and civil rights groups, European Digital Rights (EDRI), against the transfer of European travellers’ data to the USA.


