Air travel: What is happening to my personal data?

25 August 2006

Catherine Erkelens

The European Court of Justice’s judgement of 30 May 2006, or how to seek a balance between public security and privacy protection

When a flight is booked, the details of the reservation and of the flight are processed and stored by the airline.

The airline creates a ‘PNR’ or ‘Passenger Name Record’ which contains the reservation and flight details. The PNR contains the passenger’s name and contact details, details of the travel itinerary (departure and return flights, connecting flights if any, seat numbers, number of bags), details of the travel agency used, payment information, special services required on board, and affiliation with frequent flyer programs.

In the EU, and depending on the legislation applicable in the Member State where the flight is booked, some of the reservation and flight details are transmitted by the air carrier to relevant ‘designated’ authorities, where the air carrier is under such an obligation.

Carriers indeed can be obliged to transmit, at the request of the authorities responsible for carrying out checks on persons at external borders, by the end of check-in, information concerning the passengers they will carry to another border of an EU Member State: name and nationality, date of birth, type of travel document used, initial point of embarkation, border crossing point of entry into the other Member State, departure and arrival time.[1]

The airlines may be obliged to provide information to designated authorities allowing them to check whether or not a passenger is an ‘Inadmissible Passenger’ in the country concerned.[2]

When a passenger books a flight to and from the US, the PNR data are made directly accessible to the US Department of Homeland Security Bureau of Customs and Border Protection (CBP), which may share the data with other US authorities.

The CBP can, in its discretion, provide PNR data to other government authorities, including foreign government authorities, with counter terrorism or law enforcement functions, on a case-by-case basis, for purposes of preventing and combating specific offences.[3]

US legislation, enacted following 9/11, indeed requires airlines carrying passengers to, from or across the US territory, to give electronic access to the air passengers’ data contained in their PNR.

The US undertook, following negotiations with the European Commission, to use these data exclusively for purposes of preventing and combating terrorism and related crimes, including organised crime.

The US also undertook to limit the request for data to only certain categories of data in the PNR, to filter out and delete sensitive data (such as data revealing the health status or the racial or ethnic origin of a passenger), and to limit the time period of storage of the data to 3.5 years.

A passenger may request a copy of that passenger’s PNR data in the CBP databases; the CBP may refuse to provide such copy in specific circumstances, e.g. in case of interference with pending enforcement proceedings. Passengers may seek to rectify their PNR data contained in the CBP databases.

The CBP thus at this moment may itself electronically access the PNR data. The US agreed with the European Commission that this will only be for so long as there is no satisfactory system in place allowing for the transmission of the data by the air carriers themselves.

The European Commission is aiming at a system that would allow the data flows from the airlines to the US security authorities to be controlled in the EU and, once an agreement has been found on the data to be transferred, limit the transfer to what is strictly necessary for security purposes. This is called a ‘push’ system, instead of the presently applicable ‘pull’ system where the US authorities ‘pull’ the data they wish to use from the database.

A ‘push’ system is provided for in an Agreement between the European Community and the Government of Canada.[4]

The PNR data that are transmitted by the airlines to the Canadian authorities are more limited than the data to which the US authorities have access and should not reveal sensitive information.

The Council approved this Agreement on 18 July 2005.[5] The Agreement entered into force on 22 March 2006.

The airlines since then also have to transmit to the Canadian authorities certain PNR data on the passengers travelling to and from Canada.

The Canadian authorities collect these data for the purpose of ‘identifying persons likely to import prohibited or strictly regulated goods, or any goods which threaten the health or safety of an individual, the environment or the national security or defence of Canada.’[6]

Other countries, such as Australia, also request data on passengers travelling to and from their territory.[7] The Australian Executive Officer of Customs can request operators of international passenger air service to provide the Australian Customs with access to the PNR Data.[8]

Because the legislation of third countries requiring the airlines to transmit the PNR data on their passengers provides for penalties if access is refused, and because the data protection legislation in the EU Member States equally provides for penalties in case such data protection legislation is not respected, the airlines found themselves in the difficult situation of conflicting laws.

Agreements between the EU and such countries are thus necessary.

Realising that co-operation with third countries is indispensable in the framework of public security, the European Commission conducted negotiations with the US and with Canada to reach Agreements that take into account data protection concerns.

The negotiations with the US first led to the definition of conditions to govern the processing of passenger data by the CBP. These are set out in Undertakings from the CBP of 11 May 2004 and were considered by the European Commission as ensuring an adequate level of protection on the basis of Article 25 (6) of the Data Protection Directive 95/46 of 24 October 1995 (according to which the Commission may find that a third country ensures an adequate level of data protection by reason of its domestic law or the international commitments it entered into).

On this basis the Commission adopted its ‘Adequacy Decision’ of 14 May 2004.[9]

On 28 May 2004 an Agreement on the processing and transfer of PNR data by air carriers to the CBP was signed and entered into force.

The Council approved the Agreement by Decision of 17 May 2004 on the basis of Article 95 of the EC Treaty (measures of approximation of Member States’ legislation within the context of establishment and functioning of the internal market).[10] The Decision takes into account the Commission’s Adequacy Decision of 14 May 2004.

The European Parliament however continued to express data protection concerns.

The ‘PNR package’ consisting of the CBP Undertakings, the Commission’s draft Adequacy Decision and the proposal for the Council Decision had been placed before the Parliament in March 2004. The Parliament adopted a Resolution setting out a number of reservations. In particular it considered that the Adequacy Decision exceeded the powers of the Commission under Article 25 of the Data Protection Directive 95/46.

The Parliament called for an appropriate international agreement with the US addressing the protection of fundamental privacy rights.

The ‘PNR package’ was nevertheless adopted on 27 July 2004. The Parliament brought actions for annulment against both the Commission’s Adequacy Decision and the Council Decision regarding the Agreement.

With its judgement of 30 May 2006, the European Court of Justice has now annulled both the Adequacy Decision and the Council Decision.[11]

The Court of Justice judged that the European Commission did not have the competence to render its Adequacy Decision. It judged that there was a lack of Community competence to conclude the Agreement. Both the Adequacy Decision and the Council Decision were thus annulled.

The Court considered that the issue of transfer of PNR data to authorities of another country is exclusively a matter of public security. Public security falls outside the scope of Community law.

The Data Protection Directive 95/46 does not cover measures adopted through the ‘third pillar’ (including public security, police and judicial co-operation), which still require unanimous approval from the Member States. It therefore could not be a valid basis for the Commission’s Adequacy Decision, nor for the Agreement.

The effect of the Adequacy Decision is preserved until 30 September 2006, as decided by the Court for reasons of legal certainty.

The Agreement will also remain in force for the time being. It remains applicable for 90 days as from notification of its termination. Until then, the CBP will thus in any case continue to access the airlines’ PNR as before.

Data flows from airlines are being requested or proposed by several countries.

There is clearly a common interest in combating terrorism and other serious crimes.

As the Working Party 29, the advisory body set up under Article 29 of the Data Protection Directive 95/46, has already pointed out several times, there is a need for an overall framework in relation to personal information circulating throughout the world for purposes related to security in connection with air travel.[12]

The Working Party 29 calls for a common approach at the EU level and recommends that short term re-evaluations take place in order to assess if the necessity for the data flows remains. Should the international circumstances alter or if other means of combating terrorism would appear more appropriate, the approach would need to be reviewed.

The Court of Justice has now pointed out that if such a general approach is sought, it should be pursued through the third pillar. This is the area of freedom, security and justice, provided for by both the Treaty on the European Union and the EC Treaty. ‘Preventing and combating crime, organised or otherwise, in particular terrorism (…)’ is to be done through co-operation between the Member States (Article 29 of the Treaty on the European Union).

The European Commission already proposed a Council Framework Decision on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters.[13] In this proposal the Commission underlines that ‘Member States will only fully trust each other if there are clear and common rules for the possible further transmission of exchanged data to other parties, in particular to third countries’.

Instruments establishing common information systems at European level do exist, but Member States still decide themselves on appropriate standards for data processing and data protection under the third pillar.[14]

In its aforementioned proposal the Commission underlined that the specificities of data processing and data protection under the third pillar, although they need to be recognised, should not hamper consistency with the EU’s general data protection policy as contained in Directive 95/46.

As the Court of Justice pointed out with its judgement of 30 May 2006, the European legislator still is bound by the limitations of the legislative powers of the Union under the Treaty on the European Union.

The European Commission in its negotiations with the US, and with Canada, achieved a balance between the public security interest and the need for protection of data.

The need for and the common interest in international co-operation for combating terrorism and serious crime today is clear and uncontested. This necessarily involves cross-border data flows.

Respect for the privacy of the data subjects and thus the protection of their data – this means the use of correct and adequate data – is important also for guaranteeing the public security.

With the Court of Justice’s judgement, the European Institutions will undoubtedly seek to maintain the results of the negotiations with the US as far as the agreed undertakings are concerned, but other instrumental channels will need to be found.

A truly international approach through an international treaty would be a solution.

Given the time constraints however – the Adequacy Decision remains in force until 30 September 2006 – the EU will probably speed up its third pillar initiatives.

This could have as a consequence that a framework is created whereby the PNR data to be transmitted to third countries will first be controlled by authorities in the EU and/or in the Member States and only thereafter sent to the concerned third country (‘push’ system): recipients should only receive the data which they need.

If by the end of September 2006 no such co-operation framework is achieved, however, the US would have to reach an agreement with each individual EU Member State if it wishes to access the PNR data without having the airlines infringe the EU Member States’ data protection legislation.

Concerns are expressed that this situation would delay the ongoing negotiations between the US and the EU for a more liberalized Aviation Area (the so-called ‘Open Sky’ discussions) where an agreement is expected to be signed by the end of this year.

In the meantime, the airlines have to follow the situation carefully in order to take the necessary organisational or technical measures in time.

Some airlines are considering requesting consent from each passenger before providing access to the passenger’s data to the authorities of third countries: infringement of Directive 95/46 and implementing legislation in the Member States would be avoided by obtaining such consent before transmitting the personal data to the relevant authorities in third countries.

Although it is indeed important that passengers are fully and correctly informed of what is happening to their data and why, consent can only be relied on if the data subject has a free choice.

The Working Party 29 and the Commission already expressed the view that only relying on consent is not adequate from a data protection point of view. Consent can only be considered valid if the passenger is fully informed. Moreover, if the passenger’s only choice is to fly or not to fly to the concerned country given that his data will be accessed, it can be considered that this is not a sufficient ‘free choice’.

The international co-operation for combating terrorism, including the data flows, has become indispensable and unavoidable. The PNR data will unavoidably continue to be requested by authorities in several countries.

It is important that the airlines fully inform their passengers. At the same time it seems advisable to keep in mind that the situation will probably evolve to a ‘push’ system, whereby the airlines themselves may have an obligation to adequately select the data before they are transferred to the authorities in foreign countries.

First published in Luchtvaartrecht (2006, 3: 60-62)


[1] Cf. Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data, O.J. 6 August 2004, L 261/24 and Member States’ local legislation.

[2] Cf. also Article 26 of the Schengen Convention as supplemented by Directive 2001/51/EC.

[3] Cf. Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection, annexed to the Adequacy Decision of the European Commission of 14 May 2004, 2004/535/EC, O.J. 2004, L 235, 11.

[4] Agreement on the processing of Advance Passenger Information (API)/Passenger Name Record (PNR), COM (2005) 0200.

[5] Decision of 18 July 2005 on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of API/PNR data, O.J., L 082, 21/03/2006.

[6] Opinion 3/2004 of Working Party 29 on the level of protection ensured in Canada for the transmission of PNR and API from airlines (10037/04/EN).

[7] Opinion 1/2004 of Working Party 29 on the level of protection ensured in Australia for the transmission of PNR data from airlines (10031/03/EN).

[8] Schedule 7 of the Border Security Legislation Amendment (Terrorism) Act 2002, amending the Customs Act 1901.

[9] Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the PNR of air passengers transferred to the US Bureau of Customs and Border Protection, O.J., 2004, L 235, 1.

[10] Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the USA on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security, Bureau of Customs and Border Protection, O.J., 2004, L 183, 83.

[11] ECJ, 30 May 2006, joined cases C-317/04 and C-318/04.

[12] Cf. Opinion 3/2004 l.c. and Opinion 6/2002 of 24 October 2002.

[13] COM (2005) 475 of 4 October 2005

[14] Schengen Agreement of 1990 with data protection provisions related to SIS (Schengen Information System), O.J. L 239, 22 September 2000; Europol Convention of 1995, O.J. C 316, 27 November 1995; Rules governing the transmission of personal data by Europol to third States and third bodies, O.J. C 88, 30 March 1990; Decision setting up Eurojust, O.J. L 63, 6 March 2002; Rules of procedure on the processing and protection of personal data at Eurojust, O.J. C 68, 19 March 2005; Convention on the use of information technology for customs purposes, O.J. C 316, 27 November 1995; Convention on Mutual Assistance in Criminal Matters between the Member States of the EU, O.J. C 197, 12 July 2000.