EU and US reach new Agreement on Passenger Name Records (PNR)

22 November 2007

Peter Van de Velde

Background

On 23 July 2007, after the initial PNR Agreement was replaced by an Interim Agreement which expired on 31 July 2007 [see our October 2006 Data Protection newsletter], the EU Council approved a new Agreement on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security (DHS).

The new Agreement consists of three parts: (i) the main agreement; (ii) a letter from the US to the EU in which it sets out assurances on the way the DHS will collect, use and store the PNR data; and (iii) a letter from the EU to the US acknowledging receipt of the assurances and confirming that on the basis of the assurances received the EU considers the level of US protection of PNR data adequate.

The new Agreement will apply for seven years from the date of signature unless the parties agree to replace it. Although the new Agreement provisionally applies from 23 July 2007, a number of Member States have yet to formally endorse the Agreement.

Unlike the previous Agreement, the new Agreement is reached under the “third pillar” of the EU treaty (which includes public security, police and judicial co-operation). In its judgment of 30 May 2006, the Court of Justice had considered that the transfer of PNR data to authorities of third countries is exclusively a matter of public security and therefore falls outside the scope of “first pillar” Community law.

Main elements of the new Agreement

As under the old Agreement, the most controversial parts of the new text relate to the types of data which can be accessed (which include sensitive data), the retention periods for the data (and the related distinction between active and “dormant” data) and the DHS sharing data with other US agencies and foreign countries.

In general, the list of data to which the DHS will have access was reduced from 34 categories under the old Agreement to 19 under the new text. However, this reduction is criticised as being purely “cosmetic” because a substantial number of data categories were merged rather than certain data types being deleted. Under the new Agreement, the DHS may still access sensitive information. Under certain circumstances, passengers will communicate sensitive information to the airlines (e.g. if they request special assistance because of a disability, or if they have specific meal preferences). Such information will then be stored as PNR data.

Under the new Agreement, the DHS will employ an automated system that filters sensitive information from the PNR data so that it is not used, except in exceptional cases where the data subject’s life or the life of others is at risk.

The period for retention of the PNR data by the DHS is (retroactively) extended from three and a half years to a total of 15 years. The DHS will keep the data in an active database for seven years from the date of collection. After this initial period, the data will be moved to “dormant” non-operational status for another eight years. During these eight years, the data will only be accessed in exceptional circumstances and under the conditions set out in the US assurances. After 15 years, the data should normally be deleted, although the US assurances state that this question will need to be addressed by US and EU authorities as part of future discussions.

The DHS will be able to share PNR data with other US government agencies and with government authorities in other countries as long as the data will be used for the same purpose as the DHS is permitted to use the data itself, i.e. fighting terrorism and other serious crimes. DHS will be responsible for the way data is shared with other US or foreign recipients and should, except in case of (non-defined) “emergency circumstances”, ensure that any exchange of data occurs under express data privacy understandings between the parties (comparable to the EU PNR protections).

The DHS agreed to extend administrative protections under the US Privacy Act to non-US citizens and residents with regard to notice, access and redress. The DHS will also provide airlines with a form of notice to be put on public display regarding PNR collection and redress procedures. US and EU authorities will also encourage airlines to incorporate notices describing the PNR system in their contracts of carriage.

The new Agreement provides for a change from the “pull” system (where the DHS is granted online access to the full database of airline passenger data) to the “push” system (under which the DHS must request specific data which will then be selected by the airlines and transferred). The DHS must apply the push system by 1 January 2008 for all airlines that have systems that comply with DHS technical requirements. The responsibility for initiating a transition to the push system lies with the carriers, who must change their systems and work with the DHS to comply with its technical requirements. For airlines not implementing such a system, the current “pull” system will remain.

The DHS and the EU have agreed to periodically review the implementation of the new Agreement. The European Commission is intending to propose mechanisms for this monitoring in the Autumn of 2007.

On 6 November 2007, the European Commission presented a draft framework decision concerning the creation of a European PNR system for passengers travelling to and from Europe, as part of a package of measures to strengthen counter-terrorism in the European Union. The new Agreement with the US anticipated this by providing that, in the event that a European PNR system is implemented, the DHS shall actively promote the cooperation of airlines within its jurisdiction.

The new Agreement again subject to criticism

The new PNR Agreement has not been able to take away the controversy that surrounded the old Agreement. MEPs have criticised finalising the Agreement without democratic control, whilst several Member States have raised concerns about the lack of clarity in the new text. According to the European Data Protection Supervisor, the new Agreement raises serious concerns in relation to the European citizen’s data protection rights.

The Article 29 Data Protection Working Party issued an Opinion on the new PNR Agreement (Opinion n° 5/2007 of 17 August 2007) indicating that it is not convinced that the new Agreement succeeds in striking a balance between protection of public safety and the privacy rights of individuals.

The Article 29 Working Party states that the safeguards provided under the old Agreement are considerably weakened and that the new Agreement leaves open a number of questions and shortcomings and contains too many emergency exceptions. The Working Party has announced that it will seek written clarification from the European Commission on a number of points (such as the exact scope of the Agreement, which airlines it applies to, etc.).

In addition to the official EU data protection advisory bodies, some of the national supervisory authorities (such as the CNIL in France) have criticised the contents of the new Agreement.

Meanwhile, new points of discussion between the US and the EU are arising from the implementation of the Agreement, as the US would like to restrict the access rights of (European) passengers to data which are held in certain systems, such as the Automated Targeting System (ATS) and the new Arrival and Departure System (ADIS).