In the aftermath of the events of 11 September 2001, the United States adopted new security regulations obliging airlines to transfer their passenger data to US Customs. This obligation puts the airlines in a rather difficult position. On the one hand, they are obliged to observe the data protection legislation that implements Directive 95/46/EC. On the other hand, US legislation requires them to disclose data to US Customs, a requirement backed up by severe penalties.
1. The US requirements
On 19 November 2001, the United States adopted the Aviation and Transportation Security Act. This requires airlines flying to, from or through US territory to provide the US Customs with electronic access to Passenger Name Record (PNR) data contained in their reservation and departure control systems from 5 March 2003.
All the data must be transmitted to a centralised database that is jointly operated by the US Customs and the Immigration and Naturalization Service. Once transmitted, the data will be shared with other federal agencies and is no longer specifically protected.
A PNR is a file created by the airlines for each journey any passenger books. PNRs are stored in the airlines’ reservation and departure databases. They allow the different actors in the air industry to recognise passengers and to access all relevant information related to the passengers’ journey (departure and return flights, any connecting flights, special services required on board, etc.).
The collection of the data in the PNR is not restricted to passengers flying into the United States and may vary from one airline to another. The PNRs may then indicate additional data such as financial data, the journeys completed in the past and even sensitive data such as religious or ethnic information (based on choice of meal etc.), affiliation to any particular group, medical data (necessary to ensure a satisfactory flight). In addition, for countries participating in the "Visa Waiver Program", the transfer of biometric data is due to become compulsory by October 2004.
Failure to forward the information required or forwarding incorrect or incomplete information is liable to be punished severely, in particular by cancellation of landing rights and the imposition of substantial fines.
2. Compatibility with the Data Protection Directive
2.1 Application of the Data Protection Directive 95/46/EC
On the one hand, considering that the data forwarded by airlines relate to identified natural persons (cf. definition of “personal data” in Article 2(a) of the Directive) and that they are processed (cf. Article 2(b)) by airlines within the EU, they are as such covered by the provisions of the Directive. The airlines therefore must respect the Directive’s strict requirements on data processing including ensuring data quality, accuracy and a legitimate purpose (cf. Article 6).
On the other hand, US Customs may be considered the data controller for the purposes of the Directive. This is because US Customs would have direct access to information systems in the EU rather than just receiving a data flow. Article 4(1)(c) states the Directive applies to a data controller who is established outside the EU territory and for purposes of data processing makes use of equipment situated within the territory of an EU Member State.
Article 13 of the Directive provides an exemption to the obligations in relation to data processing in case a European Member State considers that this exemption is justified and necessary to safeguard national security, defence and the public interest. However, Article 13 cannot be used in the present case since it requires a case by case request and the US request involves a systematic transfer.
2.2 Conditions to be complied with under Directive 95/46/EC
First, the US request for data access conflicts with Article 6(1)(b) and (c) of Directive 95/46/EC. These provisions only allow collection of data that are adequate, relevant and not excessive in relation to the purposes pursued. Moreover Article 6 prohibits the further processing of data that has been collected for specified, explicit and legitimate purposes if this processing would be incompatible with those original purposes.
The amount of passenger data to be collected by US Customs and to be transferred to other US agencies can hardly be considered as strictly necessary for and compatible with the original purpose of collecting personal data by airlines to fulfil their contractual obligations vis-à-vis the passenger. Furthermore, the “physical impossibility” for airlines to transport their passengers to, from or through the US if they do not follow the US rules appears to be an “insufficient ground” to supersede the EU data protection obligations.
From a more general approach, pursuant to Article 6 of the Directive, data concerning passengers not travelling to the United States cannot be transferred at any rate.
The airlines would be obliged (in accordance with Articles 7, 10 and 11) to provide passengers with all the information concerning the processing of their data, including the identity of the US Agency, the purpose of the request and a notification that the data will be transferred to a country that does not offer adequate data protection safeguards under the EU criteria.
Finally, the PNR contains data that may reveal racial or ethnic origin, religious beliefs, or other sensitive data within the meaning of Article 8 of the Directive. The Directive in principle prohibits any processing of sensitive data, save with specific authorisation of the individual concerned in the form of explicit consent to processing for a given purpose.
2.3. Inadequate level of protection in the United States for the transfer of data
Article 25(1) and (2) of the Directive stipulate that the transfer of personal data to a third country may only take place if the third country ensures an adequate level of protection for the data. The United States have been designated as a country with a lack of adequate safeguards for data processing.
The conditions to derogate from this prohibition as set out in Article 26 are not fulfilled in this situation. In particular, the airlines would need “unambiguous consent” from their passengers for this specific disclosure, the latter having been duly informed by the airlines of the fact that data would be transferred to a third country without adequate protection. Furthermore, exemption for the necessity of the transfer to fulfil a transport contract is difficult to invoke given the scope of the data required. Finally, the other conditions for exemptions such as the necessity of the transfer to safeguard the public interest or the vital interests of the passengers do not apply.
3. Expected European Commission’s decision on the basis of Article 25(6) of Directive 95/46/EC
Pursuant to Article 25(6) of the Directive, the transfer of personal data to a third country not offering adequate protection can be authorised if the country has entered into a number of commitments for the protection of data processing. This authorisation should only be given by the European Commission at the end of rounds of negotiation following a strict procedure. The EU Member States should then take all the necessary measures to comply with the Commission’s decision and, thus, secure a common approach.
In the current case, a dialogue was launched in January between the European Commission and the US authorities with a view to finding a solution that guarantees adequate protection for the data flow concerned. This has first resulted in a joint statement of 17-18 February 2003 which mainly provides that the data access would only concern passengers going into, out of, or through the United States and which added some specific assurances concerning respect for the principles laid down by Directive 95/46/EC in relation to sensitive data and in relation to the transfer of the data to other US Agencies. In return, the European Commission asked airlines to comply with the US requirements as from 5 March 2003 and also urged Member States not to take enforcement action against airlines complying with the US requirements even though this could involve a breach of the Data Protection Directive.
This brief and vague joint statement appears to be a far from satisfactory answer to the issues at stake. Indeed, the European Parliament adopted a resolution asking for the suspension of the joint statement and for the launch of an internal debate to determine whether it will bring an action before the European Court of Justice against the European Commission. The European Parliament reproached the European Commission for having adopted a statement infringing the Directive and for not having informed the general public.
The European Commission promised to continue the negotiations in order to make an appropriate decision under Article 25(6) of Directive 95/46/EC providing legal basis for the transfer of passenger data to the United States.
In this process, it is considered that the European Commission cannot avoid giving sound answers to at least the following questions:
- Which US Agencies (including intelligence agencies) will have access to the passenger data, and how?
- What will be the conditions and limits on data disclosure and transfer?
- What will be the specific provisions for sensitive data?
- How will the data be protected from unauthorised access?
- What will be the monitoring mechanisms to ensure compliance with the agreement?
- How long will the data be retained?
 Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; OJ L 281, 23/11/1995, p. 31-50.
 Prior to 11 September 2001, airlines were already transferring certain data to the US on a voluntary basis.
 Title 49, US Code, section 44909(c)(3); other countries such as Canada, Mexico, Australia, New Zealand, South Africa and the United Kingdom have already implemented or are planning to implement similar systems to meet their own needs.
 Some of these data might, where appropriate, be made public in accordance with legislation governing access to information held by the public sector.
 See, MEMO/03/53 of the European Commission of 12 March 2003 on airlines passenger data transfers from the EU to the United States (Passenger Name Record) frequently asked questions.
 Section 203 of the Enhanced Border Security and Visa Entry Reform Act of 2002.
 Article 29 Data Protection Working Party, Opinion 6/2002 of 24 October 2002.
 The limited scope of the “Safe Harbor” seems not to enter into play for the protection of data transfers to government authorities.
 Cf. Article 2(h) of Directive 95/46/EC
 Electronic Privacy Information Center: EU-US Airline Passenger Data Disclosure (http://www.epic.org).
 Cf. Article 31 of the Directive 95/46/EC.
 European Commission/US Customs talks on PNR transmission, Joint Statement of 17/18 February 2003.
 Resolution of 13/03/2003 (P5_TA_PROV(2003)97); pursuant to Article 33 of Directive 95/46/EC the European Commission shall report to the European Parliament on the implementation of the Directive with the suitable proposals under discussion.