Brussels, 17th May 2004
Commission secures guarantees for protecting personal data of transatlantic air passengers
The European Commission has adopted a formal Decision that will bring on stream shortly new commitments by the US Government, guaranteeing protection in the US for the personal data of transatlantic air passengers. The Decision indicates that the Commission considers that the data on air passengers transferred to the US authorities enjoys the "adequate protection" required under the EU's data protection Directive for data sent to countries outside the EU. The commitments given by the US, negotiated over the past year by the Commission with the US Department of Homeland Security, means that less personal data from the Passenger Name Records (PNR) of airlines are collected by the US authorities, that these are kept for a much shorter period and that they are used for more limited purposes, notably for the shared objective of fighting against terrorism. The Decision will enter into force once the US has signed its undertakings and once the international agreement that will complement the adequacy Decision has been signed by the Council and the US.
Internal Market Commissioner Frits Bolkestein, who led the negotiations on the Commission side, said "A negotiated solution is never perfect, especially when you are up against a law adopted by the US Congress in the understandable conviction that it is vital to protect the US against terrorism. But US Homeland Security Secretary Tom Ridge was very constructive and we came up with a balanced solution, which the Member States have supported. The European Parliament has taken a different view, but the Commission considers that the negotiated solution will improve the situation for EU citizens and airlines by bringing on stream important guarantees from the US on the respect of data protection rights and enhanced legal certainty. We are not seeking a confrontation with the Parliament, which has helped us to obtain improvements from the US by the strong political pressure it has applied since March 2003. We are doing what we believe best secures the goals we have been working towards for the last year - better data protection and more legal security for airlines, which are obliged by US law to provide these data, and making sure passengers do not suffer avoidable delays. The alternative would not have been any further concessions from the US but would rather have been legal uncertainty and the potential withdrawal of US commitments to protect the data transferred - in other words chaos for EU passengers and airlines."
A law requiring all airlines operating flights to, from or through the US to provide electronic access to their Passenger Name Records (PNR) was adopted by the US Congress in the aftermath of the events of 11 September 2001. The US agreed to several postponements of the application of these rules to EU-based airlines, in the face of concerns expressed by the airlines, backed by the European Commission, that they could violate EU data protection law.
However, US Customs indicated their intention to start sanctioning airlines that did not provide PNR after 5 March 2003. The Commission then entered into intensive negotiations with the US Department of Homeland Security (DHS) with a view to ensuring that PNR data transferred to the US were subject to adequate protection, as required by the EU Data Protection Directive. In the meantime, most EU airlines have started to provide PNR to the US as required.
The Commission announced in December 2003 that it had reached a satisfactory conclusion in its negotiations with the US and was prepared to launch the formal procedures for the adoption of a Commission Decision determining that the US Bureau of Customs and Border Protection (CBP) provides adequate protection (see SPEECH/03/613). The CBP's commitments or "undertakings" provide significant data protection improvements compared with the situation prevailing now. In particular:
Less data will be collected and retained by the US authorities. A list of 34 categories has been agreed (some airlines' PNR contains more than 60 fields) and in most individual records only a limited number of these fields will be filled
Sensitive data, such as meal orders or special passenger requirements, that may for example reveal race, religion or personal health, will either not be transferred or, if transferred, will be filtered and deleted by US CBP
PNR will be used only to combat and prevent terrorism, terrorism-related crimes and serious crimes, including organised crime, of a trans-national nature, instead of a much wider range of law enforcement uses previously sought by the US
There will be no bulk sharing of PNR. This addresses concerns about the use of PNR in generalised surveillance schemes believed to be under preparation in the US. CBP will share data from the PNR they collect only on a limited case by case basis and only for the agreed purposes; when data originating from the EU are transferred under these strict conditions to law enforcement authorities in a country outside the US, a designated authority in the EU will be systematically notified
Most PNR will be deleted after three and a half years (compared with up to fifty years originally proposed by the US). Files that have been accessed will be kept in a deleted data file for a further eight years for auditing purposes (compared with indefinitely as originally intended)
EU Data Protection Authorities will be able to raise with the Chief Privacy Officer at the DHS the cases of passengers whose complaints, for example about possible abuses of their data or failure to rectify inaccuracies, are not satisfactorily dealt with by the DHS.
To underpin compliance with the undertakings, a joint review will be conducted at least once a year, by the DHS and a Commission-led team from the EU including representatives of Member States' data protection and law enforcement authorities.
The package agreed between the two sides also provides for reciprocity, when the EU or its Member States establish similar requirements for PNR concerning flights from the US. The US also undertakes not to discriminate unlawfully against non-US citizens and residents. The whole package has a three-and-a-half year lifetime and will expire unless the two sides agree to renew it. It is thus a further interim arrangement which the Commission hopes will be replaced in due course by international standards agreed in the International Civil Aviation Organisation (ICAO). The EU has recently taken the initiative to launch discussions in ICAO on the use of PNR for border and aviation security purposes.
To bring the improved data protection and other benefits on stream, two legal instruments will be put in place: the first is the Decision of the Commission adopted using the powers given to it under Article 25 paragraph 6 of the Data Protection Directive to determine that the US CBP, recipient and "owner" of the data in the US, on the basis of the undertakings that it has provided, provides "adequate protection". The second is a bilateral international agreement between the EU and the US which complements the "adequacy finding" and covers matters such as non-discrimination, reciprocity and direct access for US CBP to the airlines' data bases for as long as there is not an EU system in place to transfer such data, as well as making the US requirement on the airlines to make PNR data available also a requirement under EU law. It is the responsibility of the EU's Council of Ministers to conclude the international agreement, in accordance with Article 300 paragraph 3 of the EU Treaty. The US undertakings and the improvements they bring will take effect as soon as the adequacy decision and the international agreement are in place.
A large majority of the Member States support the Commission's approach. The European Parliament on the other hand adopted a Resolution on 31st March 2004 indicating their view that the US undertakings do not amount to adequate protection and urging the Commission to withdraw the Decision and renegotiate a more substantial agreement with the US. The Parliament reserved the right to take the matter to the European Court if the Commission went ahead. On 21st April, the Parliament further decided to ask the Court for an opinion on whether the international agreement should not have been put to the Parliament for its assent, on the grounds that it modifies the Data Protection Directive.
According to the case law of the Court, the European Parliament's request for an opinion will be devoid of purpose if the agreement is concluded by the Council. However, the Parliament would then have the option of exercising its right under Article 230 of the EC Treaty to seek the annulment of the international agreement or of the adequacy finding or both.
For further details of the Decision, see the Europa website: