Brussels, 12th March 2003
Airline passenger data transfers from the EU to the United States (Passenger Name Record) frequently asked questions
What is PNR and what data does it contain?
The Passenger Name Record (PNR) is the generic name given to the files created by the airlines for each journey any passenger books. They are stored in the airlines' reservation and departure control databases. PNR allows all the different agents within the air industry (from the travel agent and the computer reservation systems (CRS) to the carrier and the handling agents at the airports) to recognise each passenger and have access to all relevant information related to his/her journey: departure and return flights, connecting flights (if any), special services required on board the flight, etc.
The number and nature of fields of information in a PNR system will vary from airline to airline. There are approximately 20-25 possible fields of PNR data, some of which include subsets of information, expanding the total to approximately 60 fields and sub-fields.
Why is the European Commission holding talks with the US Customs and Border Protection Bureau (CBP), on sharing data from the Passenger Names Record (PNR) of air carriers?
The Aviation and Transportation Security Act of 19th November 2001 introduced the requirement that airlines operating passenger flights to, from or through the United States, provide US CBP, upon request, with electronic access to PNR data contained in their reservation and departure control systems.
Article 25 of the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995) provides that personal data may only be transferred to third countries if the specific country ensures an adequate level of protection. Paragraph 6 of Article 25 foresees that the Commission can adopt a decision confirming the adequacy of the data protection provisions of a particular country, by reason of its domestic law or the international commitments it has entered into. The Commission therefore, has competence for external relations questions arising in the data protection area. The Commission also has direct responsibilities under the Computer Reservation Systems Regulation.
The talks between the Commission services and the US CBP are intended to meet the security interests of the United States and at the same time to prepare the ground for the European Commission to take a decision on the adequacy of data protection on the US side, though the US side will need to provide some further elements and assurances to make this justified. This would provide a Europe wide solution, which will be legally binding in all Member States and help to ensure the necessary legal certainty for all concerned.
When did the Commission start talks with CBP and what are the aims of these talks?
The Commission has raised this issue in its bilateral contacts with the US side since December 2001. As a result of these contacts, CBP granted compliance extensions until 5th March 2003 for airlines asserting that they were affected by the EU Data Protection Directive. Senior officials of the European Commission and CBP (then, US Customs) met in Brussels on 17-18th February 2003. Further discussions have taken place at the end of February and beginning of March. The two sides agreed to work together towards a bilateral arrangement to reconcile US requirements with the requirements of data protection law in the EU under which the Commission will adopt a decision under Article 25 paragraph 6.
The Commission also thinks that a multilateral agreement in the framework of ICAO is necessary in the longer run as it is entirely impractical for all airlines collecting and processing data in the EU to have to operate under multiple unilaterally imposed or bilaterally agreed requirements.
Talks between US CBP and the Commission are ongoing. The Commission consulted on this matter the European air transportation industry.
Has the Commission entered into an agreement with US CBP?
No, the Commission has not entered into any agreement with the US. Article 25(6) of the Data Protection Directive confers a power on the Commission to make findings of adequate protection in third countries. There have been discussions with US CBP, which has provided certain assurances, and both sides are committed to further discussions to find a more legally secure situation for those affected by US CBP's PNR access requirement.
What is the effect of the Joint Statement between the Commission and US CBP?
US CBP has stated that it has had access to PNR data from airlines established in other parts of the world that operate flights to, from, and through the US, since the Aviation and Transportation Security Act was adopted on 19th November 2001.
In the case of airlines established in and operating flights from EU countries, the Commission understands that US CBP has had access to the PNR data of transatlantic flights as of 5th March 2003, on the basis of the US undertakings contained in the Joint Statement of 18th February 2003 and in the Addendum of 4th March 2003.
The Joint Statement is published at:
What PNR data will be shared with CBP?
As reflected in the Joint Statement, US CBP has stated that it requires access to the data contained in the PNR for persons whose current travel itinerary includes flights to, from, and through the US. All the steps taken from the moment the initial booking was made until the journey has been completed are contained in the PNR.
What about sensitive PNR data?
US CBP has undertaken to continue not to use any PNR data that falls into the categories identified as sensitive in article 8.1 of the EC Data Protection Directive (e.g., data revealing race or religion or concerning health) to identify potential subjects for border examination by CBP. US CBP has undertaken to introduce a special filter to restrict access to such sensitive PNR data that CBP collects. Other use by CBP or transfer of sensitive PNR data to other law enforcement authorities for purposes of preventing or combating terrorism and other serious criminal offences (e.g., to support investigations triggered by other information), will be subject to a special approval procedure involving the Deputy Commissioner of CBP.
Does US CBP require access to PNR data on the types of meals that passengers request or on their medical condition?
This information is collected by airlines in order to provide special services to certain clients and may therefore be contained in some PNR. However US CBP has stated that this information is not used to identify potential subjects for border examination by CBP.
Can CBP obtain the data contained in PNR by other means?
US CBP has stated that most of the data elements contained in PNR can already today be obtained by US CBP upon examining a data subject's airline ticket and other travel documents in the exercise of its normal border control authority. Additionally, the few types of information not appearing on such documents can generally be verbally requested by CBP from the passenger during the border examination. However, such examinations would result in substantial delays in the processing of flights to, from and through the US. According to US CBP, electronic access to the PNR data will significantly speed up border crossing formalities and facilitate and safeguard legitimate passenger traffic.
Will additional information have to be provided when making a reservation to satisfy US CBP requirements?
US CBP has stated that it only requires the airline to provide the fields of PNR information that it already routinely includes in its reservation/departure control system and that the implementing regulations for the PNR requirement do not require airlines to complete each available field of PNR data.
Will other US agencies have access to the PNR data that US CBP obtains from the airlines?
US CBP has stated that no other foreign, federal, state or local agency has direct access to PNR through CBP databases. However, under US law, other law enforcement authorities may specifically request PNR information from CBP and CBP, in its discretion, may provide such information. US CBP has undertaken, in exercise of this discretion, to provide PNR data to other law enforcement authorities only for the purposes of preventing and combating terrorism and other serious criminal offences.
US CBP has further undertaken that, in reviewing whether PNR data should be shared with another law enforcement agency, the official purpose for which the data is needed must be consistent with US CBP's purpose for collecting such information (i.e., for purposes of preventing or combating terrorism or other serious criminal offences). With regard to requests for PNR data identified as "sensitive" under Article 8 the EC Data Protection Directive, US CBP has undertaken that a specific approval procedure, involving the US Deputy Commissioner of CBP, will be employed by CBP prior to providing such data to other law enforcement authorities.
Does U.S. law provide for protection against disclosure of PNR data regarding non-U.S. citizens that is accessed by US CBP?
US CBP has stated that disclosure of PNR data accessed by US CBP is generally governed by the Freedom of Information Act (FOIA) which permits public access to a U.S. federal agency's records, except to the extent such records (or a portion thereof) are protected from public disclosure by an applicable exemption under the FOIA. US CBP considers PNR information regarding persons of any origin as law enforcement sensitive, confidential personal information of the data subject and confidential commercial information of the air carrier. By regulation, US CBP provides that the disclosure requirements of FOIA do not apply to data in such categories (subject to certain limited exceptions in the case of requests by the data subject). US CBP has undertaken to take this position in connection with any administrative or judicial actions arising out of any FOIA request for PNR information.
If an EU citizen believes PNR data accessed and stored by US CBP may be inaccurate, what actions may that citizen take to obtain redress?
According to US CBP, any person who believes that PNR data accessed and stored by US CBP may contain inaccurate information may request to review his PNR data pursuant to the Freedom of Information Act (FOIA). If that individual is not satisfied with US CBP's response to a request for disclosure of such data, the FOIA provides for administrative and judicial recourse to challenge an agency's decision regarding disclosure. A person who is the subject of a data record that he believes to be inaccurate (or his authorised representative) may contact the US CBP's Office of Field Operations, either through the air carrier or directly, to seek amendment of any PNR data that US CBP has stored in its databases. In response to such a request, US CBP has undertaken that it may, in its discretion and if properly supported, create a record of such amendment.
Without prejudice to the above, the European Commission recalls that within the EU every person has the right to a judicial remedy for any breach of the rights guaranteed by the relevant EU Member State's national law applicable to the processing in question. In addition, the Commission recalls that any person may lodge a claim with the relevant Member State's national supervisory authority concerning the protection of their rights and freedoms in regard to the processing of personal data.