New EU-US Agreement on PNR Improves Data Protection and Fights Crime and Terrorism
17-Nov-2011 The European Union and the United States have today initialed a new agreement on the transfer of air passengers' data for flights from the EU to the US. If adopted by the European Parliament and EU Member States in the Council of Ministers, the new agreement on Passenger Name Records (PNR) will replace the current agreement from 2007, improving data protection whilst providing an efficient tool to fight serious transnational crime and terrorism.
The new PNR agreement brings more clarity and legal certainty to both citizens and air carriers. It ensures better information sharing by US authorities with law enforcement and judicial authorities from the EU, it sets clear limits on what purposes PNR data may be used for, and it contains a series of new and stronger data protection guarantees.
"Protection of personal data has been my priority since the beginning of the negotiations in December 2010, and I am satisfied with the result, since it represents a big improvement over the existing Agreement from 2007," said Cecilia Malmstrom, EU Commissioner for Home Affairs. "The new agreement contains robust safeguards for European citizens' privacy, without undermining the effectiveness of the agreement in terms of EU and US security."
The agreement is a legally binding text with stronger rules on police and law enforcement cooperation. The US authorities (Department of Homeland Security, DHS) will be obliged to share PNR and analytical information obtained from this data with law enforcement and judicial authorities of the EU in order to prevent, detect, investigate, or prosecute serious transnational crime or terrorist offences. This will be of direct benefit for the EU.
The agreement also gives a detailed description of the purposes for which PNR data may be used by US authorities. These are notably: the prevention, detection, investigation and prosecution of terrorism and of transnational crimes punishable by 3 years of imprisonment or more. Minor crimes are thus excluded. PNR will be used to tackle serious crimes, such as drug trafficking, trafficking in human beings and terrorism.
The agreement sets out privacy-friendly rules on how and for how long PNR data may be stored. Data will be de-personalized 6 months after it is received by the US authorities. After 5 years the de-personalized data will be moved to a 'dormant database' with stricter requirements for access by US officials. The total duration of data storage is limited to 10 years for serious transnational crimes. Only for terrorism will the data be accessible for 15 years.
The agreement establishes the rule that PNR data must be sent from air carriers' databases to the US authorities (through a 'push' system). The DHS will thus not collect data directly from air carrier's reservation systems (through 'pull') except in exceptional circumstances, such as where carriers are not able to send the data for technical reasons.
The agreement has comprehensive safeguards for passengers' right to data protection. Passengers can obtain access to correct and delete their PNR data at the DHS. Passengers also have the right to administrative and judicial redress as provided under US law. Further, the DHS and air carriers will have to provide full information to passengers on the use of PNR and the ways to exercise their rights.
In addition, the agreement prohibits adverse decisions from being taken by the US authorities only on the basis of automated processing of data, a human being must always be involved, to address concerns about PNR data being used for illegal profiling. It also lays down very strict conditions for the use of sensitive data which might reveal, for example, the religion or sexual orientation of passengers.
Finally, the agreement includes detailed provisions on data security to prevent loss of data or breaches of privacy. All processing of PNR data will be logged for the purposes of oversight and auditing and there will be oversight of the DHS by independent bodies, including the US Congress.
Background
In 2007, the European Union signed an agreement with the United States on the transfer and processing of Passenger Name Record data, based on a set of commitments by the DHS. The 2007 agreement became provisionally applicable.
On May 5, 2010, the European Parliament adopted a resolution where it requested a renegotiation of the agreement. On December 2, 2010, the Council authorized the Commission to negotiate a new agreement with the US for the transfer of PNR data and discussions started immediately.
The purpose of the new agreement is to ensure the availability of PNR data to DHS, in order for it to be used in the fight against serious transnational crime and terrorism. PNR data of all flights between the EU and the US will be transferred by the air carriers to the US DHS. As in the 2007 agreement, the new agreement allows for 19 "data elements" to be transferred, such as passengers' names, travel itineraries and where they bought their tickets.
The new agreement takes into consideration and is consistent with the general criteria laid down in the Communication from the Commission on the Global Approach to the transfer of Passenger Name Record data to third countries and the negotiating directives given by the Council ( IP/10/1150 and MEMO/10/431).