Following the agreement with the US Government on a package guaranteeing protection in the US for the personal data of transatlantic air passengers, the European Commission has formally adopted an “Adequacy Decision” under the Data Protection Directive and the Council has concluded an International Agreement with the US.
The Commission’s Decision, the International Agreement to complement it, and the US ‘Undertakings’ apply from 28 May 2004.
Adequate protection for PNR data
The Decision indicates that the Commission considers that the Passenger Name Record (PNR) data on air passengers transferred to the US authorities will enjoy the ‘adequate protection’ required under the EU’s Data Protection Directive.
The International Agreement complements the ‘Adequacy Decision’ and covers other issues such as non-discrimination, reciprocity and access by US authorities to passengers’ data, and provides a legitimate basis under EU law for airlines to send PNR data to US authorities as a legal obligation.
Following the ‘Undertakings’ given by the US, which have been negotiated over the past year by the Commission, less personal data from the airlines’ PNR will be collected than was originally envisaged by the US, these will be kept for a much shorter period, and used for more limited purposes, notably for the shared objective of fighting terrorism.
Aftermath of 9/11
In reaction to the attacks of 11 September 2001, the US Congress adopted a law requiring all airlines operating flights to, from or through the US to provide electronic access to their Passenger Name Records. In the face of concerns that application of these rules could violate EU data protection law, the Commission entered into negotiations with the US Department of Homeland Security (DHS) to ensure that PNR data transferred to the US is subject to adequate protection. In December 2003, the Commission announced it had agreed a compromise package with the US authorities on the scope and use of PNR:
Less data will be collected and retained by the US authorities. A list of just 34 categories has been agreed;
Sensitive data that may for example reveal race, religion or personal health, will either not be transferred or, if transferred, will be filtered and deleted by US customs (CBP);
PNR data will be used only to combat and prevent terrorism, terrorism-related crimes and serious crimes, including organised crime, of a trans-national nature;
There will be no bulk sharing of PNR. Data will only be shared on a limited case by case basis and only for the agreed purposes;
Most PNR will be deleted after three and a half years (instead of 50, as originally proposed by the US).
To underpin compliance with the undertakings, a joint review will be conducted once a year by the DHS and a Commission-led team from the EU, including representatives of Member States’ data protection and law enforcement authorities. The whole package has a three-and-a-half year lifetime and will expire unless the two sides agree to renew it.
The agreement is viewed by the Commission as an interim arrangement which may be replaced in due course by international standards agreed by the International Civil Aviation Organisation (ICAO).
While a large majority of the Member States support the Commission’s approach, the European Parliament has argued for a more substantial agreement with the US. The Commission and the Council decided nevertheless to proceed with implementation of the agreement.
The Parliament has decided to refer the matter to the European Court of Justice with a view to the annulment of both acts.
Further information at: http://ec.europa.eu/internal_market/privacy/adequacy_en.htm#uspnr
Cesar Alonso Iriarte
TEL: +32 (0)2.299 4341
FAX: +32 (0)2.299 8094