EU-US Airline Passenger Data Disclosure

Latest News

  • Department of Homeland Security Releases 2014 Privacy Report: The Department of Homeland Security released the 2014 Privacy Office Annual Report to Congress. The report describes a joint review conducted with the European Commission regarding the transfer of EU Passenger Name Records to the US. The European Commission found the redress mechanisms were lacking for passengers denied boarding. The Commission also found that DHS would often review passenger records without a legal reason. The Annual Report describes the sixth Compliance Review of the department’s social media monitoring program. The review found that the DHS began collecting GPS and geo-location of Internet users without assessing or mitigating the privacy risks. In 2012, EPIC obtained FOIA documents revealing that the Department of Homeland Security monitored social media for political dissent. For more information, see EPIC: EU-US Airline Passenger Data Disclosure and EPIC: EPIC v. DHS - media monitoring. (Oct. 2, 2014)
  • EU and US Groups Object to EU-US Passenger Data Agreement: Over 20 organizations in the EU and the US have sent an open letter to the European Parliament, opposing a new agreement that would allow European companies to transfer the personal data of European travelers to the United States government in apparent violation of the EU Data Protection Directive. The European Court of Justice struck down the original Passenger Name Record (PNR) agreement in 2006 after members of the European Parliament charged that there was no legal basis to disclose the data to the US. The revised agreement is still subject to approval by the Parliament, which has also gained new legal powers since the earlier dispute. For more information, see EPIC: EU-US Airline Passenger Data Disclosure, EPIC: Air Travel Privacy, EPIC: Passenger Profiling. (Dec. 5, 2011)
  • EU Establishing a European System for the Exchange of Passenger Name Records
    The European Commission has unveiled a proposal to establish a passenger name records system similar to that of the US. The European PNR system would require PNR data for flights entering or departing the European Union. The data will be processed for the purpose of carrying out a risk assessment of passengers' "threat levels." (Nov. 6, 2007)
  • European Council Adopts Passenger Name Records Agreement
    The European Council has adopted the EU-US agreement on the processing and transfer of passenger name records signed by the European Union this summer. (Aug. 4, 2007)
  • EU Data Protection Supervisor Cites Grave Concerns Over New Passenger Name Records Agreement
    In a letter to the EU's Minister of the Interior, European Data Protection Supervisor Peter Hustinx outlined four areas of "grave concern" with the new EU-US passenger name record agreement: the lengthened retention period for PNRs, the US' use of letters to avoid a binding agreement, the lack of a "robust" system of redress, and the possibility of US data sharing between an undisclosed number of agencies. (Jun. 28, 2007)
  • EU-US Reach New Passenger Name Records Agreement
    The EU and the US reached an agreement over the sharing of passenger name records. The new agreement reduces the 34 pieces of data on passengers now collected by US law enforcement authorities to 19 data fields, including name, contact data, payment details, and itinerary information. The agreement also extends access to PNR information to EU citizens consistent with the provisions in the US Privacy Act and the Freedom of Information Act. The agreement does not, however, go so far as to extend the full protections of the Privacy Act. In a letter attached to the agreement, the US states that the Department of Homeland Security "had made a policy decision to extend administrative Privacy Act protections to PNR data" of non-US citizens and that all individuals have access to the DHS' redress system developed for travelers. Finally, the US letter states that PNR data will be retained for a minimum of 15 years. (Jun. 28, 2007)
  • EPIC Speaks Before European Parliament on Transatlantic Privacy
    EPIC Executive Director Marc Rotenberg appeared before the Committee on Civil Liberties, Justice and Home Affairs for a public seminar on transatlantic relations and data protection. The European Parliament is currently reviewing the transfer of travel, consumer, and financial information on European citizens to the United States government. The European institutions are concerned about the absence of adequate privacy protection for personal information. (Mar. 26, 2007)
  • European Parliament Adopts Resolution on Passenger Name Records
    The European Parliament has adopted a Resolution on SWIFT, the PNR agreement and the transatlantic dialogue on these issues. The Resolution stresses that during the last few years several agreements on these issues, prompted by US requirements and adopted without any involvement of the European Parliament, have led to a situation of legal uncertainty with regard to the necessary data protection guarantees for data sharing and transfer between the EU and the US for the purposes of ensuring public security and, in particular, preventing and fighting terrorism. The Resolution calls for Parliamentary involvement in negotiation of a new PNR Agreement, and states that such Agreement should provide greater transparency and redress measures. (Feb. 8, 2007)
  • Tensions Rise Between EU Parliament, Council and Commission on Passenger Data Debate
    In a joint debate of the European Parliament, members stressed the need to negotiate a permanent agreement with the United States that provides strong privacy protections to European citizens. Without an agreement, air carriers would come under great pressure to continue transferring passenger data, for fear of losing their landing rights in the United States. The United States and the European Union will begin formal negotiations in March in an effort to reach a permanent agreement for the transfer of personal information on European travelers before the current temporary arrangement expires in July of 2007. (Feb. 1, 2007)
  • Temporary Agreement Reached on Transfer of Passenger Data
    The United States and the European Union have established a temporary arrangement for the transfer of personal information on European travelers that will expire in July of 2007. An earlier agreement was annulled by the European Court of Justice. The new agreement gives the Europeans greater control over the disclosure of passenger data to the United States. However, it leaves unresolved whether the United States has adequate privacy protections to safeguard the private information of European consumers. For more information, see the EPIC pages on Air Travel Privacy and EU-US Airline Passenger Data Disclosure. (Oct. 6, 2006)
  • US, Europeans Fail to Reach Accord on Passenger Data
    The European Union and the United States are in a "legal vacuum" three months after the European Court of Justice struck down the passenger name record deal that allowed the transfer of personal information on European travelers to the U.S. government. European airlines face lawsuits by European citizens for violating European privacy laws if the information is disclosed to the U.S. without a new agreement. European consumer organizations have called for strong safeguards for personal data. Officials say negotiations will continue. More information at EPIC pages on Air Travel Privacy and EU-US Airline Passenger Data Disclosure. (Oct. 3)
  • European and US Consumer Groups Urge Privacy Safeguards for Air Travel Information. The Trans Atlantic Consumer Dialogue has written to Homeland Security Secretary Michael Chertoff and European Commissioner Franco Frattini recommending the establishment of legal protections for passenger information collected by the US government. The letter follows an earlier statement from TACD that identified numerous risks to consumers that would result from the disclosure of detailed personal information. The TACD letter responds to Secretary Chertoff's recent call for increased government snooping. EPIC has filed a Freedom of Information Act request with the Department of Homeland Security regarding the program and whether adequate privacy safeguards have been established. The European Court of Justice earlier held that there was no legal basis for the Homeland Security program. For more information, see EPIC's air travel privacy page. (Sept. 13)
  • Senate Subcommittee Holds Hearings on Airline Passenger Screening. On September 7, the Senate Subcommittee on Terrorism, Technology, and Homeland Security will hold a hearing on pre-screening international travelers who are flying into the United States. A Homeland Security program that acquired European passenger name records for pre-screening was opposed for its privacy violations by the European Parliament, and struck down by the European Court of Justice earlier this year. Homeland Security Secretary Chertoff has announced plans not only to revive the program, but also to expand certain aspects of it. For more information, see EPIC's Passenger Data page. (Sept. 5)
  • DHS Seeks Expanded Access to Travelers' Data. The Department of Homeland Security recently proposed expanding a program that would transfer detailed airline passenger records between European airlines and the US government. In 2003, the Department secretly entered into an agreement with European governments to obtain personal information on European travelers to the United States. The European Parliament challenged the agreement and the European Court of Justice recently ruled that the agreement lacked a legal basis. Negotiators have until September 30 to come up with a program that complies with European privacy law. (Aug. 22)
  • European Court Rejects Data Transfer to US. The European Court of Justice has just ruled that the 2004 airline passenger data transfer agreement (pdf) between the U.S. Department of Homeland Security and the European Union is to be voided after September 30, 2006. The Court held that the agreement was illegal because it exceeded the scope of the EU 1995 Directive on data protection, which excludes operations concerning public security, defense, state criminal law and state security. Since the framework for data transfer was dictated by public authorities, and amounted to processing operations concerning public security, the Court held that the Commission lacked legal competence under the Directive to address public and state security issues. Privacy International describes the holding as a "pyrrhic victory" because the Court ruled on the basis of legal authority, and did not address the privacy implications of the transfer of the personal data to the U.S. The European Data Protection Supervisor is concerned that the ruling has created a loophole because it is uncertain that the Directive protects data collected for commercial reasons but used for police matters. (May 30)
  • European Court's Top Advisor Recommends Annulment of EU-US Passenger Data Deal
    The Advocate General of the European Court of Justice considers the May 2004 Passenger Name Records agreement between EU and US authorities to be without adequate legal basis, and has called for its annulment. Since 2004, airlines flying from the EU to the US have had to disclose their passengers' personal information, including e-mail and credit card details. The European Parliament complained to the Court later that year that the agreement did not sufficiently protect European travellers' privacy rights. The ruling of the Court, which follows its Advocate General's opinion in 80% of cases, may call other EU anti-terrorism measures into question, as a data retention proposal now under review before EU institutions is being carried out under the same legal basis as the PNR agreement. Full Text of Opinion (French, 4.52MB, pdf). (Nov. 30, 2005)
  • Italian Data Protection Authority Secretary General Criticizes EU-US PNR Agreement. Giovanni Buttarelli, talking at EPIC's Freedom 2.0 conference, likened the agreement to a "stillborn child … imposed from above" because of a serious lack of institutional cooperation between the European authorities and the European Parliament - the EU's only elected body. Buttarelli criticized the agreement as entrusting technology and databases to solve problems that require instead wholly different and broad-minded approaches. He also made it clear that, while the agreement recognizes, on the one hand, the importance of fundamental rights and freedoms, it does not provide concrete safeguards for these rights. See "Promoting Freedom and Democracy: a European perspective". (May 21, 2004)
  • European Commission Adopts Decision Recognizing Adequate Privacy Protections in EU-US Passenger Data Disclosures. In its Decision, the Commission considers that the data on air passengers transferred to US authorities enjoys the "adequate protection" required under the EU Data Protection Directive for data sent to countries outside the EU. The Decision will enter into force once the US signs its Undertakings and once the international agreement that will complement the Commission's adequacy finding has been signed by the Council of the EU and the US Department of Homeland Security. For the European Parliament, however, the Undertakings do not offer adequate protection. If the Council concludes the agreement, the Parliament has the option to seek the annulment of the international agreement, or of the adequacy finding, or both, before the Court of Justice of the European Communities. (May 17, 2004)

Background

The United States announced that by March 5, 2003 all international airlines had to provide the government full electronic access to detailed airline passenger data on all travelers contained in the airline's computer system. This passenger information includes, among other things, name, address, flight number, credit card number, and choice of meal. European airlines and European officials are concerned that providing unfettered access to U.S. law enforcement authorities would violate their privacy laws and have been holding discussions with the U.S. to ensure that the privacy of their citizens is adequately protected. EPIC also submitted comments on the same issue concerning the collection of passenger information on U.S. citizens and permanent residents and criticized the government for failing to fulfill its legal obligations under the Privacy Act (see comments (pdf)).

The European Data Protection law, which implements the framework of Fair Information Practices embodied in the Organization for Economic Cooperation and Development (OECD) 1980 Privacy Principles, allows law enforcement authorities access to passenger data only on a case-by-case basis based upon a particular suspicion. The law also requires that data collected for one purpose should not be used for another. For sensitive data such as religious, ethnic, or political affiliation there are even stricter safeguards on the use and disclosure of the information. The U.S. requirement would force European airlines to violate the Data Protection laws and therefore European airlines have petitioned their governments to clarify the airlines' obligations and responsibilities. European data protection authorities are also concerned about the protection of their citizens' privacy rights.

The United States and the Europeans are in the process of formulating an arrangement for the United States to obtain the passenger information while installing appropriate safeguards to protect the privacy of European citizens and to ensure that airlines comply with the data protection laws. On February 18, 2003 the European Commission brokered an interim arrangement where the Europeans agreed to not enforce their laws until a new agreement is reached. In exchange the U.S. offered some clarifications about how they would handle the data. EPIC argues that this interim solution violates EU data protection laws and the agreement itself is flawed because the European Commission is not in a position to act for data protection authorities (see our analysis for more information).

As the discussion between the Europeans and the United States moves forward, the following legal and policy questions need to be addressed in any permanent arrangement:

  • Why does United States law enforcement require access to the airline systems?
  • Which agencies (including intelligence agencies) will have access to the passenger data?
  • What purposes could the data be used for? What limitations will there be on the purposes for the data?
  • What will be the conditions and limits on data disclosure and transfer?
  • How will the data be protected from unauthorized access?
  • What will be the oversight mechanisms to ensure compliance with the agreement?
  • How long will the data be retained?

Full Analysis

On November 19, 2001, the United States adopted the Aviation and Transportation Security Act, which requires airlines flying into the United States to disclose to the Commissioner of Customs data relating to passengers and cabin crew ("Passenger Manifest Information"). The transfers must be completed before the plane takes off, or at the latest 15 minutes after departure. As soon as the data arrive at US Customs, US Customs and all US federal agencies would have access to these data.

On May 14, 2002, the US adopted another law to enhance border security that requires airlines arriving in and departing from the United States to transmit data relating to passengers and crew to the US Immigration and Naturalization Service (see: Article 29 Working Party's Opinion Nr. 66 of October 24, 2002 (pdf)). It stipulates that all data must be transmitted to a centralized database, known as the Interagency Border Inspection System ("IBIS"), and will also be shared with other federal agencies.

Requested data (PNR, APIS and DCS)

Through the Advanced Passenger Information System ("APIS"), the US agencies will request the name, the date of birth, the nationality, the sex, passport number and place of issue, foreign registration number (if applicable), address in the United States during the stay and any other data deemed necessary to identify the persons traveling.

In addition, the US requires information collected by the reservation and departure control systems ("DCS"), which are connected to the Passenger Name Record System ("PNR"). (Example of PNR.) Because this system contains all passenger data of the whole airline company, the system is not restricted to a specific flight. Thus, allowing full access to the DCS and PNR means that US Customs would also have full access to the data of passengers not flying from or into the United States. The current PNR file contains information provided at the time of the reservation, intended to ensure the associated transport and services, and which travel agencies, airlines or luggage handlers can access. It can contain up to sixty fields, depending on the airline and its level of service: identity of the traveller, health, price paid, bank details, telephone number of a person to be contacted in the event of a problem, place of lodging in the country of destination, names of the people with whom the person travels. In certain cases it might contain the history of previous trips and the choice of meal. A passenger, usually, may choose "no pref, baby, child, pure vegetarian, vegetarian (lacto), fruit, raw, seafood, high fiber, diabetic, low calorie, low fat/low cholesterol, low protein, low sodium, no lactose, Asian vegetarian, Asian, Hindu, kosher, Muslim, Bland." The specifications "Asian vegetarian, Asian, Hindu, kosher, Muslim, Bland" make it obvious that these data must be regarded as a category of "special sensitive data" because they could reveal the religious or ethnic background of the passenger.

Legal Analysis

These requests interfere with the European Data Protection Directive (95/46/EC), the "Directive."

The Directive applies when data of identified or identifiable natural persons ("personal data") are processed (processing being "any operation which is performed upon personal data whether or not by automatic means, such as collection, recording, organization, storage or disclosure"; see the full definition in Article 2 (b)). It imposes, in general, strict requirements on data processing. This means mainly that every data processing operation must have a specific, explicit and legitimate purpose (Article 6 (1)(b)), which is mostly the fulfillment of contractual obligations. For example, an online bookstore may collect a client's address in order to be able to deliver the books. In addition, the data collection must be adequate, relevant and not excessive in relation to the purposes for which the data are collected and/or for which they are further processed (Article 6 (1)(c)). Referring to the previous example, an excessive data collection would be a request by the bookstore to receive not only the client's address but also his telephone number. Further, data must be accurate, kept up to date and generally stored only as long as is necessary for the given purpose (Article 6 (1)(d) and (e)). Finally, there are several other requirements, such as the right to know whether data is being processed, for what purpose, etc. (see Articles 10 and 11), or the right of access (Article 12).

National Security Exemption Clause

However, there are narrowly interpreted exemptions, such as in Article 13, to the general data processing obligations mentioned above. Article 13 stipulates that the European Member States may restrict the scope of the obligations in the mentioned articles when such a restriction constitutes a necessary measure to safeguard national security, defense, public security, prosecution of criminal offences or other purposes not related to the US request (see: Article 29 Working Party's Opinion Nr. 66 of October 24, 2002 (pdf)).

The words "necessary measure" make it clear that these exemptions are restricted to specific investigations. Therefore, the exemption rule of Article 13 cannot justifiably be invoked to restrict the obligations of the Directive where the transfer is systematic, as is foreseen by US Customs. Since Article 13 requires a case-by-case request, the systematic general US request does not comply with it.

Rule limiting data use to the original purpose

The US requests for data access also conflict with the general data quality principle of Article 6 (1)(b) of the Directive, which stipulates that the data controller ("natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data") can process personal data only as long as it is compatible with the original purpose for which the data were collected. Under this scope the transfer of personal data to US government agencies can hardly be seen as a fulfillment of the contractual obligations of the airlines or travel agencies vis-à-vis their passengers (see Working Party's Opinion WP 66). In other words, the airlines collect data from the passenger primarily to deliver a service, including providing tickets and serving food. The airlines did not originally intend to collect data to transfer them to US Customs. The necessity of the transfer to fulfill a contract between the data subject and the data controller cannot expand the purpose for which the data were originally collected. The "physical impossibility" for the airlines to fulfill their contractual obligations is usually regarded as an insufficient ground to expand the original purpose of collecting passenger data (see Working Party's Opinion WP 66).

At any rate Article 6 cannot apply to cover the transfer of data related to persons not traveling to the US.

Transfer to "Third States"

In addition, the Directive prohibits, in general, any transfer of personal data to "third countries" (non-EU countries) if these countries do not provide an adequate level of data protection. Article 25 clarifies the definition of an "adequate level" of safeguards. The US is considered such a third country, since it does not offer any safeguards for the protection of personal data equivalent to those provided by the Directive (see: Working Party's Opinion 1/99). Thus, even if one may argue that the requested transfer were compatible with the contractual purpose of the airlines (relying on the argument that, without the transmission, the airlines would simply not be able to carry their passengers to the US), the transfer would generally be prohibited, because of the US' lack of adequate safeguards. This prohibition could only be circumvented when the airlines get an "unambiguous" consent from their passengers for this specific disclosure (see Article 26). This means, pursuant to the Directive, a "freely given specific and informed indication of a person's wish." The information provided to the data subject must include the identity of the US Agency, the purpose of this request and a notification that the data will be transferred to a country that does not offer adequate privacy safeguards (Articles 10 and 11 of the Directive).

The other exemptions from the third country prohibition listed in Article 26 do not apply. There is no proof either that the transmission of the specific data is necessary to safeguard important public interests, or that the transmission is necessary in order to protect the vital interests of the passengers.

EPIC's most important concerns and recommendations:

  1. There is no legitimate reason for requesting data of passengers not traveling to the United States. The US is trying to use its political power to force airlines to provide data on persons the US should have no concern with. If the US needs specific information about other persons, the US could contact the competent foreign law enforcement authorities such as Europol. Airlines should not play the role of intermediaries for US agencies.

    So far, there are no obligations under international law to provide the US with passengers' data. The US request for passenger data might even violate international economic and trade agreements (Austrian Data Protection Organization, ARGE DATEN). Thus, it should be up to the US to introduce its own controls for passengers traveling to the US.
  2. The Directive prohibits any processing of sensitive data, such as the choice of meal, which can reveal religious, ethnic or medical information, without explicit consent or substantial public interest. Thus, any agreement must exclude these data as long as no specific purpose is shown.

Recent Developments

THE JOINT STATEMENT OF FEBRUARY 17/18, 2003

In January the European Commission opened talks with the US Customs. Recently, on February 17-18, 2003, both sides came to an interim arrangement, the "Statement of the European Commission/US Customs Talks".

The Joint Statement addresses privacy concerns covering the period from March 5 (when US Customs will start requesting passengers' data) until the European Commission makes a final decision pursuant to Article 25 (6).

During this period the Commission urges the Member States not to take enforcement actions against airlines complying with the US government's requirements even if the transfer of data clearly violates the Directive.

The Joint Statement mainly provides that:

  1. Compliance by airlines and reservation systems with US PNR requirements will not involve unlimited on-line access by US Customs to EU-based data bases, but rather the processing of PNR data for persons whose current travel itinerary includes flights into, out of, or through the US.
  2. US Customs undertakes to respect the principles of the Data Protection Directive when accessing PNR data in the territory of the Community.
  3. US Customs will develop, in accordance with applicable EU law, measures to protect "sensitive" data.
  4. European data subjects may request disclosure of data from US Customs under the American Freedom of Information Act (FOIA).
  5. There will be further discussions on a regular basis between US Customs and the European Commission about implementation of this statement and possible enhancement.
  6. US Customs may provide information to other US law enforcement authorities, who specifically request PNR information, only for purposes of preventing and combating terrorism and other serious criminal offenses.
  7. Both sides agree to work together towards a bilateral arrangement, that, in the end, would define the purposes for which the data will be used. It would contain a limitation of use to these purposes; conditions and limits of data disclosure and onward transfer; protection of data from unauthorized access; duration and conditions of data storage, additional measures for the protection of sensitive data; remedies for passengers, including possibilities to review and correct data held by US Customs; reciprocity.

Analysis of the Joint Statement:
In response to point 1:
The promise not to allow full access appears to be a big step towards better privacy protection. But, as stated in the ANNEX of the Joint Statement, US Customs is entitled by legal statute (49 U.S.C. 44909 (c) (3)) to have full access to air carriers operating passenger flights in foreign air transportation to, from or through the United States. Therefore it will be crucial that the access is technically limited to the data referred to in this statement. Otherwise, all data, even all data of passengers not flying to or from the United States, would be accessible to US Customs. This would raise the issue of what US Customs may do with other passengers' data and how US Customs could be subject to control and oversight.

In response to point 2:
US Customs' promise to abide by the Directive's principles when accessing PNR can hardly be fulfilled. The agency, by being entitled to look at every passenger's data without having to justify any specific purpose, infringes Article 6 of the Directive. It does not respect the narrowly interpreted "national security" clause of Article 13, it does not limit the transfer to third entities (see below) and it does not give access to the data subject. Finally, since the US Privacy Act does not apply to non-US citizens, how will US Customs ensure respect for the principles of the Directive?

In response to point 4:
Europeans do not have the same rights under the FOIA as Americans have. Further, it is unclear whether data subjects may request data in every case, because US Customs states only two paragraphs later in the Annex that it will regard the PNR data as exempted from FOIA.

In response to point 6:
The limitation on providing data to other US law enforcement authorities has to be seen as a significant step towards more data protection. The Annex clearly stipulates that other US federal, local agencies and law enforcement entities have no direct access to the US Customs data. This promise offers much more security than for other data. However, the purpose of requesting data is not limited to the investigation and prevention of terrorism, but extends to all "serious criminal offenses." Therefore the allegation remains that the US is using foreign private companies as data collectors for law enforcement purposes. This is a perfidious way to circumvent the higher requirements European law enforcement agencies have to follow before disclosing law enforcement relevant data to the US.

The implementation of the Joint Statement:

In addition to the aforementioned issues with US Customs' respect for the Directive's principles, the implementation of the Joint Statement itself is legally uncertain. The EU Commission urged, in return for the promises given by the US, the national data protection authorities not to take enforcement actions against airlines complying with the US requirements after March 5, 2003.

"In view of the above process, the Commission side considered that EU data protection authorities may not find it necessary to take enforcement actions against airlines complying with US requirements." (Joint Statement of 17-18 February)

This behavior of the Commission is unique, as it urges national authorities to violate their national law. See Mr. Rodota's comment (pdf).

The Commission is "not legally in a position to convene, even for reasons of urgency, prior to the very close deadline of March 5, 2003 - when the APIS/PNR legislation is expected to take effect . . . In fact, national data protection supervisory authorities and judicial authorities of Member States are not free to apply or not national laws merely on the basis of the relevant advisability, and it has not yet been clarified how the Joint Statement might provide a sound legal base to justify an exception to that rule," Mr. Rodota concluded.

In addition, even the procedure considered in the Joint Statement for the period running after March 5 is legally questionable. The EC Commission promised to make a decision under the exemption clause of Article 25 (6) of the Directive to give the data access a strong legal basis.

The European Commission exemption clause Article 25 Section 6

Article 25 Section 6 of the Directive opens up the strict regime of the Directive for decisions given by the EC Commission stating that a specific third country ensures an adequate level of protection. In this case, all Member States shall take the measures necessary to comply with the Commission's decision. According to Article 25 Section 2, the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer. Although Section 2 gives further instructions for this consideration, the final decision leaves broad discretion to the Commission.

Thus, the EC Commission seeks to declare the access requested by US Customs, together with the promises of data protection given, consistent with the adequate level clause of Article 25.

Still, this approach would be very disputable for the following reasons:

  1. The Directive mainly applies to the collection of data among individuals and companies or among companies themselves, but not among law enforcement agencies (see Article 3, "Scope," of the Directive, which stipulates that the Directive shall not apply, in any case, to processing operations concerning public security, defense, State security). Therefore, in general, Article 25, which contains the assurance that personal data transferred to companies located in other countries meet the same level of data protection as within the EU, does not apply to data sharing between public law enforcement agencies and individuals or companies. The requested access is therefore not a matter of the regulation of data flow among companies, for which the EU is solely competent. It is a matter of cooperation with foreign law enforcement agencies, which still mainly remains within the sole competence of the European Member States. As an illustration, one could have a closer look at what airlines have to do in order to fulfill US Customs' request. They are transferring data not for their own contractual purpose but solely at the US government's request. The US could ask every passenger for the same data on its own. Instead of this, US Customs forces private companies to do so. Therefore it does not appear an exaggeration to conceive of the airline companies as agencies of US Customs.
  2. But even if Article 25 Section 6 did in general apply, access to data for US Customs would still violate the principle of "limitation of the purpose" as it is set forth in Article 6 (see above) of the Directive. The airlines did not originally collect data with the purpose of transferring them to US Customs, and there is no specific freely given consent by passengers (see Legal Analysis).

Previous News

  • EP Wants to Check Legality of EU-US PNR Deal. The European Parliament has decided to submit the recent passenger data agreement between the European Commission and the Department of Homeland Security to the European Court of Justice to examine whether it violates European data protection legislation and whether the Parliament's assent is necessary for the agreement to enter into force on the grounds that it modifies the EU Data Protection Directive. The vote comes as new questions arise over the U.S.'s sharing of information on EU passengers with other countries. (April 21, 2004)
  • Two EP Committees Have Rejected the EU-US PNR Deal. In a legislative resolution, EP committee members have rejected the conclusion of the transatlantic agreement and called on the Council of the EU to refrain from concluding it until the Court of Justice has delivered its opinion on the compatibility with the Treaty of the EU. A vote in plenary session of the Parliament is expected around April 19-22. (April 7, 2004)
  • EP Urged European Court of Justice to Check Legality of EU-US PNR Agreement. In a resolution, the European Parliament has reserved the right to bring an action before the Court of Justice of the European Communities to determine whether the PNR agreement violates EU data protection laws, should the European Commission and the Council of the EU decide to conclude the agreement without taking the EP's non-binding opinion into account. The EP's action would have the Court verify the legality of the projected international agreement, and in particular, check its compatibility with the protection of the fundamental right to privacy as protected by the European Convention for the Protection of Human Rights and Fundamental Freedoms, as well as determine whether the EU-US agreement has to be submitted to a binding, instead of consultative, EP vote. (March 31, 2004)
  • EP Sends Passenger Data Negotiators to the Drawing Board. The European Parliament has voted today on a resolution that criticizes the draft of the Commission's adequacy decision on the disclosure of passenger name records (PNR) of travelers flying to the US. The Members of the EP have called for more privacy protections for air passengers, have threatened to appeal to the European Court of Justice for violation of EU data protection laws, and have urged the European Commission to reach a more appropriate international agreement with the US. (March 31, 2004)
  • EP Committee Rejects EU Council's Proposal of Directive on PNR. The Committee on Citizens' Freedoms and Rights, Justice and Home Affairs has rejected an EU Council draft Directive on the obligation of carriers to communicate passenger data, which the Spanish government put forward in March 2003 and which would require airlines operating within the EU to provide passenger data to governments in the EU country of arrival. The EP will vote on this issue around April 19-22 during its next plenary session. (March 19, 2004)
  • US, EU Reach Deal on Passenger Data Transfer. The European Commission has temporarily agreed to provide the United States with information on its airline passengers traveling to the U.S. The agreement comes after a year of negotiations in which the U.S. has sought expansive access to EU passenger information. The agreement may still violate European privacy laws and faces opposition from the European Parliament. (Dec. 17, 2003)
  • Data Commissioners Call for Passenger Data Protection. A resolution was passed at the International Conference of Data Protection and Privacy Commissioners last week in Sydney, calling for "an international agreement stipulating adequate data protection requirements, including clear purpose limitation, adequate and non-excessive data collection, limited data retention time, information provision to data subjects, the assurance of data subject rights and independent supervision." The resolution supports the current stance of the EU, which has rejected U.S. requests to transfer European passenger data until more stringent privacy safeguards are in place. (Sept. 18, 2003)
  • European Commission Rejects US Demand for Passenger Info. The European Commission rejected U.S. demands for airlines to reveal passenger information as the anti-terrorism measure could breach EU privacy rules. A spokesman for the EU executive said Washington had failed to give binding commitments that personal data could not be abused in ways that might break EU laws on confidentiality. (Sept. 2, 2003)
  • European Campaign Against US Profiling. European Digital Rights (EDRi), a coalition of privacy and civil liberties organizations, has kicked off a campaign against the illegal transfer of European air passenger data to the United States. In a hearing yesterday before the European Parliament, Homeland Security Department representatives testified about their concerns for privacy (pdf), but did not provide clear answers to many questions from Members of Parliament. (May 7, 2003)
  • Europe and US Negotiate Passenger Record Access Changes. According to the data protection office of European airline carrier Lufthansa, the ongoing discussion between the European Commission and the U.S. Bureau of Customs and Border Protection (CBP) on air passenger profiling seems to have resulted in a so-called "push solution" to restrict the threat to European passengers' privacy. The push solution would call for airlines to create a back-up copy of passenger data stored in their PNR (passenger name record) system 24 hours before departure. This would allow airlines to filter out data that CBP did not specifically request, or sensitive data that is specially protected under the European Data Protection Directive. The data would then be transferred to CBP, instead of allowing them full and direct access to the databases, which they currently have. However, this would impose high costs for the airlines that CBP does not want to pay. In addition, the solution does not address the fact that CBP is asking for data that are originally collected for business and not for law enforcement purposes. The Joint Statement of February 17-18, 2003, which allowed CBP full access to airline databases, stipulated that the US and EU undertake further talks in order to stop the ongoing violation of the European Data Protection Directive (see full analysis) caused by the US' request for passenger data. (May 5, 2003)
  • European Airlines Check US No Fly List. EPIC uncovered government documents showing that the Transportation Security Administration maintains two watch lists, against which European and other airlines flying to, from, or within the United States check their passenger names. One is a "no-fly" list; the other is a list of people who are to receive additional searching at security. The passenger names are approved for list inclusion on the basis of secret criteria, and the information is supplied by intelligence agencies. Documents obtained by EPIC show that there are many complaints from passengers who were mistakenly identified as being on the list. The documents do not show that the agency has any due process rights for suspected passengers, nor an easy method for individuals to take their names off the lists. The problems in implementing these watch lists uncover new threats to European citizens' data processed under the EU US Joint Statement of February 17-18th, 2003. For more information, see EPIC's analysis. (Apr. 4, 2003)
  • Spain Proposes Passenger Profiling Scheme. In response to the United States' recent request for access to European airline passenger data, Spain has proposed a new European directive (pdf) that would require air carriers and shipping companies to collect data on all passengers. The companies would then have to send this data to law enforcement agencies in the appropriate destination country, and would also be asked to investigate all foreign nationals who fail to leave the EU on the scheduled date of their return flight. EPIC argues that these requirements not only violate European data protection law; they also pose a threat to the privacy of American citizens. (March 31, 2003)
  • EPIC Criticizes Profiling at EP Hearing. At a European Parliament Committee on Citizens' Freedoms and Rights hearing on traveler profiling in Brussels, EPIC submitted a statement (pdf) identifying the threats that extensive US profiling programs raise for European and American travelers' privacy. These threats include reversal of the presumption of innocence, widespread spying and third party data sharing, long-term retention of passenger records, lack of access and judicial remedies, and absence of public oversight. Other contributions from the hearing can be found here (in French). (March 27, 2003)
  • European Parliament Opposes Passenger Data Disclosure. An overwhelming majority of the European Parliament has adopted a resolution expressing opposition to an arrangement allowing the transfer of airline passenger data to US customs. The arrangement, which allows access to personal details of airline passengers, was agreed upon by the European Commission and the US on February 17-18. The European Parliament has concluded that disclosing passenger data may end up heading "into de facto 'data-mining' territory for the US Administration." The resolution questions the legal legitimacy of such disclosure in both the EU and the US. Parliament blames the European Commission for not having duly verified the real basis in US law to justify access to reservation systems. The Commission should investigate whether the actual US request is just an over-broad interpretation on the part of the present US administration. The resolution also states that Parliament regrets the lack of legal basis for the adoption of the Joint Statement. In addition, Parliament admonishes the Commission for inviting national authorities to disregard community law. (March 13, 2003)
  • Air Travel Profiling Violates EU Privacy Laws. The US government has pressured European Union authorities to allow European airlines to disclose passenger information. A new agreement (pdf) (also available in HTML from Statewatch) makes medical, ethnic and religious information available to US law enforcement. The agreement violates EU data protection laws because the disclosure is excessive and does not provide adequate privacy safeguards. (March 5, 2003)
  • Joint Statement of US Customs and EU Commission of February 18-19, 2003. In this statement, the European Commission decided to urge European Member States' Data Protection Authorities not to take enforcement steps against airlines allowing US Customs full access to passenger data after March 5, 2003. For further details, see EPIC's Explanation and Analysis. (March 5, 2003)
  • Letter of Mr. Rodota from March 3, 2003. Mr. Stefano Rodota, the Chairman of the EC ("European Community") Data Protection Working Group, sent a letter (pdf) on March 3, 2003 to the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs in Brussels. He raises the question of whether the procedures giving US Customs access to European airlines' data after March 5, 2003 are compatible with EU Member States' laws and whether they (see the Joint Statement) will offer a practicable interim solution. Mr. Rodota proposes a postponement of the data access until the next Working Party's meeting of 20 and 21 March 2003. For further details, see Statewatch's Comment. (March 3, 2003)