United States–European Union Agreement on Passenger Name Records


The Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security is an international agreement between the United States of America and the European Union that was signed on 14 December 2011 for the purpose of providing passenger name records (PNR) from air carriers operating passenger flights to the United States Department of Homeland Security to "ensure security and to protect the life and safety of the public" (Article 1).


Historical development

Access and transfer of passenger name records (PNRs) fall under the purview of European Data Protection Law. Under the Organisation for Economic Co-operation and Development (OECD) 1980 Privacy Guidelines, and the 1995 European Union Directive on data protection, PNRs may only be transferred to countries with comparable data protection laws. [1] Also, law enforcement authorities are permitted to access the passenger data only on a case-by-case basis, and where there exists a particular suspicion.

In the aftermath of the 11 September 2001 attacks, the US government determined that PNRs (both archived and real-time) were invaluable tools for investigating and thwarting terrorist attacks. Accordingly, the US government has sought the collection, transfer and retention of PNRs by the US Department of Homeland Security (DHS) Bureau of Customs and Border Protection.

In May 2004, the US government negotiated the 2004 Passenger Name Record Data Transfer agreement [2] (also known as the US-EU PNR agreement), a safe harbor PNR transfer agreement with the European Commission. Specifically, the European Commission deemed that the level of protection afforded to such PNR transfers would satisfy the standard of "adequacy" required by the 1995 EU Data Directive, as long as the data would be transferred and used solely for the purposes for which it was collected. These purposes were limited to "preventing and combating: terrorism and related crimes; other serious crimes, including organized crime, that are trans-national in nature; and flight from warrants or custody for those crimes." [3] The US-EU PNR agreement required European airlines to supply PNR data to US authorities within 15 minutes of a plane taking off. While this agreement was invalidated by the European Court of Justice on 30 May 2006 due to lack of legal authority, the European Council worked to substantively resurrect the agreement before the court-mandated deadline of 30 September 2006. [4] [5]

In July 2007, a new and controversial [6] PNR agreement between the US and the EU was signed. [7] A short time afterward, the Bush administration exempted the Department of Homeland Security, the Arrival and Departure System (ADIS) and the Automated Targeting System from the 1974 Privacy Act, raising concerns from Statewatch about the protection of EU citizens' data. [8]

In February 2008, Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the US bilateral policy concerning PNR. [9] In February 2008 the US had signed a memorandum of understanding [10] with the Czech Republic in exchange for a visa waiver scheme, without consulting Brussels in advance. [6] The tensions between Washington and Brussels are mainly caused by the lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Data privacy in the EU is regulated by Directive 95/46/EC on the protection of personal data, and the US Safe Harbor arrangement, made to converge with European norms, remains controversial for its alleged lack of protection. Other countries approached for bilateral MOUs included the United Kingdom, Estonia, Germany and Greece. [11]

On 28 November 2011, a new agreement on the transfer and use of PNR data between the EU and US DHS was authored. [12] The full text is available online. [13]

In April 2012, the agreement was approved and adopted by the European Parliament. [14] The agreement provides protections for PNR data; however, critics express concern that there is insufficient recourse should the data be misused. The parliament's approval of the agreement was warmly welcomed by the Justice and Home Affairs Council of Ministers. [15]

Criticism

On 6 January 2011, the Article 29 Working Party responded to a request for its opinion:

Since the agreement would have implications for millions of European citizens, for the Working Party, there should be no doubt as to the transparency of the discussions on the draft agreement and of the approval procedures within the relevant institutions of the European Union. It regrets that this view does not seem to be shared by all relevant stakeholders. As a general assessment, the Working Party notes (modest) improvements in the draft agreement, but does not see its serious concerns removed.

...

When assessing any new PNR agreement between the European Union and any third country, it remains important to reflect upon one fundamental concern implied in all these agreements. By concluding them, the legislators oblige carriers and computer reservation systems to make PNR data of all their passengers – nearly all of them being innocent and unsuspected citizens – available to foreign law enforcement agencies. This, in itself, remains quite an unusual phenomenon and requires very careful consideration. If acceptable at all, it requires not only a legal base, which the agreement is meant to be, but also irrefutable proof that the agreement is necessary and proportionate and that safeguards are sufficiently elaborated, all in the meaning of and in full compliance with the EU Charter on Fundamental Rights. [12]

Reports by the Legal Service of the European Commission as well as two professors funded by The Greens–European Free Alliance critiqued the agreement because of perceived reductions of privacy rights. [16] [17]

References

  1. Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980), available at http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html
  2. "Justice and fundamental rights" (PDF).
  3. Agreement between the European Community and the U.S. on the processing and transfer of PNR data by air carriers to the U.S. Dep't of Homeland Sec., Bureau of Customs and Border Prot. Council Directive 2004 O.J. (L 183) 94 (EC).
  4. See BBC News: EU court annuls data deal with US
  5. Judgment of the Court of Justice in Joined Cases C-317/04, C-318/04 Parliament/ Council (press release).
  6. A divided Europe wants to protect its personal data wanted by the US, Rue 89, 4 March 2008 (in English)
  7. Jean-Pierre Masse. "New EU-US PNR Agreement on the processing and transfer of Passenger Name Record (PNR) data". Libertysecurity.org. Archived from the original on 12 January 2012. Retrieved 20 March 2013.
  8. Statewatch, US changes the privacy rules to exemption access to personal data September 2007
  9. Brussels attacks new US security demands, European Observer. See also Statewatch newsletter February 2008
  10. "MEMORANDUM OF UNDERSTANDING BETWEEN THE MINISTRY OF THE INTERIOR OF THE CZECH REPUBLIC AND THE DEPARTMENT OF HOMELAND SECURITY OF THE UNITED STATES OF AMERICA REGARDING THE UNITED STATES VISA WAIVER PROGRAM AND RELATED ENHANCED SECURITY MEASURES" (PDF). 2008 via Statewatch.
  11. Statewatch, March 2008
  12. "Letter Ares(2012)15841" (PDF). Article 29 Working Party. 6 January 2011. Retrieved 19 September 2012.
  13. "Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security" (PDF). European Council. 8 December 2011. 2011/0382 (NLE).
  14. "Infosecurity – European Parliament approves the controversial EU/US PNR agreement". Infosecurity-magazine.com. 20 April 2012. Retrieved 20 March 2013.
  15. "The EU and the United States strengthen cooperation on counter-terrorism". eu2012.dk. 19 April 2012. Retrieved 20 March 2013.
  16. "EU-US PNR agreement found incompatible with human rights".
  17. Hornung, Gerrit; Boehm, Franziska (14 March 2012). "Comparative Study on the 2011 draft Agreement between the Unites [sic] States of America and the European Union on the use and transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security" (PDF). Greens–European Free Alliance. Passau and Luxembourg.