[Federal Register: January 4, 2007 (Volume 72, Number 2)]
[Notices]
[Page 348-351]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr04ja07-45]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Bureau of Customs and Border Protection
Interim Agreement Between the European Union and the United
States Regarding the Transfer of Passenger Name Record Data
AGENCY: Bureau of Customs and Border Protection; DHS.
ACTION: General notice.
-----------------------------------------------------------------------
SUMMARY: This Notice is intended to update a General Notice published
in the Federal Register on July 9, 2004, advising that the Department
of Homeland Security, Customs and Border Protection, had issued a
document on May 11, 2004 (referred to as the ``Undertakings'')
containing representations regarding the manner in which it would
handle certain Passenger Name Record data relating to flights between
the United States and European Union member states. This Notice
describes updates and adjustments to the Undertakings to reflect
changes in the law and circumstances surrounding these data transfers.
EFFECTIVE DATES: This Notice is effective January 4, 2007.
FOR FURTHER INFORMATION CONTACT: Michael Scardaville, (202) 282-8321.
SUPPLEMENTARY INFORMATION: On July 9, 2004, a Notice was published in
the Federal Register (69 FR 41543; corrected at 69 FR 44082 on July 23,
2004), advising that the Department of Homeland Security (DHS), Customs
and Border Protection (CBP), had issued a document on May 11, 2004
(referred to as the ``Undertakings'') containing representations
regarding the manner in which CBP would handle certain Passenger Name
Record (PNR) data relating to flights between the United States and
European Union (EU) member states. When they were issued, these
Undertakings were understood to provide the foundation for the European
Community (EC) to enter into an agreement with the United States that
permitted the transfer of PNR data to CBP consistent with applicable EC
law. However, through a diplomatic note presented on July 3, 2006, the
EC terminated the agreement as of September 30, 2006, as a consequence
of the determination of the European Court of Justice that the
agreement had been concluded on an inapplicable basis under European
Union law.
On October 19, 2006, the United States and the EU concluded an
agreement to last until July 31, 2007. This agreement was accompanied
by a letter of the United States updating and adjusting the
Undertakings to reflect changes in the law and circumstances
surrounding this data transfer. The letter was discussed extensively
with the EU, and the EU has acknowledged it without objection. Copies
of the agreement and letter are contained in this notice. All
representations contained in the Undertakings, as published on July 9
and 23, 2004 are to be interpreted consistently with the October 19,
2006 agreement and its accompanying letter. The letter reflects changes
in U.S. law and experience since the Undertakings were issued and is
consistent with existing relevant provisions of U.S. law.
Both the agreement and the Undertakings shall terminate on July 31,
2007, unless extended.
Dated: December 19, 2006.
Stewart Baker,
Assistant Secretary for Policy.
Text of agreement:
AGREEMENT
Between the European Union and the United States of America on the
Processing and Transfer of Passenger Name Record (PNR) Data by Air
Carriers to the United States Department of Homeland Security
THE EUROPEAN UNION AND THE UNITED STATES OF AMERICA,
DESIRING to prevent and combat terrorism and transnational crime
effectively as a means of protecting their respective democratic
societies and common values,
RECOGNISING that, in order to safeguard public security and for law
enforcement purposes, rules should be laid down on the transfer of
Passenger Name Record (``PNR'') data by air carriers to the Department
of Homeland Security (hereinafter ``DHS''). For the purposes of this
Agreement, DHS means the Bureau of Customs and Border Protection, U.S.
Immigration and Customs Enforcement and the Office of the Secretary and
the entities that directly support it, but does not include other
components of DHS such as the Citizenship and Immigration Services,
Transportation Security Administration,
[[Page 349]]
United States Secret Service, the United States Coast Guard, and the
Federal Emergency Management Agency,
RECOGNISING the importance of preventing and combating terrorism
and related crimes, and other serious crimes that are transnational in
nature, including organized crime, while respecting fundamental rights
and freedoms, notably privacy,
HAVING REGARD to U.S. statutes and regulations requiring each air
carrier operating passenger flights in foreign air transportation to or
from the United States to provide DHS with electronic access to PNR
data to the extent they are collected and contained in the air
carrier's automated reservation/departure control systems (hereinafter
``reservation systems''),
HAVING REGARD to Article 6(2) of the Treaty on European Union on
respect for fundamental rights, and in particular to the related right
to the protection of personal data,
HAVING REGARD to relevant provisions of the Aviation Transportation
Security Act of 2001, the Homeland Security Act of 2002, the
Intelligence Reform and Terrorism Prevention Act of 2004 and Executive
Order 13388 regarding cooperation between agencies of the United States
government in combating terrorism,
HAVING REGARD to the Undertakings as published in the U.S. Federal
Register \1\ and implemented by DHS,
NOTING that the European Union should ensure that air carriers with
reservation systems located within the European Union arrange for
transmission of PNR data to DHS as soon as this is technically feasible
but that, until then, the U.S. authorities should be allowed to access
the data directly, in accordance with the provisions of this Agreement,
AFFIRMING that this Agreement does not constitute a precedent for
any future discussions or negotiations between the United States and
the European Union, or between either of the Parties and any State
regarding the processing and transfer of PNR or any other form of data,
HAVING REGARD to the commitment of both sides to work together to
reach an appropriate and mutually satisfactory solution, without delay,
on the processing of Advance Passenger Information (API) data from the
European Union to the United States,
NOTING that in reliance on this Agreement, the EU confirms that it
will not hinder the transfer of PNR data between Canada and the United
States and that the same principle will be applied in any similar
agreement on the processing and transfer of PNR data,
HAVE AGREED AS FOLLOWS
(1) In reliance upon DHS's continued implementation of the
aforementioned Undertakings as interpreted in the light of subsequent
events, the European Union shall ensure that air carriers operating
passenger flights in foreign air transportation to or from the United
States of America process PNR data contained in their reservation
systems as required by DHS.
---------------------------------------------------------------------------
\1\ Vol. 69, No 131, p. 41543.
---------------------------------------------------------------------------
(2) Accordingly, DHS will electronically access the PNR data from
air carriers' reservation systems located within the territory of the
Member States of the European Union until there is a satisfactory
system in place allowing for transmission of such data by the air
carriers.
(3) DHS shall process PNR data received and treat data subjects
concerned by such processing in accordance with applicable U.S. laws
and constitutional requirements, without unlawful discrimination, in
particular on the basis of nationality and country of residence.
(4) The implementation of this Agreement shall be jointly and
regularly reviewed.
(5) In the event that an airline passenger information system is
implemented in the European Union or in one or more of its Member
States that requires air carriers to provide authorities with access to
PNR data for persons whose travel itinerary includes a flight to or
from the European Union, DHS shall, in so far as practicable and
strictly on the basis of reciprocity, actively promote the cooperation
of airlines within its jurisdiction.
(6) For the purpose of applying this Agreement, DHS is deemed to
ensure an adequate level of protection for PNR data transferred from
the European Union concerning passenger flights in foreign air
transportation to or from the United States.
(7) This Agreement shall enter into force on the first day of the
month after the date on which the Parties have exchanged notifications
indicating that they have completed their internal procedures for this
purpose. This Agreement shall apply provisionally as of the date of
signature. Either Party may terminate or suspend this Agreement at any
time by notification through diplomatic channels. Termination shall
take effect thirty (30) days from the date of notification thereof to
the other Party. This Agreement shall expire upon the date of
application of any superseding agreement and in any event no later than
31 July 2007, unless extended by mutual written agreement.
This Agreement is not intended to derogate from or amend
legislation of the United States of America or the European Union or
its Member States. This Agreement does not create or confer any right
or benefit on any other person or entity, private or public.
This Agreement shall be drawn up in duplicate in the English
language. It shall also be drawn up in the Czech, Danish, Dutch,
Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian,
Lithuanian, Maltese, Polish, Portuguese, Slovak, Slovenian, Spanish and
Swedish languages, and the Parties shall approve these language
versions. Once approved, the versions in these languages shall be
equally authentic.
Done at Washington D.C. on 19 October 2006 and at Luxembourg on
16 October 2006.
For the United States of America
Michael Chertoff,
Secretary, Department of Homeland Security.
For the European Union
Erkki Tuomioja,
Minister for Foreign Affairs, President of the Council of the European
Union.
Text of U.S. letter:
Via Electronic Delivery
ATTN: Director General Jonathan Faull, European Commission
B-1049 Bruxelles, Belgium 22.
ATTN: Ms. Irma Ertman, Presidency of the Council of the European Union
Ministry of Foreign Affairs, P.O Box 176, Laivastokatu, FIN-00161
Helsinki, Finland.
Dear Jonathan and Irma:
This letter is intended to set forth our understandings with regard
to the interpretation of a number of provisions of the Passenger Name
Record (PNR) Undertakings issued on May 11, 2004 by the Department of
Homeland Security (DHS). For the purposes of this letter, DHS means the
Bureau of Customs and Border Protection, U.S. Immigration and Customs
Enforcement and the Office of the Secretary and the entities that
directly support it, but does not include other components of DHS such
as the Citizenship and Immigration Services, Transportation Security
Administration, United States Secret Service, the United States Coast
Guard, and the Federal Emergency Management Agency. We look forward to
further reviewing these and other issues in the context of future
discussions toward a comprehensive, reciprocal agreement based on
common principles.
[[Page 350]]
Sharing and Disclosure of PNR
The Intelligence Reform and Terrorism Prevention Act of 2004
required the President to establish an Information Sharing Environment
``that facilitates the sharing of terrorism information.'' Following
this enactment, on October 25, 2005 the President issued Executive
Order 13388, directing that DHS and other agencies ``promptly give
access to * * * terrorism information to the head of each other agency
that has counterterrorism functions'' and establishing a mechanism for
implementing the Information Sharing Environment.
Pursuant to Paragraph 35 of the Undertakings (which states that
``No statement in these Undertakings shall impede the use or disclosure
of PNR data in any criminal judicial proceedings or as otherwise
required by law'' and allows DHS to ``advise the European Commission
regarding the passage of any U.S. legislation which materially affects
the statements made in these Undertakings''), the U.S. has now advised
the EU that the implementation of the Information Sharing Environment
required by the Act and the Executive Order described above may be
impeded by certain provisions of the Undertakings that restrict
information sharing among U.S. agencies, particularly all or portions
of paragraphs 17, 28, 29, 30, 31, and 32.
In light of these developments and in accordance with what follows,
the Undertakings should be interpreted and applied so as to not impede
the sharing of PNR data by DHS with other authorities of the U.S.
government responsible for preventing or combating of terrorism and
related crimes as set forth in Paragraph 3 of the Undertakings.
DHS will therefore facilitate the disclosure (without providing
unconditional direct electronic access) of PNR data to U.S. government
authorities exercising a counter-terrorism function that need PNR for
the purpose of preventing or combating terrorism and related crimes in
cases (including threats, flights, individuals, and routes of concern)
that they are examining or investigating. DHS will ensure that such
authorities respect comparable standards of data protection to that
applicable to DHS, in particular in relation to purpose limitation,
data retention, further disclosure, awareness and training, security
standards and sanctions for abuse, and procedures for information,
complaints and rectification. Prior to commencing facilitated
disclosure, each receiving authority will confirm in writing to DHS
that it respects those standards. DHS will inform the EU in writing of
the implementation of such facilitated disclosure and respect for the
applicable standards before the expiration of the Agreement.
Early Access Period for PNR
While Paragraph 14 limits the number of times PNR can be pulled,
the provision puts no such restriction on the ``pushing'' of data to
DHS. The push system is considered by the EU to be less intrusive from
a data privacy perspective. The push system does not confer on airlines
any discretion to decide when, how or what data to push, however. That
decision is conferred on DHS by U.S. law. Therefore, it is understood
that DHS will utilize a method of pushing the necessary PNR data that
meets the agency's needs for effective risk assessment, taking into
account the economic impact upon air carriers.
In determining when the initial push of data is to occur, DHS has
discretion to obtain PNR more than 72 hours prior to the departure of a
flight so long as action is essential to combat an offense enumerated
in Paragraph 3. Additionally, while there are instances in which the
U.S. government may have specific information regarding a particular
threat, in most instances the available intelligence is less definitive
and may require the casting of a broader net to try and uncover both
the nature of the threat and the persons involved. Paragraph 14 is
therefore understood to permit access to PNR outside of the 72 hour
mark when there is an indication that early access is likely to assist
in responding to a specific threat to a flight, set of flights, route,
or other circumstances associated with offenses described in Paragraph
3 of the Undertakings. In exercising this discretion, DHS will act
judiciously and with proportionality.
DHS will move as soon as practicable to a push system for the
transfer of PNR data in accordance with the Undertakings and will carry
out no later than the end of 2006 the necessary tests for at least one
system currently in development if DHS's technical requirements are
satisfied by the design to be tested. Without derogating from the
Undertakings and in order to avoid prejudging the possible future needs
of the system any filters employed in a push system, and the design of
the system itself must permit any PNR data in the airline reservation
or departure control systems to be pushed to DHS in exceptional
circumstances where augmented disclosure is strictly necessary to
address a threat to the vital interests of the data subject or other
persons.
Data Retention
Several important uses for PNR data help to identify potential
terrorists; even data that is more than 3.5 years old can be crucial in
identifying links among terrorism suspects. The Agreement will have
expired before Paragraph 15 of the Undertakings requires the
destruction of any data, and questions of whether and when to destroy
PNR data collected in accordance with the Undertakings will be
addressed by the United States and the European Union as part of future
discussions.
The Joint Review
Given the extensive joint analysis of the Undertakings conducted in
September 2005 and the expiration of the agreement prior to the next
Joint Review, the question of how and whether to conduct a joint review
in 2007 will be addressed during the discussions regarding a future
agreement.
Data Elements
The frequent flyer field may offer addresses, telephone numbers, e-
mail addresses; all of these, as well as the frequent flyer number
itself, may provide crucial evidence of links to terrorism. Similarly,
information about the number of bags carried by a passenger may have
value in a counterterrorism context. The Undertakings authorize DHS to
add data elements to the 34 previously set forth in Attachment ``A'' of
the Undertakings, if such data is necessary to fulfill the purposes set
forth in paragraph 3.
With this letter the U.S. has consulted under Paragraph 7 with the
EU in connection with item 11 of Attachment A regarding DHS's need to
obtain the frequent flier number and any data element listed in
Attachment A to the Undertakings wherever that element may be found.
Vital Interests of the Data Subject or Others
Recognizing the potential importance of PNR data in the context of
infectious disease and other risks to passengers, DHS reconfirms that
access to such information is authorized by paragraph 34, which
provides that the Undertakings must not impede the use of PNR for the
protection of the vital interests of the data subject or of other
persons or inhibit the direct availability of PNR to relevant
authorities for the purposes set forth in Paragraph 3 of the
Undertakings. ``Vital interests'' encompasses circumstances in which
[[Page 351]]
the lives of the data subject or of others could be at stake and
includes access to information necessary to ensure that those who may
carry or may have been exposed to a dangerous communicable disease can
be readily identified, located, and informed without delay. Such data
will be protected in a manner commensurate with its nature and used
strictly for the purposes for which it was accessed.
Sincerely yours,
Stewart Baker,
Assistant Secretary for Policy.
[FR Doc. 06-9980 Filed 1-3-07; 8:45 am]
BILLING CODE 9114-14-P