Home Information Sharing & Analysis Prevention & Protection Preparedness & Response Research Commerce & Trade Travel Security Immigration
About the Department Open for Business Press Room
Current National Threat Level is elevated

The threat level in the airline sector is High or Orange. Read more.

Homeland Security 5 Year Anniversary 2003 - 2008, One Team, One Mission Securing the Homeland

Fact Sheet: US-EU Passenger Name Record Agreement Signed

Release Date: 05/28/04 00:00:00

Milestone Agreement will be in place for at least 3½ years

On May 17, the European Commission announced that it had found the U.S. Department of Homeland Security's program to collect air passenger data regarding flights between the U.S. and the European Union (EU) adequate under EU laws. This announcement was the culmination of more than a year of negotiations between the United States and the European Commission. The agreement pertains to airline passenger data collected by Homeland Security's U.S. Customs and Border Protection (CBP), for use in screening passengers destined to and departing from the United States.

The PNR Arrangement

The CBP Undertakings document represents a unilateral declaration on how CBP will handle and utilize the PNR data originating from the EU. The Undertakings are the basis for the Commission's adequacy finding and reflect the details of the arrangement reached between Secretary Ridge and Commissioner Bolkestein in December 2003. The Undertakings, the adequacy finding, and the accompanying international agreement work together to provide that:

  • The agreement will be in effect for three and a half years after it is implemented, with renegotiations to commence after two and a half years.

  • Data will be retained by CBP for three and a half years, unless associated with an enforcement action.

  • Only 34 PNR data elements will be accessed by CBP, to the extent collected in the air carriers' reservation and departure control systems.

  • CBP will filter and delete "sensitive data," as mutually identified by CBP and the European Commission.

  • PNR data will be used by CBP strictly for purposes of preventing and combating:
    1) terrorism and related crimes;
    2) other serious crimes, including organized crime, that are transnational in nature; and
    3) flight from warrants or custody for the crimes described above.

  • TSA may use PNR originating in the EU for testing of CAPPS II, but not until CAPPS II is authorized to begin testing with domestic data.

  • There will be a yearly joint DHS and EU review regarding the implementation of the Undertakings.

  • A special channel of direct access has been established between European Data Protection Authorities and the DHS Office of the Chief Privacy Officer as a redress mechanism for concerns of European citizens.

Background

Consistent with the authority granted to U.S. Customs and Border Protection (CBP) under the Aviation and Transportation Security Act of 2001 and its interim implementing regulations, each air carrier operating passenger flights in foreign air transportation to or from the United States must provide CBP with electronic access to passenger name record (PNR) data to the extent it is collected and contained in the air carrier's automated reservation and departure control systems ("reservation systems"). This requirement has come into conflict with the 1995 European Commission “Data Protection Directive,” which substantially affects the collection and use of personal data in the private sector including requirements concerning the purposes for which data may be used, how data may be collected, handled and stored and what types of mechanisms must be available to redress incorrect information or the misuse of information.

The Department of Homeland Security (DHS) has been negotiating with the European Commission for more than one year to obtain an adequacy finding under the European privacy directive, which would allow CBP to access PNR data from the airlines in a manner consistent with European Union (EU) privacy laws in order to conduct targeted border screening to combat terrorism and other serious transnational crimes. The negotiations have taken place through regular video conferences and a series of trips by both delegations for face-to-face discussions. Without an adequacy finding, a number of airlines would have been put in a position where they could be subject to fines from EU member states for providing PNR data to the U.S. Airlines flying between the U.S and the European Union have been transferring PNR data to CBP since March 5, 2003, pursuant to an interim arrangement with the European Commission, which suggests to member states that they need not take enforcement action against the airlines pending the issuance of a proper adequacy finding.

In December 2003, DHS reached an agreement in principle with the European Commission that would allow airlines to legally provide CBP access to PNR data originating within the EU, subject to carefully negotiated limitations. Based on this arrangement for CBP access, on December 16, 2003, EU Commissioner for Internal Market Frits Bolkestein led the effort for the Commission to adopt an "adequacy finding," stating that safeguards in CBP's system are adequate to protect passenger privacy. This finding was affirmed by the EU's Article 31 Committee, made up of member state representatives on February 27, 2004 and then again on May 11, 2004 by the now enlarged Article 31 Committee comprised of 25 member states. Despite this support for the Commission's adequacy finding, the European Parliament has not taken a favorable view, holding non-binding votes on more than one occasion that challenged the U.S.-EU PNR arrangement. Nevertheless, on May 17, the European Commission announced that it had adopted the “adequacy finding”, and the accompanying international agreement was approved by the Council.

###

This page was last reviewed/modified on 05/28/04 00:00:00.