Passenger Name Record Data and Privacy

In July 2007, the U.S. Department of Homeland Security (DHS) and the Council of the European Union (Council) signed an agreement and exchanged letters regarding the transfer of Passenger Name Record (PNR) data to DHS by air carriers operating flights between the U.S. and the European Union (EU). Included was a provision to “periodically review the implementation of this agreement, the DHS letter, and U.S. and EU PNR policies and practices” to assess the “effective operation and privacy protection of their systems.” In a series of communications between the European Commission and the Department, the parties agreed that a Joint Review would be conducted this December.

In preparation for the Joint Review, my team conducted a review of DHS PNR processing practices, the results of which are published in A Report Concerning Passenger Name Record Information Derived From Flights Between The U.S. And The European Union, posted on the privacy website. In short, we found that the Department complies with the representations made in the Agreement and Letters, as well as those representations made in the System of Records Notice for the Automated Targeting System (published in the Federal Register on August 6, 2007), the system where PNR resides.

I am proud that our team was able to complete this important task in my final days as Chief Privacy Officer, but I am disappointed that our European counterparts chose to postpone participation in this exercise. The Joint Review is meant to illustrate a common commitment to effective oversight and to promote further transparency. The review DHS hopes to hold with the European Commission in early 2009 will be of considerable value to DHS, as it will identify areas for improvement and confirmed best practices.

The EU is now considering use of PNR as a screening tool, and some Member States have begun national PNR programs. In the spirit of reciprocity and transparency, and to contribute to our shared goals of protection of citizens and their personal information, we look forward to a comparable review of European PNR systems.

Hugo Teufel III
Chief Privacy Officer