Data protection recommendations on PNR

By EDRi · July 2, 2003

The European Data Protection Authorities, convened in the European Working Party (Article 29 Data Protection Working Party), have published an opinion on the transfer of EU airline passenger data to the US. The Working Party also published a US Customs document dated 22 May 2003 that refines the US wishes and demands towards PNR data transfer and which the Working Party’ opinion is commenting on.

Since 5 March U.S. authorities have access to most European airlines’ passenger data bases after an agreement between the European Commission and US Customs. The transfer of the so-called Passenger Name Record (PNR) data has outraged the European Parliament, Data Commissioners and privacy groups. The scope of the original agreement between the European Commission and US Customs is wide. The agreement states that data can be stored as long as necessary and that the use of the data is not limited to combating terrorism but any “legitimate law enforcement purposes”. Ongoing talks between the EU and the US need to result in a final agreement that gives the transfer a legal basis which it currently lacks.

The new 22 May list of US Customs defines more than 40 data fields that European airlines should transfer to the US such as all forms of payment information, billing address, email address, complete home address and home phone number of the passenger. The documents also state that data can be kept by the US for a 7 year period. PNR data that have not been manually accessed during that period of time, will be destroyed. PNR data that has been manually accessed during the initial seven year period will be transferred to a ‘deleted record file’, where they will remain for a period of eight years before it is destroyed.

The Working Party proposes a much shorter list of data fields than the one envisaged by the US Authorities, excluding unnecessary information and, in any case, sensitive data. The Woking Party also wants a much shorter retention period that should not exceed some weeks or even months following the entry to the US.

Regarding the method of transfer the Working Party favours the ‘push’ method – whereby the data are selected and transferred by airline companies to US authorities – rather than the ‘pull’ one – whereby US authorities have direct online access to airline and reservation systems databases.

The use of the PNR data by the US should be limited to fighting acts of terrorism without expanding their scope to other unspecified ‘serious criminal offences’. The Working Party also wants effective enforcement of data subjects’ rights and independent third-party supervision.

Opinion 4/2003 of the Art. 29 Working Party (13.06.2003)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp78_en.pdf

Annex: Undertakings of the United States Bureau of Customs and Border Protection and the United States Transportation Security Administration (22.05.2003)
http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp78-pnrf-annex_en.pdf

European Commission / US Customs talk on Passenger Name Record (PNR) transmission (05.03.2003)
http://europa.eu.int/comm/external_relations/us/intro/pnr.htm