Final agreements between EU and USA on PNR and SWIFT

By EDRi · July 4, 2007

(This article is also available in German)

After a long and difficult period of negotiations, on 28-29 June 2007, final
agreements were reached between the EU and the USA on the data regarding
European financial transactions operated by the Belgian consortium SWIFT and
on the passenger name records (PNR) issue respectively.

Regarding access to financial data from SWIFT, the US has committed to
use any data received from SWIFT exclusively for counter-terrorism purposes,
with a data retention period of 5 years.

SWIFT is also bound to “adequately” protect the privacy of data according to
EU principles as laid out in 2000 and furthermore, from now on, all banks
using SWIFT will have to inform their customers about any transfers of their

According to a spokesman for Commission Vice-President Franco
Frattini, an “agreement had been reached on the substance of the new
Passenger Name Records (PNR) system, with only technical details and EU
national parliaments’ opinion still to be resolved”. The agreement will
replace the interim agreement due to expire at the end of July 2007.

Both sets of negotiations resulted in the EU obtaining the power to
inspect US investigators’ use of European data. The EU has insisted on this,
considering that US privacy laws would not protect European citizens’ data
from being abused. However, according to Gus Hosein from Privacy
International, the EU won only limited oversight over the US use of PNR

The PNR agreement reduced the number of pieces of data that can be collected
by the US authorities from 34 pieces to 19, including name, contact
information, payment details, travel agency, itinerary and baggage
information, but excluding sensitive data such as ethnicity.

The US will be allowed to store the data for a seven-year period under an
“active” or “operational” regime and can extend this period by 8 years for
“dormant” data, which would be accessible under stricter rules. This means a
15-year storage period in total, as compared to three years as previously
agreed. EU officials, however, state that the agreement has more
safeguards than before.

In a letter to the German interior minister Wolfgang Schäuble, the European
Data Protection Supervisor Peter Hustinx has nevertheless expressed concern,
believing that the privacy rights of air passengers between the EU and US
will be threatened by the agreement struck on 29 June.

A good point is that, for the first time, EU citizens will also be covered
by the US Privacy Act, which means they can enforce their rights in US
courts. The new PNR system deal must be ratified by national parliaments
before taking effect, as expected, at the end of July 2007.

But PNR data has also started to look interesting to European
officials. Just a few days after the car bomb attack in Glasgow and London,
Commissioner Franco Frattini announced that he would propose in October
a new draft containing anti-terrorism measures, including the creation of a
European PNR system. In this way, the airlines flying to the EU would be
obliged to share passengers’ private data with Europe’s secret services. It
is not yet clear whether the scheme will cover intra-European flights.
