US gains new advantages in the EU-USA PNR agreement

By EDRi · September 12, 2007

In some recently published documents, Statewatch revealed that very soon
after the EU-USA agreement on PNR (passenger name record) was signed on 28
June 2007, the US government announced some changes in its Privacy Act that
give exemptions from responding to request for personal information held to
DHS (Department of Homeland Security) and ATS (Automated Targeting System).
US Government also sent a written request to the Council of EU to agree on
keeping secret all the documents on the negotiations for at least 10 years.

The declared purpose of the above-mentioned exemptions is for “national
security, law enforcement, immigration and intelligence activities. These
exemptions are needed to protect information relating to DHS investigatory
and enforcement activities from disclosure to subjects or others related to
these activities (….) Disclosure of information to the subject of an
inquiry could also permit the subject to avoid detection or apprehension.”

The exemptions are related to the new “Arrival and Departure System” (ADIS)
that the USA is to introduce and which is meant to authorise people to
travel only after PNR and API (Advance Passenger Information) data has been
checked and cleared by US agency watchlists: “ADIS consists of centralized
computerized records for and will be used by DHS and its components. .. The
information is collected by, on behalf of, in support of, or in cooperation
with DHS and its components and may contain personally identifiable
information collected by other Federal, state, local, tribal, foreign, or
international government agencies.”

The Automated Targeting System, that is to be exempted as well, is a system
of 6 modules of dealing with Passenger Name Record (PNR) data.

The exemptions seem to be meant to counterbalance “the set backs” for the US
government in the EU-US PNR agreement signed in June. In the text of the
agreement it is stated that DHS has taken the decision “to extend
administrative Privacy Act protections to PNR data stored in the ATS
regardless of the nationality or country of residence of the data subject,
including data that relates to European citizens. Consistent with U.S. law,
DHS also maintains a system accessible by individuals, regardless of their
nationality or country of residence, for providing redress to persons
seeking information about or correction of PNR.”

The exemptions introduced now contradict this statement, as also notice Tony
Bunyan, Statewatch editor : “The adoption of these two exemptions will
seriously diminish any rights EU citizens have to find out what data is held
on them and who it is held by. Did the Council and the Commission, who
negotiated the agreement, know the US was planning to introduce them, and if
not why not?”

Another measure taken by the US Government related to the agreement signed
in June is one regarding the confidentiality of the negotiations that led to
signing the act. On 30 July 2007, Mr Paul Rosenzweig, Acting Assistant
Secretary for Policy at the US Department for Homeland Security sent a
written request to the Council of European Union to agree on keeping secret
all the documents on the negotiations for at least 10 years after the
entering into force of the agreement.

EU’s Article 29 Data Protection Working Party issued on 17 August an opinion
on the new EU-USA PNR agreement concluding that it sensibly weakened the
safeguards provided by the previous agreement and that “the new agreement
leaves open serious questions and shortcomings, and contains too many
emergency exceptions.”

“Yet again we see the USA telling the EU what to do. In this case how it
should operate the EU Regulation on access to documents. How can any request
for PNR documents be fairly considered under EU law when it has already
agreed to exercise a US veto? Are we going to see documents for all future
EU-US agreements kept secret too? US access to PNR data and its further
processing is an issue of substantial public interest which directly effects
the rights and privacy of EU citizens and therefore all the documentation
should be in the public domain for parliaments and people to see and
discuss. It is a quite outrageous request and it is even more outrageous
that the EU is going to agree to it” commented Tony Bunyan, Statewatch

US changes the privacy rules to exemption access to personal data

US demands 10 year ban on access to PNR documents (2.09.2007)

Proposed Rules, Federal Register – DHS, 6 CFR Part 5, Privacy Act of 1974:
Implementation of Exemptions (22.08.2007)

Article 29 Data Protection Working Part – Opinion 5/2007 on the follow-up
agreement between the European Union and the United States of America on the
processing and transfer of passenger name record (PNR) data by air carriers
to the United States Department of Homeland Security concluded in July 2007

EDRI-gram: Final agreements between EU and USA on PNR and SWIFT (4.07.2007)