Proposed US-EU PNR Agreement made public

By EDRi · November 30, 2011

On 17 November 2011, U.S. and EU officials initialled a proposed agreement
to authorize airlines to forward passenger name record (PNR) data to the
U.S. Department of Homeland Security (DHS). Although the agreement cannot
take effect without the approval of the European Parliament and the Council,
MEPs could read the proposed agreement only in a sealed room where they
could not take notes or make copies.

This week the complete text on which the European Parliament will vote has
finally been made public, revealing a failure to address the concerns raised
by the Parliament and continued shortfalls in data protection, due process,
and protection of fundamental rights.

In its resolution of 5 May 2010, the Parliament said that the PNR agreement
should take the form of a treaty, recognize the fundamental right to
freedom of movement, prohibit the use of PNR data for data mining or
profiling, and take into consideration “PNR data which may be available
from sources not covered by international agreements, such as computer
reservation systems located outside the EU.” The proposed agreement
does not meet these criteria, and does not mention any of these issues.

The agreement would require that DHS copies of PNRs be “depersonalized”
after 6 months. But the “depersonalized” DHS copy of each PNR would still
include a unique record locator. There is no data protection law in the
U.S. for commercial data. So, at any time – secretly, without a court
order, and without violating U.S. law or the U.S.-EU agreement – the DHS
could use the record locator to obtain a copy of the complete PNR from the
computer reservation systems.

The agreement claims that all DHS access to PNR data will be logged. But
when individuals have requested these logs, both the DHS and European
airlines have said that they didn’t exist. Without access logs, there can
be no accountability or oversight.

According to the agreement, any individual is entitled to “request” access
or corrections to their PNR data under the Freedom of Information Act
(FOIA). But most PNR data is exempt from FOIA. Under both the agreement
and U.S. law, you are entitled to request your PNR data, and the DHS is
entitled to say “No”.

FOIA is not a data protection law. FOIA never requires any accounting of
usage or disclosure of data. FOIA never requires correction of records.
FOIA does not restrict what information is collected or how it is used.
U.S. courts have no authority under FOIA to take any action against misuse
or disclosure of personal information. The agreement says that individuals
may “seek” or “petition” for judicial review in U.S. courts. But such a
petition related to violations of the agreement would be denied.

The proposed agreement would protect travel companies against enforcement
of EU data protection laws, while failing to protect the rights of
travellers. Because the proposed agreement does not provide an adequate
level of protection for the processing of personal data, as required by
the EU Data Protection Directive and Article 8 of the Charter of
Fundamental Rights, EDRi recommends that the Council and the Parliament
should reject the proposed agreement.

Text of the PNR Agreement (23.11.2011)

Analysis of the proposed U.S.-EU agreement on PNR transfers to the DHS
(with links to the full text in English, German, and French, 28.11.2011)

Revised EU-US agreement on PNR data still protects only travel companies, not travelers

Analysis of the proposed agreement by NoPNR! (only in German, 28.11.2011)

EDRi archive of articles about PNR

(Contribution by Edward Hasbrouck, – EDRi Observer)