Out-Law News 4 min. read
18 Nov 2011, 11:43 am
The agreement specifies that airline carriers flying from the EU into the US must share PNR data about all passengers with the US Department of Homeland Security (DHS) with the main purpose of the "prevention, detection, investigation and prosecution of terrorism and certain transnational crimes," the Commission said. PNR data may include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
"PNR will be used to tackle serious crimes, such as drug trafficking, trafficking in human beings and terrorism," the Commission said in a statement.
Under the agreement PNR data can also be used "on a case-by-case basis for the protection of vital interests of passengers, for example to protect against communicable diseases, or if ordered by a US court," it said.
Under the agreement the DHS is "obliged" to share PNR data and any "analytical information" it obtains from it with EU "law enforcement and judicial authorities" for the same purposes, which the Commission said would "be of direct benefit for the EU". The agreement, which would replace the existing PNR agreement the EU and US formed in 2007, has still to be formally approved by the European Parliament and Council of Ministers before it can come into effect.
The UK already has a separate PNR data sharing arrangement with the US which Justice Secretary Ken Clarke described earlier this year as "absolutely critical to improving US and EU security".
Under the new agreement US security will be able to store identifying information about passengers for six months after it is sent. After this period the information will be "depersonalised" and can be retained for another 14 and a half years, the Commission said.
"This is a considerable improvement compared to the existing PNR Agreement from 2007 which allows all PNR data to be retained for 15 years, without any depersonalisation at all, and with data moved to the dormant database only after 7 years," the Commission said.
US authorities will be allowed to access PNR data in relation to terrorism offences for 15 years in total, but for only 10 years in total in relation to transnational crimes. Stricter access requirements will also be placed on PNR data after it has been stored for five years when the data is moved to "a dormant database," the Commission said.
Individuals will be able to access PNR data stored about them and can request that the information is updated or even deleted. Separate rules around the storage of sensitive personal data have also been agreed, the Commission said.
"To make sure personal data are fully protected, the new agreement also provides that passengers can obtain access to their PNR, can request the correction of their data, including their erasure and deletion, and can seek administrative and judicial redress as provided for under US law. Sensitive data (such as health information or the type of meal requested by the passenger) will be stored in a different archive and deleted after 30 days," the Commission said.
US authorities will not be able to access the PNR data directly from airline carriers' databases except if "it is necessary to prevent an urgent and serious threat" or if the airline suffers a "technical failure" that prevents the data being sent.
The agreement has also established "new data protection guarantees", including to require a human to be present when PNR data is being processed. "It will not be possible to take decisions adversely affecting passengers based only on automated processing of data. The aim of this is to prevent illegal profiling," the Commission said.
The new guarantees also ensure "stricter rules" have to be followed to "prevent loss or unauthorised disclosure of personal data". Independent bodies, including the US' Chief Privacy Officer and US Congress, will provide "oversight" to PNR data processing by DHS which itself will have to log all PNR data processing it does, the Commission said.
The Commission said the new agreement would bring "more clarity and legal certainty" to both airline passengers and airline carriers.
"It ensures better information sharing by US authorities with law enforcement and judicial authorities from the EU, it sets clear limits on what purposes PNR data may be used for, and it contains a series of new and stronger data protection guarantees," the Commission said.
The Commission said that clarity in the way the agreement has been drafted could result in speedier border control systems for passengers.
"The agreement clarifies that PNR may, in accordance with its purpose and scope, be processed to identify persons who may require further examination. This ensures that authorities are adequately prepared for the arrival and departure of such persons. This process therefore provides very important advantages in terms of facilitating legitimate travel, by contributing towards faster border controls for persons who may not require further examination," it said.
Cecilia Malmström, EU Commissioner for Home Affairs, said the new agreement was a "big improvement" on the existing arrangements on PNR data transfer to the US.
"The new agreement contains robust safeguards for European citizens' privacy, without undermining the effectiveness of the agreement in terms of EU and US security,'' she said.
The EU's PNR arrangements have previously been criticised by privacy watchdogs. Earlier this year the European Data Protection Supervisor said that PNR data should be deleted after 30 days in order to meet EU data protection safeguards.
The Commission has proposed a Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-EU flights.
