Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

Approved US PNR agreement will provide legal certainty to airlines, says EU

The European Parliament has approved a controversial new agreement allowing the EU to exchange airline passenger information with the US, it has announced.19 Apr 2012

The EU said that the agreement (37-page / 138KB PDF), which sets out the conditions under which passenger name record (PNR) data can be transferred, would provide "legal certainty" to airlines. However, it acknowledged that a "significant minority" of MEPs had voted against the agreement due to concerns over data protection safeguards, including Dutch MEP Sophie in't Veld who authored the Parliament's initial report into the agreement.

The new agreement, which will be formally approved by justice ministers next week, replaces a provisional arrangement which has been in place since 2007. The UK announced that it had opted in to the agreement in a ministerial statement last month.

EU privacy watchdogs the European Data Protection Supervisor (EDPS) and Article 29 Working Party have both expressed their concerns about certain aspects of the agreement. However, Home Affairs Commissioner Cecilia Malmström said that the three European institutions had created an agreement that they could be "proud of".

"[The agreement] providers stronger protection of EU citizens' right to privacy and more legal certainty for air carriers than the existing EU-US PNR Agreement from 2007," she said. "At the same time, it fully meets the security needs of the United States of America and the EU. Under the new agreement, data of passengers travelling to the United States of America will be used to fight serious transnational crime and terrorism. It will be made anonymous six months after a passengers' flight."

The agreement requires airline carriers flying from the EU into the US to share PNR data about all their passengers with the US Department of Homeland Security (DHS) for the purpose of the "prevention, detection, investigation and prosecution" of terrorism and certain 'transnational' crimes punishable by three or more years of imprisonment. Under the agreement PNR data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases. The DHS is similarly "obliged" to share PNR data with EU law enforcement for the same purposes.

PNR data can include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details. US authorities will be able to store this information in an 'active database' for up to five years. Information which could be used to identify a passenger must be "depersonalised" after six months, with identifying information such as name and contact details codified.

After the first five years the data will be moved to a 'dormant' database, with stricter access requirements for US officials. It may be retained for a further 10 years before being fully anonymised.

The agreement contains new data protection provisions, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data. EU citizens will also have the right to access their own PNR data and seek corrections or possible erasure by the DHS where this is found to be inaccurate. The agreement also provides "the right to administrative and judicial redress in accordance with US law" to EU citizens whose data is misused.

Earlier this year the Article 29 Working Party, which is made up of representatives from the data protection authorities of the EU's 27 member states, said that the new agreement enabled overly prescriptive collection of personal data. In December, EDPS Peter Hustinx said that any passenger data transferred under a new agreement should be deleted "immediately after its analysis" or after a maximum of six months. He also said that any data should only be used to combat terrorism or a well-defined list of serious international crimes.

The European Parliament adopted a PNR agreement with Australia in October 2011, and is currently negotiating a similar deal with Canada. The Commission has also proposed its own Passenger Name Record Directive, which could extend passenger-tracking systems to all flights to and from countries outside the EU for the first time as well as intra-UK flights.

Join My Out-Law

  • See only the content that matters to you
  • Tailor Out-Law to your exact needs
  • Save the most useful content for later reading
  • Tailor our weekly eNewsletter to your interests

Join My Out-Law

Already signed up to My Out-Law? Sign in

Expertise in Confidential Information

Ideas, techniques and know-how can lie at the heart of a business. Pinsent Masons' international intellectual property team is dedicated to helping you to protect those intangible valuables that help you to stand out from your competitors.

More about Confidential Information