An EC-U.S. Agreement on Passenger Name Record (PNR)

Inhoud

Delen

enveloppe
  1. Tekst
  2. Originele weergave
  1. Meer informatie

1.

Tekst

to : Mr Javier SOLANA, Secretary-General/High Representative

Subject : An EC-U.S. Agreement on Passenger Name Record (PNR) Delegations will find attached Commission document SEC(2004) 81.

1

________________________

Encl.: SEC(2004) 81

1

This working paper has been transmitted to the Council in English only.

COMMISSION OF THE EUROPEAN COMMUNITIES

Brussels, 21.1.2004 SEC(2004) 81

COMMISSION STAFF WORKING PAPER

"An EC-U.S. Agreement on Passenger Name Record (PNR)"

  • 1. 
    US M EASURES th

In the aftermath of the tragic events of 11 September 2001, the Congress of the United States

passed a series of laws aimed at enhancing domestic security against terrorist threats. The European Union fully supports the US in the fight against terrorism and other serious crimes that are trans-national in nature, including organised crime.

th

In particular, the US Aviation Transportation and Security Act (ATSA) of 19 November

2001 establishes that air carriers operating passenger flights to or from the United States must make Passenger Name Record (PNR) information available to the Customs Service (today Bureau of Customs and Border Protection, CBP ­ Department of Homeland Security, DHS) upon request. It also requires the Transportation Security Administration (TSA), also part of the DHS, to evaluate all passengers before they board an aircraft using a computer-assisted passenger pre-screening system.

In the framework of air transport, the "Passenger Name Record" (PNR) is a record of each passenger's travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating airlines.

th

Since 5 February 2003, CBP requires carriers operating passenger flights in foreign air

transportation to or from the United States to provide CBP with electronic access to PNR to the extent it is collected and contained in the air carrier's automated reservation system.

TSA has determined that in order to carry out its screening and security functions it requires access to PNR data collected by air carriers and Computer Reservation Systems (CRS). The system that it plans to put in place, known as Computer-Assisted Passenger Pre-Screening (CAPPS II) has not yet become operational.

  • 1. 
    P OTENTIAL C ONFLICT WITH C OMMUNITY & M EMBER S TATES ' L AW These measures potentially conflicted with Community and Member States' legislation on data protection, and in particular with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and with Regulation 2299/89 of the Council of 24 July 1989 on a Code of Conduct for Computerised Reservation Systems (CRS).

Airlines potentially face sanctions for non-compliance on both sides of the Atlantic, while not being in a position to solve the legal problems at stake. A solution is urgently required that would end the legal uncertainty for airlines, while ensuring the protection of citizens' personal privacy as well as their physical security. In addition, this solution would have to be applied homogeneously throughout the Community in order to avoid fragmentation of the internal market.

The European Parliament also raised concerns with regard to the compatibility between the US measures and Community legislation in its Resolutions of 13

th th

March 2003 and 9 October 2003 and invited the Commission to take action.

  • 3. 
    A L EGAL F RAMEWORK FOR THE T RANSFERS OF PNR The Commission has been working with the US over the last year to try to put in place a sound legal framework for the transfers of PNR data to the US. The Joint Statement issued on 18

th

February 2003 provided that the search for a solution would focus on obtaining improved

commitments from the US with respect to the protection to be afforded to PNR data that would be of a nature to allow the Commission to adopt a finding of adequate protection under Article 25 paragraph 6 of the Data Protection Directive (95/46/EC).

In view of the outcome of the talks with the US in December 2003 and the final Undertakings to be issued by CBP, the Commission concluded at its meeting of 16

th

December 2003 that

this legal framework should take the form of a Decision ("Adequacy Finding") by the Commission under Article 25 paragraph 6 of the Data Protection Directive (95/46/EC), subject to the completion of the procedures laid down in Article 32 of the Data Protection Directive and Council Decision 99/468/EC (`comitology' Decision), accompanied by a bilateral international agreement. The latter is necessary to deal with such legal problems as are not addressed by the adequacy finding.

2

This conclusion is one of the elements set out in the Communication from the Commission to th

the Council and the Parliament of 16 December 2003, where the Commission outlines a global EU approach in response to the challenges raised by the use of PNR data by law enforcement agencies.

  • 4. 
    O BJECTIVES OF THE I NTERNATIONAL A GREEMENT

There are two legal problems that need to be addressed in the international agreement. Firstly, access by US law enforcement authorities to PNR databases situated on Community territory (`pull') amounts to exercise of US sovereign power in Community territory. The exercise of extra-territorial authority is only possible under international law if there is consent. An international agreement would thus be required to authorise US authorities to pull PNR data from the EU, as long as a system whereby PNR data would be `pushed' from the Community to the US is not in place.

Secondly, Article 7 of Directive 95/46/EC establishes a list of circumstances under which, and only under which, personal data may be processed. One of the circumstances foreseen (under paragraph (c)) is that processing be necessary for compliance with a legal obligation to which the controller is subject. However, the legal obligations in question are understood to be those imposed by Community or Member States' law and not by a third country. Hence, an international agreement imposing an obligation on air carriers and CRS to process PNR data as required by CBP and TSA, insofar as they are covered by an adequacy finding, would be an appropriate way of achieving the aim of providing a legitimate basis for air carriers and CRS to process data in accordance with Directive 95/46/EC.

Beyond these concrete legal issues, the objective of this Agreement would also be to enshrine general principles such as non-discrimination (i.e. the way in which PNR data are used by the US should not unlawfully discriminate against EU passengers) and reciprocity (i.e. the Agreement should ensure reciprocal support from the US for any European passenger

2

COM(2003) 826 final, "Transfer of Air Passenger Name record (PNR) Data: a Global EU Approach", available at:

http://europa.eu.int/comm/internal_market/privacy/docs/adequacy/apis-

communication/apis_en.pdf

identification system that may be adopted in the future). In addition, the Agreement could incorporate the mechanism of joint reviews of the implementation of the US Undertakings on the protection of PNR data that has already been agreed with the US (as will be reflected in the US Undertakings).

  • 5. 
    US A GENCIES C OVERED BY THE A GREEMENT

Although the immediate aim is to provide a legal framework for the transfers of data to CBP that are already taking place, it will also be necessary in the near future to cover transfers of PNR data to TSA, subject to CAPPS II receiving all the necessary clearances within the US and once TSA has issued Undertakings analogous to those issued by CBP that can justify the adoption of an adequacy finding by the Commission. The international agreement should thus cover both CBP and TSA.

In the case of both Agencies, the application of the Agreement would be subject to the adoption of an Adequacy Finding for that Agency. In this way, any persistent non-compliance with the Undertakings by the US, leading to the suspension of the adequacy Decision by the Commission, would lead automatically to suspension of the application of the International Agreement, thus ensuring a coherent link between the three instruments that will, together, provide a legal framework for the transmission of PNR data to the US.

2.

Originele weergave

afbeelding document
 
 

3.

Meer informatie