The Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security is an international agreement between the United States of America and the European Union that was signed on 14 December 2011 for the purpose of providing passenger name records (PNR) from air carriers operating passenger flights to the United States Department of Homeland Security to "ensure security and to protect the life and safety of the public" (Article 1).
Access and transfer of passenger name records (PNRs) fall under the purview of European Data Protection Law. Under the Organisation for Economic Co-operation and Development (OECD) 1980 Privacy Guidelines, and the 1995 European Union Directive on data protection, PNRs may only be transferred to countries with comparable data protection laws.[1] Also, law enforcement authorities are permitted to access the passenger data only on a case-by-case basis, and where there exists a particular suspicion.
In the aftermath of the 11 September 2001 attacks, the US government determined that PNRs (both archived and real-time) were invaluable tools for investigating and thwarting terrorist attacks. Accordingly, the US government has sought the collection, transfer and retention of PNRs by the US Department of Homeland Security (DHS) Bureau of Customs and Border Protection.
In May 2004, the US government negotiated the 2004 Passenger Name Record Data Transfer agreement[2] (also known as the US-EU PNR agreement) – a safe harbor PNR transfer agreement with the European Commission. Specifically, the European Commission deemed that the level of protection afforded to such PNR transfers would satisfy the standard of "adequacy" required by the 1995 EU Data Directive, as long as the data would be transferred and used solely for the purposes for which it was collected. These purposes were limited to "preventing and combating: terrorism and related crimes; other serious crimes, including organized crime, that are trans-national in nature; and flight from warrants or custody for those crimes."[3] The US-EU PNR agreement required European airlines to supply PNR data to US authorities within 15 minutes of a plane taking off. While this agreement was invalidated by the European Court of Justice on 30 May 2006 due to lack of legal authority, the European Council worked to substantively resurrect the agreement before the court-mandated deadline of 30 September 2006.[4] [5]
In July 2007, a new, controversial PNR agreement between the US and the EU was signed.[6] A short time afterward, the Bush administration granted the Department of Homeland Security, the Arrival and Departure System (ADIS) and the Automated Target System an exemption from the 1974 Privacy Act, raising concerns from Statewatch about the protection of EU citizens' data.[7]
In February 2008, Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the US bilateral policy concerning PNR.[8] In February 2008, the US had signed a memorandum of understanding[9] with the Czech Republic in exchange for a visa waiver scheme, without consulting Brussels in advance.[10] The tensions between Washington and Brussels are mainly caused by a lesser level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Data privacy in the EU is regulated by Directive 95/46/EC on the protection of personal data, and the US Safe Harbor arrangement, made to converge with European norms, remains controversial for its alleged lack of protection. Other countries approached for a bilateral MOU included the United Kingdom, Estonia, Germany and Greece.[11]
On 28 November 2011, a new agreement on the transfer and use of PNR data between the EU and US DHS was authored.[12] The full text is available online.[13]
In April 2012, the agreement was approved and adopted by the European Parliament.[14] The agreement provides protections for PNR data; however, critics express concerns that there is insufficient recourse should the data be misused. The parliament's approval of the agreement was warmly welcomed by the Justice and Home Affairs Council of Ministers.[15]
On 6 January 2011, the Article 29 Working Party responded to a request for its opinion:
Reports by the Legal Service of the European Commission as well as two professors funded by The Greens–European Free Alliance critiqued the agreement because of perceived reductions of privacy rights.[16] [17]