Tuesday, 25 March 2003, 9 a.m. - 12.30 p.m.


Paul-Henri Spaak Building, 3rd floor

Rue Wiertz 60



Data protection since 11 September 2001:
what strategy for Europe?


Three years ago now, on 2 February 2000, the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs organised a hearing ((1)) to discuss the threats to data protection, in both the private sector and the public sector in the European Union. Three years on, we need to look at this matter again, not only in the light of the first report evaluating Directive 95/46/EC and the reform of the Union treaties, but also the impact of the tragic events of 11 September 2001 and government strategies for undifferentiated access to data of all kinds in order to detect threats of terrorism and organised crime at the earliest possible stage. Parliament recently debated this issue in Plenary. How can the European Union strike a balance between the requirements of freedom and security?

In an effort to answer this question, the seminar will cover the following issues:

9.00 : Opening of the proceedings

by Mr Jorge Salvador HERNÁNDEZ MOLLAR, Chairman of the Committee on Citizens' Freedoms, Justice and Home Affairs, and Mr Vitaliano GEMELLI, Chairman of the Committee on Petitions

9.10 - 9.50 : Current state of affairs and prospects for data protection within the Union:

- Directive 95/46/EC and other Community data protection measures: (Mrs Susan BINNS representing the Commission) presentation of the first evaluation exercise for the Directive

- coexistence and conflict between the Community data protection system and regulations and practice in the security sphere (third pillar) (Mr Giovanni BUTTARELLI, President of the Schengen Authority)

- towards common principles and a common system : the Charter, reform of the Treaties and the German initiative for data protection in the security sphere (Professor Spiros SIMITIS)

9.50 - 10.30 : Presentations scheduled from EUROJUST, EUROPOL and NGOs (BEUC, Statewatch (Mr Tony BUNYAN), EPIC (Mr Cedric LAURANT)) and the European Parliament's rapporteurs, Mr Carlos COELHO and Mrs Elena PACIOTTI

10.30 - 12.15 : Relations between the EU and USA on data protection in the case of transatlantic flights

10.30 - 10.50 : the Homeland Security Act and interconnection of public and private databases for security purposes. Data protection by the immigration and customs authorities (representative of the United States Mission)

10.50 - 11.10 : measures introduced or envisaged by airlines and IATA for transferring data while ensuring data protection (airline representative - IATA representative)

11.10 - 11.30 : measures introduced or envisaged by the national data protection agencies (Mr Stefano RODOTÀ, Chairman of the Working Party set up under Article 29 of Directive 95/46)

11.30 - 12.15 : Presentations scheduled from representatives of the national data protection agencies (ES, PT, DE, FR, UK, NL, …..), and airlines

12.15 - 12.30 : Conclusions of the seminar and messages, if any, from the Presidency of the Council and/or the Commission and the chairmen of the EP Legal Affairs, Regional Policy, Transport and Tourism and Petitions Committees

Background note

This seminar is designed to give experts and the national authorities faced with data protection problems an opportunity to brief Members of the European Parliament on their points of view on a number of paradoxes facing citizens and politicians. Within the Union:

- coherence is advocated, but how can the Union define a coherent and balanced approach in negotiations with third countries such as the United States when it has no clear competences for security matters, has great difficulty in legislating in the absence of any concept of European public order accepted by the Member States ((2)), is forced to rely on principles defined outside the Union ((3)) and there is no effective review by the Court? Will we have to wait for the ratification of the future Treaty in two or three years' time before there is an institutional framework and coherent rules at Union level ((4))?

- there is a call for targeted data protection, but how is it possible to ensure this with the widespread use of methods requiring the undifferentiated processing of unlimited volumes of data to allow profiling, be it in the case of consumers or potential criminals? How would the 'data mining' techniques advocated in the United States be compatible with European legislation which defines in advance all the types of data that may be processed by the security authorities (see, for example, the list in the Customs Convention and the Schengen Information System);

- compiling data in the name of the fight against terrorism is justified, but no limits have been put on this concept which, in itself, is enough to justify intrusion in the private lives of citizens;

- professionalism is demanded but private companies are increasingly being asked to carry out public functions (for example, the possibility being envisaged in Europe of requiring Internet access providers to keep data or, in the United States, the involvement of the private sector in homeland security ((5)));

- synergies between public authorities and Member States are called for, but there is a proliferation of networks to be used by the public authorities for the transfer of security data (Schengen, SID, VISAS, EURODAC, EUROPOL, EUROJUST, FIDE...) without there being any master plan for the various systems or common standards and criteria to ensure compliance with the requirement of relevance and integrity of data((6)).

- effective checks are promised, but there is a proliferation of monitoring authorities, particularly in the security sphere without any framework of cooperation being defined((7));

- comparable protection outside Union borders is promised, but the very authorities that check standards are those that have an interest in exchanging data (the Commission in the Community sphere, Europol for security data).


Representatives of the Council and the Commission and representatives of the United States Mission to the Union

the Chairman of the Article 29 Working Party, Mr Stefano Rodotà, President of the Schengen Information System Data Protection Authority, and the authorities of Europol, Eurojust and other Union bodies or networks concerned with data protection

representatives of NGOs and private companies (airlines) more directly affected by data protection issues

members of the Citizens' Freedoms, Foreign Affairs, Legal Affairs, Transport and Petitions Committees

External contributions

Contributions could be invited from the coordinator of the network of experts on fundamental rights, Professor De Schutter, and from the authors of the research commissioned from the Seville Research Centre. Fact sheets on the different aspects of data protection should be available so that a simplified presentation can be made to the press.

N.B. As speaking time will be strictly limited, it is suggested that those wishing to speak should also present written contributions before the meeting so that these can be duplicated and distributed at the meeting.



2. The EP debated this aspect at length in its Committee of Inquiry into the ECHELON system.

3. In particular, Council of Europe Convention 108 and Recommendation 187 on data protection in police cooperation.

4. The Union protects data on the basis of different standards depending on whether it is in the Community sphere or as part of intergovernmental cooperation under the third pillar. In order to provide a minimum basis, will we have to wait for the new Constitution or could we make use of the link (Article 42) allowing such matters to be transferred to the Community framework?

5. This is the explicit aim of the Homeland Security Act adopted recently.

6. In the absence of real European standards, the Member States are reluctant to exchange data or use the increasingly numerous and complex networks that the Union makes available (for instance the future Schengen II system or the EUROPOL computer system).

7. A joint Secretariat has been created in the Council but there is still not any common Authority or any common rules.

Hearing on Data protection March 25th
Overview of the US legislative framework concerning airlines' passengers data transfer and access to PNR.

1.1. Relevant Legislation

1. Section 115 of the Aviation and Transportation Security Act (19/11/2001), amending 49 U.S.C. 44909 to add a new paragraph (c), in order to impose information requirements on air carriers operating a passenger flight to the US. This information includes passenger and crew manifests (49 U.S.C. 44909(c)(1), (c)(2) and (c)(4)), as well as Passenger Name Record (PNR) upon request (49 U.S.C. 44909(c)(3)). Furthermore, 49 U.S.C. 44909(c)(5) allows the sharing of information with other Federal agencies for the purpose of protecting national security.

2. Section 122.49a, title 19 ("Customs Regulations") Code of Federal Regulations, concerning "Passenger and crew Manifests", added by an interim rule of 31/12/2001 in order to implement the requirement in Section 44909(c)(1), (c)(2) and (c)(4) of the "Aviation and Transportation Security Act".

3. Section 122.49b, title 19 ("Customs Regulations") Code of Federal Regulations, concerning "Passenger Name Record information", added by an interim rule of Customs Service of 25/6/02, in order to implement the requirement in Section 44909(c)(3) of the "Aviation and Transportation Security Act".

4. The Freedom of Information Act ("FOIA", 5 U.S.C. §552), as amended in 2002, concerning disclosure of records and information held by Federal Agencies.

5. Section 103, title 19 ("Customs Regulations") of the Code of Federal Regulations, implementing the FOIA in the US Customs Service.

6. The "Enhanced Border Security and Visa Entry Reform Act of 2002" (23/1/2002).

7. Section 1905 of title 18 U.S.C., concerning sanctions in case of disclosure of confidential information by Federal Officers.

8. Proposed "Domestic Security Enhancement Act of 2003" also known as "PATRIOT Act II" (draft text of 9/1/2003), expanding the definition of "terrorist", enhancing the government's ability to obtain sensitive information without prior judicial approval, permitting, without any connection to anti-terrorism efforts, sensitive personal information to be shared with local and state law enforcement (Section 311). For a more detailed report, see

Brief remarks on the legislation in force (the numbering refers to the aforementioned legislative documents):

1. The list of information required under paragraph (c)(2) lays down a very general clause (F), providing for the possibility to extend the passenger and crew manifest information to such other information "reasonably necessary to ensure aviation safety".
As regards PNR information, paragraph (c)(3) states that the carriers shall make PNR information available to the Customs Service upon request.

2. The implementation of Section 44909(c)(1), (c)(2) and (c)(4), adding Section 122.49a, title 19 to the Code of Federal Regulations, poses no major problems.

3. On the contrary, the new Section 122.49b raises some delicate issues concerning its implementation of Section 44909(c)(3).
First of all, as stated in the preliminary part of the interim rule, unlike c(1), c(2) and c(4), where the information requirement is expressly limited to those passenger flights that are destined to the US, section c(3) has no such limitation. Therefore, PNR information should be provided by each air carrier operating a passenger flight to or from the US. This considerably extends the scope of the provision.

Section 44909(c)(3) requires air carriers to "make PNR information available".

According to Section 122.49b(b), information refers to reservation information contained in an air carrier's electronic reservation system and/or departure control system (1). This means that the air carrier must provide Customs with information concerning any and all PNR data elements relating to the identity and travel plans of a passenger. The elements contained in an air carrier's automated PNR database can be more than 50.

With regard to sharing of PNR information, Section 122.49b(d) recalls 49 U.S.C. 44909(c)(5), allowing information to be shared with other Federal agencies for the purpose of protecting national security, and states explicitly that Customs may also share such data as otherwise authorised by law.

Therefore, the implementation gives a broad and extensive interpretation of the scope of the provision, the obligations of the air carriers, the information required and the possibility of sharing the information obtained.

4. The most important provision imposing an obligation to share information held by federal agencies is the FOIA. It imposes a legal obligation on all Federal Agencies to make available information (agency rules, opinions, orders, records, proceedings) to the public. There is no need for specific legitimation or interest to ask for the aforementioned information. Therefore, the requester might obtain the information on the basis of a mere commercial interest.

The FOIA lays down a conclusive list of exemptions to the general principle of disclosure (§552(b)). According to the following exemptions - which might be relevant in relation to APIS - an agency can withhold a record where:

- the information is confidential commercial information;

- disclosure of the information would constitute a clearly unwarranted invasion of personal privacy;

- the information is compiled for law enforcement purposes, to the extent disclosure may reasonably be expected to constitute an unwarranted invasion of personal privacy.

Furthermore, even when exemptions apply, any reasonably segregable portion of a record shall be provided to any person requesting such record after deletion of the portions which are exempt (§552(b)).

5. The FOIA provisions are implemented, without any relevant change with respect to the framework act, by Section 103, title 19 ("Customs Regulations") of the Code of Federal Regulations.

6. Here follows an overview of the most relevant provisions:

Title II deals with "interagency information sharing". In particular, Section 202 establishes an "Interoperable law enforcement and intelligence data system with name-matching capacity" (the so called "Chimera System"), providing that the Immigration service shall fully integrate all databases maintained by the Service that process or contain information on aliens.

Section 303 establishes that not later than 26/10/2004, aliens will be issued only machine-readable, tamper-resistant visas and other travel documents that use biometric identifiers (§303(3)(b)). This will oblige those countries adhering to the Visa Waiver Program to start issuing passports complying with these requisites (§303(3)(c)).

Section 401 prompts a study of feasibility of a North American National Security Program, including US, Canada and Mexico.
Section 402 amends Section 231 of the Immigration and Nationality Act by imposing an obligation for all commercial vessels and aircraft arriving or leaving the US to provide US border officers with, respectively, arrival or departure manifests about all the occupants. This information shall include all the elements listed in §402(c) and might include such other information necessary to the identification of the persons transported and for the enforcement of the immigration laws and to protect safety and national security. Should the information not be provided (or provided inaccurately), no clearance paper will be granted and a fine of 1000$ per person can be imposed.

7. The Section provides for fines and/or imprisonment for officers or employees who disclose confidential business information.

2. Issues arising from the US/EU joint statement

2.1. Disclosure to third parties

All the exemptions laid down by the FOIA (and its implementation Act by the Customs Service) can possibly be applied to the PNR information but none of them is certain to prevent the information from being disclosed to third parties.

Even if Customs will treat information as law enforcement sensitive, confidential personal information of the data subject and confidential commercial information of the air carrier (see Annex to the US/EU joint statement), this does not entail that the same treatment will be afforded by the administrative and judicial authorities (although Customs committed itself to take the position that such records are exempt).

The restrictive interpretation of the exemptions and the principle of segregability will make it very difficult to consider all the PNR information as falling within the scope of one or more of the exemptions provided, thus rendering a partial disclosure likely to happen in most of the cases.

In conclusion, the commitments by the Customs Service show good intentions but cannot ensure the outcome of a judicial proceeding concerning a FOIA request.

2.2. Data sharing with other agencies

With regard to the data sharing with other law enforcement entities, the broad interpretation of the "national security" concept will allow data to be transferred to several other Federal agencies.

2.3. Storage time

Customs will retain data "no longer than it is required for the purpose for which it was stored". Since the purposes are quite broad (identification of potential terrorists and other threats to national and public security), this provision is likely to allow Customs to retain data permanently.
