European airlines are handing PNR data over to US Customs - Evidence from Spain

- full documentation of all the data collected and passed over for one return flight by one passenger
- full list of the 43 categories of personal data demanded by USA


Introduction

European airlines are passing on the PNR (Passenger Name Record) data they hold on passengers who have travelled to, from or through the US, to the US customs authorities. This measure was agreed in an interim agreement between the European Commission and the United States Customs on 17 and 18 February 2003, and has been in force from the US side since 5 March to comply with the requirements in the US Transport Security Act (November 2001).

A letter with which the Spanish airline Iberia sent in answer to the inquiries made by Spanish citizen, Arturo Quirantes Sierra, as to whether his data had been made available to US authorities when he flew to New York on 26 March 2003, says that "The information to which the United States Customs has had access is only the one contained in the PNR (Passenger Name Register) of the passenger, and not those that are contained in the Iberia Plus frequent flyer databases or other "ticketing" systems."

Quirantes Sierra has put in a complaint with the Spanish data protection authority (Agencia de Proteccion de Datos), as he considers that "According to EU privacy rules, the transfer of personal data to third countries that do not have laws that adequately protect the privacy of individuals is forbidden, unless the individual consents to the transfer of his/her data." In the formal complaint, Quirantes Sierra lists the kind of information that is included, as well as expressing his concern about the fact that at the time when the agreement was reached it was announced that the information could be used for "law enforcement purposes", and that they would be held for "the time required for the objective for which they were collected".

He has opened a webpage (see below) showing the files concerning him that Iberia has made available to him (including data held on the PNR, "ticketing" and Amadeus systems) after his inquiry, as well as correspondence between himself and the airline and data protection authorities, and background articles.

He highlights that the interim agreement between the European Commission and US Customs stipulates that the latter body may share the data with other law enforcement agencies for "legitimate security policing", without including limitations included in EU legislation such as the need for the reasons for the use, retention and processing of personal data to be clearly stated, and for the data to be used solely for the purpose for which it was collected.

He says: "Following a trip to the USA on 26 March I filed a complaint to the Spanish Data Protection Authority (Agencia de Protección de Datos) for the disclosure of my personal data by Iberia airline."

Below, in Spanish and English, is the full documentation on his case. Also below are eight documents created and exchanged for his flight and return from the USA plus the list of data demanded by US agencies - which contains not 39 categories but 43 categories.

See: Spanish: www.ugr.es/~aquiran/cripto/novuelan.htm
See: English: http://www.ugr.es/~aquiran/cripto/nofly.htm

A. List of 43 categories of PNR (personal data) wanted by US on every passenger: List of categories

B.
Data recorded by Iberia, data sent to Amadeus, PNR data and ticketing data held on Arturo Quirantes Sierra:

1: data in Iberia.com (profile 1)
2: data in Iberia.com (profile 2)
3: data in Amadeus (profile 1)
4: data in Amadeus (profile 2)
5: PNR - Reservation Record (legend)
6: PNR - Booking Record (legend)
7: PNR data - Madrid-New York flight
8: PNR data - Granada/Madrid flight
9: ticketing data

Iberia and data transfers by Arturo Quirantes Sierra


Dear comrade (friend) of the web,

Since 5 March 2003, the US authorities have access to the majority of databases on the passengers of European airlines. An agreement between the European Commission and the United States Customs grants the US authorities online access to data on the passenger name register (PNR)of all European-based airlines whose flights travel to, come from or cross the US.

The PNR data consists of all the relevant information on a passenger´s flight: departure and return flights, connecting flights, special services required on board the flight (ie. kosher or halal meals) and payment information such as the credit card numbers used to buy the tickets, among others. According to EU privacy norms, the transfer of personal data to third countries which do not have laws that adequately protect the privacy of individuals is forbidden, unless the individual consents to the transfer of his/her data. European privacy laws also state that the use, retention and processing of personal data, must be clearly defined, and that the use of this data should be limited to the scope for which it was collected.

Nonetheless, the agreement between the European Commission and the US government hardly establishes any limit at all. The agreement says that the data can be used for "police purposes" and that it can be stored for as long as "is necessary for the purpose for which it was collected". The agreement also mentions that the US Customs can share the data with other US agencies for the "legitimate end of security policing". These terms sound like a guarantee that all the information on European passengers can be stored in the data bases of the FBI and of other North American agencies for many years, and that it will be used for ill-defined crime combating purposes. Many of us think that it is unacceptable to play with our intimate information in this way. For this reason, several initiatives have appeared all over Europe with this aim. With this letter, I am starting one such initiative. On 26 March I travelled to the US, and for this reason my personal data has been sent to the US without my consent, in contravention of data protection legislation. I reported the behaviour of the airline - Iberia - before the Data Protection Agency, which has allowed it to be examined. And I have decided to publish the related documents on the web: http://www.ugr.es/~aquiran/cripto/novuelan.htm

If you want more information on this and other campaigns concerning data transfer by European airlines, I invite you to examine the aforementioned page; likewise, I am available for any queries that you may have on the subject. Finally, if you know anyone who has travelled to the United States after 5 March 2003, I encourage you to talk to them about this problem, and if they want, to present a complaint before the Data Protection Agency. It is only through pressure by customers - and the fear of sanctions - that we will manage to have our rights as European citizens respected. Thanks for your interest.

Arturo Quirantes Sierra, September 2003. The distribution and reproduction, total or partial, of this text is authorised, mentioning the author.
e-mail: aquiran@ugr.es

IBERIA Y LA TRANSFERENCIA DE DATOS por Arturo Quirantes Sierra


Estimado compañero de la Red,

Desde el 5 de marzo de 2003, las autoridades de Estados Unidos tienen acceso a la mayoría de las bases de datos sobre pasajeros de las aerolíneas europeas. Un acuerdo entre la Comisión Europea y Aduanas de Estados Unidos otorga a EEUU acceso online a los datos sobre registro de nombre de pasajero (PNR) de todas las aerolíneas basadas en Europa que hacen vuelos destinados a, provenientes de, o atravesando EEUU.

Los datos PNR consisten en toda la información relevante relativa al vuelo de un pasajero: vuelos de partida y regreso, vuelos de conexión, servicios especiales requeridos a bordo del vuelo (comidas kosher o halal) e información de pago como las tarjetas de crédito usadas para comprar el billete, entre otros.

Según las normas sobre privacidad de la UE, la transferencia de datos personales a países terceros que no tienen leyes para proteger adecuadamente la privacidad de los individuos está prohibida, a no ser que el individuo consienta a la transferencia de sus datos. Las leyes europeas sobre privacidad también afirman que el uso, retención y procesamiento de datos personales deben ser especificados con claridad, y que el uso de esos datos se limiten a los fines para los que fueron recogidos.

Sin embargo, el acuerdo entre la Comisión Europea y el gobierno de EEUU apenas establece limitación alguna. El acuerdo menciona que los
datos pueden usarse "para fines policiales" y que pueden ser retenidos todo lo que "se precise para el fin para el que fueron almacenados". El
acuerdo también menciona que Aduanas de EEUU puede compartir los datos con otras agencias de EEUU para "fines legítimos de seguridad
policial".

Estos términos suenan como una garantía de que todos los datos de los pasajeros europeos pueden ser almacenados en las bases de datos del FBI
y otras agencias norteamericanas durante muchos años, y que serán usados para vagos fines de persecución de delitos.

Muchos pensamos que jugar con nuestros datos íntimos de esta forma es inaceptable. Por ese motivo, diversas iniciativas han aparecido en toda Europa con ese propósito. Yo inauguro aquí una de ellas. El 26 de marzo viajé a Estados Unidos, por lo que mis datos personales han sido enviados a EEUU sin mi consentimiento y de forma contraria a las leyes sobre protección de datos. He denunciado la actuación de la aerolínea -Iberia- ante la Agencia de Protección de Datos, quien la ha admitido a trámite. Y he decidido publicar los documentos relacionados con el caso en la Red: http://www.ugr.es/~aquiran/cripto/novuelan.htm

Si deseas más información sobre estas y otras campañas relativas a la transferencia de datos de las aerolíneas europeas, te invito a que examines la página antedicha; asimismo, estoy a tu disposición para cualquier pregunta que tengas al respecto.

Finalmente, si conoces a alguna persona que haya viajado a Estados Unidos tras el 5 de Marzo de 2.003, te animo a que le hables de este problema, y en su caso, que presente su propia denuncia ante la Agencia de Protección de Datos. Solamente mediante la presión de los
usuarios -y el miedo a las sanciones - conseguiremos que nuestros derechos como ciudadanos europeos sean respetados.


Statewatch coverage, analysis and documentation on the transfer of passenger data to USA

1. EU tells USA to stop making new requests to airlines for personal passenger data (Statewatch: filed 4.10.03) Includes letter from Bolkstein to Tom Ridge.

2. European Parliament report opposes giving passenger data to USA without strict data protection safeguards - and says if these are not met by 1 December all data transfers should stop: Statewatch report

3. European Commission tells USA that demands for access to data on airline passengers breaches EU Data Protection Directive - but hints at a deal that would "fudge" the issue:
Statewatch report

4. Full-text of Mr Bolkstein's speech in the European Parliament on 9 September 2003: Speech (pdf)

5. Text of Commissioner Bolkstein's letter to the USA (thanks to Edward Hasbrouck): Text

6. EU airlines allowing access to all personal details on passengers by US authorities: Report

7. EU working party on data protection highly critical of proposed deal on US access to passenger data: Report

8. EU: Major commercial associations express strong concerns about plans for data retention: Report

9. EU: Campaign launched against the illegal transfer of European travellers' data to the USA: Report

10. Massive majority in European Parliament against deal with US on access to passenger data: Full report, resolution and amendments and verbatim debate

11. European Parliament resolution on airline passenger data gains wide support: Report

12. European Parliament committee to hold emergency session on the transfer of personal data to USA: Report

13. Direct access to personal details of EU passengers: How US Customs bounced the European Commission into a quick decision: Report

14. EU data protection chair calls for US access to passenger details to be postponed: Report

15. EU Working Party on data protection report on passenger data access by USA: Report

"it does not seem acceptable that a unilateral decision taken by a third country for reasons of its own public interest should lead to the routine and wholesale transfer of data protected under the directive"

16. US Customs to have direct access to EU airlines reservations databases: Report

17. European Commission caves in to US demands for airline and shipping passenger lists: Report

18. EU-US: US demands EU airlines and ships provide passengers list - UK is first EU government to back US scheme: Report

Google search for Statewatch's coverage of: Data protection and PNR (Passenger Name Record) (link)

Official documents


EU

a. European Union code of conduct for computerized reservation systems (Council Regulation (EEC) No. 2299/89, 24 July 1989:
Full-Text

b. European Parliament adopted strong resolution on exchange of passenger data (PNR) with USA: EP-PNR (pdf)

USA

a. USA Department of Transportation regulations governing computerized reservations systems (Note that although Notices of Proposed Rulemaking are pending under all four docket numbers below, neither the current regulations nor any of the proposed revisions include any consumer privacy
protection provisions):
http://www.access.gpo.gov/nara/cfr/waisidx_03/14cfr255_03.html - Current regulations, "Carrier-Owned Computer Reservations Systems", 14 C.F.R. 255

b. Notice of Proposed Rulemaking, Docket No. OST-1999-5888

c. Notice of Proposed Rulemaking, Docket No. OST-1998-4775

d. Notice of Proposed Rulemaking, Docket No. OST-1997-3014

e. Notice of Proposed Rulemaking, Docket No. OST-1997-2881

US information thanks to: Edward Hasbrouck edward@hasbrouck.org website: http://hasbrouck.org


Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin