Letter from the European Commission
to US Secretary of Homeland Security Tom Ridge

(12 June 2003)

Frits Bolkestein
Member of the European Commission
Rue de la Loi 200 - B - 1049 Bruxelles
Wetstraat, 200 - B - 1049 Brussel
Tel. (32-2) 298.07.00

Mr. Tom Ridge
US Department of Homeland Security

Brussels, 12.06.2003 [12 June 2003]
CL/ebc [?] - CAB D/442

Dear Mr. Secretary,

When we met in Brussels in November, we spoke briefly about the difficulties which airlines faced in the EU in complying with the new US requirements for Passenger Name Record (PNR) data.

Data protection authorities here take the view that PNR data is flowing to the US in breach of our Data Protection Directive. It is thus urgent to establish a framework which is more legally secure. Your Department has been working with Commission officials on this, with the agreed aim of establishing such a framework by September. The centrepiece would be a decision by the Commission finding that the protection provided for PNR data in the US meets our "adequacy" requirement.

I must emphasize that an "adequacy" finding is not a mere formality. It is not a device by which something that was previously illegal becomes legal: it requires binding undertakings to be made by the US authorities concerned which meet a series of data protection concerns. You will understand that I cannot recommend the Commission to adopt an "adequacy" decision, or even consult the Member States on such a decision, until I am convinced that the undertakings provided by the US side to amount to adequate protection.

As things stand today, I have to say that the draft undertakings provided by the US so far are not such as to convince me. Let me pay tribute straightaway to the excellent contributions made by your staff which has allowed some significant progress to be made. Nevertheless, on a number of important points, the US undertakings fall short of what we need and it is urgent that these issues now be looked at from a political perspective

Against this background, I would like to ask you personally to look at four specific issues on which I believe that further movement towards our requirements must be achieved. Without a better result on these issues, I shall in any case have great difficulty in recommending a positive decision to the Commission.

The first issue is that of purpose limitation. Any possibility of our excepting the US arrangements as legally "adequate", rests on the justification that these measures are necessary to combat terrorism. We recognize that you need also to be able to tackle some forms of serious crime that are related to terrorism and that the wording of the undertakings has to reflect that.

But I must tell you that there is a strong consensus on [?] in the EU that only a tightly worded undertaking both about the way that US Customs and Border Protection (CBP) will use the data and about the conditions under which the data may be shared with and used by other agencies is acceptable. For more general law enforcement needs, it remains possible -- and is in our view necessary -- to rely on the usual channels of co-operation.

The second issue concerns sensitive data. Certain categories of data must receive reinforced protection under our law. Some such data may be included in certain PNR's -- for example data that may reveal religion or a health condition. US Customs and Border Protection officials have said throughout the discussion that they would have no objection to the airlines filtering out such data. The airlines are, however, unable to install such a filter quickly and US CBP therefor committed itself to filtering such data in its public statement of 4 March.

Given that US Customs and Border Protection and Transportation Security Administration have no objection to not receiving these data, they should filter them and then delete them altogether. I find it hard to believe that it is not possible to meet our request on this point, pending the installation of filters by the airlines. The positive effect of such a step on the general assessment that will be made here of the "adequacy" of US protections is not to be under- estimated.

The third issue is that the US does not guarantee a redress mechanism involving a truly independent body. Your officials say that individuals with a grievance can take the matter to a Court, but in that case the undertakings will need to have binding legal force. We have been led to understand that some of them may be enshrined in regulations, but not necessarily all of them. The possibility of taking a matter to a Court in a country that is not your own is not a very assessable sort of justice. I would therefore ask you to consider the introduction of an independent arbiter outside the US Government.

Failing this, we shall have to insist that the undertakings as a whole be made legally binding, either via departmental regulations or possibly via an international agreement, as currently under discussion between our legal teams. More generally, the more binding the undertakings, the stronger the justification for finding they provide "adequate" protection.

The fourth issue is that of Advance Passenger Information (API) data, which are currently not covered by the undertakings. These data are equally subject to the European data protection rules, and we therefore need a clear commitment from the US side to work with us to find a mutually satisfactory solution on this point also.

This is not a complete list of the points that still concern us, but they are essential in our search for a legally secure solution.

It would be a mistake to see this purely in terms of applying the Data Protection Directive. We are concerned here about fundamental rights and liberties which are constitutionally protected in the law of several Member States. These liberties are fiercely cherished in the European Union. Furthermore, political support for them, which will shortly lead to them being enshrined in the European Constitution, is already backed by strong jurisprudence from both the European Court of Justice and the European Court of Human Rights. Europe and the US share the same basic values as regards civil liberties. You are probably tired of having Franklin quoted at you on "temporary security", but it is hard to disagree with him. I therefore believe that a mature consideration of these requests at a political level will ensure that they find a positive echo. indeed, I sincerely hope that this will be the case since, if current efforts fail, we risk a highly charged trans-Atlantic confrontation with no obvious way out. Such confrontations are best avoided. Where efforts to combat terrorism are concerned, it is even more important that we show a solid front, but that we do so in a way that does not undermine the very values we are defending.

Yours sincerely,

[signed] Frits Bolkestein

cc: Mr. William Asa Hutchinson
Under Secretary of Border and Transportation Security
US Department of Homeland Security

[Released at a European Commission press briefing 2 September 2003. Transcribed from a fax copy provided by Commission Bolkestein's spokesperson through the European Commission Directorate-General Press and Communication; emphasis in original. Additional background information and other statements by Commissioner Bolkestein on this topic are available at: http://hasbrouck.org/articles/travelprivacy.html]