EU planning to nod through use of PNR data for use by CAPPS II

A new document on the exchange access to passenger data records (PNR) between states has become available. This is a Commission Staff Working Paper on "An EU-US Agreement on Passenger Name Record (PNR)" (SEC 2004/81, 21.1.04) which assumes - and see as quite unproblematic - that a further agreement with the USA will authorise the use of this data for CAPPS II (Computer-Assisted Passenger Pre-Screening).

The document on the EU-US agreement on PNR says that: "it will be necessary in the near future to cover transfers of PNR data to the TSA" (US Transport Security Administration) for use by CAPPS II (ie: the screening and checking of passengers against a multitude of state and commercial databases). The Commission expects the TSA to simply issue:

"undertakings analogous to the issues by the CBP that can justify the adoption of an adequacy finding by the Commission. The international agreement should thus cover both CBP and TSA"

Put in simple terms the current state of play is that:

1) on 16 December 2003 the European Commission declared that it could make a statement of "adequacy" (under Article 25.6 of the 1995 EC Directive on data protection) on the "Undertakings" given by the USA Customs and Border Protection agency (CBP);

2) on 12 January these "Undertakings" were submitted by the USA but not made public (but see: Full text of:
"Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP)" (pdf)

3) on 29 January the EU's Article 29 Working Party of national Data Protection Commissioners produces a highly critical report on the "Undertakings" which required substantial changes: Article 29: Opinion on Adequate Protection of Personal Data (pdf) (the European Parliament also passed critical Resolutions on 13 March 2003 and 9 October 2003);

4) on 2 February NGOs (Privacy International, European Digital Rights, Foundation for Information Policy Research and Statewatch) published a highly critical report looking especially at how the PNR would be used for surveillance purposes by US agencies: Privacy International report (pdf)

5) the Commission's Article 31 Committee has to formally adopted the Commission's statement of adequacy - the European Parliament can only intervene if it passes a Resolution saying the the Commission has exceeded its powers under Article 25.6 of the 1995 Directive

6) the Commission has to produced a "light international agreement" authorising airlines to hand over passenger data

5) Throughout the negotiations on the EU-US PNR agreement European Commissioner Bolkestein has said that the use of PNR data by CAPPS II would be the subject of separate negotiations and discussions - now it is clear that the Commission simply expect to extend the PNR agreement to CAPPS II with "analogous" undertakings of the highly unacceptable PNR agreement and to make an international agreement covering both.

6) The Commission working paper says that an international agreement is necessary because:

"access by US law enforcement authorities to PNR databases situated on Community territory ("pull") amounts to exercise of US sovereign power in Community territory"

and because "the legal obligations" are those "imposed" by a third country.


A. The EU-US agreement to give access to personal details of passengers (PNR data) to US agencies giving away the rights of EU citizens under the 1995 EC Directive on data protection and is opposed by the Article 29 Working Party - this constitutes a denial of rights under EU law

B. The further step that this personal data is then used to "screen" all passengers and through "data-mining" to gather information on them through CAPPS II from state and commercial databases (eg: details of e-mail accounts and credit card usage) that constitutes a fundamental threat to peoples' civil liberties

Tony Bunyan, Statewatch editor, comments:

"The ink on the 12 January agreement with the USA on PNR is hardly dry and the Commission is intending, at a stroke, to extend the same controversial agreement to intrusive data gathering on all passengers. The decision to use of PNR data for CAPPS II should be the subject of quite a separate public debate and measure. The EU must not be allowed allowed to hand over citizens' rights to privacy and data protection and freedom from unwarranted surveillance to a state where there will be no control over its use or misuse"


1. Commission Staff Working Paper on "An EU-US Agreement on Passenger Name Record (PNR)" (SEC 2004/81, 21.1.04)
. "Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP)" (pdf)
3. Article 29: Opinion on Adequate Protection of Personal Data (pdf)
Privacy International report (pdf) - released 2 February 2004

5. See also Statewatch's Observatory on PNR & USA
6. See also Statewatch's Observatory on EU PNR scheme
Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author.
Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.