Statewatch News online: EU draft Commission Decision declaring data protection in USA "adequate"

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

"The US is a democratic country, governed by the rule of law and with a strong civil liberties tradition. The legitimacy of its law-making process and strength and independence of its judiciary are not in question. Press freedom is a further strong guarantee against the abuse of civil liberties.

The Community is fully committed to supporting the US in the fight against terrorism. The Community should not interpret and apply its own rules in a way incompatible with this commitment or raise obstacles to US measures to protect its own borders unless these are clearly dictated by the law of the Community or the European Union"

(Commission draft Decision declaring on PNR data protection in the USA "adequate")

"Privacy is one of the basic values of human life and personal data is the main gateway enabling entry into it. The citizens of countries that experienced a period of totalitarian regimes have that a hard experience - when privacy was not considered of value and was sacrificed to the interest of the state"

(Hana Stepankova, Czech Office for Personal Data Protection, on handing over personal passenger data to the USA, Prague Post, 11.12.03)

The Commission has produced a draft Decision declaring that the "Undertakings" provided by the USA for access to passenger record data (PNR) are "adequate" under EC law (Article 25.6 of the 1995 Data Protection Directive). In this Decision it claims that there is a "strong civil liberties tradition" in that country. There certainly is, but civil liberties groups in the USA are opposed to the collection of PNR data on passengers, the introduction of CAPPS II (Computer assisted passenger pre-screening) and the US-VISIT system (which will create life-long travel histories, see: US-VISIT Program, Increment 1, Privacy Impact Assessment (pdf).

Indeed such is the opposition in the USA that no US airlines will provide the TSA (Transport Security Administration) with passenger data in order to test CAPPS II - as a result it is running months behind schedule (see: GAO report on CAPPS II). The European Commission though is preparing an international agreement with the USA to allow not just for the transfer of passengers' personal data (PNR) but also to allow EU passenger data to be used to test CAPPS II (see: EU planning to nod through use of PNR data for use by CAPPS II: Report and documentation and: Commission Staff Working Paper on "An EU-US Agreement on Passenger Name Record (PNR)" (SEC 2004/81, 21.1.04).

The Commission also argues above that no obstacles should be put in the way of this deal "unless these are clearly dictated by the law of the Community or the European Union". As the EU's own Article 29 Working Party on data protection has forcefully argued the "Undertakings" from the USA would, on a number of issues, be contrary the "the law of the Community" (Article 29: Report and documentation)

The Commission says that: "The Community is fully committed to supporting the US in the fight against terrorism". But this deal is not limited to terrorism. it extends to "other serious crimes". The EU-US agreement on judicial cooperation, signed on 25 June 2003, covers any suspected offence which carries a prison sentence of one year or more - an exceptionally low standard.

Tony Bunyan, Statewatch editor, comments:

"Hana Stepankova, an official from the Czech Data Protection Office, reminds us all what is at stake, that in the past it has been totalitarian regimes who have sacrificed personal privacy in the interests of security and the demands of state agencies. Is this really the road that EU citizens want to go down?"

EU draft Decision on the "adequacy" of the US "Undertakings" on access to PNR

Draft Commission Decision on the adequate protection of personal data contained in the PNR of air passengers transferred to the United States Bureau of Customs and Border Protection: Full-text (pdf)

The draft Decision has 25 Preambular clauses (Whereas...) and 8 Articles.

1. Clause 3 says that "the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation". "All the circumstances" presumably includes assessing how the data will be used give the US's declared intention of running it through CAPPS II to gather further data from an unspecified number of state and commercial databases.

2. Clause 4 suggests that the PNR data is simply that needed for an airline to fulfil its contract with a passenger. As has been observed only 9 data items are related to this not 34 elements as requested by the US.

3. Clause 9 says that there will be "only one recipient in the US namely the Customs and Border Protection agency of the Department of Homeland Security". It is silent on how many other agencies will use the data under CAPPS II and the proposed US-VISIT project (see: GAO report on CAPPS II, which says the CIA and two other intelligence agencies will have access) and US-VISIT Program, Increment 1, Privacy Impact Assessment, which refers to an unlimited number of federal, state and local agencies).

4. Clause 12 refers to the US Freedom of Information Act which allows the US Customs Border Protection agency to "resist" requests for data and will govern the data subject's access - but this too can be denied where there is an ongoing "suspicion".

5. Clause 13 refers to the Undertakings being published in the Federal Register (the only point made by the Article 29 Working Party that is included in the Decision). However, this does not make the Undertakings binding clause 47 of which says: "These Undertakings do not create or confer any right or benefit on any person or party, private or public."

6. Clause 14 states blandly that the CBP processing of "passengers' PNR data" will be on the basis of "US legislation" (which does not have a data protection law) and the Undertakings: "cover the basic principles necessary for an adequate level of protection for natural persons". The whole point is exactly that they do not protect peoples' privacy rights - see the Article 29 Working Party's long list of objections (Article 29: Report and documentation).

7. Clause 16 states that: "PNR data provided to US CBP will not subsequently be changed by it". This is true the US CBP will not change change or add to the data other agencies given access under the CAPPS II and US-VISIT projects will do this. The Clause also says that the US will only "consult" the EU if it wants to add other data elements on each passenger's PNR from the airlines.

8. Clause 20 says that "onwards transfers are limited to case by case transfers" - the GAO report on the development says that the data will be checked in bulk, that is,100% of the passengers will be checked through CAPPS II. This is not a "case by case" basis. It goes on to say that law enforcement agencies "may only use the data for the uses for which it was requested" - well, law enforcement agencies will do exactly that, they will run every person's details through intelligence, internal security and police databases as well as an unspecified number of commercial databases then categorise people into one of three groups (allowed to fly, carry out further checks and denial of boarding). In turn this data will form part of the long-term, life-long, travel history of the individual under the US-VISIT project

9. Clause 24 says that this Decision has "taken into account" the three reports produced by the Article 29 Working Party on data protection (comprised of the Data Protection Commissioners from all 15 member states) - this is blatant nonsense, it has not taken the slighted notice of these reports.

10. The six Articles in the Decision add little, except for Article 3 which would allow an EU member state to suspend the transfer of data if there is a "substantial likelihood" that the protections in the Undertakings are being infringed and there is "an imminent risk of grave harm to data subjects".


1. Draft Commission Decision on declaration of "adequacy" under Article 25.6 of the 1995 EC Data Protection Directive: Full-text (pdf)
2. Proposal for an "international agreement" covering both PNR and CAPPS II: Commission Staff Working Paper on "An EU-US Agreement on Passenger Name Record (PNR)" (SEC 2004/81, 21.1.04)
2. "Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP)" (pdf)
3. Article 29: Opinion on Adequate Protection of Personal Data (pdf)
4. Privacy International report (pdf) - released 2 February 2004

5. See also Statewatch's Observatory on PNR & USA
6. See also Statewatch's Observatory on EU PNR scheme
Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author.
Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error