EU: European Commission to propose EU PNR travel surveillance system
- why have we heard so little about the EU's API system?
- what is the difference between API, APP and PNR?
- new US PNR list the same as the old one
updated 15 July 2007
After the EU concluded a controversial new agreement with the USA giving its agencies access to PNR (passenger name record) personal data on everyone flying to and from that country the European Commissioner for justice and home affairs, Mr Frattini, said that he would present a Framework Decision for a EU PNR system in October.
Mr Frattini is reported as saying that, in the wake of the attempted attacks in London and Glasgow: "I suggest that all member states should equip themselves with a PNR system and share information with others when relevant".
Mr Frattini's proposal is all the more confusing as there appears to have been no reference to the implementation of the April 2004 EU Directive on the obligation of carriers to communicate passenger data which had to be implemented in all member states by 5 September 2006.
The 2004 Directive
The 2004 EU Directive was adopted in the wake of the dreadful train bombings in March that year: 2004 Directive
The Directive is aimed at "improving border controls and combating illegal immigration" and places an obligation on airlines to send by the "end of check-in" details on the passengers they will bring into the EU to the "authorities" in the receiving member state - this covers all passengers both EU citizens and visitors.
The data to be sent comprises (Article 3):
- personal data on each passenger: type of travel document (eg: passport/visa), nationality, full name and date of birth, that is, the data held on the "machine readable zone" (MRZ) of passports (just four items of data). This is known as Advance Passenger Information or "API".
- second, details of the flight: place on entry into EU, plane code, departure and arrival time, number of passengers and point of embarkation.
Sanctions are to be in place to fine airlines which fails to transmit the data or provide incomplete or false data (Article 4).
If the data is not needed later for "statutory functions" of national border agencies then it should be deleted 24 hours after transmission. The data can also be processed for law enforcement purposes (Article 6.1). In short, most data will be deleted but this will not prevent border, security and law enforcement agencies from retaining data they think is needed.
It appears that Spain is the first EU country to start collecting API (Advance Passenger Information) from incoming travellers as from 13 June 2007 - the UK requires API from targeted countries.
Article 3.1 refer to transferring data "by the end of check-in". However, airlines are likely to collect API data when the ticket is booked days or weeks before the flight, see for example, Advance Passenger Information (link) This data could be passed to the national agencies well prior to check-in and be followed by a final passenger manifest after check-in.
So the question has to be asked: If the collection of API at the flight booking stage becomes the norm why is PNR needed?
What is the difference between API, APP and PNR?
The transmission of API is an ICAO (International Civil Aviation Organisation) standard and contains only the personal data currently available in the MRZ of EU passports. This data can be, and is, used to carry out checks against security and intelligence "watch-lists" through what is called "Advance Passenger Processing" (APP).
APP also known as a "Board/No Board" and "Red Light/Green Light System" whereby a directive for each passenger, is transmitted back to the airline permitting or denying boarding (ICAO-FAL/12-WP/60, 10.3.04). US Customs and Border Protection call this process AQQ (Apis Quick Query) leading to a "cleared" or "not cleared" message being sent back for each passenger.
API is thus the collection of data to be checked against "watch-lists" and APP the issuing of "authority to travel" for each passenger.
The issue of who is on a "watch-list" and why is another issue. Are the lists used to check for known or suspected terrorists or a broader category of criminal "suspects", is it based on "good" intelligence or unproven/unverified "third party" sources, how does a person get off the lists?
PNR is a different "kettle of fish".
Under the EU-USA agreement PNR data on each passenger - the data items demanded though reduced from 34 to 19 are virtually the same under the new agreement to the old one - are passed over 72 hours before a flight, with updates if needed for any later changes. This data is passed on to an unspecified number of agencies who can added other data or "intelligence" from state or commercial sources and can be kept for up to 15 years.
An EU API or PNR system?
When the 2004 Directive, based on the collection of API data for air travel, was being discussed there was an attempt to limit its scope to border checks on foreign nationals in line with the legal base being used. This failed and it covers everyone entering the EU including EU citizens.
The scope of the 2004 Directive is more limited that the EU-USA PNR agreement:
- no more personal data is collected and passed over than is already available in the machine-readable zone (MRZ) on EU passports. This means that the individual knows what data is collected (it is the same as printed on the passport page).
- once used for the purpose of checking who is travelling the data has to be deleted 24 hours after the flight has landed unless
- border control agencies or law enforcement agencies need the data "later". In theory this should mean that most people's data is deleted unless there is a suspicion or a "trace" which would justify retention.
The Directive is not yet in force across the EU but its implementation creates a number of concerns:
- will the norm be for airlines to collect API data at the booking stage?
- will this be sent to authorities responsible for checks at external borders before check-in?
- which other national authorities will get access to the data?
- what are the limits on the further processing of this data, presumably that allowed under national laws, what is the scope of each of these laws?
- how large and what is the scope of national watch-lists?
- do national laws permit the passing of this data outside the EU, for example, under bilateral agreements with the USA?
- why has the Commission not produced a report on the failure to implement this Directive by September 2006 and what is the scope of planned national legislation?
And what of an EU PNR system?
The primary concerns with the EU-USA PNR agreement are:
1. It is based on an "agreement" and an "exchange of letters" (see Appendix I on legal position)
2. The data items demanded though reduced from 34 to 19 are virtually the same under the new agreement to the old one including "open fields" (see Item 19) - see Appendix II below
3. The data can be passed on to an unspecified number of US agencies
4. The data can be added to and further processed
5. The individual's data will be checked against unspecified US "watch-lists"
6. If US law changes in this field then so do the US undertakings
7. The US can pass the data (or processed data) to third countries without restriction
8. For the individual to track what has happened to their data is almost impossible
9. The data can now be held for 15 years (it was 3 and a half years under the old agreement) see Appendix III
See also Euroipean Parliament Resolution:
On the new EU-USA PNR agreement: "substantially flawed"
An EU PNR system would face many of the same questions:
1. It would be legally binding but unlike the single, unified, US federal system it would be composed of 27 national systems.
2. How many data items would be required? Would they include open fields?
3. Would data just be passed just to the agencies in the state the flight is going to or would it, under the so-called "principle of availability", be available to all agencies in all 27 member states?
4. Would data be added to by information/intelligence from other agencies and commercial sources?
5. Which "watch-lists" would the data be checked against? Would these watch-lists be limited to terrorist suspects and those listed to be denied re-entry to the EU (eg: on the Schengen Information System)? Or would they include a wider net of suspected criminal or public order offences?
6. How will the individual be able to track to whom their data has been passed and further processed?
7. How long will data be held for? 24 hours, three and a half years or 15 years? And will the EU have its own "EU-VISIT" system keeping the records of everyone travel by air for up to 75 years?
8. Will the Commission propose, as hinted at by Mr Frattini, that an EU PNR system will not just cover flights into the EU but within the EU as well?
And what of the actual effectiveness of the EU-USA PNR system and the US-VISIT scheme, do they work? Few facts and figures are available. The Acting Director of US Homeland Security said last autumn that US-VISIT has tracked 63 million visitors and found "1,200 criminals and immigration violators".
Finally, before considering yet another level of travel surveillance it is important to re-cap on what is already in place or is planned in the EU. First, there is VIS (Visa Information System) under which all visitors countries requiring people from 136 countries to be finger-printed and security-vetted before being issued with a visa (this is expected to contain 70 million people within ten years). Second, the planned SIS II which will hold list of those to be denied entry (largely expelled asylum-seekers), those on a known or "suspect" file (for criminal and terrorist offences) and another covering those to be placed under surveillance. Third, there is the EU API system.
Tony Bunyan, Statewatch editor, comments:
"The link made by Mr Frattini between the attempted attacks in London and Glasgow and the need to copy the US PNR system is not at all clear.
Would those currently being held by the police who entered the UK since 11 September 2001 have been refused entry if a EU-PNR system been in place or would they have been allowed to enter - none of them it appears were under surveillance nor on any watch-lists.
PNR systems - like other grand and expensive schemes - are only as good as the intelligence they are checked against - if a person is not on the list they will simply enter freely. At the same time the mountains of data gathered and stored can be counter-productive making the location of the "needles in the haystack" even more difficult to find."
2004 EC Directive on API and Observatory on its adoption
ICAO: Facilitation Section (FAL): Advance Passenger Information (API)
Background: EU-USA-PNR AGREEMENT: Agreement, letter, 28 June 2007: full-text (pdf) Letter (pdf)
The legal status of the Agreement and letters - Note from Steve Peers, Professor of Law, University of Essex:
Is it a treaty? The "agreement" is, surely. The question is whether the connected exchange of letters is part of the treaty or is otherwise legally binding.
In a treaty law textbook, Aust's Modern Treaty Law and Practice, it is pointed out that the Vienna Convention on the law of treaties provides for a document to be considered a treaty 'whatever its particular designation'. At pages 20-21 it is stated that if an exchange of letters is to constitute a treaty, it generally provides that 'it shall constitute an agreement'; if not, it generally provides that 'it shall constitute an understanding'.
At 355-56 it is stated that if an exchange of letters is meant to constitute a treaty, one party will set out its 'proposals' which will 'constitute an agreement', and the other party will respond in the same terms. If it is not to be binding, the words 'understanding' and 'arrangements' are used instead.
The exchange of letters in the PNR agreement does not use either the classic phrases to indicate that the letters constitute a treaty, or the classic phrases to indicate that they do not.
So it is necessary to look at the text of the agreement to find whether it the US letter is intended to be binding.
Although the text of the agreement does refer to the exchange of letters, it does not state that the US side "shall" implement the safeguards in the letter, rather that the US "shall" process PNR data in accordance with domestic law; the letter "sets forth" the safeguards in national law. The EU "shall ensure" that the PNR is sent "on the basis of the assurances" in the letter; also the agreement constitutes an adequacy determination and an obligation not to interfere in US relations with third parties.
The agreement can be denounced by the EU if the EU determines that the US has breached it; there is no explicit reference to the US breaching the safeguards in the letter. The US can denounce the agreement and revoke the letter if it determines that the EU has breached the agreement.
It seems clear that the parties wished to leave the legal effect of the letter ambiguous, or that they could not agree on the precise legal status of the letter. The best view, although the issue is far from doubt, is that the parties have agreed that the letter, while not binding in itself, is closely connected to the operation of the treaty, as it is an express condition of entering into the agreement (on the EU side) and will be revoked in the event of a breach of the agreement by the EU (on the US side). It also appears implicitly that if the safeguards in the letter are not applied in practice, in the view of the EU, then the EU will consider that this is valid grounds to denounce the treaty.
Therefore the assertion that the letter is "legally binding"is, as such, incorrect. It is more accurate to say that the letter has an indirect legal force, since the EU has entered into the treaty on the basis of the safeguards explained in the letter.
Comparison PNR data items - new and old agreements
The number of items of information demanded has been reduced from 34 to 19. This disguises the fact that all but two of the items have simply been amalgamated.
1. PNR record locator code
2. Date of reservation/ issue of ticket:
In previous list 2 separate data items (data items: 2 & 22)
3. Date(s) of intended travel
5. Available frequent flier and benefit information (i.e., free tickets, upgrades, etc)
In previous list limited to "miles flown and address(es)" (data item 11)
6. Other names on PNR, including number of travellers on PNR
In previous list 2 separate data items (data item: 5 & 30)
7. All available contact information (including originator information)
In previous list 4 separate data items:
- 6. Address,
- 9. Contact telephone numbers
- 17. E-mail address
- 28. Received from information
8. All available payment/billing information (not including other transaction details linked to a credit card or account and not connected to the travel transaction)
In previous list 2 data items:
- 7. All forms of payment information
- 8. Billing address
9. Travel itinerary for specific PNR
10. Travel agency/travel agent
In previous list 2 separate data items (data items: 12 & 13)
11. Code share (PNR) information
12. Split/divided (PNR) information
13. Travel status of passenger (including confirmations and check-in status)
14. Ticketing information, including ticket number, one way tickets and Automated Ticket Fare Quote
In previous list 4 separate data items (data items: 18, 20, 32 & 34)
15. All Baggage information
In previous list limited to "Bag tag numbers" (data element 24)
16. Seat information, including seat number
In previous list 2 separate data items (data items: 21 & 31)
17. General remarks including OSI, SSI and SSR information (see Note below)
In previous list 3 separate data items (data items: 19, 26 & 27)
18. Any collected APIS information
19. All historical changes to the PNR listed in numbers 1 to 18
Removed required data items:
23. No Show history
25. Go Show history
OSI: Other service related information
SSI: Special Services Information
SSR: Special Service Requests
Previous Agreement PNR data
PNR data items required by CBP from air carriers
1. PNR record locator code
2. Date of reservation
3. Date(s) of intended travel
5. Other names on PNR
7. All forms of payment information
8. Billing address
9. Contact telephone numbers
10. All travel itinerary for specific PNR
11. Frequent flyer information (limited to miles flown and address(es))
12. Travel agency
13. Travel agent
14. Code share PNR information
15. Travel status of passenger
16. Split/divided PNR information
17. E-mail address
18. Ticketing field information
19. General remarks
20 Ticket number
21. Seat number
22. Date of ticket issuance
23. No show history
24. Bag tag numbers
25. Go show information
26. OSI information
27. SSI/SSR information
28. Received from information
29. All historical changes to the PNR
30. Number of travellers on PNR
31. Seat information
32. One-way tickets
33. Any collected APIS (Advanced Passenger Information System) information
34. ATFQ (Automatic Ticketing Fare Quote) fields
Comparison of data retention periods under the 2004 and 2006 agreements
Under the 2004 Agreement:
1. PNR personal data is directly accessible for 7 days
2. And accessible for a further 3.5 years
3. After 3.5 years data which has "not been manually accessed during that period of time, will be destroyed"
Text of 2004 Agreement
"Storage of PNR Data
15) Subject to the approval of the National Archives and Records Administration (44 U.S.C. 2101, et seq.), CBP will limit on-line access to PNR data to authorized CBP users [Footnote: 6] for a period of seven (7) days, after which the number of officers authorized to access the PNR data will be even further limited for a period of three years and 6 months (3.5 years) from the date the data is accessed (or received) from the air carrier's reservation system. After 3.5 years, PNR data that has not been manually accessed during that period of time, will be destroyed. PNR data that has been manually accessed during the initial 3.5 year period will be transferred by CBP to a deleted record file,[Footnote 7] paragraph 35 hereof, CBP will make every effort to limit the release of "sensitive" PNR data, consistent with U.S. law."
Footnote 6: These authorized CBP users would include employees assigned to analytical units in the field offices, as well as employees assigned to the National Targeting Center. As indicated previously, persons charged with maintaining, developing or auditing the CBP database will also have access to such data for those limited purposes.
Footnote 7: Although the PNR record is not technically deleted when it is transferred to the Deleted Record File, it is stored as raw data (not a readily searchable form and, therefore, of no use for "traditional" law enforcement investigations) and is only available to authorized personnel in the Office of Internal Affairs for CBP (and in some cases the Office of the Inspector General in connection with audits) and personnel responsible for maintaining the database in CBPs Office of Information Technology, on a need to know basis."
Under the 2007 Agreement:
1. PNR personal data will be held in "an active analytical database for seven years"
2. It will then be moved to a "dormant, non-operational status" for a further 8 years
3. The USA "expect that EU PNR data shall be deleted at the end of this period (ie: 15 years); questions of whether and when to destroy PNR data.. will be addressed by DHS and the EU as part of future discussions". In other words it may not be deleted after 15 years.
Text of the 2007 Agreement
"VII. Data retention: DHS retains EU PNR data in an active analytical database for seven years, after which time the data will be moved to dormant, non-operational status. Data in dormant status will be retained for eight years and may be accessed only with approval of a senior DHS official designated by the Secretary of Homeland Security and only in response to an identifiable case, threat, or risk. We expect that EU PNR data shall be deleted at the end of this period; questions of whether and when to destroy PNR data collected in accordance with this letter will be addressed by DHS and the EU as part of future discussions."
In a statement to the European Parliament on 9 July 2007 in Strabourg - at part of the debate on the parliament's Resolution - Mr Frattini (Commissioner for freedom, seurity and justice in the Commission) said:
"There is not an extension of the time during which passenger data are kept from 3.5 to 15 years. There is an increase from 3.5 to 7 years of the time during which data are kept in an active file. The further period of 8 years that was already provided for in the previous agreements and that undertaking is not newly introduced in this new agreement."
However, the above texts indiciate that:
1. There is an extension of the time passenger data can be "kept" from 3.5 years to 15 years. Under the new agreement all passenger data can be kept for 15 years or longer. Under the old agreement only passenger data which had not been "manually accessed" was "destroyed" after 3.5 years - that is to say for the great majority of passengers.
2. The further period of 8 years was not already provided for in the old agreement, any period beyond 3.5 years only referred to passenger data that had not been "destroyed" because it had been manually accessed for further processing.
Council report on the EP's debate: EU doc no: 11770/07
Statewatch News online | Join Statewatch news e-mail list | EU research resources: Joint online subscription
© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.