EU-US PNR agreement
US changes the privacy rules to exemption access to personal data

- USA to give exemptions for the Department of Home Security from its Privacy Act
- USA to give exemptions for the "Arrival and Departure System" (ADIS) from its Privacy Act
- Did the EU know that the US was planning to introduce these exemptions?


No sooner is the ink dry on the 28 June 2007 EU-USA PNR (passenger name record) agreement than the USA announced changes its Privacy law to give exemptions to the Department of Homeland Security (DHS) and the Automated Targeting System (ATS) from responding to request for personal information held. Both use PNR data gathered on travellers to and from the USA.

The DHS (and all the agencies that share its data) exemptions are from giving access to personal data gathered for:

"immigrant and non-immigrant pre-entry, entry, status management and exit processes"

which will include PNR data on EU citizens.

The scope covers:

"national security, law enforcement, immigration and intelligence activities".

The proposed change also covers revealing other agencies to whom the data is passed to and/or data provided by "foreign governments": US Department of Homeland Security: Notice of proposed rulemaking, 15 August 2007

The new exemptions relate to the new "Arrival and Departure System" (ADIS) that the USA is to introduce. ADIS is intended to authorise people to travel only after PNR and API (Advance Passenger Information) data has been checked and cleared by US agency watchlists:

"The Department of Homeland Security (DHS) is republishing the Privacy Act system of records notice for the Arrival and Departure Information System (ADIS) in order to expand its authority and capability to serve additional programs that require information on individuals throughout the immigrant and non-immigrant pre-entry, entry, status management, and exit processes....

The Department of Homeland Security Arrival and Departure Information System (ADIS) consists of centralized computerized records and will be used by DHS and its components. ADIS is the primary repository of data held by DHS for near real-time immigrant and non-immigrant status tracking through pre-entry, entry, status management, and exit processes, based on data collected by DHS or other Federal or foreign government agencies and used in connection with DHS national security, law enforcement, immigration, intelligence, and other DHS mission-related functions, and to provide associated testing, training, management reporting, planning and analysis, or other administrative uses. The information is collected by, on behalf of, in support of, or in cooperation with DHS and its components and may contain personally identifiable information collected by other Federal, state, local, tribal, foreign, or international government agencies."

And why are these exemptions needed:

"DHS is claiming exemption from certain requirements of the Privacy Act for ADIS. Information in ADIS relates to official DHS national security, law enforcement, immigration, and intelligence activities. These exemptions are needed to protect information relating to DHS investigatory and enforcement activities from disclosure to subjects or others related to these activities. Specifically, the exemptions are required to preclude subjects of these activities from frustrating these processes; to avoid disclosure of activity techniques; to protect the identities and physical safety of confidential informants and of immigration and border management and law enforcement personnel; to ensure DHS's ability to obtain information from third parties and other sources; to protect the privacy of third parties; and to safeguard classified information. Disclosure of information to the subject of an inquiry could also permit the subject to avoid detection or apprehension."

As the exemptions are to be applied to everyone going to or leaving the USA under ADIS people travelling from the EU (and their PNR and US-VISIT history) fall within its ambit.

Automated Targeting System to be exempt too


There are also to be changes to the rules under the US Privacy Act to exempt Automated Targeting System (ATS): Privacy Act of 1974: Implementation of Exemptions; Automated Targeting System (31 July 2007, pdf). Although created to combat terrorism the ATS covers "other crime" and indeed any:

"activity in violation of US law".

The ATS has a number of "modules" covering cargo and customs. The one directly relevant to EU travellers is ATS-Passenger (ATS-P):

"ATS-Passenger (ATS-P), one of six modules contained within ATS, maintains Passenger Name Record (PNR) data (data provided to airlines and travel agents by or on behalf of air passengers seeking to book travel) that has been collected by CBP as part of its border enforcement mission. ATS-P's screening relies upon information from the following databases: Treasury Enforcement Communications System (TECS), Advanced Passenger Information System (APIS), Non Immigrant Information System (NIIS), Suspect and Violator Indices (SAVI), and the Visa databases (maintained by the Department of State) with the PNR information that it maintains."

The use of PNR data is explicit. In addition ATS-P sources include APIS which gathers and evaluates passenger data prior to departure - when ADIS takes over to authorise boarding - and the "Non Immigrant Information System (NIIS)" which also covers all EU visitors.

The latest report on the ATS is the: Privacy Impact Assessment for the Automated Targeting System, 3 August 2007 (pdf). This says the ATS applies the "same methodology to all individuals", that is, everyone arriving and leaving the USA, and is looking for "suspicious or unusual behaviour". Thus:

"Every individual is subject to inspection under U.S. law, so, all individuals are always at risk of referral to secondary inspection"

"Secondary inspection" means being checked against the agencies' watch and "lookout" lists.

Data on the ATS is generally kept for 15 years when it is deleted except where a person has been linked "law enforement lookout records", DHS enforcement activities or investigations.

Did the EU know the US was going to make these changes?


When the agreement was signed in June the Council and the Commission made great play over the extension of protections in the US Privacy Act to travellers from the EU. The text from the EU-US PNR agreement (28 June 2007) says:

"IV. Access and Redress: DHS has made a policy decision to extend administrative Privacy Act protections to PNR data stored in the ATS regardless of the nationality or country of residence of the data subject, including data that relates to European citizens. Consistent with U.S. law, DHS also maintains a system accessible by individuals, regardless of their nationality or country of residence, for providing redress to persons seeking information about or correction of PNR."

Certainly the report from the EU's Article 29 Data Protection Working Party report: Opinion 5/2007 on the follow-up agreement (17 August 2007) makes no reference to this proposed exemptions.

Tony Bunyan, Statewatch editor, comments:

"The adoption of these two exemptions will seriously diminsh any rights EU citizens have to find out what data is held on them and who it is held by.

Did the Council and the Commission, who negotiated the agreement, know the US was planning to introduce them, and if not why not?"


Statewatch News online | Join Statewatch news e-mail list | EU research resources: Joint online subscription

© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.