European Commission's Legal Service says EU-USA PNR agreement is not compatible with fundamental rights

Topic
Country/Region

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

  • Scope covers minor crimes: "proportionality of the agreement in question"
  • Retention period goes far beyond that of the Agreement with Australia
  • Agreement extended to cover US border security: "which is not linked to the purpose of preventing terrorism or serious crime"
  • "no judicial redress to data subjects"
  • "no guarantee of independent oversight"
  • Legal Service advice ignored

The European Commission's Legal Service has sent a Note to the Director-General of DG Home Affairs stating that it does not consider the planned agreement with the USA to exchange PNR (Passenger Name Record) data on individuals is "compatible with fundamental rights": Note from Commission Legal Services to DG Home Affairs (18.5.11, pdf).

The Commission, which has been in charge of negotiating the agreement with the USA, has circulated the final agreement prior to formally submitting to the Council of the European Union and the European Parliament for their agreement: EU-US PNR Agreement (20.5.11, pdf) - this has not been amended to meet the concerns of the Legal Service. Formally, the European Parliament cannot amend the agreement but it has to agree it - in effect, the parliament can veto the planned Agreement.

The Legal Service Note


The Note says that the Legal Service has reviewed the draft agreement in respect of fundamental rights and:

"consider that there are grave doubts as to its compatibility with the fundamental right to data protection."

Their "most serious concerns" are:

First, Article 4.1.b. allows for the processing of personal data for the purpose of preventing and detecting "serious crime" which is defined with reference to an "extraditable offence" in the EU-US Extradition Agreement. However, this Agreement says that an offence is extraditable:

"if it is punishable under the laws of the requesting and requested States by deprivation of liberty for a maximum period of more than one year" [emphasis added]

This is an exceptionally low threshold.

Thus, the definition of a "serious crime" is "considerably larger" than that in the EU-US PNR agreement where the maximum period has to be for a "period of more than three years" or that in the EU-AUSTRALIA-PNR Agreement which is four years.

The Legal Service conclude that:

"Given the low maximum penalty [one year], it is likely to include a very large number of crimes which cannot be regarded as serious."

And:

"This point alone puts the proportionality of the agreement in question."

Moreover, the definition of an extraditable offence is not relevant as it concerns, "unlike PNR", only:

"persons suspected or convicted of a came, not a priori innocent individuals"

In simple terms, PNR data covers all those travelling who are effectively treated as "suspects".

Second, the Legal Service, is concerned about Article 4.2 which would allow the use of PNR data:

"provided only it is ordered by a court. This cannot be regarded as a meaningful purpose limitation."

Under the Charter of Fundamental Rights (Article 52.1) any limitation on the exercise of rights and freedoms "must be provided for by law". And the Court of Justice has confirmed that a requirement flowing from this principle is that a measure provided by law is "foreseeable":

"The Legal Service considers that this requirement is not met by the clause in question."

Third, the Legal Service is concerned about Article 4.3. which allows PNR to be used to "ensure border security", in order to:

"identify persons who would be subject to closer questioning or examination upon arrival or departure from the United States"

On which the Legal Services comments:

"This clause, which is not linked to the purpose of preventing terrorism or serious crime, seems to allow the use of PNR also for the purpose of border security, ie: for preventing detecting customs or immigration offences, even it they are minor in nature. This again raises serious questions of proportionality."

Fourth, the Retention Period in Article 8. It allows for an initial period of five years followed by a "dormant data basis" for ten years and thus data is retained for a period of 15 years. This data retention period goes "far beyond" the EU PNR proposal (30 days plus five years) and the draft Agreement with Australia - three years plus 2.5 years) and:

"represents almost no improvement compared to the current EU-US Agreement, which the Parliament refused to approve."

Fifth, Redress, Article 13:

"This article guarantees basically no judicial redress to data subjects, since all judicial redress is made subject to US law, while the forms of redress explicitly guaranteed are administrative only and thus at the discretion of the DHS."

Sixth, Oversight, Article 14 is to be carried out by DHS privacy officers with "a proven record of autonomy":

"This does not amount to a guarantee of independent oversight as required by our data protection rules and also obtained in the agreement with Australia."

Damningly the Legal Service notes that its advice has been ignored:

"all [these] comments were already transmitted to your services in the course of the negotiations."

Legal Service conclusions


The Legal Service of the Commission concludes that, "despite some presentational changes", the Agreement does not represent a "sufficiently substantial" improvement on the existing temporary Agreement - and does not meet the European Parliament's concerns. In addition it notes that the use of PNR data for border security "even represents a setback from the point of view of data protection."

And finally, that:

"For these reasons, the Legal Service does not consider the agreement in its present form as compatible with fundamental rights."

Tony Bunyan, Statewatch Director, comments:

"Secret Minutes of EU-US meetings since 2001 show that they have always been a one-way channel with the US setting the agenda by making demands on the EU. When the EU does make rare requests like on data protection, because US law only offers protection and redress to US citizens, they are bluntly told that the the US is not going to change its data protection system - as they were at the EU-US JHA Ministerial Meeting in Washington on 8-9 December 2010.

This Agreement does not meet EU data protection standards of proportionality or purpose limitation, nor does it provide judicial redress to data subjects or any guarantee of independent oversight.

The European Parliament should refuse to consent to this Agreement as it is empowered to do under the Lisbon Treaty."

See: (2003 - ongoing) Statewatch Observatory on the exchange of data on passengers (PNR) with USA

And: Air passenger data plans in US-EU agreement are illegal, say lawyers (Guardian, link)

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error