European airlines are handing PNR data over to US Customs - Evidence from Spain

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

European airlines are passing on the PNR (Passenger Name Record) data they hold on passengers who have travelled to, from or through the US, to the US customs authorities. This measure was agreed in an interim agreement between the European Commission and the United States Customs on 17 and 18 February 2003, and has been in force from the US side since 5 March to comply with the requirements in the US Transport Security Act (November 2001).

A letter with which the Spanish airline Iberia sent in answer to the inquiries made by Spanish citizen, Arturo Quirantes Sierra, as to whether his data had been made available to US authorities when he flew to New York on 26 March 2003, says that "The information to which the United States Customs has had access is only the one contained in the PNR (Passenger Name Register) of the passenger, and not those that are contained in the Iberia Plus frequent flyer databases or other "ticketing" systems."

Quirantes Sierra has put in a complaint with the Spanish data protection authority (Agencia de Proteccion de Datos), as he considers that "According to EU privacy rules, the transfer of personal data to third countries that do not have laws that adequately protect the privacy of individuals is forbidden, unless the individual consents to the transfer of his/her data." In the formal complaint, Quirantes Sierra lists the kind of information that is included, as well as expressing his concern about the fact that at the time when the agreement was reached it was announced that the information could be used for "law enforcement purposes", and that they would be held for "the time required for the objective for which they were collected".

He has opened a webpage (see below) showing the files concerning him that Iberia has made available to him (including data held on the PNR, "ticketing" and Amadeus systems) after his inquiry, as well as correspondence between himself and the airline and data protection authorities, and background articles.

He highlights that the interim agreement between the European Commission and US Customs stipulates that the latter body may share the data with other law enforcement agencies for "legitimate security policing", without including limitations included in EU legislation such as the need for the reasons for the use, retention and processing of personal data to be clearly stated, and for the data to be used solely for the purpose for which it was collected.

He says: "Following a trip to the USA on 26 March I filed a complaint to the Spanish Data Protection Authority (Agencia de Protección de Datos) for the disclosure of my personal data by Iberia airline."

Below, in Spanish and English, is the full documentation on his case. Also below are eight documents created and exchanged for his flight and return from the USA plus the list of data demanded by US agencies - which contains not 39 categories but 43 categories.

See: Spanish:
See: English:

A. List of 43 categories of PNR (personal data) wanted by US on every passenger: List of categories

B. Data recorded by Iberia, data sent to Amadeus, PNR data and ticketing data held on Arturo Quirantes Sierra:

1: data in (profile 1)
2: data in (profile 2)
3: data in Amadeus (profile 1)
4: data in Amadeus (profile 2)
5: PNR - Reservation Record (legend)

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error