EU-USA: PNR agreement renegotiated to meet US demands
01 October 2006
- when the law changes in the USA so too does access to data and how it is processed
The USA has used the successful challenge against the legal basis of the 2004 EU-US agreement (plus "Undertakings") on the transfer of PNR (passenger name record) in the European Court of Justice by the European Parliament to put forward significant changes - to which the EU has agreed.
On Friday 6 October 2006 the Council of the European Union adopted a Decision to change the legal basis of the EU-US PNR agreement from the TEC (Treaty establishing the European Community, "first pillar") to the TEU (Articles 24 and 38 of the Treaty establishing the European Union, "third pillar") in line with the court's decision.
However, the Agreement (Annex 2) and the letter from the USA (Annex 3) show the USA has used this change to the legal basis to exact changes in the operation of the agreement. These are based on changes in the US laws and the demands of the US Department of Homeland Security (DHS). The Decision in para 1 says data shall be passed over:
"as required by DHS"
while para 3 says the DHS will process PNR data:
"in accordance with applicable US laws"
So if the law changes in the USA - as it has done since 2004 - then the USA can change how it processes data and who it can be passed to.
However, the interpretation on the US-side of the agreement is set out in the letter from the DHS, an interpretation which is accepted by the EU. So as a Presidential Executive Order (no 13388) was enacted on 25 October 2005 laying down to the DHS and other agencies that "terrorism information" has to be given promptly "to the head of each other agency that has counterterrorist functions" then US law defines how PNR data is passed to for further processing.
Thus as this US Executive Order:
"may be impeded by certain provisions in the Undertakings that restrict information sharing among US agencies... the Undertaking should be interpreted and applied so as not to impede the sharing of PNR data by DHS and other authorities..."
There is one positive aspect to the agreement - namely the intention to introduce a "push" system whereby data is passed over in response to requests from the USA rater than the present "pull" one where the USA has direct access to airline reservation systems based in the EU.
However this will be exploited under the US interpretation. While the number of times data can be "pulled" from airline reservation databases is limited there is no limit on the number of times data can be "pushed". The airlines, the DHS letter says, do not have any "discretion":
"That decision is conferred on DHS by US law"
The initial (first) "push" of PNR data can be "more than 72 hours prior to the departure". The DHS letter also says that the "push" system:
"must permit any PNR data in airline reservation or departure control systems to be pushed in exceptional circumstances.. to address a threat to the vital interests of the data subject or other persons"
This extension to cover "departure control systems" is new.
When the agreement is renegotiated next year the US side want to question the time limit on the keeping of PNR currently 3.5 years.
Finally, the DHS letter notes that the Undertakings:
"authorise DHS to add data elements to the 34 previously set forth"
Tony Bunyan, Statewatch editor, comments:
"The USA has used the need to change the legal basis of the PNR agreement to lay down its own new "interpretations".
What is particularly outrageous is that if the law changes in the USA the way the agreement is implemented changes too without any renegotiation - which is very worrying given the nature of new laws which remove the rights of suspects including habeaus corpus"
1. EU-USA PNR (passenger name record) agreement of 6 October 2006
(full text, pdf)