2004/535/EC:Commission Decision of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection (notified under document number C(2004) 1914)
| Published date | 12 October 2005 |
| Subject Matter | Principles, objectives and tasks of the Treaties,Information and verification,Human rights |
| 6.7.2004 | EN | Official Journal of the European Union | L 235/11 |
COMMISSION DECISION
of 14 May 2004
on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection
(notified under document number C(2004) 1914)
(Text with EEA relevance)
(2004/535/EC)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1), and in particular Article 25(6) thereof,
Whereas:
| (1) | Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer. |
| (2) | The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary. |
| (3) | Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, particular consideration being given to a number of elements relevant for the transfer and listed in Article 25(2) thereof. |
| (4) | In the framework of air transport, the ‘Passenger Name Record’ (PNR) is a record of each passenger’s travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating airlines. For the purposes of this Decision, the terms ‘passenger’ and ‘passengers’ include crew members. ‘Booking airline’ means an airline with which the passenger made his original reservations or with which additional reservations were made after commencement of the journey. ‘Participating airlines’ means any airline on which the booking airline has requested space, on one or more of its flights, to be held for a passenger. |
| (5) | The United States Bureau of Customs and Border Protection (CBP) of the Department of Homeland Security (DHS) requires each carrier, operating passenger flights in foreign air transportation to or from the United States, to provide it with electronic access to PNR to the extent that PNR is collected and contained in the air carrier’s automated reservation system. |
| (6) | The requirements for personal data contained in the PNR of air passengers to be transferred to CBP, are based on a statute enacted by the United States in November 2001 (2), and upon implementing regulations adopted by CBP under that statute (3). |
| (7) | The United States legislation in question concerns the enhancement of security and the conditions under which persons may enter and leave the country, matters on which the United States has the sovereign power to decide within its jurisdiction. The requirements laid down are not, moreover, inconsistent with any international commitments which the United States has undertaken. The United States is a democratic country, governed by the rule of law and with a strong civil liberties tradition. The legitimacy of its law-making process and strength and independence of its judiciary are not in question. Press freedom is a further strong guarantee against the abuse of civil liberties. |
| (8) | The Community is fully committed to supporting the United States in the fight against terrorism within the limits imposed by Community law. Community law provides for striking the necessary balances between security concerns and privacy concerns. For example, Article 13 of Directive 95/46/EC provides that Member States may legislate to restrict the scope of certain requirements of that Directive, where it is necessary to do so for reasons of national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences. |
| (9) | The data transfers concerned involve specific controllers, namely airlines operating flights between the Community and the United States, and only one recipient in the United States, namely CBP. |
| (10) | Any arrangement to provide a legal framework for PNR transfers to the United States, in particular through this Decision should be time-limited. A period of three and a half years has been agreed. During this period, the context may change significantly and the Community and the United States agree that a review of the arrangements will be necessary. |
| (11) | The processing by CBP of personal data contained in the PNR of air passengers transferred to it is governed by conditions set out in the Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP) of 11 May 2004 (hereinafter referred to as the Undertakings) and in United States domestic legislation to the extent indicated in the Undertakings. |
| (12) | As regards domestic law in the United States, the Freedom of Information Act (FOIA) is relevant in the present context in so far as it controls the conditions under which CBP may resist requests for disclosure and thus keep PNR confidential. The Act governs the disclosure of PNR to the person whom it concerns, closely linked to the data subject’s right of access. It applies without distinction to United States and non-United States citizens. |
| (13) | As regards the Undertakings, and as provided in paragraph 44 thereof, the statements in the Undertakings will be, or have already been, incorporated in statutes, regulations, directives or other policy instruments in the United States and will thus have varying degrees of legal effect. The Undertakings will be published in full in the Federal Register under the authority of the DHS. As such, they represent a serious and well considered political commitment on the part of the DHS and their compliance will be subject to joint review by the United States and the Community. Non-compliance could be challenged as appropriate through legal, administrative and political channels and, if persistent, would lead to the suspension of the effects of this Decision. |
| (14) | The standards by which CBP will process passengers’ PNR data on the basis of United States legislation and the Undertakings cover the basic principles necessary for an adequate level of protection for natural persons. |
| (15) | As regards the purpose limitation principle, air passengers’ personal data contained in the PNR transferred to CBP will be processed for a specific purpose and subsequently used or further communicated only in so far as this is not incompatible with the purpose of the transfer. In particular, PNR data will be used strictly for purposes of preventing and combating: terrorism and related crimes; other serious crimes, including organised crime, that are transnational in nature; and flight from warrants or custody for those crimes. |
| (16) | As regards the data quality and proportionality principle, which need to be considered in relation to the important public interest grounds for which PNR data are transferred, PNR data provided to CBP will not subsequently be changed by it. A maximum of 34 PNR data categories will be transferred and the United States authorities will consult the Commission before adding any new requirements. Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels. As a general rule, PNR will be deleted after a maximum of three years and six months, with exceptions for data that have been accessed for specific investigations, or otherwise manually accessed. |
| (17) | As regards the transparency principle, CBP will provide information to travellers as to the purpose of the transfer and processing, and the identity of the data controller in the third country, as well as other information. |
| (18) | As regards the security principle, technical and organisational security measures are taken by CBP which are appropriate to the risks presented by the processing. |
| (19) | The rights of access and rectification are recognised, in that the data subject may request a copy of PNR data and rectification of inaccurate data. The exceptions provided for are broadly comparable with the restrictions which may be imposed by Member States under Article 13 of Directive 95/46/EC. |
| (20) | Onward transfers will be made to other government authorities, including foreign government authorities, with counter-terrorism or law-enforcement functions, on a case-by-case basis, for purposes that correspond to those set out in the statement of purpose limitation. Transfers may also be made for the protection of the vital interests of the data subject or of other persons, in particular as regards significant health risks, or in any criminal judicial proceedings or as otherwise required by law. Receiving agencies are bound by the express terms of disclosure to use the data only for those purposes and may not transfer the data onwards without the agreement of CBP. No other foreign, federal, State or local agency has direct electronic access to PNR data through CBP databases. CBP will refuse public disclosure of PNR, by virtue of exemptions from the relevant provisions of FOIA. |
| (21) | CBP does not use sensitive data as referred to in Article 8 of Directive 95/46/EC, and, until a system of filters to exclude such data from PNR transferred to the |
To continue reading
Request your trial