European Parliament
Texts Adopted by Parliament
Provisional Edition : 31/03/2004

Passenger name records



European Parliament resolution on the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection (2004/2011(INI))

The European Parliament,

-       having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1) and, in particular, Article 25 thereof, and also Council Regulation (EEC) No 2299/89 of 24 July 1989 on a code of conduct for computerised reservation systems(2),

-       having regard to the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection (C5-0124/2004),

-       having regard to the opinions delivered on 29 January 2004 by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data referred to in Article 29 of Directive 95/46/EC and on 17 February 2004 by the committee referred to in Article 31 of that Directive,

-       having regard to its resolution of 9 March 2004 on the First Report on the implementation of the Data Protection Directive (95/46/EC)(3),

-       having regard to the position expressed by the national parliaments on this subject,

-       having regard to the opinion of the Belgian Committee on Privacy concerning two cases involving the transfer by three airlines of the personal data relating to certain transatlantic passengers (including those relating to an MEP), an opinion in which it is stated that both Belgian and EU privacy laws have been infringed; having regard to the Council's observation that 'the US measures potentially conflict with Community and Member States' legislation on data protection' (2562nd meeting of the General Affairs Council held in Brussels on 23 February 2004); having regard to the internal Commission document which confirms that such a conflict does indeed exist; whereas Parliament has condemned the blatant violation of privacy laws, and whereas major responsibilities lie with the Commission, the Member States and certain authorities whose task is to safeguard privacy,

-       having regard to Article 8 of Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission(4),

-       having regard to Rule 88 of its Rules of Procedure,

A.       whereas, pursuant to the Transport Security Act and the implementing provisions thereof (such as Aviation Security Screening Records(5)), the US Administration requires airlines operating in Europe to provide access to the commercial data contained in Passenger Name Records (PNRs), so as to enable the potential threat which each passenger could present to be established in advance and to ensure that any terrorist or individual responsible for serious crime is identified and apprehended or denied entry to the US,

B.       whereas such access requires a clear legal framework if it is to be permitted under the privacy laws of the Member States and the Community, in spite of which fact neither the Commission nor the Member States nor the authorities which are responsible for safeguarding privacy and which have been granted binding powers have taken any action to ensure that the laws are enforced,

C.       whereas in the air-transport field a Passenger Name Record (PNR) is a file containing a package of commercial information including in particular:

a)       data enabling both the passenger and the persons accompanying him to be identified, together with the person who requested the reservation on the passenger's behalf, the agency or the employee who made the reservation and/or issued the ticket, and so on,

b)       the data relating to the journey for which the ticket has been issued, and also all the other sectors which make up the entire routing of a journey which may comprise a number of legs and therefore involve a number of tickets,

c)       data relating to means of payment, the passenger's credit card number, the special terms granted to particular groups (such as frequent flyers and members of special groups), e-mail addresses, physical addresses and private and/or office telephone numbers disclosed when the reservation was made, contact persons, and so on,

d)       data concerning a particular service relating to the passenger's state of health, his dietary preferences, and so on,

e)       specific remarks made by airline staff,

f)       where appropriate, details of reservations in respect of car hire and hotel rooms,

D.       whereas PNR data vary according to the commercial practices followed by each airline and are processed by means of reservation centres, and whereas appropriate extraction programmes would therefore have to be devised by the airlines for the purpose of extracting the data which could legitimately be transferred,

As regards the principles of data protection on the European side

E.       whereas Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) as interpreted by the European Court of Human Rights(6) allows interference in private life only '...where it is provided for by law(7), where it is necessary(8) in a democratic society(9) to the pursuit of legitimate aims and where it is not disproportionate(10) in relation to the objective pursued,'

F.       whereas, at this stage, there is no legal basis in the European Union permitting the use of PNR commercial data for public-security purposes and whereas such a legal basis is essential in order to modify the purpose for which such were originally collected and to permit them to be used for public-security purposes,

G.       whereas such a legal basis must define the exact data to be collected, the rules to be followed for the processing of those data and the responsibilities of each party involved (passengers, airlines and public authorities),

H.       whereas the Council recently approved the Commission's negotiating mandate for an international agreement in this field,

... and on the US side

I.       whereas in the USA the protection of privacy, although mentioned in the Fourth Amendment to the Constitution, is not regarded as a fundamental right but

a)       is regulated by specific provisions (which do not, however, cover the transport sector) and by the Freedom of Information Act,

b)       grants only to US citizens and those legally resident the right to data protection and, in particular, the right of access to, and rectification of, only data held by the federal public authorities (1974 Privacy Act), with the result that

c)       no legal protection is currently granted in the case of data relating to non-US (and in particular European) passengers, nor is there any right of legal redress should the measures restricting the freedom to travel be abused,

As regards the legal impact of a decision on adequacy taken pursuant to Article 25 of Directive 95/46/EC

J.       aware of the fact that the draft Decision submitted by the Commission:

a)       is a measure designed merely to implement Directive 95/46/EC, which may not result in a lowering of the data-protection standards within the EU as established by means of Directive 95/46/EC,

b)       relates to a state of affairs which is still in a legal limbo both in the USA (since the 'undertakings' provided by the US side do not in all cases have legal effect) and in Europe (since no specific legal basis has yet been adopted which will enable PNR data to be legitimately transferred to public authorities),

c)       once it is adopted, will in practice deprive the Member States (which are currently responsible for protecting individuals as regards PNR data) of any scope for blocking transfers in order to uphold the rights of their citizens,

K.       regretting the fact that, throughout 2003, the Commission did not heed the repeated requests from Parliament and the data-supervision authorities calling upon it to:

a)       specify the data which could be legitimately transferred without risk (see the list of the 19 items suggested on 13 June 2003 by the Working Party referred to in Article 29 of Directive 95/46/EC(11)),

b)       immediately replace the 'pull' system (which is used without a legal basis by the US Administration and which has no filters for sensitive data or for non-transatlantic flights) with the 'push' system (which enables each airline to transfer only legitimate data and only in respect of flights to US destinations),

c)       negotiate an international agreement with the USA which will offer genuine guarantees for passengers or, at the very least, the same protection as is afforded to US citizens,

L.       sharing most of the reservations expressed unanimously by the data supervision authorities meeting within the Working Party referred to in Article 29 of Directive 95/46/EC, in particular on 29 January 2004(12),

1.  Considers that the Commission Decision of ... noting the adequate level of protection provided for personal data contained in the Passenger Name Records transferred to the US Bureau of Customs and Border Protection goes beyond the executive powers conferred on the Commission since:

As regards the legal basis and the form

1.1  The draft Decision is not (and could not be):

a)        a legal basis capable of enabling, within the European Union, the purpose for which the data were collected in the PNR to be changed and enabling them to be transferred by the airlines, in whole or in part, to third parties(13); its effect, however, may well be a lowering of the data-protection standards established by means of Directive 95/46/EC within the EU or the creation of new standards in agreement with third countries,

b)       an international agreement pursuant to which the Commission would be obliged to authorise the transfer of such data; one can only regret the ambiguous wording of some of the clauses contained in the Decision and of the appended undertakings (such as those concerning duration, monitoring arrangements, cases in which the Decision may be suspended or withdrawn, the terms and conditions under which the Member States may intervene, etc.), which might give the false impression that obligations could be derived from that text as they are explicitly excluded by clause 47, which stipulates that 'these Undertakings do not create any right or benefit on any person or party, private or public';

As regards substance

1.2  The draft decision is based on 'Undertakings', the binding nature of which is far from proven as regards both:

a)       the source, which is purely administrative (and therefore subject to possible re-organisations within the Department of Home Security which would make the separations between internal structures obsolete); and

b)       the substance (since, on the one hand, guarantees are mentioned for which there is as yet no legal basis in the USA and, on the other, the option is kept open of amending the rules at any time, with particular reference to the arrangements for using and re-using the data);

1.3.  The 'pull' system for accessing PNR data undermines any limitations that may be agreed and must be replaced by a 'push' system with appropriate filters,

2.  Considers the importance of the issue to be such that the European Union should come to an arrangement with the USA on the basis of a proper international agreement which, with due respect for fundamental rights, stipulates:

a)       the data which could be transferred in an automated way (APIS) and the data which could possibly be transferred on a case-by-case basis,

b)       the list of the serious crimes in respect of which an additional request could be made,

c)       the list of authorities and agencies which could share the data and the data-protection conditions to be respected,

d)       the data-retention period for the two kinds of data, it being clear that data dealing with the prevention of serious crimes have to be exchanged in accordance with the EU-US agreement on judicial cooperation and extradition,

e)       the role to be played by airlines in transferring passengers' data and the means envisaged (APIS, PNR, etc.) for public-security purposes,

f)       the guarantees to be offered to passengers in order to enable them to correct the data relating to them or provide an explanation in the event of a discrepancy between the data relating to a travel contract and the data shown in identity documents, visas, passports and so on,

g)       the airlines' responsibilities vis-à-vis passengers and the public authorities in the event of transcription or encoding errors and as regards protection of the data processed,

h)       the right to appeal to an independent authority and redress mechanisms in the event of infringements of passengers' rights;

3.  Declares itself ready to deal under urgent procedure with an international agreement which complies with the above-mentioned principles; considers that if such an agreement were to be adopted, the Commission could legitimately declare that data would be adequately protected in the USA;

4.  Calls on the Commission to submit to Parliament a new adequacy-finding decision and to ask the Council for a mandate for a strong new international agreement in compliance with the principles outlined in this resolution;

5.  Pending a permanent legislative solution or the conclusion of one or more international agreements, calls upon:

a)       the Member States to require immediate compliance with Community legislation and their own domestic laws on privacy and draws particular attention to the obligation imposed (pursuant to Article 26(1)(a) of Directive 95/46/EC) on airlines and travel agencies to obtain passengers' consent for the transfer of data; such consent must be given freely and passengers must be informed of the options open to them for influencing the content of their PNR, of the implications of failing to give consent and of the fact that an adequate level of protection does not exist in the USA;

b)       the Commission to act in order to ensure that Regulation (EC) No 2299/89 is enforced and, in particular, to check that data are not transferred (in particular by means of computer reservation systems) without a passenger's consent and that the administrations of third countries have no access to those systems;

6.  Calls on the Commission to block:

a)       the 'pull' system from 1 July 2004, and from that date onwards to apply the 'push' system with the 19 items suggested on 13 June 2003 by theWorking Party referred to in Article 29 of Directive 95/46/EC,

b)       the initiatives for establishing European centralised management of the PNR data as outlined in Communication COM(2003) 826 and recently confirmed by the competent Commissioner to the parliamentary committee, as such initiatives are for the time being in breach of the proportionality and subsidiarity principles;

7.  In the meantime, reserves the right to appeal to the Court of Justice should the draft decision be adopted by the Commission; reminds the Commission of the requirement for cooperation between institutions which is laid down in Article 10 of the Treaty and calls upon it not to take, during the election period, any decision such as the one with which this resolution is concerned;

8.  Reserves the right to bring an action before the Court of Justice in order to seek verification of the legality of the projected international agreement and, in particular, the compatibility thereof with the protection of a fundamental right;

9.  Considers it extremely important that the outcome of the negotiations should not be taken as a model for the EU's further work on the development of its own anti-crime measures, data storage and protection of confidentiality;

10.  Calls upon the Commission to withdraw the draft decision;

11.  Instructs its President to forward this resolution to the Council, the Commission, the parliaments and governments of the Member States and the US Congress.

(1)      OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1).
(2)      OJ L 220, 29.7.1989. Regulation as last amended by Regulation (EC) No 323/1999 (OJ L 40, 13.2.1999, p. 1).
(3)      P5_TA(2004)0141.
(4)      OJ L 184, 17.7.1999, p. 23.
(5)      FEDERAL REGISTER 68 FR 2101. TSA intends to use this system of records to facilitate TSA's passenger and aviation security screening programme under the Aviation and Transportation Security Act. TSA intends to use the CAPPS II system to conduct risk assessments to ensure passenger and aviation security.
(6)      European Court of Human Rights, Amann v. Switzerland judgment of 16 February 2000, Reports of Judgments and Decisions 2000-II, paragraph 65, and Rotaru v. Romania judgment of 4 May 2000, Reports of Judgments and Decisions 2000-V, paragraph 43.
(7)      Recourse to a 'law' is all the more justified where protection of a fundamental right is called for, since such protection cannot be left to administrative or purely implementing measures. A 'law' must be worded with a sufficient degree of precision to enable those who are covered by its provisions to regulate their conduct and it must meet the foreseeability requirement which emerges from the European Court of Human Rights case law (see in particular ECHR judgment, Rekvényi v. Hungary, 20 May 1999, Reports of Judgments and Decisions 1999-III, paragraph 34). In the case under consideration the law must also include explicit and detailed provisions concerning the persons authorised to consult records, the nature of those records, the procedure to be followed and the use which may be made of the information thus obtained (see ECHR judgment, Rotaru v. Romania, 4 May 2000).
(8)      The concept of 'necessity' implies that 'a pressing social need' is at issue and that the action taken must be 'proportionate to the legitimate aim pursued ' (see in particular ECHR judgment, Gillow v. United Kingdom, 24 November 1986, Series A No 109, paragraph 55), and that in this area the legislature enjoys a margin of discretion the scope of which will depend not only on the nature of the legitimate aim pursued but also on the particular nature of the interference involved (see ECHR judgment, Leander v. Sweden, 26 March 1987, Series A No 116, paragraph 59).
(9)      The 'democratic' society criterion applies to relations between public authorities and the general public and is to be regarded as being all the more in evidence where the general public controls the institutions, rather than the other way round. Of course, in any democracy, irrespective of the nature of such relations, any arrangement for gathering and systematically storing data must be very carefully assessed, particularly in cases where such data relate to individuals who do not constitute a threat to the community.
(10)      The proportionality criterion applies to all data-processing parameters (e.g. at what stage the data are transferred, which data are transferred, to whom and for what purpose, the length of data storage and the length of the dispensation). Under European law, such assessments must also be carried out bearing in mind the subsidiarity requirements which govern relations between the Member States and the European Union. This is all the more necessary in cases where, by virtue of an act passed by an institution, the Member States are prevented from intervening.
(11)      The data should include the following information: PNR record locator code, date of reservation, date(s) of travel, passenger name, other names held in the PNR, routing, free ticket identifiers, one-way tickets, ticketing field information, ATFQ (Automatic Ticket Fare Quote) data, ticket number, date upon which the ticket was issued, no-show history, number of items of luggage, luggage-label numbers, no-show information, number of items of luggage on each sector, voluntary or involuntary changes of class, details of changes made to the PNR data and relating to the above-mentioned items.
(13)      Furthermore, the obligation imposed on airlines under US law cannot be regarded as a sufficient 'legal obligation' within the meaning of Article 7(c) of Directive 95/46/EC, since the latter is to be interpreted in the light of the 'fundamental rights [which, according to settled case law,] form an integral part of the general principles of law, whose observance the Court ensures' (see in particular the judgment of 6 March 2001, in Case C-274/99 P Connolly v Commission, ECR I-1611, paragraph 37).