Comments from USA: The Practical Nomad blog: "Undertakings" by the USA on use of reservation data

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Edward Hasbrouck's blog

Monday, 2 February 2004
"Undertakings" by the USA on use of reservation data


...Statewatch has posted the complete text of the 12 January 2004 draft "Undertakings of the [USA] Department of Homeland Security Bureau of Customs and Border Protection (CBP)" on transfers of airline reservations data (passenger name records, or PNR's) from the European Union to the USA.....

But it's obvious on inspection to any travel agent or airline reservation representative that the "Undertakings" were written by people who've never seen a PNR, and have no idea what it contains, how the data is structured, or how it is entered.

Since I work with PNR's on a daily basis at Airtreks.com, and since my readers include Congressional and Parliamentary staff in several countries who need to evaluate the "Undertakings", it seems worth taking a few extra electrons hear to explain how the "undertakings" depart from reservation realities.

All this points to the need for a much more open process, in which privacy advocates with expertise in reservation data are involved in developing policies like these to govern their use.

The following numbered paragraphs are quoted from the "Undertakings", followed by my comments on each. The detailed breakdown of PNR data categories (Attachment "A" of the "Undertakings") is at the very bottom.

Legal Authority to Obtain PNR [2]

1) By legal statute (title 49, United States Code, section 44909© (3)) and its implementing (interim) regulations (title 19, Code of Federal Regulations, section 122.49b), each air carrier operating passenger flights in foreign air transportation to or from the United States, must provide CBP (formerly, the U.S. Customs Service) with electronic access to PNR data to the extent it is collected and contained in the air carrier's automated reservation/departure control systems ("reservation systems");

This is a correct statement of the law, but the data proposed to be transferred substantially exceeds that required by the law, in 2 respects:

1. The requirements of USA law and regulations are limited to data on passengers. But the draft "Undertakings" provide for transfer of all PNR's associated with the flight, including those related to those who never actually become passengers: PNR's that were never ticketed, cancelled PNR's , PNR's that were changed to other flights (and may have been changed to routings not touching the USA), no-show PNR's, etc.

2. Neither the USA law nor regulations makes any mention of data transfer in advance of flights. Implicitly, they apply only from the time of flight departure ("wheels up"), since only at that time can it be determined who is a passenger, and who is merely a potential passenger.

The portion of the undertakings related to non-passenger PNR's, and to access to PNR's in advance of "wheels up", must be evaluated as providing for transfer of data not required by any USA law or regulation. It does not come under the exceptions to EU law or regulations for data required by law.

Use of PNR Data by CBP

2) Most data elements contained in PNR data can be obtained by CBP upon examining a data subject's airline ticket and other travel documents pursuant to its normal border control authority, but the ability to receive this data electronically will significantly enhance CBP's ability to facilitate bona fide travel and conduct efficient and effective advance risk assessment of passengers;

The point of this clause is to minimize the violation of rights inherent in mandatory government access to PNR's, by claiming that only the manner, not the content, of data access is changing from current inspection of tickets and travel documents by border control officers.

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error