- Home /
- News /
- 2007 /
- June /
- EU-USA: European Data Protection Supervisor writes to German Council Presidency expressing "grave concern" at PNR proposals
EU-USA: European Data Protection Supervisor writes to German Council Presidency expressing "grave concern" at PNR proposals
01 June 2007
European Data Protection Supervisor, Peter Hustinx, letter to the German Council Presidency:
Hustinx letter, 27 June 2007: full-text (pdf). The letter expresses "grave concern" at the proposals to:
- extend the time personal data is held from 3.5 years to 15 years:
- data can be passed to a "broad range of US agencies" with "no limitation" on its further processing;
- the absence of a "robust legal mechanism" for EU citizens to "challenge misuse" of their data;
- and the fact that the US "wants to avoid a binding agreement"
Previous Statewatch coverage (21 June 2007):
EU-USA-PNR (passenger name record):
EU negotiators agree that PNR data will be held for 7 years, doubling the current 3.5 years, and in addition agree that data can be access for a further 8 years (so-called "dormant" data).
An "Extraordinary meeting" of the Permanent Representatives Committee (COREPER) was held in Luxembourg on 12 June 2007 during the Justice and Home Affairs Council. The sole subject on the agenda as the EU-USA PNR (passenger name record) agreement:
Minutes of COREPER meeting: EU doc no: 10994/07
The current "Undertakings" state that PNR data will be held for:
"3.5 years from the date the data is accessed (or received) from the air carrier's reservation system. After 3.5 years, PNR data that has not been manually accessed during that period of time, will be destroyed. PNR data that has been manually accessed during the initial 3.5 year period will be transferred by CBP to a deleted record file."
Under the proposed new agreement:
"PNR data would be kept for 7 years as "active" data and 8 years as "dormant" data."
Under the existing agreement data which has not been accessed for 3.5 years is destroyed. Under the proposed agreement all data will be held for 15 years.
Moreover, the new agreement will be
"supplemented by an exchange of letters acknowledging the unilateral undertakings that the Department of Homeland Security (DHS) is ready to adopt to protect the PNR data through a Statement of Record Notice (SORN). The precise nexus between the two is not agreed yet (the US side wants to avoid that the exchange of letters amounts to an agreement)."
The EU negotiators thus intend to accept the US demand that the protection of personal data is not covered by the formal agreement.
Moreover, the Department of Homeland Security (DHS) would get access to PNR data and not only the Customs and Border Protection Department (CBP).- the DHS, under US law, has to ensure that "terrorism information" is passed promptly
"to the head of each other agency that has counterterrorist functions". The EU is effectively agreeing that the USA can pass personal data to a multitude of agencies (who may further process it).
The only apparent concession is that the data fields will be reduced from 34 to 19 - though it is not known which will be deleted.
Background:
EU-USA PNR agreement renegotiated to meet US demands - when the law changes in the USA so too does access to data and how it is processed:
EU-USA PNR (passenger name record) agreement of 6 October 2006: Full-text plus
Original agreement of 17 May 2004 (pdf)
US Undertakings attached to agreement, 2004 (pdf). See: House of Lords EU Committee report:
The EU/US Passenger Name Record (PNR) Agreement (139 pages, pdf) See for full historical background: