U.S.-EU PNR Arrangement

Overview
In the aftermath of September 11th, the United States Congress required the U.S. Customs Service (what would become the United States Department of Homeland Security’s Bureau of Customs and Border Protection (CBP) with the creation of the United States Department of Homeland Security (DHS)) to require air carriers to provide Customs with access to passenger name records (PNR) for purposes of screening individuals traveling to and from the United States.3 PNR is originally collected by airlines and airline reservation systems for commercial purposes and then shared with CBP consistent with the Aviation Transportation Security Act of 2001 (ATSA).

In 2002, following the publication of the U.S. Customs Service interim PNR implementing regulations, the European Commission (EC) advised DHS that an EU Data Protection Directive4 generally prohibited cross-border sharing with non-EU countries. Transfers outside the EU could only be made following a determination that the receiving entity in the third country was deemed to have “adequate” data protection standards.

To avoid a potential conflict of laws between the U.S. and EU, DHS and the EU negotiated an Interim Arrangement on PNR. The Arrangement was concluded in March 2003. CBP then issued implementation guidance to its Officers in the field to ensure that PNR data received from Europe was treated consistent with the Interim Arrangement.

On May 28, 2004, U.S. Department of Homeland Security (DHS) and the European Union (EU) signed an international agreement regarding the processing of PNR, which replaced the Interim Arrangement. The Agreement followed CBP’s issuance of a set of Undertakings setting forth how CBP would process and transfer PNR data received in connection with flights between the EU and the U.S. and the subsequent issuance of an Adequacy Finding by the EU concerning such transfers. As part of the Undertakings, DHS and CBP provided for a Joint Review to take place between the U.S. and EU to examine CBP’s implementation of the Undertakings. The Undertakings also created a compliance and complaint resolution role for the DHS Chief Privacy Officer and specified that the Privacy Office should lead an annual review of the Arrangements.

In December 2004, the Congress strengthened DHS’s authority for collecting PNR by requiring that, where practicable, the Department should conduct passenger screening before individuals depart on a flight destined for the United States.5 In September 2005, the Privacy Office completed its review of the PNR program and issued a public report reviewing CBP’s policies and practices consistent with the U.S.-EU arrangement. That review resulted in findings of substantial compliance, but included key areas for improvement. The Report was issued in conjunction with the U.S.-EU Joint Review of the Undertakings on EU PNR held September 2005.

PNR information is a critical tool used by CBP in such screening of travelers to identify individuals of interest who are planning to travel to the United States.

In May 2006, the European Court of Justice (ECJ) responded to a complaint filed by the European Parliament that challenged the legal basis for the PNR Agreement. The ECJ found that the Agreement had in fact been concluded under inappropriate EU legal authority and therefore found the Agreement invalid.

As a result, the DHS and the EU negotiated and concluded interim agreement in October 2006. The Agreement responded to the ECJ decision and lessons learned from the implementation of the 2004 Agreement. This Interim Agreement self terminated in 2007. In July 2007, DHS and the EU signed a superseding Agreement and exchanged Letters describing commitments made with regard to the use of PNR. In August 2007, DHS issued an updated Privacy Act System of Records Notice (SORN) for the Automated Targeting System (ATS), the system in which PNR resides. With the 2007 Agreement, the parties agreed to conduct periodic reviews. Compared with the earlier arrangement, this agreement did not specify that any one component of DHS or the European Union was responsible for conducting the review. Instead the agreement deemed the Secretary of Homeland Security and the Commissioner for Justice, Freedom and Security would be responsible for review.

In advance of the second Joint Review with the European Union, the Privacy Office conducted an assessment of the Department’s and CBP’s policies and uses of EU PNR. The Privacy Office reviewed the requirements of the ATS SORN, the 2007 Agreement, the 2007 Letter and the issues identified in the 2005 Report Concerning Passenger Name Record Information Delivered from Flights between the U.S. and European Union.