Point in time view as at 14/05/2004.
There are currently no known outstanding effects for the Commission Decision of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection (notified under document number C(2004) 1914) (Text with EEA relevance) (2004/535/EC).
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof,
Whereas:
(1) Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, particular consideration being given to a number of elements relevant for the transfer and listed in Article 25(2) thereof.
(4) In the framework of air transport, the ‘Passenger Name Record’ (PNR) is a record of each passenger’s travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating airlines. For the purposes of this Decision, the terms ‘passenger’ and ‘passengers’ include crew members. ‘Booking airline’ means an airline with which the passenger made his original reservations or with which additional reservations were made after commencement of the journey. ‘Participating airlines’ means any airline on which the booking airline has requested space, on one or more of its flights, to be held for a passenger.
(5) The United States Bureau of Customs and Border Protection (CBP) of the Department of Homeland Security (DHS) requires each carrier, operating passenger flights in foreign air transportation to or from the United States, to provide it with electronic access to PNR to the extent that PNR is collected and contained in the air carrier’s automated reservation system.
(6) The requirements for personal data contained in the PNR of air passengers to be transferred to CBP, are based on a statute enacted by the United States in November 2001(2), and upon implementing regulations adopted by CBP under that statute(3).
(7) The United States legislation in question concerns the enhancement of security and the conditions under which persons may enter and leave the country, matters on which the United States has the sovereign power to decide within its jurisdiction. The requirements laid down are not, moreover, inconsistent with any international commitments which the United States has undertaken. The United States is a democratic country, governed by the rule of law and with a strong civil liberties tradition. The legitimacy of its law-making process and strength and independence of its judiciary are not in question. Press freedom is a further strong guarantee against the abuse of civil liberties.
(8) The Community is fully committed to supporting the United States in the fight against terrorism within the limits imposed by Community law. Community law provides for striking the necessary balances between security concerns and privacy concerns. For example, Article 13 of Directive 95/46/EC provides that Member States may legislate to restrict the scope of certain requirements of that Directive, where it is necessary to do so for reasons of national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.
(9) The data transfers concerned involve specific controllers, namely airlines operating flights between the Community and the United States, and only one recipient in the United States, namely CBP.
(10) Any arrangement to provide a legal framework for PNR transfers to the United States, in particular through this Decision should be time-limited. A period of three and a half years has been agreed. During this period, the context may change significantly and the Community and the United States agree that a review of the arrangements will be necessary.
(11) The processing by CBP of personal data contained in the PNR of air passengers transferred to it is governed by conditions set out in the Undertakings of the Department of Homeland Security Bureau of Customs and Border Protection (CBP) of 11 May 2004 (hereinafter referred to as the Undertakings) and in United States domestic legislation to the extent indicated in the Undertakings.
(12) As regards domestic law in the United States, the Freedom of Information Act (FOIA) is relevant in the present context in so far as it controls the conditions under which CBP may resist requests for disclosure and thus keep PNR confidential. The Act governs the disclosure of PNR to the person whom it concerns, closely linked to the data subject’s right of access. It applies without distinction to United States and non-United States citizens.
(13) As regards the Undertakings, and as provided in paragraph 44 thereof, the statements in the Undertakings will be, or have already been, incorporated in statutes, regulations, directives or other policy instruments in the United States and will thus have varying degrees of legal effect. The Undertakings will be published in full in the Federal Register under the authority of the DHS. As such, they represent a serious and well considered political commitment on the part of the DHS and their compliance will be subject to joint review by the United States and the Community. Non-compliance could be challenged as appropriate through legal, administrative and political channels and, if persistent, would lead to the suspension of the effects of this Decision.
(14) The standards by which CBP will process passengers’ PNR data on the basis of United States legislation and the Undertakings cover the basic principles necessary for an adequate level of protection for natural persons.
(15) As regards the purpose limitation principle, air passengers’ personal data contained in the PNR transferred to CBP will be processed for a specific purpose and subsequently used or further communicated only in so far as this is not incompatible with the purpose of the transfer. In particular, PNR data will be used strictly for purposes of preventing and combating: terrorism and related crimes; other serious crimes, including organised crime, that are transnational in nature; and flight from warrants or custody for those crimes.
(16) As regards the data quality and proportionality principle, which need to be considered in relation to the important public interest grounds for which PNR data are transferred, PNR data provided to CBP will not subsequently be changed by it. A maximum of 34 PNR data categories will be transferred and the United States authorities will consult the Commission before adding any new requirements. Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels. As a general rule, PNR will be deleted after a maximum of three years and six months, with exceptions for data that have been accessed for specific investigations, or otherwise manually accessed.
(17) As regards the transparency principle, CBP will provide information to travellers as to the purpose of the transfer and processing, and the identity of the data controller in the third country, as well as other information.
(18) As regards the security principle, technical and organisational security measures are taken by CBP which are appropriate to the risks presented by the processing.
(19) The rights of access and rectification are recognised, in that the data subject may request a copy of PNR data and rectification of inaccurate data. The exceptions provided for are broadly comparable with the restrictions which may be imposed by Member States under Article 13 of Directive 95/46/EC.
(20) Onward transfers will be made to other government authorities, including foreign government authorities, with counter-terrorism or law-enforcement functions, on a case-by-case basis, for purposes that correspond to those set out in the statement of purpose limitation. Transfers may also be made for the protection of the vital interests of the data subject or of other persons, in particular as regards significant health risks, or in any criminal judicial proceedings or as otherwise required by law. Receiving agencies are bound by the express terms of disclosure to use the data only for those purposes and may not transfer the data onwards without the agreement of CBP. No other foreign, federal, State or local agency has direct electronic access to PNR data through CBP databases. CBP will refuse public disclosure of PNR, by virtue of exemptions from the relevant provisions of FOIA.
(21) CBP does not use sensitive data as referred to in Article 8 of Directive 95/46/EC, and, until a system of filters to exclude such data from PNR transferred to the United States is in place, undertakes to introduce the means to delete them and in the meantime not to use them.
(22) As regards the enforcement mechanisms to ensure compliance by CBP with these principles, the training and information of CBP staff is provided for, as well as sanctions with regard to individual staff members. CBP’s respect for privacy in general will be under the scrutiny of the DHS’s Chief Privacy Officer, who is an official of the DHS but has a large measure of organisational autonomy and must report annually to Congress. Persons whose PNR data has been transferred may address complaints to CBP, or if unresolved, to the DHS Chief Privacy Officer, directly or through data protection authorities in Member States. The DHS Privacy Office will address, on an expedited basis, complaints referred to it by data protection authorities in Member States on behalf of residents of the Community, if the resident believes his or her complaint has not been satisfactorily dealt with by CBP or the DHS Privacy Office. Compliance with the Undertakings will be the subject of annual joint review to be conducted by CBP, in conjunction with DHS, and a Commission-led team.
(23) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(24) The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered opinions on the level of protection provided by the United States authorities for passengers’ data, which have guided the Commission throughout its negotiations with the DHS. The Commission has taken note of these opinions in the preparation of this Decision(4).
(25) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:
For the purposes of Article 25(2) of Directive 95/46/EC, the United States’ Bureau of Customs and Border Protection (hereinafter referred to as CBP) is considered to ensure an adequate level of protection for PNR data transferred from the Community concerning flights to or from the United States, in accordance with the Undertakings set out in the Annex.
This Decision concerns the adequacy of protection provided by CBP with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and shall not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to CBP in order to protect individuals with regard to the processing of their personal data in the following cases:
(a) where a competent United States authority has determined that CBP is in breach of the applicable standards of protection; or
(b) where there is a substantial likelihood that the standards of protection set out in the Annex are being infringed, there are reasonable grounds for believing that CBP is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects, and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide CBP with notice and an opportunity to respond.
2. Suspension shall cease as soon as the standards of protection are assured and the competent authorities of the Member States concerned are notified thereof.
1. Member States shall inform the Commission without delay when measures are adopted pursuant to Article 3.
2. The Member States and the Commission shall inform each other of any changes in the standards of protection and of cases where the action of bodies responsible for ensuring compliance with the standards of protection by CBP as set out in the Annex fails to secure such compliance.
3. If the information collected pursuant to Article 3 and pursuant to paragraphs 1 and 2 of this Article provides evidence that the basic principles necessary for an adequate level of protection for natural persons are no longer being complied with, or that any body responsible for ensuring compliance with the standards of protection by CBP as set out in the Annex is not effectively fulfilling its role, CBP shall be informed and, if necessary, the procedure referred to in Article 31(2) of Directive 95/46/EC shall apply with a view to repealing or suspending this Decision.
The functioning of this Decision shall be monitored and any pertinent findings reported to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision that protection of personal data contained in the PNR of air passengers transferred to CBP is adequate within the meaning of Article 25 of Directive 95/46/EC.
Member States shall take all the measures necessary to comply with the Decision within four months of the date of its notification.
This Decision shall expire three years and six months after the date of its notification, unless extended in accordance with the procedure set out in Article 31(2) of Directive 95/46/EC.
This Decision is addressed to the Member States.
Done at Brussels, 14 May 2004.
For the Commission
Frederik Bolkestein
Member of the Commission
In support of the plan of the European Commission (Commission) to exercise the powers conferred on it by Article 25(6) of Directive 95/46/EC (the Directive) and to adopt a decision recognising the Department of Homeland Security Bureau of Customs and Border Protection (CBP) as providing adequate protection for the purposes of air carrier transfers of Passenger(5) Name Record (PNR) data which may fall within the scope of the Directive, CBP undertakes as follows:
11 May 2004
PNR record locator code
Date of reservation
Date(s) of intended travel
Name
Other names on PNR
Address
All forms of payment information
Billing address
Contact telephone numbers
All travel itinerary for specific PNR
Frequent flyer information (limited to miles flown and address(es))
Travel agency
Travel agent
Code share PNR information
Travel status of passenger
Split/divided PNR information
E-mail address
Ticketing field information
General remarks
Ticket number
Seat number
Date of ticket issuance
No show history
Bag tag numbers
Go show information
OSI information
SSI/SSR information
Received from information
All historical changes to the PNR
Number of travellers on PNR
Seat information
One-way tickets
Any collected APIS (Advanced Passenger Information System) information
ATFQ (Automatic Ticketing Fare Quote) fields
OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1).
Title 49, United States Code, section 44909(c)(3).
Title 19, Code of Federal Regulations, section 122.49b.
Opinion 6/2002 on transmission of passenger manifest information and other data from airlines to the United States, adopted by the Working Party on 24 October 2002, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2002/wp66_en.pdf;
Opinion 4/2003 on the level of protection ensured in the United States for the transfer of passengers’ data, adopted by the Working Party on 13 June 2003, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp78_en.pdf;
Opinion 2/2004 on the adequate protection of personal data contained in the PNR of air passengers to be transferred to the United States’ Bureau of Customs and Border Protection (US CBP), adopted by the Working Party on 29 January 2004, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp87_en.pdf
For the purposes of these Undertakings, the terms ‘passenger’ and ‘passengers’ shall include crew members.
For purposes of this provision, CBP is not considered a party directly involved in the CAPPS II testing or a ‘third party’.
Prior to CBP’s implementation of automated filters (as referenced in paragraph 10 hereof), if ‘sensitive’ data exists in a PNR which is the subject of a non-discretionary disclosure by CBP as described in paragraph 35 hereof, CBP will make every effort to limit the release of ‘sensitive’ PNR data, consistent with US law.
This would include persons transiting through the United States.
In the event that the air carriers agree to push the PNR data to CBP, the agency will engage in discussions with the air carriers regarding the possibility of pushing PNR data at periodic intervals between 72 hours before departure of the flight from a foreign point and the flight’s arrival in the United States, or within 72 hours before the departure of the flight from the United States, as applicable. CBP seeks to utilise a method of pushing the necessary PNR data that meets the agency’s needs for effective risk assessment, while minimising the economic impact upon air carriers.
These authorised CBP users would include employees assigned to analytical units in the field offices, as well as employees assigned to the National Targeting Center. As indicated previously, persons charged with maintaining, developing or auditing the CBP database will also have access to such data for those limited purposes.
Although the PNR record is not technically deleted when it is transferred to the Deleted Record File, it is stored as raw data (not a readily searchable form and, therefore, of no use for ‘traditional’ law enforcement investigations) and is only available to authorised personnel in the Office of Internal Affairs for CBP (and in some cases the Office of the Inspector General in connection with audits) and personnel responsible for maintaining the database in CBP’s Office of Information Technology, on a ‘need to know’ basis.
Access by ‘contractors’ to any PNR data contained in the CBP computer systems would be confined to persons under contract with CBP to assist in the maintenance or development of CBP’s computer system.
CBP would invoke these exemptions uniformly, without regard to the nationality or country of residence of the subject of the data.
By ‘rectify’, CBP wishes to make clear that it will not be authorised to revise the data within the PNR record that it accesses from the air carriers. Rather, a separate record linked to the PNR record will be created to note that the data were determined to be inaccurate and the proper correction. Specifically, CBP will annotate the passenger’s secondary examination record to reflect that certain data in the PNR may be or are inaccurate.
The DHS Chief Privacy Officer is independent of any directorate within the Department of Homeland Security. She is statutorily obligated to ensure that personal information is used in a manner that complies with relevant laws (see footnote 13). The determinations of the Chief Privacy Officer shall be binding on the Department and may not be overturned on political grounds.
Pursuant to section 222 of the Homeland Security Act of 2002 (the Act) (Public Law 107-296, dated 25 November 2002), the Privacy Officer for DHS is charged with conducting a ‘privacy impact assessment’ of proposed rules of the Department on ‘the privacy of personal information, including the type of personal information collected and the number of people affected’ and must report to Congress on an annual basis regarding the ‘activities of the Department that affect privacy ...’. Section 222(5) of the Act also expressly directs the DHS Privacy Officer to hear and report to Congress regarding all ‘complaints of privacy violations’.
The composition of the teams on both sides will be notified to each other in advance and may include appropriate authorities concerned with privacy/data protection, customs control and other forms of law enforcement, border security and/or aviation security. Participating authorities will be required to obtain any necessary security clearances and will adhere to the confidentiality of the discussions and documentation to which they may be given access. Confidentiality will not however be an obstacle to each side making an appropriate report on the results of the joint review to their respective competent authorities, including the US Congress and the European Parliament. However, under no circumstances may participating authorities disclose any personal data of a data subject; nor may participating authorities disclose any non-public information derived from documents to which they are given access, or any operational or internal agency information they obtain during the joint review. The two sides will mutually determine the detailed modalities of the joint review.