Commission Decision of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States’ Bureau of Customs and Border Protection (notified under document number C(2004) 1914) (Text with EEA relevance) (2004/535/EC)

  1. Introductory Text

  2. Article 1.For the purposes of Article 25(2) of Directive 95/46/EC, the...

  3. Article 2.This Decision concerns the adequacy of protection provided by CBP...

  4. Article 3.(1) Without prejudice to their powers to take action to...

  5. Article 4.(1) Member States shall inform the Commission without delay when...

  6. Article 5.The functioning of this Decision shall be monitored and any...

  7. Article 6.Member States shall take all the measures necessary to comply...

  8. Article 7.This Decision shall expire three years and six months after...

  9. Article 8.This Decision is addressed to the Member States.

  10. Signature

    1. ANNEX

      UNDERTAKINGS OF THE DEPARTMENT OF HOMELAND SECURITY BUREAU OF CUSTOMS AND BORDER PROTECTION (CBP)

      1. In support of the plan of the European Commission (Commission)...

      2. Legal authority to obtain PNR

        1. 1. By legal statute (title 49, United States Code, section 44909(c)(3))...

      3. Use of PNR data by CBP

        1. 2. Most data elements contained in PNR data can be obtained...

        2. 3. PNR data are used by CBP strictly for purposes of...

      4. Data requirements

        1. 4. Data elements which CBP require are listed herein at Attachment...

        2. 5. With respect to the data elements identified as ‘OSI’ and...

        3. 6. Additional personal information sought as a direct result of PNR...

        4. 7. CBP will consult with the European Commission regarding revision of...

        5. 8. CBP may transfer PNRs on a bulk basis to the...

      5. Treatment of ‘sensitive’ data

        1. 9. CBP will not use ‘sensitive’ data (i.e. personal data revealing...

        2. 10. CBP will implement, with the least possible delay, an automated...

        3. 11. Until such automated filters can be implemented CBP represents that...

      6. Method of accessing PNR data

        1. 12. With regard to the PNR data which CBP access (or...

        2. 13. CBP will ‘pull’ passenger information from air carrier reservation systems...

        3. 14. CBP will pull PNR data associated with a particular flight...

      7. Storage of PNR data

        1. 15. Subject to the approval of the National Archives and Records...

      8. CBP computer system security

        1. 16. Authorised CBP personnel obtain access to PNR through the closed...

        2. 17. No other foreign, federal, State or local agency has direct...

        3. 18. Details regarding access to information in CBP databases (such as...

        4. 19. Only certain CBP officers, employees or information technology contractors (under...

        5. 20. CBP officers, employees and contractors are required to complete security...

        6. 21. Unauthorised access by CBP personnel to air carrier reservation systems...

        7. 22. CBP policy and regulations also provide for stringent disciplinary action...

        8. 23. Criminal penalties (including fines, imprisonment of up to one year,...

      9. CBP treatment and protection of PNR data

        1. 24. CBP treats PNR information regarding persons of any nationality or...

        2. 25. Public disclosure of PNR data is generally governed by the...

        3. 26. CBP regulations (title 19, Code of Federal Regulations, section 103.12),...

        4. 27. CBP will take the position in connection with any administrative...

      10. Transfer of PNR data to other government authorities

        1. 28. With the exception of transfers between CBP and TSA pursuant...

        2. 29. CBP, in its discretion, will only provide PNR data to...

        3. 30. CBP will judiciously exercise its discretion to transfer PNR data...

        4. 31. For purposes of regulating the dissemination of PNR data which...

        5. 32. Each disclosure of PNR data by CBP will be conditioned...

        6. 33. Persons employed by such Designated Authorities who without appropriate authorisation...

        7. 34. No statement herein shall impede the use or disclosure of...

        8. 35. No statement in these Undertakings shall impede the use or...

      11. Notice, access and opportunities for redress for PNR data subjects...

        1. 36. CBP will provide information to the travelling public regarding the...

        2. 37. Requests by the data subject (also known as first party...

        3. 38. In certain exceptional circumstances, CBP may exercise its authority under...

        4. 39. CBP will undertake to rectify data at the request of...

        5. 40. Requests for rectification of PNR data contained in CBP’s database...

        6. 41. In the event that a complaint cannot be resolved by...

        7. 42. Additionally, the DHS Privacy Office will address on an expedited...

      12. Compliance issues

        1. 43. CBP, in conjunction with DHS, undertakes to conduct once a...

        2. 44. CBP will issue regulations, directives or other policy documents incorporating...

      13. Reciprocity

        1. 45. In the event that an airline passenger identification system is...

      14. Review and termination of Undertakings

        1. 46. These Undertakings shall apply for a term of three years...

      15. No private right or precedent created

        1. 47. These Undertakings do not create or confer any right or...

        2. 48. The provisions of these Undertakings shall not constitute a precedent...

      16. 11 May 2004

    2. ATTACHMENT A

      PNR data elements required by CBP from air carriers

      1. PNR record locator code Date of reservation Date(s) of intended...