By legal statute (title 49, United States Code, section 44909(c)(3)) and its implementing (interim) regulations (title 19, Code of Federal Regulations, section 122.49b), each air carrier operating passenger flights in foreign air transportation to or from the United States, must provide CBP (formerly, the US Customs Service) with electronic access to PNR data to the extent it is collected and contained in the air carrier’s automated reservation/departure control systems (reservation systems).

Most data elements contained in PNR data can be obtained by CBP upon examining a data subject’s airline ticket and other travel documents pursuant to its normal border control authority, but the ability to receive this data electronically will significantly enhance CBP’s ability to facilitate bona fide travel and conduct efficient and effective advance risk assessment of passengers.

PNR data are used by CBP strictly for purposes of preventing and combating: 1. terrorism and related crimes; 2. other serious crimes, including organised crime, that are transnational in nature; and 3. flight from warrants or custody for the crimes described above. Use of PNR data for these purposes permits CBP to focus its resources on high-risk concerns, thereby facilitating and safeguarding bona fide travel.

Data elements which CBP require are listed herein at Attachment A. (Such identified elements are hereinafter referred to as ‘PNR’ for purposes of these Undertakings.) Although CBP requires access to each of those 34 (thirty-four) data elements listed in Attachment A, CBP believes that it will be rare that an individual PNR will include a full set of the identified data. In those instances where the PNR does not include a full set of the identified data, CBP will not seek direct access from the air carrier’s reservation system to other PNR data which are not listed on Attachment A.

With respect to the data elements identified as ‘OSI’ and ‘SSI/SSR’ (commonly referred to as general remarks and open fields), CBP’s automated system will search those fields for any of the other data elements identified in Attachment A. CBP personnel will not be authorised to manually review the full OSI and SSI/SSR fields unless the individual that is the subject of a PNR has been identified by CBP as high-risk in relation to any of the purposes identified in paragraph 3 hereof.

Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels, including through the use of mutual legal assistance channels where appropriate, and only for the purposes set forth in paragraph 3 hereof. For example, if a credit card number is listed in a PNR, transaction information linked to that account may be sought, pursuant to lawful process, such as a subpoena issued by a grand jury or a court order, or as otherwise authorised by law. In addition, access to records related to e-mail accounts derived from a PNR will follow US statutory requirements for subpoenas, court orders, warrants, and other processes as authorised by law, depending on the type of information being sought.

CBP will consult with the European Commission regarding revision of the required PNR data elements (Attachment A), prior to effecting any such revision, if CBP becomes aware of additional PNR fields that airlines may add to their systems which would significantly enhance CBP's ability to conduct passenger risk assessments or if circumstances indicate that a previously non-required PNR field will be needed to fulfil the limited purposes referred to in paragraph 3 of these Undertakings.

CBP will not use ‘sensitive’ data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning the health or sex life of the individual) from the PNR, as described below.

CBP will implement, with the least possible delay, an automated system which filters and deletes certain ‘sensitive’ PNR codes and terms which CBP has identified in consultation with the European Commission.

CBP will ‘pull’ passenger information from air carrier reservation systems until such time as air carriers are able to implement a system to ‘push’ the data to CBP.

Authorised CBP personnel obtain access to PNR through the closed CBP intranet system which is encrypted end-to-end and the connection is controlled by the Customs Data Center. PNR data stored in the CBP database are limited to ‘read only’ access by authorised personnel, meaning that the substance of the data may be programmatically reformatted, but will not be substantively altered in any manner by CBP once accessed from an air carrier’s reservation system.

No other foreign, federal, State or local agency has direct electronic access to PNR data through CBP databases (including through the Interagency Border Inspection System (IBIS)).

Details regarding access to information in CBP databases (such as who, where, when (date and time) and any revisions to the data) are automatically recorded and routinely audited by the Office of Internal Affairs to prevent unauthorised use of the system.

CBP officers, employees and contractors are required to complete security and data privacy training, including passage of a test, on a biennial basis. CBP system auditing is used to monitor and ensure compliance with all privacy and data security requirements.

Unauthorised access by CBP personnel to air carrier reservation systems or the CBP computerised system which stores PNR is subject to strict disciplinary action (which may include termination of employment) and may result in criminal sanctions being imposed (fines, imprisonment of up to one year, or both) (see title 18, United States Code, section 1030).

CBP policy and regulations also provide for stringent disciplinary action (which may include termination of employment) to be taken against any CBP employee who discloses information from CBP’s computerised systems without official authorisation (title 19, Code of Federal Regulations, section 103.34).

Criminal penalties (including fines, imprisonment of up to one year, or both) may be assessed against any officer or employee of the United States for disclosing PNR data obtained in the course of his employment, where such disclosure is not authorised by law (see title 18, United States Code, sections 641, 1030, 1905).

CBP treats PNR information regarding persons of any nationality or country of residence as law-enforcement sensitive, confidential personal information of the data subject, and confidential commercial information of the air carrier, and, therefore, would not make disclosures of such data to the public, except as in accordance with these Undertakings or as otherwise required by law.

Public disclosure of PNR data is generally governed by the Freedom of Information Act (FOIA) (title 5, United States Code, section 552) which permits any person (regardless of nationality or country of residence) access to a US federal agency’s records, except to the extent such records (or a portion thereof) are protected from public disclosure by an applicable exemption under the FOIA. Among its exemptions, the FOIA permits an agency to withhold a record (or a portion thereof) from disclosure where the information is confidential commercial information, where disclosure of the information would constitute a clearly unwarranted invasion of personal privacy, or where the information is compiled for law enforcement purposes, to the extent that disclosure may reasonably be expected to constitute an unwarranted invasion of personal privacy (title 5, United States Code, sections 552(b)(4), (6), (7)(C)).

CBP will take the position in connection with any administrative or judicial proceeding arising out of a FOIA request for PNR information accessed from air carriers, that such records are exempt from disclosure under the FOIA.

With the exception of transfers between CBP and TSA pursuant to paragraph 8 herein, Department of Homeland Security (DHS) components will be treated as ‘third agencies’, subject to the same rules and conditions for sharing of PNR data as other government authorities outside DHS.

CBP, in its discretion, will only provide PNR data to other government authorities, including foreign government authorities, with counter-terrorism or law-enforcement functions, on a case-by-case basis, for purposes of preventing and combating offences identified in paragraph 3 herein. (Authorities with whom CBP may share such data shall hereinafter be referred to as the Designated Authorities).

CBP will judiciously exercise its discretion to transfer PNR data for the stated purposes. CBP will first determine if the reason for disclosing the PNR data to another Designated Authority fits within the stated purpose (see paragraph 29 herein). If so, CBP will determine whether that Designated Authority is responsible for preventing, investigating or prosecuting the violations of, or enforcing or implementing, a statute or regulation related to that purpose, where CBP is aware of an indication of a violation or potential violation of law. The merits of disclosure will need to be reviewed in light of all the circumstances presented.

For purposes of regulating the dissemination of PNR data which may be shared with other Designated Authorities, CBP is considered the ‘owner’ of the data and such Designated Authorities are obligated by the express terms of disclosure to: 1. use the PNR data only for the purposes set forth in paragraph 29 or 34 herein, as applicable; 2. ensure the orderly disposal of PNR information that has been received, consistent with the Designated Authority’s record retention procedures; and 3. obtain CBP’s express authorisation for any further dissemination. Failure to respect the conditions for transfer may be investigated and reported by the DHS Chief Privacy Officer and may make the Designated Authority ineligible to receive subsequent transfers of PNR data from CBP.

Each disclosure of PNR data by CBP will be conditioned upon the receiving agency’s treatment of this data as confidential commercial information and law enforcement sensitive, confidential personal information of the data subject, as identified in paragraphs 25 and 26 hereof, which should be treated as exempt from disclosure under the Freedom of Information Act (5 U.S.C. 552). Further, the recipient agency will be advised that further disclosure of such information is not permitted without the express prior approval of CBP. CBP will not authorise any further transfer of PNR data for purposes other than those identified in paragraphs 29, 34 or 35 herein.

Persons employed by such Designated Authorities who without appropriate authorisation disclose PNR data, may be liable for criminal sanctions (title 18, United States Code, sections 641, 1030 and 1905).

No statement herein shall impede the use or disclosure of PNR data to relevant government authorities, where such disclosure is necessary for the protection of the vital interests of the data subject or of other persons, in particular as regards significant health risks. Disclosures for these purposes will be subject to the same conditions for transfers set forth in paragraphs 31 and 32 of these Undertakings.

No statement in these Undertakings shall impede the use or disclosure of PNR data in any criminal judicial proceedings or as otherwise required by law. CBP will advise the European Commission regarding the passage of any US legislation which materially affects the statements made in these Undertakings.

CBP will provide information to the travelling public regarding the PNR requirement and the issues associated with its use (i.e. general information regarding the authority under which the data are collected, the purpose for the collection, protection of the data, data-sharing, the identity of the responsible official, procedures available for redress and contact information for persons with questions or concerns, etc., for posting on CBP’s website, in travel pamphlets, etc.).

Requests by the data subject (also known as first party requesters) to receive a copy of PNR data contained in CBP databases regarding the data subject are processed under the Freedom of Information Act (FOIA). Such requests may be addressed to: Freedom of Information Act (FOIA) Request, US Customs and Border Protection, 1300 Pennsylvania Avenue, NW, Washington, DC 20229, if by mail; or such request may be delivered to the Disclosure Law Officer, US Customs and Border Protection, Headquarters, Washington, DC. Further information regarding the procedures for making FOIA requests is contained in section 103.5 of title 19 of the US Code of Federal Regulations. In the case of a first-party request, the fact that CBP otherwise considers PNR data to be confidential personal information of the data subject and confidential commercial information of the air carrier will not be used by CBP as a basis under FOIA for withholding PNR data from the data subject.

In certain exceptional circumstances, CBP may exercise its authority under FOIA to deny or postpone disclosure of all (or, more likely, part) of the PNR record to a first party requester, pursuant to title 5, United States Code, section 552(b) (e.g. if disclosure under FOIA ‘could reasonably be expected to interfere with enforcement proceedings’ or ‘would disclose techniques and procedures for law enforcement investigations (...) (which) could reasonably be expected to risk circumvention of the law’). Under FOIA, any requester has the authority to administratively and judicially challenge CBP’s decision to withhold information (see 5 U.S.C. 552(a)(4)(B); 19 CFR 103.7 to 103.9).

Requests for rectification of PNR data contained in CBP’s database and complaints by individuals about CBP’s handling of their PNR data may be made, either directly or via the relevant DPA (to the extent specifically authorised by the data subject) to the Assistant Commissioner, Office of Field Operations, US Bureau of Customs and Border Protection, 1300 Pennsylvania Avenue, NW, Washington, DC 20229.

CBP will issue regulations, directives or other policy documents incorporating the statements herein, to ensure compliance with these Undertakings by CBP officers, employees and contractors. As indicated herein, failure of CBP officers, employees and contractors to abide by CBP’s policies incorporated therein may result in strict disciplinary measures being taken, and criminal sanctions, as applicable.

In the event that an airline passenger identification system is implemented in the European Union which requires air carriers to provide authorities with access to PNR data for persons whose current travel itinerary includes a flight to or from the European Union, CBP shall, strictly on the basis of reciprocity, encourage US-based airlines to cooperate.

These Undertakings shall apply for a term of three years and six months (3,5 years), beginning on the date upon which an agreement enters into force between the United States and the European Community, authorising the processing of PNR data by air carriers for purposes of transferring such data to CBP, in accordance with the Directive. After these Undertakings have been in effect for two years and six months (2,5 years), CBP, in conjunction with DHS, will initiate discussions with the Commission with the goal of extending the Undertakings and any supporting arrangements, upon mutually acceptable terms. If no mutually acceptable arrangement can be concluded prior to the expiration date of these Undertakings, the Undertakings will cease to be in effect.

These Undertakings do not create or confer any right or benefit on any person or party, private or public.

The provisions of these Undertakings shall not constitute a precedent for any future discussions with the European Commission, the European Union, any related entity, or any third State regarding the transfer of any form of data.