Legal base	—
Department	Constitutional Affairs
Basis of consideration	Minister's letter of 5 March 2004
Previous Committee Report	HC 42-x (2003-04), para 2 (11 February 2004); and see (25422) 6949/04: HC 42-xii (2003-04) para 10 (10 March 2004)
To be discussed in Council	No date set
Committee's assessment	Legally and politically important
Committee's decision	Cleared

Background

8.1 Following the attacks on New York and Washington on 11 September 2001, the United States has passed legislation requiring airlines flying to, from, or over the United States to provide United States Customs with electronic access to information held by airlines on their passengers. The data is contained in automated reservation and departure control systems, known as Passenger Name Records (PNR).

8.2 In June 2002 the Commission informed the US authorities that these requirements could conflict with the obligations assumed by Member States under the Data Protection Directive[23] and with some provisions of Council Regulation (EEC) No. 2299/89 on a code of conduct for computerised reservation systems.[24] On 18 February 2003, the Commission and the US authorities issued a joint statement setting out initial data protection undertakings agreed by the United States Customs and recording the undertaking by the parties to pursue talks with a view to allowing the Commission to make a finding under Article 25(6) of the Data Protection Directive that the United States ensures an adequate level of protection (which would then permit the transfer of personal data from a Member State to a third country notwithstanding the restrictions in Article 25).

8.3 We considered on 11 February 2004 a Commission Communication setting out a possible EU approach, involving, first, a legal framework for existing transfers of PNR to the United States (consisting of a decision by the Commission under Article 25(6) of the Data Protection Directive that the United States ensures an adequate level of protection for personal data, accompanied by a bilateral agreement on the principles to be applied to such data); secondly, measures to ensure that passengers are fully and accurately informed about the uses to which PNR data will be put; and, thirdly, replacement of the present "pull" system (under which the US authorities are given direct access to airline databases in order to "pull" the data) by a "push" method of transfer under which data flows from airline reservations systems to the US authorities would be controlled within the EU (with the transfer of data limited to that which is strictly necessary for security purposes). In this latter regard, we noted that it had apparently been agreed that all classes of sensitive personal data covered by Article 8(1) of the Data Protection Directive[25] would be filtered out and deleted.

8.4 We also noted that the Commission had drawn a link between a future EU policy on the use of PNR data for security and law enforcement purposes and the development of a "push" system with filters, especially if this were to be done on a centralised basis, and that it advocated creating a centralised structure within the EU.

8.5 We asked the Minister why it had been agreed to filter out and exclude all classes of personal data covered by Article 8(1) of the Data Protection Directive and whether the Government agreed with the Commission's evident preference for a centralised European entity to handle the collection and transfer of PNR data.

The Minister's reply

8.6 In his letter of 5 March the Parliamentary Under-Secretary of State at the Department for Constitutional Affairs (Lord Filkin) replies that the US authorities have indicated that they do not need the sensitive personal data referred to in Article 8(1) of the Directive, and have agreed that such data will be filtered out and deleted. The Minister adds that the issue is linked to the development of a "push" system for transferring data. The Minister explains that until such a system is in place PNR data, including sensitive personal data, will be "pulled" by the US authorities but that they have undertaken to implement, with the least possible delay, an automated system which filters and deletes sensitive data. The Minister comments that it is clearly preferable in principle for such data to be deleted without the US authorities gaining access to them, and that this will be possible if a "push" system is developed.

8.7 As to our second question on the possible creation of a centralised European entity to collect and transfer PNR data, the Minister replies that the Government is not aware of any firm proposals having been made by the Commission, but that it is keeping an open mind on the need for a set of centralised arrangements. The Minister adds that, before taking a view, it will wish to consider the Commission's rationale for such arrangements and the detail of any proposal that it may make.

8.8 The Minister also informs us that the negotiating mandate for an EC/US agreement to accompany the Commission decision under Article 25(6) of the Data Protection Directive was approved by the Council on 23 February and that a draft agreement will be presented to the Council for its approval shortly and will be deposited by the Minister for scrutiny.

Conclusion

8.9 We thank the Minister for his reply, which addresses the two points we had raised on this document. We look forward to the deposit of the draft EC/US agreement for scrutiny and in the meantime we are content to clear this document.

24   OJ No. L 220, 29.7.89, p.1. Back

25   Article 8(1) refers to the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and health or sex life. Back