Legal base	Articles 95, 300(2) EC ; consultation; QMV
Document originated	17 March 2004
Deposited in Parliament	19 March 2004
Department	Constitutional Affairs
Basis of consideration	EM of 31 March 2004
Previous Committee Report	None; but see (25422) 6949/04 : HC 42 -xii (2003-04) para 10 (10 March 2004) and (25256) 5119/04: HC 42-x (2003-04), para 2 (11 February 2004)
To be discussed in Council	No date set
Committee's assessment	Legally and politically important
Committee's decision	Cleared

Background

5.1 Following the attacks on New York and Washington on 11 September 2001, the United States has passed legislation requiring airlines flying to, from, or over the United States to provide United States Customs with electronic access to information held by airlines on their passengers. The data is contained in automated reservation and departure control systems, known as Passenger Name Records (PNR). Since the adoption of the legislation by the United States, a number of airlines have been making PNR data available to the Bureau of Customs and Border Protection in the Department of Homeland Security.

5.2 In June 2002 the Commission informed the US authorities that the requirements imposed by US law could conflict with the obligations assumed by Member States under the Data Protection Directive[9] and with some provisions of Council Regulation (EEC) No. 2299/89 on a code of conduct for computerised reservation systems.[10] On 23 February 2004 the Council authorised the Commission to negotiate an agreement with the United States which would contain data protection undertakings and allow the Commission to make a finding under Article 25(6) of the Data Protection Directive that the United States ensures an adequate level of protection (which would then permit the transfer of personal data from a Member State to a third country notwithstanding the restrictions in Article 25).

5.3 On 11 February 2004 we cleared from scrutiny a Communication from the Commission in which it set out its proposals for a global EU approach, including the negotiation of an agreement with the United States. On 10 March we also cleared from scrutiny a working paper by the Commission on developing international arrangements for PNR transfers within the International Civil Aviation Organisation (ICAO), which would be submitted by the Community and the Member States to the ICAO.

The draft Council Decision

5.4 The draft Council Decision approves the text of the agreement negotiated between the Commission and the United States and provides for its conclusion by the European Community. The text of the agreement is annexed to the draft Council Decision.

5.5 The agreement provides that the Bureau of Customs and Border Protection (CBP) may gain access to PNR data from air carriers' reservation/ departure control systems located within the territory of the Member States. Such access is to be in accordance with the Decision adopted by the Commission on the basis of Article 25(6) of the Data Protection Directive, whereby the CBP is considered as providing an adequate level of protection for PNR data transferred from the European Community concerning flights to or from the United States. Such access may be gained only for so long as the Decision applies and only until there is a satisfactory system in place allowing for the transmission of such data by the air carriers.

5.6 Air carriers operating flights to or from the United States are to process PNR data as required by the CBP in accordance with the law of the United States and with the Decision under the Data Protection Directive. For its part, the CBP takes note of the Decision and states that it is implementing the undertakings annexed to that Decision. (By virtue of these, the CBP undertakes to use PNR data strictly for the purpose of preventing terrorism and related crimes and other serious transnational crime. The CBP also undertakes to filter and delete such data, to treat PNR data as confidential, to limit access to such data by other US Government agencies and not to use sensitive personal data).

5.7 Under the agreement, the CBP undertakes to process PNR data and to treat data subjects in accordance with applicable US laws and constitutional requirements without unlawful discrimination, in particular on the basis of nationality or country of residence.

The Government's view

5.8 In his Explanatory Memorandum of 31 March 2004 the Parliamentary Under-Secretary of State at the Department for Constitutional Affairs (Lord Filkin) explains that the draft agreement deals with two main legal problems. First, it confirms the lawfulness of direct access by the CBP to airlines' reservation and departure databases located within the European Community. Secondly, the draft agreement provides the legal basis for the data processing which airlines must inevitably carry out before transferring data to the CBP. The Minister explains that Article 7 of the Data Protection Directive sets out a list of conditions which must be met if processing is to be lawful and that one of these conditions is Article 7(c), i.e. where "processing is necessary for compliance with a legal obligation to which [the airline] is subject". The Minister adds that the Commission believes that the legal obligation referred to must be an obligation imposed under Community law or the law of a Member State, not the law of a third country, and that the agreement accordingly creates a Community obligation to deal with this question.

5.9 On the policy implications of the proposal, the Minister comments as follows:

"The purpose of the draft agreement, and the 'adequacy' decision under Article 25 of Directive 95/46/EC which it will complement, is to provide a sound legal base for the transfer of PNR data to the CBP. The Government supports this initiative which will allow airlines operating from the EU to meet the obligation imposed on them by US law to transfer PNR data to the CBP while at the same [time] complying with the requirements of EU Member States' data protection law giving effect to Directive 95/46/EC.

"The provisions of the draft agreement are acceptable to the Government. Article 1 will be necessary only for so long as the CBP has direct access to airlines' databases located in the EU (under what is familiarly known as a 'pull' system.) As mentioned in section 2 of their Communication on a Global EU Approach, the Commission is considering with the industry the establishment of a central database which will allow the PNR data to be 'pushed' to the CBP. A 'push' system would provide more secure data protection safeguards.

"It is possible to argue that certain provisions of Article 7 of Directive 95/46/EC already provide a legal base for the processing of PNR data that is done by airlines before the data are transferred to the CBP. However, the Government welcomes the confirmation provided by Article 2 that there is a sound legal base for such processing.

"The Government also welcomes the inclusion in the body of the draft agreement of a statement by the CBP that it will implement the undertakings it has given (Article 3), the anti-discrimination provision in Article 4 and the requirement for the regular, joint review of the agreement in Article 5.

"Article 6 envisages the establishment within the EU of a system for the provision to the authorities within the EU of PNR data by airlines operating to or from the EU. The establishment of an EU policy on the use of PNR data is discussed in section 3.4 of the Communication from the Commission. This suggests that there should be reciprocity in the transfer of data between the EU and the US. This idea is taken up in Article 6 of the draft agreement. The Government believes that access to PNR data is important for counter-terrorism and other law enforcement purposes and can, therefore, accept the reference to reciprocity. Within the UK, the processing of PNR data is subject to the provisions of the Data Protection Act 1998".

Conclusion

5.10 We thank the Minister for his detailed and helpful Explanatory Memorandum. We agree with the Minister that the proposed agreement provides an appropriate basis for the Commission to reach the conclusion that the United States will provide adequate protection for Personal Name Records transferred by airlines based within the European Community and that it provides a sound legal basis for the processing of data which is involved.

5.11 In the light of the Minister's explanations, we are content to clear the document.

10   OJ No. L220, 29.7. 89, p.1. Back