Legal base	Articles 82(1)(d), 87(2)(a) and 218(6)(a) TFEU; QMV; consent
Document originated	17 December 2009
Deposited in Parliament	8 January 2010
Department	Home Office
Basis of consideration	EM of 21 January 2010
Previous Committee Report	None
To be discussed in Council	No date set
Committee's assessment	Legally and politically important
Committee's decision	Not cleared; further information requested

Background

4.1 The Agreement was signed by the EU and the US on 30 June 2007 and has been applied provisionally from that date. This proposal for a Council Decision seeks to conclude the Agreement.

4.2 The Council Decision to sign the Agreement[16] was not deposited for scrutiny. The reasons for this were outlined in the letter of the Parliamentary Under-Secretary of State at the Home Office (Meg Hillier) to Lord Roper dated 29 January 2009: policy officials believed that there was an exception in putting third country agreements forward for scrutiny. The Minister's letter accepted the assertion that the Council Decision authorising signature of the Agreement should have been deposited for scrutiny, and apologised that it was not deposited.

Opt-in

4.3 The proposal was published by the Commission on 17 December. The UK has three months from the date of its presentation to the Council to decide whether to opt in, so until 17 March. Under the new procedures set out in Article 218 of the Treaty on the Functioning of the European Union (TFEU) for this type of agreement, the Council must obtain the consent of the European Parliament before the Agreement can be concluded.

The 2007 PNR Agreement and US Letter

4.4 This short Agreement of nine Articles lays down principles governing the transfer of passenger name records (PNR) data held by air carriers in the EU to the United States Department of Homeland Security (DHS) on flights to and from the US. Attached to the Agreement is a "US Letter to EU" (the DHS letter), which contains "assurances" explaining DHS's policy on safeguarding PNR data. Passenger Name Record (PNR) data is booking information held by airlines about their passengers which can be useful to law enforcement authorities in identifying criminals and criminal activity. (PNR is different from Advanced Passenger Information (API), which is data derived from passports.)

THE AGREEMENT

4.5 Under the terms of the Agreement air carriers, whose reservation systems are located within the EU and which operate flights to and from the US, must make available to the DHS PNR data for passengers flying to and from the US. This should be made available normally 72 hours before a flight, or earlier in case of a specific threat. As of January 2008, that data should be transmitted (the "push" method) to DHS by airlines that have the technical capacity to do it, rather than allowing the DHS to electronically access the PNR from air carriers' reservation systems in advance of the flight (the "pull" method).

4.6 DHS is required to process PNR from the EU and treat EU passengers ("data subjects") in accordance with applicable U.S. laws, constitutional requirements and without unlawful discrimination. For the application of the Agreement, "DHS is deemed to ensure an adequate level of protection for PNR data transferred from the European Union. Concomitantly, the EU will not interfere with relationships between the United States and third countries for the exchange of passenger information on data protection grounds."

4.7 Further, DHS "expects that it is not being asked to undertake data protection measures in its PNR system that are more stringent than those applied by European authorities for their domestic PNR systems. DHS does not ask European authorities to adopt data protection measures in their PNR systems that are more stringent than those applied by the U.S. for its PNR system. If its expectation is not met, DHS reserves the right to suspend relevant provisions of the DHS letter while conducting consultations with the EU with a view to reaching a prompt and satisfactory resolution."

4.8 The exclusive remedy if the EU determines that the U.S. has breached this Agreement is the termination of this Agreement and the revocation of the adequacy determination referenced in paragraph 6. The exclusive remedy if the U.S. determines that the EU has breached this agreement is the termination of this Agreement and the revocation of the DHS letter.

THE US LETTER

4.9 This letter, appended to the Agreement as published in the Official Journal, is intended to explain how DHS handles the collection, use and storage of PNR. Importantly, "None of the policies articulated [in the letter] create or confer any right or benefit on any person or party, private or public, nor any remedy other than that specified in the Agreement between the EU and the U.S. on the processing and transfer of PNR by air carriers to DHS".

Purpose limitation

4.10 DHS uses PNR "strictly" for the purpose of:

i)  terrorism and related crimes;

ii)  serious crimes, including organised crime, that are transnational in nature; and

iii)  flight from warrants or custody for these crimes.

EU-sourced PNR may also be processed under US law where it is necessary for the protection of the vital interests of the data subject or other persons, in criminal judicial proceedings, "or as otherwise required by law.

Sharing PNR with third countries

4.11 The purpose limitation of the use of PNR by the DHS extends to sharing it with third countries. It will provide PNR data to other domestic government authorities in support of counterterrorism, transnational crime and public security related cases they are examining or investigating, according to law, and pursuant to written understandings and U.S. law on the exchange of information between U.S. government authorities. Access, the DHS letter states, shall be strictly and carefully limited to the cases described above in proportion to the nature of the case. And any such exchange of data will occur pursuant to express understandings between the parties that incorporate data privacy protections comparable to those applied to EU PNR by DHS.

Sensitive personal data

4.12 The DHS employs an automated system which filters sensitive EU PNR data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning the health or sex life of the individual) and deletes the information. However, the letter states that, in an exceptional case where the life of a data subject or of others could be imperilled or seriously impaired, DHS officials may use sensitive data. DHS will maintain a log of access to any sensitive data and will delete the data within 30 days once the purpose for which it has been accessed is accomplished and its retention is not required by law. DHS will also provide notice normally within 48 hours to the European Commission that sensitive data has been accessed.

Access and redress

4.13 The letter states that DHS has made a policy decision to extend administrative Privacy Act protections to PNR data stored in the Automated Targeting System, regardless of the nationality or country of residence of the data subject, including data that relates to European citizens. Consistent with U.S. law, DHS also maintains a system accessible by individuals, regardless of their nationality or country of residence, for providing redress to persons seeking information about or correction of PNR. Furthermore, PNR furnished by or on behalf of an individual shall be disclosed to the individual in accordance with the US Privacy Act and the US Freedom of Information Act (FOIA). FOIA permits any person (regardless of nationality or country of residence) access to a U.S. federal agency's records, except to the extent such records (or a portion thereof) are protected from disclosure by an applicable exemption under the FOIA. DHS does not disclose PNR data to the public, except to the data subjects or their agents in accordance with U.S. law.

4.14 In certain exceptional circumstances, DHS may exercise its authority under FOIA to deny or postpone disclosure of all or part of the PNR record to a first part requester, pursuant to Title 5, United States Code, Section 552(b). Under FOIA any requester has the authority to administratively and judicially challenge DHS's decision to withhold information.

Data retention

4.15 DHS retains EU PNR data in an active analytical database for seven years, after which time the data will be archived for eight years and may be accessed only with approval of a senior DHS official designated by the Secretary of Homeland Security and only in response to an identifiable case, threat, or risk. DHS "expects" that EU PNR data shall be deleted at the end of this period; questions of whether and when to destroy PNR data collected in accordance with this letter will be addressed by DHS and the EU as part of future discussions. Data that is related to a specific case or investigation may be retained in an active database until the case or investigation is archived.

The Minister's Explanatory Memorandum

4.16 The Parliamentary Under-Secretary of State at the Home Office (Meg Hillier) deposited an Explanatory Memorandum in Parliament on 21 January.

4.17 In overview, the Minister explains that the Government welcomes the proposal to conclude the Agreement with the US on the processing of PNR data. She says that the UK, in common with other EU Member States, views the US as a key partner. A clear EU-US PNR agreement will play a vital role in removing legal uncertainty for air carriers flying to the US and will help ensure that, where appropriate, PNR information can be shared quickly and securely with all necessary data protection safeguards in place.

PURPOSE LIMITATION

4.18 That said, the terms of the Agreement are not consistent with what the UK would want under an EU PNR proposal (for flights into the EU); the UK would like to have the ability to collect and process PNR data for a range of purposes broader than terrorism and serious crime (for example immigration offences). However, the Minister reports that it has subsequently become clear during EU PNR negotiations that most Member States are hostile to the use of PNR for purposes other than the prevention of terrorism and serious crime. The UK Government is willing to abide by the terms laid down in the scope of this Agreement, as it values the legal protection on PNR data transfer that this Agreement provides, but will continue to lobby for a broader scope during EU PNR negotiations.

IMPACT ON UK LAW

4.19 In terms of the impact of the Agreement on national law, the Minister states that:

·  the UK has the ability to obtain passenger, crew and service data from carriers in advance of all movements into and out of the UK under the Immigration Act 1971, the Immigration, Asylum and Nationality Act 2006 and the powers of the HMRC Commissioners' Directions under the Customs and Excise Management Act 1979. Section 36 of the Immigration, Asylum and Nationality Act 2006 also creates a duty for the UK Border Agency, the police and HM Revenue and Customs to share that data among themselves where it is likely to be of use for immigration, customs, or police purposes.

·  the Immigration and Police (Passenger, Crew and Service Information) Order 2008 (SI 2008/5) specifies the travel-related data that an immigration officer or a police officer can require from ships, aircraft and trains, entering and leaving the United Kingdom. The data are divided into:

a)  mandatory data which includes Advance Passenger Information (API) which must be collected and supplied when requested, and;

b)  additional data which includes PNR and must be supplied only to the extent to which the carrier knows the data.

This Agreement does not therefore have an impact on UK law.

FUNDAMENTAL RIGHTS

4.20 Concerning fundamental rights, the Minister acknowledges that the Agreement provides for the processing and transfer of personal data and therefore engages Article 8 of the European Convention on Human Rights (right to respect for private and family life). However, any interference with Article 8 rights would be justified under Article 8(2) of the Convention because the Agreement:

• restricts the purposes for which data can be processed to purposes included within Article 8(2) (the prevention of and combating of terrorist offences, serious crime and flight from warrants or custody for such crimes);
• provides that the DHS is deemed to ensure an adequate level of protection for PNR data transferred from the EU;
• has been entered into with regard to Article 6(2) of the Treaty on European Union on respect for fundamental rights, and in particular to the fundamental rights to privacy and the protection of personal data; and
• states that the onward data transmission to a third country is only done on a case-by-case basis. Apart from in emergency circumstances, any such exchange of data would occur pursuant to express undertakings incorporating data privacy protections comparable to those applied by the US to the PNR data.

SUBSIDIARITY

4.21 The Minister is confident that this is a proper area for Europe-wide action. The legislation will establish the legal principles for processing and transfer of PNR data from the EU to the US, and encourage collaboration on the development of PNR systems in individual Member States. It does not therefore infringe the principle of subsidiarity.

DATA PROTECTION AND SENSITIVE PERSONAL DATA

4.22 Data protection was a key issue during negotiations. The data protection regime which will apply to PNR data transferred to DHS under the Agreement is considered to be comparable to EU standards. That said, the Minister says that UK Government welcomes the decision to allow sensitive personal data to be used in exceptional circumstances under this Agreement. UK officials have found sensitive personal data contained in PNR to be useful operationally, often helping to rule passengers out of investigations.

OPT-IN

4.23 The Minister states that the UK is "keen to opt in". If it did so, however, it would not thereafter be able to conclude any PNR agreement with the US which would conflict with the terms of the EU-US Agreement. The UK is satisfied that this will not have an adverse effect on future relations with the US.

4.24 There is an existing Memorandum of Understanding (MoU) between the UK Border Agency's Joint Borders Operations Centre (JBOC) and DHS's National Targeting Center. This is designed to strengthen the operational capability of the US and the UK by exchanging critical passenger information to help verify travel documents, detect false identities, determine admissibility, carry out customs checks and identify persons traveling between our countries who may pose a security risk. Various forms of information may be exchanged under the MoU in relation to persons of interest, for example information on immigration history, details of known or suspected immigration abuse or offences, details of prior refusals of entry to the UK or US, Advance Passenger Information[17] and PNR. The UK-US MoU specifically provides for any transfer of PNR data under it also to be consistent with the terms of the 2007 EU-US PNR agreement. The Government considers that any constraint presented by that agreement to co-operation at national level is likely to be marginal.

Conclusion

4.25 This is a Decision which the Government has to opt into for it to become binding upon or applicable in the UK. The Government has three months within which to do so; this period expires on 17 March. The Government has given an undertaking to both Houses that it will not decide whether to opt into a proposal until eight weeks have elapsed since the proposal's publication; this is to give sufficient time for Parliamentary scrutiny of the decision to opt in. The eight-week period expires on 12 February.

4.26 We are concerned by the timing of the deposit of the Minister's Explanatory Memorandum. The proposal was published by the Commission on 17 December 2009 and yet the Explanatory Memorandum was deposited only on 20 January 2010. This delay contravenes the undertaking in Baroness Ashton's statement on JHA opt-ins that the Government will place an Explanatory Memorandum before Parliament "as swiftly as possible following publication of the proposal and no later than ten working days after the publication of the proposal". It leaves us with four weeks, rather than the agreed eight weeks, for scrutiny of the opt-in decision. We understand that the Minister will be writing to us with an explanation for the delay.

4.27 We regret that the Council decision to sign the Agreement in July 2007 was not deposited for scrutiny and note that it has been provisionally applied for over a year and a half. This limits the role Parliamentary scrutiny can play in influencing draft EU legislation.

4.28 We recognise that Agreement serves an important and legitimate aim, but several aspects of it leave us concerned. We are particularly disappointed that the handling, use and storage of PNR by the Department of Homeland Security (DHS) is not incorporated in the legally binding Agreement (unlike, say, in the PNR Agreements with Canada and Australia) but in assurances in a non-binding letter attached to it. The effect of this is that data protection safeguards applied by DHS can be unilaterally changed. In which circumstances we wonder what value can be placed on the deeming provision in paragraph 6 of the Agreement: "for the application of this Agreement, DHS is deemed to ensure an adequate level of protection of PNR data transferred from the European Union".

4.29 The letter states that DHS has extended the US Privacy Act to PNR data on European citizens. This means that European passengers, or data subjects, can access the records held by DHS, unless such records are protected from disclosure under the US Freedom of Information Act (FOIA). We ask the Government to confirm whether there are currently any exceptions under the Privacy Act or FOIA which would prevent an EU passenger from accessing his or her PNR records held by DHS, and if so, what the exceptions are.

4.30 We are also concerned by the retention periods of PNR date of seven years in an active file followed by eight years in a dormant file and question why such a long period is justified; and by the sharing PNR with third countries of PNR data for "public security related cases", which is not defined, as well as terrorism and transnational crime, and without the specification of any provisions governing the handling, use and storage of PNR by competent authorities in those third countries.

4.31 We would be grateful for a progress report of the negotiations with the European Parliament on giving its consent to the Conclusion of this Agreement.

4.32 We are keeping the document under scrutiny pending the Minister's answers to the questions above.

17   Full name (given names as on passport) including last name, gender, date of birth, nationality, passport number and expiry date, where passport was issued and country of residence.  Back