I am writing to you in connection with the UK e-Borders scheme that has been discussed by the European Commission and the UK Border Agency over the last months. This issue has given rise to extensive correspondence whereby your department has provided the European Commission with clarifications, commitments and assurances on the way in which implementation of the e-Borders scheme will be undertaken. I refer in particular to all the correspondence related to EU Pilot case 348/09/JLSE, the UKBA's letters of 12 June 2009, 24 August 2009, 20 November 2009 and UKBA's e-mails of 30 June 2009, 25 October 2009 and 5, 6, 10 and 20 November 2009.

  In light of the clarifications, commitments and assurances given in the abovementioned correspondence, it appears that, on the basis of the facts as described by your authority, the UK e-borders scheme would not be in breach either of Directive 1995/46/EC on the protection of personal data or of Directive 2004/3 8/EC on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States.

  I understand that the UKBA intends to collect only API (TPI) data at this stage, and has committed not to collect PNR (OPI) data for intra-EU travel as long as no EU PNR legislation has been adopted. Therefore the assessment only concerns the collection of API data. The legality of any PNR data collection within the UK e-Borders scheme for intra-EU travel has therefore not been assessed.

  Furthermore, I understand that the UK authorities are committed to ensuring that the relevant clarifications, commitments and assurances given in order to align the e-Borders system with the EU legal framework on free movement of persons and data protection are met in their entirety and in a legally binding manner. In addition, regulations, internal rules of conduct, and all other public documents and websites must also ensure that the above clarifications, commitments and assurances are respected in the everyday operation of the e-Borders scheme.

  More particularly, I refer to the following commitments and assurances:

— passengers who are EU citizens or their family members will not be refused entry/exit or incur sanctions in any way on the basis that their passenger data is unavailable to the UK authorities for whatever reason;

— carriers will not incur sanctions if they are unable to transmit data through no fault on their part;

— carriers will be instructed by the UK authorities not to deny boarding to travellers, regardless of their nationality, who do not communicate API data to the operator, and that the provision of API data to operators is neither compulsory nor is made a condition of purchase and sale of the ticket;

— UK authorities will make available to persons travelling to/from the UK the information required by Article 10 of Directive 95/46/EC and will also assist the carriers to communicate this information to travellers;

— a single contact point will be established by UK authorities to allow data subjects to exercise their data protection rights; and

— appropriate safeguards will be applied to transfers of data to third countries, in line with what is requested by the UK data protection authority.

  In addition, a reduction of the 10 year retention period of TPI (API) data would be highly recommended so as to not differ excessively from the retention period currently provided for in Directive 2004/82/EC.

  As regards the legal basis allowing the collection by the carrier of personal data in the Member State of departure, it seems to me that, pursuant to Article 4 (1) of Directive 1995/46/EC, such a legal basis must be found in the legislation of the Member States in which the processing takes place. This implies that where the processing is carried out by an establishment of the carrier on the territory of a Member State, the law of that Member State shall apply to this processing. Taking into account the specific safeguards implemented by the UK authorities, Articles 7 (e) and (f) of Directive 1995/46/EC could be used by those Member States to make the data collection referred to above lawful. It is necessary that the Member State in which the processing takes place expressly acknowledges that the "public interest" pursued by the third party requiring the data is shared by that Member State. A Member State might consider such a public interest on the basis of, for example, cooperation in the fight against illegal immigration or customs offences, or assisting another Member State in carrying out its law enforcement policy. As regards the precise form of such recognition, an opinion of the relevant national data protection supervisory authority or a governmental decision would seem to satisfy the requirements of Article 7 (e) of the Directive.

  Similar reasoning can apply to Article 7 (f) of the Directive. Again, the legitimate interests pursued by the third party to whom the data are disclosed can include the interests of a public authority of another Member State, subject to the condition that this interest is officially acknowledged by the authorities of the Member State in which the processing takes place as referred to above. Such an acknowledgement of the balance of interest cannot be made by carriers or other private entities.

  As regards the collection of personal data by Eurostar and ferries, the Member States in which data are collected will have to assess the proportionality of the processing taking into account the existing bilateral agreements with France and Belgium.

  Finally, I understand that pursuant to the UK Data Protection Act 1998, UK data protection legislation is applicable in its entirety to the UK e-Borders scheme, and the UK data protection authority, the Information Commissioner's Office (ICO), is competent to monitor and enforce compliance with UK legal provisions adopted to implement Directive 1995/46/EC.