PASSENGER NAME RECORDS (PNR): AGREEMENTS
WITH THE US (13216/06, 13226/06, 13668/06)
Letter from Rt Hon Baroness Ashton of
Upholland, Parliamentary Under Secretary of State, Department
for Constitutional Affairs to the Chairman
Thank you for your letter of 19 July 2006[113]
providing formal scrutiny clearance for the document on the termination
of the agreement between the European Community and the United
States of America on the processing and transfer of PNR data (Document
10613/06). Your letter also sought further information on five
related points: I am pleased to provide greater detail on each
of these issues below and also to provide you with a more general
update on this area. I would also like to take this opportunity
to apologise for the delay in responding to your letter. The situation
regarding the transfer of PNR data changed rapidly up to, and
after, the end of recess. I was keen to provide you with a detailed
and accurate picture of the EU-US arrangements and this has led
to an inevitable delay while the situation has stabilised.
As you will be aware, agreement was reached
on 6 October on an interim agreement which will be renegotiated
before the end of July next year. Our guiding principle during
negotiations was to ensure that the priority of fighting international
terrorism was properly balanced against individuals' privacy rights.
This involved sharing data with the US, but within a framework
providing adequate controls overamongst other thingswho
has access to those data, how they may be used and how long they
may be retained. The text of the new agreement reflects changes
made to US legislation and does not materially affect the level
of protection for individuals' data. The texts of the new agreement,
the US letter interpreting the undertakings to the agreement (the
undertakings themselves have not changed) and the Council Decision
on the signing of the agreement have been deposited and an EM
provided (13216/06) which sets out further detail. The new agreement
has applied provisionally since it was signed last month and will
come fully into force on the first day of the month following
the exchange of notifications, indicating that both sides have
completed their relevant internal procedures; a number of Member
States are still in the process of complying with the requirements
of their own constitutional procedures on this matter.
As you will see, the US continues to abide by
the undertakings and there is no extension to the number of data
elements the US may access (additional Frequent Flyer field information
can now be accessed, but only where it corresponds with the data
elements already permitted, for example, the billing address,
the reservation date and so on). The period of data retention
remains at 3.5 years and access by other US enforcement agencies
will be on a strictly case-specific basis and will not be automatic.
We believe that the new agreement strikes the balance we were
seeking.
Turning now to your more specific questions,
you asked whether the undertakings given by the US Bureau of Customs
and Border Protection (CBP) in the new agreement were likely to
differ from those in the original agreement. Strictly speaking,
the US undertakings were not in the agreement; they were annexed
instead to the Commission's adequacy decision and came into force
at the same time as the agreement, but your point is still an
important one. As you will now be aware, the new agreement still
refers to the undertakings (albeit there are fewer references
to them) and they have not been renegotiated. Our view on this
matter was that the text of the new agreement and undertakings
should change as little as possible, but that the agreement's
legal base should under the third pillar rather than the first.
Naturally, any amendment which reduced the protection of our nationals'
data would not have been welcomed.
You also asked whether, and if so why, an entirely
new agreement would be needed before October 2007. A new agreement
will be required by the end of October 2007 because the original
agreement was due to remain in force only until November 2007.
The purpose of the original timeframe was to provide an opportunity
for both the US and the EU to thoroughly review the agreement
and re-negotiate new and more permanent terms. As you know, the
ECJ ruling required the negotiation of a new agreement by the
end of September; both sides worked hard to meet this deadline,
reaching agreement on 6 October. Given the challenging timeframe
for the negotiation of this document, and in recognition of the
fact that it was originally considered necessary to provide for
an adequate opportunity for re-negotiation, it seemed sensible
to negotiate a "temporary" agreement along the lines
of the original and to revisit this interim document before July
next year.
You also sought information about attempts by
the government to ensure the data protection undertakings offered
by the CBP are more realistic than those in the original agreement.
Our view is that the undertakings agreed to by the US and annexed
to the original adequacy decision provided an adequate level of
data protection, taking into account both the US' and Member States'
data protection provisions. We were naturally keen to ensure that
a high level of data protection was maintained in the new agreement,
and will work with the Commission and other Member States to ensure
this is also the case in future agreements. I think it is worth
noting here that Commission conducted an adequacy test on US data
protection standards before the original agreement was entered
into and this test confirmed US data protection provisions to
be indeed adequate; you will of course be aware that the ECJ ruling
that declared this adequacy decision to be invalid was only on
the grounds of an incorrect legal base and did not question the
substance of the Commission's conclusion on the adequacy of US
data protection standards. You may be interested to know that
the EU's assessment of the US' implementation of the PNR undertakings
(conducted last summer) resulted in a generally positive report.
This report noted that the US authorities went significantly beyond
what was strictly necessary to comply with the Undertakings, including
putting in place systems to track disclosure of data & monitor
manual access.
You also asked whether the government considers
there to be a case for activating the passarelle on this matter.
We have general concerns about the potential impact of the Article
42 proposal. We could only begin to consider changes to current
arrangements for third pillar matters once we are satisfied that
our concerns can be met. Our view in this case was that in light
of the ECJ judgement, which of course declared the original agreement
invalid on the grounds of an incorrect first pillar legal base,
the new agreement with the US needed to be subject to third pillar
legislation. For this reason alone, it would appear to be inappropriate
to have activated the passarelle here. However, we are continuing
to look at the detailed implications of Article 42 more generally.
Additionally, you raise the issue of the parallel
agreement between the EC and Canada. Although the time has now
elapsed for a similar challenge to be mounted against this agreement,
it would appear that the reasoning behind the judgment on the
EU-US agreement would also seem to apply to the Canadian agreement
and the Commission and the Council will be reflecting on the implications
of the ECJ ruling. The UK's Air Navigation Order laid in relation
to the EU-US agreement has been drafted in such a way that it
may also apply to a future third pillar agreement with Canada.
I hope this letter provides you with the information
you were seeking. As ever, I am very happy to discuss any aspect
of this matter further.
13 November 2006
Letter from the Chairman to Rt Hon Baroness
Ashton of Upholland
Sub-Committee F (Home Affairs) of the European
Union Select Committee considered the PNR agreement and related
documents at a meeting on 22 November 2006.
As you know, the Committee considered on 19
July documents dealing with the termination of the earlier PNR
agreement, and I wrote to you with a number of questions. I am
grateful for your reply.
One of the matters I raised was the activation
of the passerelle. Since I wrote, this has become even
more of an issue on a number of fronts, and we agree with you
that it would not be appropriate to activate the passerelle
in relation to this issue alone.
Another question I raised was the parallel agreement
with Canada. We are glad that the Order in Council amending the
Air Navigation Order is in terms that allow it to be applied to
any country outside the EEA. You state that the Commission and
Council are reflecting on the implications of the ECJ ruling.
Since a challenge to the legal base of the EC/Canada agreement
would inevitably succeed, we are surprised that the Commission
has not already begun negotiations for a revised EU/Canada agreement.
We would be grateful if you could inform us in due course of any
developments on this front.
Aside from these two points, your letter deals
principally with the questions I raised about the negotiations
for a revised agreement, then being contemplated but now completed.
I am grateful to you for setting out what has happened, although
much of this of course duplicates what was in your Explanatory
Memorandum of 23 October.
The main question raised in my letter was how,
if at all, the Undertakings given by the US Bureau of Customs
and Border Protection (CBP) in the agreement which was then being
negotiated were likely to differ from those in the earlier agreement.
You explain that the Undertakings are now given by the Department
of Homeland Security DHS), and we agree that this makes no practical
difference.
Your explanatory memorandum states that "The
changes to the agreement do not materially affect the level of
data protection for individuals." In your letter you similarly
say: "The text of the new agreement reflects changes made
to US legislation and does not materially affect the level of
protection for individuals' data." You refer to the documents
deposited as including the new agreement and "the US letter
interpreting the undertakings to the agreement (the undertakings
themselves have not changed)".
The Undertakings, as you say, have not changed.
There were always some doubts about their adequacy, although not
on the part of the Commission. But your passing reference to the
letter from Mr Stewart Baker, the Assistant Secretary for Policy
at the DHS, is where in our view the problems lie.
It seems to us that this letter, annexed to
document 13668/06, makes a number of major changes to the effect
of the Undertakings, of which we list four.
The DHS letter says the Undertakings
authorise it to "add data elements" to the 34 already
listed. You say that "there is no extension to the number
of data elements the US may access". Paragraph 7 of the Undertakings
requires the DHS to consult with the Commission if it wishes to
add data elements. How are these statements to be reconciled?
Paragraph 29 requires PNR information
to be shared with other departments and with "counter-terrorism
and enforcement functions" (eg CIA and FBI) only on a case
by case basis. You say this is unchanged. The letter, relying
on the catch-all paragraph 35 that the Undertakings shall not
"impede the use or disclosure of PNR data... as required
by law", points out that US law changed last year, and now
requires DHS "promptly to give access to terrorism information
to the head of each agency that has counter-terrorism functions".
DHS now has to "facilitate the disclosure" of PNR data
to these authorities. We are not entirely reassured by the fact
that "DHS will ensure that such authorities respect comparable
standards of data protection to that applicable to the DHS".
The letter points out that data more
than 3.5 years old "can be crucial in identifying links among
terrorism suspects". Because the agreement will have expired
before the Undertakings require any destruction of data, "any
questions of whether and when to destroy PNR data... will be addressed
by the US and the EU as part of future discussions". You
tell us that the period of data retention remains at 3.5 years.
It seems to us rather that there is no limit at all other than
the limit prescribed by US law which, we are told, is currently
40 years.
Paragraph 3 provides: "PNR data
are used by [DHS] strictly for purposes of combating terrorism
and related crimes" and analogous matters, while paragraph
9 provides that DHS will not use sensitive data concerning the
health of the individual. This however is qualified by paragraph
34 where the vital interests of the data subject "or others"
are at stake. In effect, the letter is now saying that PNR data
will be used in the fight against "dangerous communicable
disease"no doubt avian flu.
The Undertakings were already in our view compromised
by the provisions of paragraphs 34 and 35 allowing them to be
departed from where the US authorities thought this essential,
or where US law so required. The letter is in our view simply
a statement showing that the US does intend to collect data which
it was not originally permitted to collect. does intend to use
it for purposes for which it was not originally intended, and
does intend to distribute it to bodies not previously allowed
to receive it in this form.
The Government may feel that there are excellent
reasons for these changes, whether for enhanced security or on
other grounds. If so, the changes should in our view have been
the subject of negotiation between the EU institutions and the
US authorities, and prior approval by the Member States, rather
than the subject of a unilateral declaration by the US in a letter
sent by email a week after the new agreement was finalised.
We would be grateful for your comments on the
points raised above, and for your answers to the following questions:
Was the Government aware, when it
approved the draft agreement, that the US intended to broaden
its scope in this way?
Is the Government still satisfied
that, despite the changes we have mentioned, the level of protection
of personal data is adequate?
What are the views of other Member
States on this question?
What line does the Government intend
to take when the German Presidency begins work on the negotiation
of a third agreement to replace this one, which expires in July
2007?
We have decided to clear from scrutiny documents
13216/06 and 13226/06, but to keep under scrutiny document 13668/06,
which includes Mr Baker's letter.
22 November 2007
Letter from Rt Hon Baroness Ashton of
Upholland to the Chairman
Thank you for your letter of 22 November regarding
the Agreement between the European Union and the United States
of America on the Processing of Passenger Name Record (PNR) data.
I am pleased that you have cleared documents 13216/06 and 13226/06
from scrutiny.
In your letter you ask for further information
on several issues and you also raise a number of specific points
in relation to Stewart Baker's letter to the EU. I have dealt
with each of these in turn below,
The first concern you raise relates to whether
the US may add "new data elements" to the 34 already
permitted under the Agreement. The US authorities may indeed seek
to add new data elements, but the EU must first be consulted over
any additions or revisions to the data elements, as required by
paragraph 7 of the undertakings. The interim Agreement of October
2006 does not increase the number of data elements the US authorities
may access, but the US letter of interpretation notes the US understanding
that it may access permitted data in whichever of the 34 permitted
data elements they occur. For example, the US may access reservation
date and billing address data: this was previously only obtained
from elements 2 and 8 in Annex A to the Undertakings but the US
will now also access those permitted data in the frequent flyer
fields too. The US consulted by way of the letter of interpretation
from Stuart Baker on its intention to also access the frequent
flying number; this number is part of the data contained within
the frequent flyer field, and so does not in fact comprise a new
additional data element.
You also raised concerns regarding the Department
for Homeland Security's (DHS) sharing of PNR data with other departments
possessing "counter-terrorism and enforcement functions",
following changes to US legislation. All disclosures will be facilitated
by the DHS and no agency will be given unconditional direct electronic
access to the PNR data. In addition, data will only be shared
with these agencies once they have confirmed in writing to the
DHS that they will provide comparable standards of data protection
to those applicable to the DHS. The DHS must then inform the EU
in writing of the implementation of such facilitated disclosure
and the agency's respect for comprarable data protection standards.
Under the terms of the Agreement, any EU Member State or the Commission
can refuse to supply PNR data if they are not confident that appropriate
data protection is being provided. Similarly, if airlines believe
that an inadequate level of data protection is being provided,
they can also refuse to supply PNR data. I am confident that the
mechanisms in place should ensure that all US authorities will
abide by comparable levels of data protection in order to have
continued access to PNR data.
You also raised concerns regarding the length
of time data may be retained by US authorities before deletion.
The period of data retention in the new Agreement remains at three
and a half years. As you note, this time limit will be reconsidered
during negotiations for a more permanent Agreement, due to begin
shortly. However, any data that are to have been transferred under
the original and current Agreements will cotinue to attract a
data retention period of 3.5 years.
The final concern you raise in relation to Stewart
Baker's letter is about the use of PNR data in situations involving
a "dangerous communicable disease". This issue is about
protecting the vital interests of the data subject if they were
believed to be in danger from such a virus or disease. Paragraph
34 of the undertakings notes that disclosure may be made for the
"protection of the vital interest of the data subject or
other persons, in particular as regards significant health risks".
In cases such as avian flu, where the disclosure of PNR data to
relevant authorities was in the vital interests of the data subject
or others, we would therefore be content with the use of PNR data
for this purpose.
In your letter you also asked whether the Government
was aware of the US intention to broaden the scope of the draft
Agreement. The Government was aware that the US authorities were
likely to press for fewer restrictions on the use of PNR data
and a relaxation of the undertakings. However, we do not believe
that the Agreement has been broadened to any significant or dangerous
degree. It would seem likely that negotiations on a new and more
permanent Agreement will be challenging and that the USA is likely
to press for more material changes to the Agreement and undertakings.
We understand that negotiations will begin very soon and expect
the Presidency and the Commission to negotiate on behalf of the
EU to ensure that our nationals data is protected and UK citizens'
privacy is maintained. The Government considers that PNR data
can help prevent and combat terrorism and related crimes but that
the use of this data must be appropriatly balanced against the
privacy and rights of UK citizens.
Further, you asked whether the Government was
still satisfied that an adequate level of data protection is provided
with regard to PNR data. The UK Government is of the view, as
are all other Member States and the Commission, that the level
of data protection set out in the underakings annexed to the current
Agreement is indeed adequate. Moreover, airlines will shortly
be moving from a "pull" to a "push" system
for transferring PNR data which will further improve data protection
safeguards: in short, airlines will extract the relevant data
from their reservation systems and transfer that data to the DHS,
instead of the DHS extracting it themselves. This transition is
expected to take place in around March or April and is supported
by the Information Commissioner. I am unable to comment on indivudal
Member States' positions during the negotiations due to the confidential
nature of those negotiations, but as I have noted above, all Member
States agreed that the terms of the Agreement and the undertakings
provided an appropriate level of protection.
I hope that this response provides you with
the information you were seeking. As ever, I would be very happy
to discuss this matter further.
16 February 2007
Letter from the Chairman to Rt Hon Baroness
Ashton of Upholland
I am grateful for your very full reply of 16
February 2007 to my letter of 22 November 2006. Sub-Committee
F (Home Affairs) of the European Union Select Committee considered
it at a meeting of 28 February 2007.
As you know, the Committee believe that the
PNR Agreement raises a number of important questions, and has
begun an inquiry into it. I understand that DCA will be giving
written evidence, and that you have kindly agreed to give oral
evidence on Wednesday 7 March. No doubt this will be the best
occasion for the Committee to raise with you any further questions.
Meanwhile we will continue to keep this document under scrutiny.
1 March 2007
Letter from Joan Ryan MP, Parliamentary
Under-Secretary of State, Home Office to the Chairman
During my appearance before sub-Committee F
(Home Affairs) on 7 March I undertook to write with some additional
information on the e-Borders Programme, Project Semaphore and
our successful use of passenger data.
e-Borders is a medium- to long-term initiative
to re-shape the UK's border co-ordinated by the Home Office Immigration
and Nationality Directorate (Border and Immigration Agency from
April 2007) in partnership with other border agencies (HM Revenue
and Customs, the Intelligence Agencies, the Police Service and
UKvisas). Other departments and agencies such as the Department
of Work and Pensions and the Identity and Passport Service are
involved as major potential beneficiaries of the e-Borders data.
The programme contract award is scheduled for 2007, with significant
operating capability planned for July 2008, and full e-Borders
capability in 2014.
Project Semaphore was launched in November 2004
as an operational prototype to trial e-Borders concepts and technology
in order to inform and de-risk e-Borders. The pilot has been capturing
passenger information on selected routes, and assessing it against
watch lists. Based on the assessment, where a passenger is of
interest, an alert is usually issued to the relevant partner agency
for appropriate action to be taken. The Joint Border Operations
Centre (JBOC) is the operational hub of Project Semaphore and
manages the data captured and generates alerts to the border security
agencies. Significant operational successes have been achieved,
including the arrests on arrival or departure of those wanted
for serious crimes, such as murder, rape, drug and tobacco smuggling
as well as passport offences. To date nearly 900 arrests have
been made.
The two key types of data received by project
Semaphore are Advanced Passenger Information (API) and Passenger
Name Records (PNR). API is usually used to refer to the information
contained in a passenger's travel document, including the name,
date of birth, gender, nationality and travel document type and
number. PNR data is a term specific to the air carrier industry
and relates to information held in a carrier's reservation system
and consists of a number of elements which may include date and
place of ticket issue, method of payment and travel itinerary.
We are currently collecting passenger data from
40 carriers, amounting to 20.9 million annualised passenger movements.
Project Semaphore currently receives API data on flights from
72 non-UK arrival and departure points. Recent API checks have
led to a number of police national computer matches, including
the identification of three men wanted for murder during riots
in Birmingham last year. They were arrested at Heathrow and have
since been convicted and sentenced to life imprisonment. These
checks have also led to immigration service matches, such as the
identification of holders of fraudulently obtained passports who
have consequently been refused leave to enter the UK. We are negotiating
with carriers to expand our data access in order to achieve the
IND Review target of 30 million movements by April 2008.
PNR data is used in Semaphore to identify "associated
passengers" on bookings. It is also used to identify passengers
who are in-transit through the UK rather than arriving (thus reducing
unnecessary alerts). In January 2007 23 successes were recorded
by Project Semaphore as a result of automated profiling based
on passenger data. For example, HMRC were alerted by PNR data
to a passenger whose booking was made the day before travel and
paid for in cash, who had an overnight stay in the UK before onward
travel to Houston. The check of onboard details by a JBOC analyst
showed a change in the routing to depart from Gatwick to Houston,
which matched a previous successful HMRC profile. The alert was
passed directly to HMRC at Heathrow, where he was intercepted
on arrival and five kilos of cocaine was found in his baggage.
He was arrested and charged.
I would also like to advise you that a future
EU common framework on PNR data is being considered by the European
Commission. An informal consultation has been carried out and
a draft framework decision may be brought forward later this year.
There is no set date. We look forward to this proposal, and hope
that it will be as flexible as possible to maximise the benefits
of PNR data.
30 March 2007
113 Correspondence with Ministers, 40th Report of Session
2006-07, HL Paper 187, pp 443-444. Back
|