Correspondence with Ministers October 2006 to April 2007 - European Union Committee Contents


PASSENGER NAME RECORDS (PNR): AGREEMENTS WITH THE US (13216/06, 13226/06, 13668/06)

Letter from Rt Hon Baroness Ashton of Upholland, Parliamentary Under Secretary of State, Department for Constitutional Affairs to the Chairman

  Thank you for your letter of 19 July 2006[113] providing formal scrutiny clearance for the document on the termination of the agreement between the European Community and the United States of America on the processing and transfer of PNR data (Document 10613/06). Your letter also sought further information on five related points: I am pleased to provide greater detail on each of these issues below and also to provide you with a more general update on this area. I would also like to take this opportunity to apologise for the delay in responding to your letter. The situation regarding the transfer of PNR data changed rapidly up to, and after, the end of recess. I was keen to provide you with a detailed and accurate picture of the EU-US arrangements and this has led to an inevitable delay while the situation has stabilised.

  As you will be aware, agreement was reached on 6 October on an interim agreement which will be renegotiated before the end of July next year. Our guiding principle during negotiations was to ensure that the priority of fighting international terrorism was properly balanced against individuals' privacy rights. This involved sharing data with the US, but within a framework providing adequate controls over—amongst other things—who has access to those data, how they may be used and how long they may be retained. The text of the new agreement reflects changes made to US legislation and does not materially affect the level of protection for individuals' data. The texts of the new agreement, the US letter interpreting the undertakings to the agreement (the undertakings themselves have not changed) and the Council Decision on the signing of the agreement have been deposited and an EM provided (13216/06) which sets out further detail. The new agreement has applied provisionally since it was signed last month and will come fully into force on the first day of the month following the exchange of notifications, indicating that both sides have completed their relevant internal procedures; a number of Member States are still in the process of complying with the requirements of their own constitutional procedures on this matter.

  As you will see, the US continues to abide by the undertakings and there is no extension to the number of data elements the US may access (additional Frequent Flyer field information can now be accessed, but only where it corresponds with the data elements already permitted, for example, the billing address, the reservation date and so on). The period of data retention remains at 3.5 years and access by other US enforcement agencies will be on a strictly case-specific basis and will not be automatic. We believe that the new agreement strikes the balance we were seeking.

  Turning now to your more specific questions, you asked whether the undertakings given by the US Bureau of Customs and Border Protection (CBP) in the new agreement were likely to differ from those in the original agreement. Strictly speaking, the US undertakings were not in the agreement; they were annexed instead to the Commission's adequacy decision and came into force at the same time as the agreement, but your point is still an important one. As you will now be aware, the new agreement still refers to the undertakings (albeit there are fewer references to them) and they have not been renegotiated. Our view on this matter was that the text of the new agreement and undertakings should change as little as possible, but that the agreement's legal base should under the third pillar rather than the first. Naturally, any amendment which reduced the protection of our nationals' data would not have been welcomed.

  You also asked whether, and if so why, an entirely new agreement would be needed before October 2007. A new agreement will be required by the end of October 2007 because the original agreement was due to remain in force only until November 2007. The purpose of the original timeframe was to provide an opportunity for both the US and the EU to thoroughly review the agreement and re-negotiate new and more permanent terms. As you know, the ECJ ruling required the negotiation of a new agreement by the end of September; both sides worked hard to meet this deadline, reaching agreement on 6 October. Given the challenging timeframe for the negotiation of this document, and in recognition of the fact that it was originally considered necessary to provide for an adequate opportunity for re-negotiation, it seemed sensible to negotiate a "temporary" agreement along the lines of the original and to revisit this interim document before July next year.

  You also sought information about attempts by the government to ensure the data protection undertakings offered by the CBP are more realistic than those in the original agreement. Our view is that the undertakings agreed to by the US and annexed to the original adequacy decision provided an adequate level of data protection, taking into account both the US' and Member States' data protection provisions. We were naturally keen to ensure that a high level of data protection was maintained in the new agreement, and will work with the Commission and other Member States to ensure this is also the case in future agreements. I think it is worth noting here that Commission conducted an adequacy test on US data protection standards before the original agreement was entered into and this test confirmed US data protection provisions to be indeed adequate; you will of course be aware that the ECJ ruling that declared this adequacy decision to be invalid was only on the grounds of an incorrect legal base and did not question the substance of the Commission's conclusion on the adequacy of US data protection standards. You may be interested to know that the EU's assessment of the US' implementation of the PNR undertakings (conducted last summer) resulted in a generally positive report. This report noted that the US authorities went significantly beyond what was strictly necessary to comply with the Undertakings, including putting in place systems to track disclosure of data & monitor manual access.

  You also asked whether the government considers there to be a case for activating the passarelle on this matter. We have general concerns about the potential impact of the Article 42 proposal. We could only begin to consider changes to current arrangements for third pillar matters once we are satisfied that our concerns can be met. Our view in this case was that in light of the ECJ judgement, which of course declared the original agreement invalid on the grounds of an incorrect first pillar legal base, the new agreement with the US needed to be subject to third pillar legislation. For this reason alone, it would appear to be inappropriate to have activated the passarelle here. However, we are continuing to look at the detailed implications of Article 42 more generally.

  Additionally, you raise the issue of the parallel agreement between the EC and Canada. Although the time has now elapsed for a similar challenge to be mounted against this agreement, it would appear that the reasoning behind the judgment on the EU-US agreement would also seem to apply to the Canadian agreement and the Commission and the Council will be reflecting on the implications of the ECJ ruling. The UK's Air Navigation Order laid in relation to the EU-US agreement has been drafted in such a way that it may also apply to a future third pillar agreement with Canada.

  I hope this letter provides you with the information you were seeking. As ever, I am very happy to discuss any aspect of this matter further.

13 November 2006

Letter from the Chairman to Rt Hon Baroness Ashton of Upholland

  Sub-Committee F (Home Affairs) of the European Union Select Committee considered the PNR agreement and related documents at a meeting on 22 November 2006.

  As you know, the Committee considered on 19 July documents dealing with the termination of the earlier PNR agreement, and I wrote to you with a number of questions. I am grateful for your reply.

  One of the matters I raised was the activation of the passerelle. Since I wrote, this has become even more of an issue on a number of fronts, and we agree with you that it would not be appropriate to activate the passerelle in relation to this issue alone.

  Another question I raised was the parallel agreement with Canada. We are glad that the Order in Council amending the Air Navigation Order is in terms that allow it to be applied to any country outside the EEA. You state that the Commission and Council are reflecting on the implications of the ECJ ruling. Since a challenge to the legal base of the EC/Canada agreement would inevitably succeed, we are surprised that the Commission has not already begun negotiations for a revised EU/Canada agreement. We would be grateful if you could inform us in due course of any developments on this front.

  Aside from these two points, your letter deals principally with the questions I raised about the negotiations for a revised agreement, then being contemplated but now completed. I am grateful to you for setting out what has happened, although much of this of course duplicates what was in your Explanatory Memorandum of 23 October.

  The main question raised in my letter was how, if at all, the Undertakings given by the US Bureau of Customs and Border Protection (CBP) in the agreement which was then being negotiated were likely to differ from those in the earlier agreement. You explain that the Undertakings are now given by the Department of Homeland Security DHS), and we agree that this makes no practical difference.

  Your explanatory memorandum states that "The changes to the agreement do not materially affect the level of data protection for individuals." In your letter you similarly say: "The text of the new agreement reflects changes made to US legislation and does not materially affect the level of protection for individuals' data." You refer to the documents deposited as including the new agreement and "the US letter interpreting the undertakings to the agreement (the undertakings themselves have not changed)".

  The Undertakings, as you say, have not changed. There were always some doubts about their adequacy, although not on the part of the Commission. But your passing reference to the letter from Mr Stewart Baker, the Assistant Secretary for Policy at the DHS, is where in our view the problems lie.

  It seems to us that this letter, annexed to document 13668/06, makes a number of major changes to the effect of the Undertakings, of which we list four.

    —  The DHS letter says the Undertakings authorise it to "add data elements" to the 34 already listed. You say that "there is no extension to the number of data elements the US may access". Paragraph 7 of the Undertakings requires the DHS to consult with the Commission if it wishes to add data elements. How are these statements to be reconciled?

    —  Paragraph 29 requires PNR information to be shared with other departments and with "counter-terrorism and enforcement functions" (eg CIA and FBI) only on a case by case basis. You say this is unchanged. The letter, relying on the catch-all paragraph 35 that the Undertakings shall not "impede the use or disclosure of PNR data... as required by law", points out that US law changed last year, and now requires DHS "promptly to give access to terrorism information to the head of each agency that has counter-terrorism functions". DHS now has to "facilitate the disclosure" of PNR data to these authorities. We are not entirely reassured by the fact that "DHS will ensure that such authorities respect comparable standards of data protection to that applicable to the DHS".

    —  The letter points out that data more than 3.5 years old "can be crucial in identifying links among terrorism suspects". Because the agreement will have expired before the Undertakings require any destruction of data, "any questions of whether and when to destroy PNR data... will be addressed by the US and the EU as part of future discussions". You tell us that the period of data retention remains at 3.5 years. It seems to us rather that there is no limit at all other than the limit prescribed by US law which, we are told, is currently 40 years.

    —  Paragraph 3 provides: "PNR data are used by [DHS] strictly for purposes of combating terrorism and related crimes" and analogous matters, while paragraph 9 provides that DHS will not use sensitive data concerning the health of the individual. This however is qualified by paragraph 34 where the vital interests of the data subject "or others" are at stake. In effect, the letter is now saying that PNR data will be used in the fight against "dangerous communicable disease"—no doubt avian flu.

  The Undertakings were already in our view compromised by the provisions of paragraphs 34 and 35 allowing them to be departed from where the US authorities thought this essential, or where US law so required. The letter is in our view simply a statement showing that the US does intend to collect data which it was not originally permitted to collect. does intend to use it for purposes for which it was not originally intended, and does intend to distribute it to bodies not previously allowed to receive it in this form.

  The Government may feel that there are excellent reasons for these changes, whether for enhanced security or on other grounds. If so, the changes should in our view have been the subject of negotiation between the EU institutions and the US authorities, and prior approval by the Member States, rather than the subject of a unilateral declaration by the US in a letter sent by email a week after the new agreement was finalised.

  We would be grateful for your comments on the points raised above, and for your answers to the following questions:

    —  Was the Government aware, when it approved the draft agreement, that the US intended to broaden its scope in this way?

    —  Is the Government still satisfied that, despite the changes we have mentioned, the level of protection of personal data is adequate?

    —  What are the views of other Member States on this question?

    —  What line does the Government intend to take when the German Presidency begins work on the negotiation of a third agreement to replace this one, which expires in July 2007?

  We have decided to clear from scrutiny documents 13216/06 and 13226/06, but to keep under scrutiny document 13668/06, which includes Mr Baker's letter.

22 November 2007

Letter from Rt Hon Baroness Ashton of Upholland to the Chairman

  Thank you for your letter of 22 November regarding the Agreement between the European Union and the United States of America on the Processing of Passenger Name Record (PNR) data. I am pleased that you have cleared documents 13216/06 and 13226/06 from scrutiny.

  In your letter you ask for further information on several issues and you also raise a number of specific points in relation to Stewart Baker's letter to the EU. I have dealt with each of these in turn below,

  The first concern you raise relates to whether the US may add "new data elements" to the 34 already permitted under the Agreement. The US authorities may indeed seek to add new data elements, but the EU must first be consulted over any additions or revisions to the data elements, as required by paragraph 7 of the undertakings. The interim Agreement of October 2006 does not increase the number of data elements the US authorities may access, but the US letter of interpretation notes the US understanding that it may access permitted data in whichever of the 34 permitted data elements they occur. For example, the US may access reservation date and billing address data: this was previously only obtained from elements 2 and 8 in Annex A to the Undertakings but the US will now also access those permitted data in the frequent flyer fields too. The US consulted by way of the letter of interpretation from Stuart Baker on its intention to also access the frequent flying number; this number is part of the data contained within the frequent flyer field, and so does not in fact comprise a new additional data element.

  You also raised concerns regarding the Department for Homeland Security's (DHS) sharing of PNR data with other departments possessing "counter-terrorism and enforcement functions", following changes to US legislation. All disclosures will be facilitated by the DHS and no agency will be given unconditional direct electronic access to the PNR data. In addition, data will only be shared with these agencies once they have confirmed in writing to the DHS that they will provide comparable standards of data protection to those applicable to the DHS. The DHS must then inform the EU in writing of the implementation of such facilitated disclosure and the agency's respect for comprarable data protection standards. Under the terms of the Agreement, any EU Member State or the Commission can refuse to supply PNR data if they are not confident that appropriate data protection is being provided. Similarly, if airlines believe that an inadequate level of data protection is being provided, they can also refuse to supply PNR data. I am confident that the mechanisms in place should ensure that all US authorities will abide by comparable levels of data protection in order to have continued access to PNR data.

  You also raised concerns regarding the length of time data may be retained by US authorities before deletion. The period of data retention in the new Agreement remains at three and a half years. As you note, this time limit will be reconsidered during negotiations for a more permanent Agreement, due to begin shortly. However, any data that are to have been transferred under the original and current Agreements will cotinue to attract a data retention period of 3.5 years.

  The final concern you raise in relation to Stewart Baker's letter is about the use of PNR data in situations involving a "dangerous communicable disease". This issue is about protecting the vital interests of the data subject if they were believed to be in danger from such a virus or disease. Paragraph 34 of the undertakings notes that disclosure may be made for the "protection of the vital interest of the data subject or other persons, in particular as regards significant health risks". In cases such as avian flu, where the disclosure of PNR data to relevant authorities was in the vital interests of the data subject or others, we would therefore be content with the use of PNR data for this purpose.

  In your letter you also asked whether the Government was aware of the US intention to broaden the scope of the draft Agreement. The Government was aware that the US authorities were likely to press for fewer restrictions on the use of PNR data and a relaxation of the undertakings. However, we do not believe that the Agreement has been broadened to any significant or dangerous degree. It would seem likely that negotiations on a new and more permanent Agreement will be challenging and that the USA is likely to press for more material changes to the Agreement and undertakings. We understand that negotiations will begin very soon and expect the Presidency and the Commission to negotiate on behalf of the EU to ensure that our nationals data is protected and UK citizens' privacy is maintained. The Government considers that PNR data can help prevent and combat terrorism and related crimes but that the use of this data must be appropriatly balanced against the privacy and rights of UK citizens.

  Further, you asked whether the Government was still satisfied that an adequate level of data protection is provided with regard to PNR data. The UK Government is of the view, as are all other Member States and the Commission, that the level of data protection set out in the underakings annexed to the current Agreement is indeed adequate. Moreover, airlines will shortly be moving from a "pull" to a "push" system for transferring PNR data which will further improve data protection safeguards: in short, airlines will extract the relevant data from their reservation systems and transfer that data to the DHS, instead of the DHS extracting it themselves. This transition is expected to take place in around March or April and is supported by the Information Commissioner. I am unable to comment on indivudal Member States' positions during the negotiations due to the confidential nature of those negotiations, but as I have noted above, all Member States agreed that the terms of the Agreement and the undertakings provided an appropriate level of protection.

  I hope that this response provides you with the information you were seeking. As ever, I would be very happy to discuss this matter further.

16 February 2007

Letter from the Chairman to Rt Hon Baroness Ashton of Upholland

  I am grateful for your very full reply of 16 February 2007 to my letter of 22 November 2006. Sub-Committee F (Home Affairs) of the European Union Select Committee considered it at a meeting of 28 February 2007.

  As you know, the Committee believe that the PNR Agreement raises a number of important questions, and has begun an inquiry into it. I understand that DCA will be giving written evidence, and that you have kindly agreed to give oral evidence on Wednesday 7 March. No doubt this will be the best occasion for the Committee to raise with you any further questions. Meanwhile we will continue to keep this document under scrutiny.

1 March 2007

Letter from Joan Ryan MP, Parliamentary Under-Secretary of State, Home Office to the Chairman

  During my appearance before sub-Committee F (Home Affairs) on 7 March I undertook to write with some additional information on the e-Borders Programme, Project Semaphore and our successful use of passenger data.

  e-Borders is a medium- to long-term initiative to re-shape the UK's border co-ordinated by the Home Office Immigration and Nationality Directorate (Border and Immigration Agency from April 2007) in partnership with other border agencies (HM Revenue and Customs, the Intelligence Agencies, the Police Service and UKvisas). Other departments and agencies such as the Department of Work and Pensions and the Identity and Passport Service are involved as major potential beneficiaries of the e-Borders data. The programme contract award is scheduled for 2007, with significant operating capability planned for July 2008, and full e-Borders capability in 2014.

  Project Semaphore was launched in November 2004 as an operational prototype to trial e-Borders concepts and technology in order to inform and de-risk e-Borders. The pilot has been capturing passenger information on selected routes, and assessing it against watch lists. Based on the assessment, where a passenger is of interest, an alert is usually issued to the relevant partner agency for appropriate action to be taken. The Joint Border Operations Centre (JBOC) is the operational hub of Project Semaphore and manages the data captured and generates alerts to the border security agencies. Significant operational successes have been achieved, including the arrests on arrival or departure of those wanted for serious crimes, such as murder, rape, drug and tobacco smuggling as well as passport offences. To date nearly 900 arrests have been made.

  The two key types of data received by project Semaphore are Advanced Passenger Information (API) and Passenger Name Records (PNR). API is usually used to refer to the information contained in a passenger's travel document, including the name, date of birth, gender, nationality and travel document type and number. PNR data is a term specific to the air carrier industry and relates to information held in a carrier's reservation system and consists of a number of elements which may include date and place of ticket issue, method of payment and travel itinerary.

  We are currently collecting passenger data from 40 carriers, amounting to 20.9 million annualised passenger movements. Project Semaphore currently receives API data on flights from 72 non-UK arrival and departure points. Recent API checks have led to a number of police national computer matches, including the identification of three men wanted for murder during riots in Birmingham last year. They were arrested at Heathrow and have since been convicted and sentenced to life imprisonment. These checks have also led to immigration service matches, such as the identification of holders of fraudulently obtained passports who have consequently been refused leave to enter the UK. We are negotiating with carriers to expand our data access in order to achieve the IND Review target of 30 million movements by April 2008.

  PNR data is used in Semaphore to identify "associated passengers" on bookings. It is also used to identify passengers who are in-transit through the UK rather than arriving (thus reducing unnecessary alerts). In January 2007 23 successes were recorded by Project Semaphore as a result of automated profiling based on passenger data. For example, HMRC were alerted by PNR data to a passenger whose booking was made the day before travel and paid for in cash, who had an overnight stay in the UK before onward travel to Houston. The check of onboard details by a JBOC analyst showed a change in the routing to depart from Gatwick to Houston, which matched a previous successful HMRC profile. The alert was passed directly to HMRC at Heathrow, where he was intercepted on arrival and five kilos of cocaine was found in his baggage. He was arrested and charged.

  I would also like to advise you that a future EU common framework on PNR data is being considered by the European Commission. An informal consultation has been carried out and a draft framework decision may be brought forward later this year. There is no set date. We look forward to this proposal, and hope that it will be as flexible as possible to maximise the benefits of PNR data.

30 March 2007



113   Correspondence with Ministers, 40th Report of Session 2006-07, HL Paper 187, pp 443-444. Back


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2009