Government and Commission Responses Session 2006-07 - European Union


21ST REPORT: THE EU/US PASSENGER NAME RECORD (PNR) AGREEMENT

Letter from Michael Wills MP, Minister of State, Ministry of Justice to the Chairman

  Thank you for your letter of 16 July. I am grateful to you for your report on The EU/US Passenger Name Record (PNR) Agreement. I was pleased to learn that the Select Committee fully accept the potential value of PNR data in the fight against terrorism.

  Your report was very valuable. A copy of the report was given to the EU Commission and the UK Permanent Representation to the European Union discussed it with them. The Commission was aware of all the points at the time of the negotiations, which was helpful. As you would expect these were tough negotiations, where the US has a strongly held position.

  The EU Commission and Member States are satisfied that the necessary data protection safeguards for the processing and transfer of PNR data by air carriers to the Department for Homeland Security are in place through the Agreement. It is clear that this Agreement is much better than no agreement. The UK Government believes that this Agreement provides a good level of data protection for UK passengers.

  We expect the Agreement to be agreed by the General Affairs & External Relations Council when it meets on Monday, 23 July.

  We intend to respond formally to the report by the end of this month, as well as submit an Explanatory Memorandum on the final Agreement, once the Agreement has been signed, in the normal way.

23 July 2007

Letter from Bridget Prentice MP, Parliamentary Under Secretary of State, Ministry of Justice to the Chairman

  I apologise for the delay in responding to the European Union Committee's report—The EU/US Passenger Name Record (PNR) Agreement.

  The Government is grateful to the Select Committee for its report and is pleased that the Committee fully accept the potential of PNR data in the fight against terrorism. A copy of the report was given to the EU Commission and the Commission was aware of the points at the time of negotiation, which was helpful. As we have already explained, these were tough negotiations, where the US has a strongly held position. It is clearly better to have an Agreement that provides proper safeguards for data protection than no Agreement at all.

  On 31 July 2007 the European Union and the United States of America signed an Agreement on the processing and transfer of Passenger Name Record (PNR) data by air carriers to US authorities. The agreement will be valid for seven years. That Agreement is supplemented by an exchange of letters between the US and the EU. The US letter contains a series of conditions about how the US Department for Homeland Security (DHS) handles the collection, use and storage of EU PNR data. The EU letter states that the assurances explained in the US letter allow the EU to deem that DHS ensures an adequate level of data protection for the purposes of the Agreement. The letters form part of the Agreement.

  The attached response details the Government's reactions to the recommendations made by the Committee.

11 October 2007

GOVERNMENT RESPONSE

  157.  It is the perennial conflict between the security of the public and the privacy of the individuals who make up the public which is at the heart of our inquiry. A balance has to be struck, and the guiding consideration must be the principle of proportionality: the collection and retention of data for security purposes must be no more invasive of individual privacy than is necessary to achieve the objective for which they are collected. That objective must be narrowly and clearly defined.

    The Government believes that this Agreement balances the need to prevent and combat serious crime and terrorism with the need to provide data protection safeguards for UK passengers.

    The letter from the Department for Homeland Security (DHS) that accompanies the Agreement sets out that the "DHS uses EU PNR strictly for the purpose of preventing and combating: (1) terrorism and related crimes; (2) other serious crimes, including organised crime, that are transnational in nature; and (3) flight from warrants or custody for crimes described above." We believe this undertaking by the DHS ensures that the objective for EU PNR data is sufficiently narrow and clearly defined.

Passenger Name Records

  158.  It is an important principle of democratic accountability that Parliament should be able to reach its own conclusions on the value of PNR in combating terrorism, and not have to rely on statements from the executive. This would help to secure public confidence.

  159.  Nonetheless, having received no evidence to the contrary, we are prepared to accept that PNR data constitute a valuable weapon in the fight against terrorism and serious crime, and that their continued use is both necessary and justified.

    The Government welcomes the view reached by the Committee that the use of PNR data is a valuable weapon in the fight against terrorism and serious crime. The Government is fully committed to the fight against such acts.

    The data exchanged under the Agreement has proven to be a most important source of data for risk assessment and intelligence purposes. For example, through a combination of operational experience, specific intelligence and historical analysis, we can build up pictures of suspect passengers or patterns of travel behaviour. PNR data may then be used to indicate suspect behaviour by enabling the identification of individuals whose travel details share common characteristics with those pre-defined profiles.

    The Committee was provided with evidence from the Government, in the context of Project Semaphore, and from the US about the successful operational use of PNR data. We believe PNR can play a valuable part in this work and it is important that we have an agreement with the US to enable us to work effectively together whilst respecting fundamental rights and freedoms, notably privacy.

  160.  The principal risk of error in using PNR data seems to us to arise, not from the quality of the data, but from the erroneous interpretation of the data, even if accurate.

    The Government notes the Committee's views. The Government acknowledges that it is possible to draw an erroneous interpretation from accurate data, including PNR data. However, account is given to this risk in the context of PNR as it is in any other context. No-fly lists are completely independent of PNR, although PNR data are checked against them. In the example set out in the report, the Committee acknowledges that the authorities correctly identified Mr Arar, however the problem lay not with the PNR data but that Project A-O Canada supplied the American agencies with a good deal of inaccurate information about Mr Arar, some of which was inflammatory and unfairly prejudicial to him.[4]

  161.  It is important that intending passengers should be aware of who will receive their personal data, and subject to what conditions. We agree with the Working Party of national data protection authorities that the airlines should be responsible for informing passengers, and we endorse the Working Party's proposals.

    The Government welcomes the Committee's recommendation in this area. Under the Data Protection Act, data controllers must ensure, so far as is practicable, that individuals have, are provided with, or have readily made available to them certain information, including information about the purpose for which data is intended to be processed. It is important that people understand what their personal data will be used for.

    The Department for Transport is working with air carriers to raise awareness amongst passengers of PNR data and the main UK airlines already provide passengers with information about how their data will be used.

    As part of the new Agreement the DHS will provide airlines with a form of notice concerning PNR collection and redress practices to be available for public display. Both the DHS and the EU will work with the aviation industry to promote greater visibility of this notice, including incorporating it in the official contract of carriage.

The Interim Agreement

  162.  The negotiators should as a matter of principle insist that data transferred under the 2004 and 2006 Agreements must be destroyed no later than 3.5 years after the transfer, unless a formal Agreement is negotiated allowing these data to be retained longer.

    The Government notes the Committee's concerns. The retention periods negotiated under the new Agreement will also apply to data collected under the 2004 and 2006 Agreements.

    Under the Data Protection Act, data controllers have the flexibility to retain data for as long as is necessary for the purpose for which the data is processed. Terrorist groups often operate over a long period of time and the recruitment and training of their personnel may be spaced over several years. It is important therefore for data to be retained to allow retrospective analysis of intelligence to identify links between known operatives and others.

    The new Agreement increases the retention period for active data from 3.5 years to seven years. After seven years the data will move to a dormant non-operational status for eight years, accessible only in exceptional circumstances and under strict conditions.

  163.  Whatever the justification for extending data elements, for wider sharing of data, or for using data to identify possible carriers of dangerous communicable diseases, there is no justification at all for doing so through a unilateral declaration by one of the parties to an agreement.

  164.  An undertaking which includes a provision allowing the party giving it to amend it virtually at will is of very limited value, and scarcely deserves the name. No such provision should be included in any future agreement.

    The Government notes the Committee's views. The new Agreement takes account of the changed legal environment and the legal duties that US authorities are under to share information. This Agreement and the DHS letter are binding on both parties. If the US does not comply with the Agreement the EU can terminate the Agreement (under Article 8).

Negotiations for a new Agreement

  165.  In our view the worst possible result of the negotiations would be an agreement to extend the current Interim Agreement.

    The Government believes that this Agreement is much better than no agreement, particularly as the new Agreement provides an appropriate level of data protection for data subjects. The Information Commissioner has also welcomed the conclusion of an agreement with the US authorities as it is important to have safeguards in place for the personal details of passengers passed on to the US authorities.

    Under US legislation, if people wish to fly to the United States then carriers must provide their data to the US authorities. If there were no agreement, the consequences would have meant that airlines in breach of US rules would be liable for fines of $6,000 per passenger, and could have their US landing rights withdrawn. As you would expect these were tough negotiations where the US had a strongly held position.

    The agreed package contains important commitments by DHS on how they will handle EU PNR data in full respect of data protection. The EU Commission and Member States are satisfied that the necessary data protection safeguards for the processing and transfer of PNR data by air carriers to the Department for Homeland Security are in place through the new Agreement.


The views of the European Parliament and the data protection authorities

  166.  The fact that the European Parliament no longer has a formal role to play is not a reason why the views of its members should be disregarded. On the contrary, in a Union of democracies special attention must be paid to the views of representatives, since they are well placed to balance the public good against private rights.

  167.  The European Data Protection Supervisor, and national data protection authorities individually and collectively in the Article 29 Working Party, have great experience of the practical working of data protection laws and of nonbinding declarations on the handling of personal data. Those negotiating a new agreement should be guided by their opinions.

    The Government agrees that the views of experts and representatives, including MEPs, are important. The Government believes that the way to achieve the best outcome for the EU, and hence for the UK, that balances the rights of UK citizens with the use of PNR data to combat terrorism and other serious crimes, was for the negotiations to be led by the Commission and the Presidency. As Jonathan Faull made clear in his evidence to the Committee for this Report, the Commission was very well aware of the views of the European Parliament and had numerous meetings with interested MEPs, and took their views into account. The Commission also participated in the "March seminars" with the Article 29 Committee and the European Parliament's LIBE Committee. They were also aware of the European Data Protection Supervisor's views in relation to the negotiating mandate and kept him updated through the Article 29 Committee. We believe that the Agreement reached ensures an adequate balance between security and data protection concerns.

The EC/Canada PNR Agreement

  168.  We believe that the PNR Agreement with Canada could be a useful starting point for the negotiations with the United States.

    The Government notes the Commission opinion, as given during evidence to the Committee, that there was no question of topping and tailing the agreement with Canada and replacing references to Canada with the United States. The Government is of the view that the Agreement reached is one that takes into account the needs of both the EU and the US and benefits both parties.

Data elements

  169.  We expect those negotiating the new Agreement to take a robust attitude in the negotiations before being satisfied that any additional data item is essential and therefore permissible.

  170.  It would be wrong to include among the agreed data elements open-ended data elements like "general remarks" or "open fields", which merely serve as a means of introducing other data elements not specifically listed.

    The Agreement does not allow more data to be exchanged. The number of accessible types of EU PNR collected is reduced from 34 to 19 as a result of merging a number of data elements that cover the same type of information. To the extent that the information that the passenger gives to an airline, and is then made available to the US authorities, is regarded as sensitive data, such data will be filtered and not used, except in an exceptional case where life is at risk. The DHS will maintain a log of any access to sensitive data and will inform the European Commission normally within 48 hours.

Undertakings

  171.  We hope that the talks will have started on the basis that the Undertakings being negotiated, unlike the current ones, are legally binding on the United States authorities.

  172.  All the terms of the Undertakings being negotiated must be specific, unequivocal, contained in the document itself, and not susceptible of amendment without the agreement of all the parties.

  173.  If any clarification is needed, this is a matter for subsequent open negotiation between the parties. There can be no scope for amendment by unilateral "interpretation" of the Undertakings.

    The Agreement between the EU and the US is intended to meet security and data protection requirements through assurances provided by the US. The new Agreement, which is binding, is in three parts: (i) an Agreement signed by both parties; (ii) a letter which the US sends to the EU in which it sets out assurances on the way in which it will handle EU PNR data and (iii) a letter from the EU to the US acknowledging receipt of the assurances and confirming that it considers the level of protection of EU PNR data in the US as adequate. Compared to the Undertakings, which formed part of the 2004 and 2006 Agreements, the agreed assurances are more precise. The Agreement ensures that the assurances set out in the US letter are binding upon DHS by explicitly referring to those assurances. The wording of the Agreement underlines its binding character. Either party may terminate or suspend the Agreement. Termination will take effect 30 days from the date of notification, unless either party deems a shorter notice period is essential for national security.

Purpose limitation

  174.  Under the 2004 Agreement the use of PNR data was to be limited to:

  —  the prevention and combating of terrorism and related crimes;

  —  other serious crimes, including organised crime, that are transnational in nature; and

  —  flights from warrants or custody for these crimes.

  The negotiators should seek to retain these limitations in the new Agreement.

    The Government notes the Committee's recommendation. The purposes set out in the previous interim agreement have been retained in the new Agreement. The new Agreement also states "PNR data may be used where necessary for the protection of the vital interests of the data subject or other persons, or in any criminal judicial proceedings, or as otherwise required by law". This is not a new concept. This use of PNR data was also mentioned in former undertakings.


  175.  We believe that the use of PNR data for general law enforcement purposes, as opposed to countering terrorism and serious crime, is undesirable and unacceptable.

  176.  If, contrary to our view, it is agreed that data should be used for other purposes, those purposes must be specifically listed at the outset. Words such as "vital interests of the data subject" are too vague.

    The use of data transferred under the new Agreement is limited to certain purposes. The Agreement also enshrines the principle of proportionality. PNR may be used where necessary for the protection of the vital interests of the data subject or other persons, or in any criminal judicial proceedings, or as otherwise required by law. The term "vital interests of the data subject" is one which is drawn from the Data Protection Directive and which is recognised in the Data Protection Act 1998. The first data protection principle is that personal data must be processed fairly and lawfully and in particular, shall not be processed unless one of the conditions in Schedule 2 is met. One of the conditions in Schedule 2 is that "The processing is necessary in order to protect the vital interests of the data subject". It is generally recognised that "vital interests" covers situations where the processing is necessary for matters of life and death.

Retention of future data

  177.  We are prepared to accept that routine retention of data for longer than 3.5 years may be necessary, and may be acceptable so long as the data are kept and handled securely. What is not acceptable is for these data to be used in that time for purposes other than those strictly permitted under the Agreement.

    The Government welcomes the Committee's conclusion that routine retention of data for longer than 3.5 years may be necessary. The purposes for which the data may be used are set out in the Agreement. The new Agreement increases the retention period for active data from 3.5 years to seven years. After seven years the data will move to a dormant non-operational status for eight years. The new Agreement imposes stringent conditions that it may be accessed only with the approval of a senior DHS official designated by the Secretary of Homeland Security and only in response to an identifiable case, threat or risk.

Data sharing

  178.  If United States government authorities with whom data are shared by the Bureau for Customs and Border Protection (CBP) believe that other authorities need access to such data, the decision must be for CBP. Access should be subject to the same undertakings as CBP has given. Records of this data sharing should be kept for independent inspection.

  179.  It may not always be possible for data to be scrutinised on a case by case basis before they are shared with other authorities, but indiscriminate bulk sharing should not be permitted. It must be for CBP to "push" the information to other authorities, not for those authorities to "pull" it from the CBP database.

    DHS will share EU PNR data with other US Government authorities only for the same purpose for which it may use the data itself, i.e. focusing on the purpose of preventing and combating terrorism and other serious crimes. Although other US agencies will have the right to obtain EU PNR information under the new Agreement, they will not have automatic or unconditional access to DHS's database. Access will be strictly limited to these purposes and in proportion to the nature of the case for which the data are being sought.

  180.  The negotiators must stress how serious it is for an individual to be wrongly placed on a no-fly list, and must ensure that provision is made for rapid access to an enforceable means of redress.

    A passenger may be placed on a no-fly list for reasons that are unconnected with the use of PNR data. The Department for Homeland Security has launched a Traveller Redress Inquiry Programme (DHS TRIP) that enables people to file complaints on its website. DHS TRIP is a central gateway to address: watch list misidentification issues; situations where travellers believe they have faced screening problems at ports of entry; and situations where travellers believe they have been unfairly or incorrectly delayed, denied boarding or identified for additional screening at transportation hubs.

    Furthermore, the DHS has made a policy decision to extend the administrative Privacy Act protections providing redress to data subjects seeking information about or correction of their PNR data to non-US citizens. EU citizens will have the same legal remedies as US citizens. This is a significant improvement to the 2006 Agreement.

"Pull" v "Push"

  181.  The negotiators should ensure that the United States honours the commitment given three years ago to move to a system allowing the airlines to "push" the data to them, and should insist on a single "push" of data at the time of departure.

    The Government welcomes the recommendation. A deadline, 1 January 2008, has been set obliging DHS to move to a "push" system for all carriers operating out of the EU that have implemented a system that complies with the DHS technical requirements. PNR data will continue to be pulled from other carriers operating out of the EU until such time as their systems comply with the technical requirements.

Review of the working of the Agreement

  182.  The new Agreement must provide for thorough annual reviews of the working of the PNR Agreement, and the parties must ensure that they take place as intended. The EDPS and National Data Protection Authorities must take part. The EU team must be allowed the fullest access to data to enable it to assess the value of PNR data in the fight against terrorism.

  183.  This is an Agreement between equal parties. The EU team should not have to sign general non-disclosure agreements, even though there will of course be matters which they will agree not to disclose.

  184.  Reports of reviews should set out in detail the degree to which data are shared by CBP with other US authorities, and the conditions applying to such data sharing.

    The parties will periodically review the implementation of the Agreement. For the EU, this task will be undertaken by the Commissioner responsible for Justice, Freedom and Security or by another person designated by him. The modalities of how the reviews will be carried out will be mutually agreed by the EU and DHS.


  185.  Reports of reviews must be published. Any editing of a report prior to publication should be confined to what is strictly necessary for security reasons.

    The Government is committed to open and transparent government. Unless there are good grounds for non disclosure, for example, for national security reasons or because disclosure would prejudice law enforcement functions, the information should be disclosed.

Report

  186.  We recommend this Report to the House for debate.

Letter from the Chairman to Bridget Prentice MP

  Thank you for your letter of 11 October 2007 with which you enclosed the Government's response to this report. It was considered by Sub-Committee F (Home Affairs) of the Select Committee on the European Union at a meeting on 14 November 2007 and by the Select Committee itself on 20 November 2007.

  We agree with you when you say that "it is clearly better to have an Agreement that provides proper safeguards for data protection than no Agreement at all." Where we differ from you is in the implication, throughout the response, that the new agreement does in fact provide proper safeguards. However, as you know, the report was recommended to the House for debate, and we will take that opportunity to put our views forward.

27 November 2007


4   Paragraph 5.1.5.3 Report of the events relating to Maher Arar, analysis and recommendations. Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar.


 

© Parliamentary copyright 2008