Article 29 Working Party Claims Breach of PNR-Agreements

The letter – a copy of which was recently published on the website of the Dutch data protection authority – urges the European Commission to take immediate action to halt the breach and to resolve the matter with its US and Australian counterparts.   

The EU/US PNR Agreement

The EU/US PNR Agreement, which has been in force since 26 July 2007, is already the third agreement between the EU and US establishing a legal framework for transferring EU-sourced PNR data to the US Department of Homeland Security (DHS). On the basis of assurances from DHS that the data will be safeguarded, the EU has agreed to the release by air carriers transporting passengers between the EU and the US of certain PNR data contained in their reservation systems. The 2007 Agreement changed the mode of data transmission from a “pull” system into a “push” system, at least for those air carriers complying with DHS’ technical requirements. However, the Article 29 Working Party has now found that the US authorities continue to “pull” PNR data through terminals based at their offices, even in cases where airlines are compliant with DHS’ technical requirements. According to the Article 29 Working Party, DHS currently has access to all PNR data for all flights by a particular airline, even if the flights have no connection with the US. The Article 29 Working Party further claims that the continued practice of pulling data is a clear breach of the Agreement, constituting ”a sound reason to terminate the Agreement”. Under the Agreement, the EU has an exclusive remedy if it finds that the US has committed a breach: the EU can terminate the Agreement and revoke its determination that DHS is ensuring an adequate level of data protection. If the EU applies this remedy, the practical ramifications for air carriers will be significant in terms of EU data protection law compliance.                       

The EU/Australia PNR Agreement         

The EU/Australia PNR Agreement was entered into on 30 June 2008 to provide a legal basis for the processing and transfer of EU-sourced passenger name record data by air carriers to the Australian Customs Service. The Agreement applies to airlines that have reservations systems and/or PNR data processed in the EU and operate flights between the EU and Australia. The Agreement allows for 19 different types of information – including travel itineraries and payment details but excluding sensitive personal data such as race or religion – to be shared with Australian Customs for the purpose of preventing and combating terrorism and other serious crimes.

According to the Article 29 Working Party, the Australian authorities are receiving all passenger PNR data from airlines rather than just the data specified in the Agreement. The Article 29 Working Party claims that Australia is violating the terms of the Agreement by demanding more information (than listed in the Agreement), which suggests that some EU-sourced PNR data are currently being processed by Australian Customs without adequate protection. The Agreement foresees the possibility to initiate a joint review of each party’s implementation of the Agreement, which appears to be the Article 29 Working Party’s preferred course of action to remedy this situation.

To be continued…   

Authored by the HL Chronicle of Data Protection Team