EU-US Agreement on Personal (PNR) Data Of Air Passengers

On 23JUL2007, the General Affairs and External Relations Council of the European Union (the foreign ministers of the member states) approved the new agreement with the US on the transfer of Passenger Name Record (PNR) data of air passengers.

An interim agreement had been in place since October 2006, which expired at the end of July 2007, so it was necessary to reach a new agreement. It is interesting that the agreement was accompanied by an “exchange of letters between the US and EU” – and is not officially a legal act (!). In the letter the US provides assurance (more like a description actually) on how the data will be handled on their side. The agreement, it said, will be valid for a period of seven years, and will ensure “an adequate level of protection of passengers’ personal data in line with European standards on fundamental rights and privacy.” But what is an “adequate level of protection” exactly?


Under the terms of the agreement, EU airlines will begin on 01JAN2008 to “push” PNR data in their reservation systems to the US Dept. of Homeland Security (DHS), replacing a system in which DHS “pulled” the data from the carriers’ systems. The data will be retained in an “active database” by DHS for no more than seven years (!), and afterwards data will be moved to a dormant, non-operational status for no more than eight years (!) and can be used by US authorities “only for the purpose of preventing and combating terrorism and related offenses and other serious offenses that are transnational in nature.” This means that the new agreement will be in place between 2008 and 2015, BUT as the data can be stored for a maximum of 7+8 years, if you travel on New Year’s Eve in 2015, your data will still be stored by and available to US authorities in 2030!!! A long, long time ahead, and it basically foresees that fighting terrorism will still be an important issue on our planet 23 years down the road… Not so promising actually…


According to the final agreement, 19 data fields will be stored about each passenger entering US airspace. Previously, while the negotiations were taking place, the parties were discussing 34 data fields, but this has been reduced. Many claim that it was not a real reduction, more of a simple exercise in merging data fields…

Files of personal data…

Data types of EU PNR Collected:

  1. PNR record locator code
  2. Date of reservation / issue of ticket
  3. Date(s) of intended travel
  4. Name(s)
  5. Available frequent flier and benefit information (i.e., free tickets, upgrades, etc)
  6. Other names on PNR, including number of travelers on PNR
  7. All available contact information (including originator information)
  8. All available payment/billing information (not including other transaction details linked to a credit card or account and not connected to the travel transaction)
  9. Travel itinerary for specific PNR
  10. Travel agency/travel agent
  11. Code share information
  12. Split/divided information
  13. Travel status of passenger (including confirmations and check-in status)
  14. Ticketing information, including ticket number, one way tickets and Automated Ticket/Fare Quote
  15. All Baggage information
  16. Seat information, including seat number
  17. General remarks including OSI, SSI and SSR information
  18. Any collected APIS information
  19. All historical changes to the PNR listed in numbers 1 to 18

This actually means that all data an airline can store about a passenger in an IATA standard reservation will have to be forwarded to the US DHS. Item 17, “OSI, SSI and SSR information”, would include such things as special meal requests, for example, which can give the authorities an idea about the religious beliefs of the passenger. If you’re somebody who would not like to disclose such information and think you would not order a special meal and just leave the regular meal on the tray untouched, be careful, because flight attendants have to signal if a passenger is not eating or drinking throughout a flight, as they may be carrying drugs in their digestive system. If you’re suspected of such an act, you may end up in a more difficult situation than if you had just requested your regular kosher/hindu/moslem meal…

And this data will most probably “meet up” at DHS with all the other data that is taken about all passengers on the border while entering the US (photo, fingerprint, etc.)…


As mentioned above, the US can store our data for “no more than” 15 years altogether, which is quite scary. But what can be even more worrying for some of us is that the agreement (letter, sorry) does not contain guarantees about the US sharing this data with third countries! (“EU PNR data is only exchanged with other government authorities in third countries after consideration of the recipient’s intended use(s) and ability to protect the information.”) So you fly from the EU to the US, but if the US authorities feel the necessity to share your data with ANY third country in the world, they can do that according to this agreement… Also the agreement says that “sensitive data (e.g.: racial or ethnic origin) must be filtered and deleted unless an exceptional case. EU Commission will be informed if such data has been accessed”. That means after it has been accessed, so what’s the point??

As I wouldn’t want to influence anyone on forming their opinions about this agreement, I have uploaded the full text as an attachment to this article, (EU-US PNR Agreement and accompanying letters – full text) you can go ahead and read it for yourself. If you have any opinions or comments please share with us and the readers of this blog by leaving us a comment, thanks!

by balint01


2 Responses to “EU-US Agreement on Personal (PNR) Data Of Air Passengers”

  1. 1 Alexis October 23, 2007 at 12:39 am

    Let the paranoia begin!

  2. 2 balint01 November 8, 2007 at 6:36 am

    EU plans more comprehensive PNR collection system

    The EU intends to launch a PNR system similar to the collection procedure applied by the US.

    Under the plan unveiled this week as part of a broader counterterrorism package, the 27 member states would be required to collect 19 fields of data from passengers flying to or from the EU. Data would include the e-mail address and phone number of the passenger, ticket and travel agent information and payment details and would be provided 24 hr. before departure.

    Airlines would be responsible for collection. PNR information would be kept for 13 years and made available to specialized national “units” carrying out risk assessments and to law enforcement agents like police and customs officers that may be part of antiterror activities or investigations.

    “Our goal remains preserving the right balance between the fundamental right to security of citizens, the right to life and the other fundamental rights of individuals, including privacy and procedural rights,” VP-Justice, Freedom and Security Franco Frattini said after the Commission adopted the package. He indicated he wants the measures to enter into effect at the end of next year. Governments of all 27 EU member states must endorse the proposals unanimously if they are to become law.

    The collection of PNR data by the US has led to tension between the EU and US over the past several years, with the European Parliament arguing that the US requests and collection system may impinge on the civil liberties of EU citizens. An accord finally was reached over the summer as described in our current article.

    (ATW News)
