On 23JUL2007, the General Affairs and External Relations Council of the European Union (the foreign ministers of the member states) approved the new agreement with the US about the transfer of Passenger Name Record (PNR) data of air passengers.
An interim agreement had been in place since October 2006, which expired at the end of July 2007, so it was necessary to reach a new agreement. It is interesting that the agreement was accompanied by an “exchange of letters between the US and EU” – and is not officially a legal act (!). In the letter the US provides assurance (more like a description actually) on how the data will be handled on their side. The agreement, it said, will be valid for a period of seven years, and will ensure “an adequate level of protection of passengers’ personal data in line with European standards on fundamental rights and privacy.” But what is an “adequate level of protection” exactly?
Under the terms of the agreement, EU airlines will begin on 01JAN2008 to “push” PNR data in their reservation systems to the US Dept. of Homeland Security (DHS), replacing a system in which DHS “pulled” the data from the carriers’ systems. The data will be retained in an “active database” by DHS for no more than seven years (!) and afterwards data will be moved to a dormant, non-operational status for no more than eight years (!) and can be used by US authorities “only for the purpose of preventing and combating terrorism and related offenses and other serious offenses that are transnational in nature.” This means that the new agreement will be in place between 2008 and 2015, BUT as the data can be stored for a maximum of 7+8 years, it means if you travel on New Year’s Eve in 2015, your data will still be stored by and available for US authorities in 2030!!! A long, long time ahead, and it basically foresees that fighting terrorism will still be an important issue on our planet 23 years down the road… Not so promising actually…
According to the final agreement, 19 data elements will be stored about each passenger entering US airspace. Previously, as the negotiations were taking place, the parties were discussing 34 data elements, but this has been reduced. Many claim that it was not a real reduction, more of a simple exercise in merging data fields…
Data types of EU PNR Collected:
- PNR record locator code
- Date of reservation / issue of ticket
- Date(s) of intended travel
- Available frequent flier and benefit information (i.e., free tickets, upgrades, etc)
- Other names on PNR, including number of travelers on PNR
- All available contact information (including originator information)
- All available payment/billing information (not including other transaction details linked to a credit card or account and not connected to the travel transaction)
- Travel itinerary for specific PNR
- Travel agency/travel agent
- Code share information
- Split/divided information
- Travel status of passenger (including confirmations and check-in status)
- Ticketing information, including ticket number, one way tickets and Automated Ticket/Fare Quote
- All Baggage information
- Seat information, including seat number
- General remarks including OSI, SSI and SSR information
- Any collected APIS information
- All historical changes to the PNR listed in numbers 1 to 18
This actually means that all data an airline can and is able to store about a passenger in an IATA standard reservation will have to be forwarded to the US DHS. Line 17: “OSI, SSI and SSR information” would include such things as special meal requests, for example, which can give the authorities an idea about the religious beliefs of the passenger. If you’re somebody who would not like to disclose such information and think you would not order a special meal and just leave the regular meal on the tray untouched, be careful, because flight attendants have to signal if a passenger is not eating or drinking throughout a flight, as they may be carrying drugs in their digestive system. If you’re suspected of such an act, you may end up in a more difficult situation than if you had just requested your regular kosher/Hindu/Moslem meal…
And this data will most probably “meet up” at DHS with all the other data that is taken about all passengers at the border while entering the US (photo, fingerprint, etc.)…
As mentioned above, the US can store our data for “no more than” 15 years altogether, which is quite scary. But what can be even more worrying for some of us is that the agreement (letter, sorry) does not contain guarantees about the US sharing this data with third countries! (“EU PNR data is only exchanged with other government authorities in third countries after consideration of the recipient’s intended use(s) and ability to protect the information.”) So you fly from the EU to the US, but if the US authorities feel the necessity to share your data with ANY third country in the world, they can do that according to this agreement… Also the agreement says that “sensitive data (e.g.: racial or ethnic origin) must be filtered and deleted unless an exceptional case. EU Commission will be informed if such data has been accessed”. That means after it has been accessed, so what’s the point??
As I wouldn’t want to influence anyone on forming their opinions about this agreement, I have uploaded the full text as an attachment to this article (EU-US PNR Agreement and accompanying letters – full text), so you can go ahead and read it for yourself. If you have any opinions or comments, please share them with us and the readers of this blog by leaving us a comment, thanks!