Bureau of Customs and Border Protection; DHS.
This Notice is intended to update a General Notice published in the Federal Register on July 9, 2004, advising that the Department of Homeland Security, Customs and Border Protection, had issued a document on May 11, 2004 (referred to as the “Undertakings”) containing representations regarding the manner in which it would handle certain Passenger Name Record data relating to flights between the United States and European Union member states. This Notice describes updates and adjustments to the Undertakings to reflect changes in the law and circumstances surrounding these data transfers.
This Notice is effective January 4, 2007.
FOR FURTHER INFORMATION CONTACT:
Michael Scardaville, (202) 282-8321.
On July 9, 2004, a Notice was published in the Federal Register (69 FR 41543; corrected at 69 FR 44082 on July 23, 2004), advising that the Department of Homeland Security (DHS), Customs and Border Protection (CBP), had issued a document on May 11, 2004 (referred to as the “Undertakings”) containing representations regarding the manner in which CBP would handle certain Passenger Name Record (PNR) data relating to flights between the United States and European Union (EU) member states. When they were issued, these Undertakings were understood to provide the foundation for the European Community (EC) to enter into an agreement with the United States that permitted the transfer of PNR data to CBP consistent with applicable EC law. However, through a diplomatic note presented on July 3, 2006, the EC terminated the agreement as of September 30, 2006, as a consequence of the determination of the European Court of Justice that the agreement had been concluded on an inapplicable basis under European Union law.
On October 19, 2006, the United States and the EU concluded an agreement to last until July 31, 2007. This agreement was accompanied by a letter of the United States updating and adjusting the Undertakings to reflect changes in the law and circumstances surrounding this data transfer. The letter was discussed extensively with the EU, and the EU has acknowledged it without objection. Copies of the agreement and letter are contained in this notice. All representations contained in the Undertakings, as published on July 9 and 23, 2004 are to be interpreted consistently with the October 19, 2006 agreement and its accompanying letter. The letter reflects changes in U.S. law and experience since the Undertakings were issued and is consistent with existing relevant provisions of U.S. law.
Both the agreement and the Undertakings shall terminate on July 31, 2007, unless extended.
Dated: December 19, 2006.
Assistant Secretary for Policy.
Text of agreement:
Between the European Union and the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security
THE EUROPEAN UNION AND THE UNITED STATES OF AMERICA,
DESIRING to prevent and combat terrorism and transnational crime effectively as a means of protecting their respective democratic societies and common values,
RECOGNISING that, in order to safeguard public security and for law enforcement purposes, rules should be laid down on the transfer of Passenger Name Record (“PNR”) data by air carriers to the Department of Homeland Security (hereinafter “DHS”). For the purposes of this Agreement, DHS means the Bureau of Customs and Border Protection, U.S. Immigration and Customs Enforcement and the Office of the Secretary and the entities that directly support it, but does not include other components of DHS such as the Citizenship and Immigration Services, Transportation Security Administration, United States Secret Service, the United States Coast Guard, and the Federal Emergency Management Agency,
RECOGNISING the importance of preventing and combating terrorism and related crimes, and other serious crimes that are transnational in nature, including organized crime, while respecting fundamental rights and freedoms, notably privacy,
HAVING REGARD to U.S. statutes and regulations requiring each air carrier operating passenger flights in foreign air transportation to or from the United States to provide DHS with electronic access to PNR data to the extent they are collected and contained in the air carrier's automated reservation/departure control systems (hereinafter “reservation systems”),
HAVING REGARD to Article 6(2) of the Treaty on European Union on respect for fundamental rights, and in particular to the related right to the protection of personal data,
HAVING REGARD to relevant provisions of the Aviation Transportation Security Act of 2001, the Homeland Security Act of 2002, the Intelligence Reform and Terrorism Prevention Act of 2004 and Executive Order 13388 regarding cooperation between agencies of the United States government in combating terrorism,
HAVING REGARD to the Undertakings as published in the U.S. Federal Register and implemented by DHS,
NOTING that the European Union should ensure that air carriers with reservation systems located within the European Union arrange for transmission of PNR data to DHS as soon as this is technically feasible but that, until then, the U.S. authorities should be allowed to access the data directly, in accordance with the provisions of this Agreement,
AFFIRMING that this Agreement does not constitute a precedent for any future discussions or negotiations between the United States and the European Union, or between either of the Parties and any State regarding the processing and transfer of PNR or any other form of data,
HAVING REGARD to the commitment of both sides to work together to reach an appropriate and mutually satisfactory solution, without delay, on the processing of Advance Passenger Information (API) data from the European Union to the United States,
NOTING that in reliance on this Agreement, the EU confirms that it will not hinder the transfer of PNR data between Canada and the United States and that the same principle will be applied in any similar agreement on the processing and transfer of PNR data,
HAVE AGREED AS FOLLOWS
(1) In reliance upon DHS's continued implementation of the aforementioned Undertakings as interpreted in the light of subsequent events, the European Union shall ensure that air carriers operating passenger flights in foreign air transportation to or from the United States of America process PNR data contained in their reservation systems as required by DHS.
(2) Accordingly, DHS will electronically access the PNR data from air carriers' reservation systems located within the territory of the Member States of the European Union until there is a satisfactory system in place allowing for transmission of such data by the air carriers.
(3) DHS shall process PNR data received and treat data subjects concerned by such processing in accordance with applicable U.S. laws and constitutional requirements, without unlawful discrimination, in particular on the basis of nationality and country of residence.
(4) The implementation of this Agreement shall be jointly and regularly reviewed.
(5) In the event that an airline passenger information system is implemented in the European Union or in one or more of its Member States that requires air carriers to provide authorities with access to PNR data for persons whose travel itinerary includes a flight to or from the European Union, DHS shall, in so far as practicable and strictly on the basis of reciprocity, actively promote the cooperation of airlines within its jurisdiction.
(6) For the purpose of applying this Agreement, DHS is deemed to ensure an adequate level of protection for PNR data transferred from the European Union concerning passenger flights in foreign air transportation to or from the United States.
(7) This Agreement shall enter into force on the first day of the month after the date on which the Parties have exchanged notifications indicating that they have completed their internal procedures for this purpose. This Agreement shall apply provisionally as of the date of signature. Either Party may terminate or suspend this Agreement at any time by notification through diplomatic channels. Termination shall take effect thirty (30) days from the date of notification thereof to the other Party. This Agreement shall expire upon the date of application of any superseding agreement and in any event no later than 31 July 2007, unless extended by mutual written agreement.
This Agreement is not intended to derogate from or amend legislation of the United States of America or the European Union or its Member States. This Agreement does not create or confer any right or benefit on any other person or entity, private or public.
This Agreement shall be drawn up in duplicate in the English language. It shall also be drawn up in the Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Slovak, Slovenian, Spanish and Swedish languages, and the Parties shall approve these language versions. Once approved, the versions in these languages shall be equally authentic.
Done at Washington D.C. on 19 October 2006 and at Luxembourg on 16 October 2006.
For the United States of America
Secretary, Department of Homeland Security.
For the European Union
Minister for Foreign Affairs, President of the Council of the European Union.
Text of U.S. letter:
Via Electronic Delivery
ATTN: Director General Jonathan Faull, European Commission
B-1049 Bruxelles, Belgium 22.
ATTN: Ms. Irma Ertman, Presidency of the Council of the European Union
Ministry of Foreign Affairs, P.O Box 176, Laivastokatu, FIN-00161 Helsinki, Finland.
Dear Jonathan and Irma:
This letter is intended to set forth our understandings with regard to the interpretation of a number of provisions of the Passenger Name Record (PNR) Undertakings issued on May 11, 2004 by the Department of Homeland Security (DHS). For the purposes of this letter, DHS means the Bureau of Customs and Border Protection, U.S. Immigration and Customs Enforcement and the Office of the Secretary and the entities that directly support it, but does not include other components of DHS such as the Citizenship and Immigration Services, Transportation Security Administration, United States Secret Service, the United States Coast Guard, and the Federal Emergency Management Agency. We look forward to further reviewing these and other issues in the context of future discussions toward a comprehensive, reciprocal agreement based on common principles.
Sharing and Disclosure of PNR
The Intelligence Reform and Terrorism Prevention Act of 2004 required the President to establish an Information Sharing Environment “that facilitates the sharing of terrorism information.” Following this enactment, on October 25, 2005 the President issued Executive Order 13388, directing that DHS and other agencies “promptly give access to * * * terrorism information to the head of each other agency that has counterterrorism functions” and establishing a mechanism for implementing the Information Sharing Environment.
Pursuant to Paragraph 35 of the Undertakings (which states that “No statement in these Undertakings shall impede the use or disclosure of PNR data in any criminal judicial proceedings or as otherwise required by law” and allows DHS to “advise the European Commission regarding the passage of any U.S. legislation which materially affects the statements made in these Undertakings”), the U.S. has now advised the EU that the implementation of the Information Sharing Environment required by the Act and the Executive Order described above may be impeded by certain provisions of the Undertakings that restrict information sharing among U.S. agencies, particularly all or portions of paragraphs 17, 28, 29, 30, 31, and 32.
In light of these developments and in accordance with what follows, the Undertakings should be interpreted and applied so as to not impede the sharing of PNR data by DHS with other authorities of the U.S. government responsible for preventing or combating of terrorism and related crimes as set forth in Paragraph 3 of the Undertakings.
DHS will therefore facilitate the disclosure (without providing unconditional direct electronic access) of PNR data to U.S. government authorities exercising a counter-terrorism function that need PNR for the purpose of preventing or combating terrorism and related crimes in cases (including threats, flights, individuals, and routes of concern) that they are examining or investigating. DHS will ensure that such authorities respect comparable standards of data protection to that applicable to DHS, in particular in relation to purpose limitation, data retention, further disclosure, awareness and training, security standards and sanctions for abuse, and procedures for information, complaints and rectification. Prior to commencing facilitated disclosure, each receiving authority will confirm in writing to DHS that it respects those standards. DHS will inform the EU in writing of the implementation of such facilitated disclosure and respect for the applicable standards before the expiration of the Agreement.
Early Access Period for PNR
While Paragraph 14 limits the number of times PNR can be pulled, the provision puts no such restriction on the “pushing” of data to DHS. The push system is considered by the EU to be less intrusive from a data privacy perspective. The push system does not confer on airlines any discretion to decide when, how or what data to push, however. That decision is conferred on DHS by U.S. law. Therefore, it is understood that DHS will utilize a method of pushing the necessary PNR data that meets the agency's needs for effective risk assessment, taking into account the economic impact upon air carriers.
In determining when the initial push of data is to occur, DHS has discretion to obtain PNR more than 72 hours prior to the departure of a flight so long as action is essential to combat an offense enumerated in Paragraph 3. Additionally, while there are instances in which the U.S. government may have specific information regarding a particular threat, in most instances the available intelligence is less definitive and may require the casting of a broader net to try and uncover both the nature of the threat and the persons involved. Paragraph 14 is therefore understood to permit access to PNR outside of the 72 hour mark when there is an indication that early access is likely to assist in responding to a specific threat to a flight, set of flights, route, or other circumstances associated with offenses described in Paragraph 3 of the Undertakings. In exercising this discretion, DHS will act judiciously and with proportionality.
DHS will move as soon as practicable to a push system for the transfer of PNR data in accordance with the Undertakings and will carry out no later than the end of 2006 the necessary tests for at least one system currently in development if DHS's technical requirements are satisfied by the design to be tested. Without derogating from the Undertakings and in order to avoid prejudging the possible future needs of the system any filters employed in a push system, and the design of the system itself must permit any PNR data in the airline reservation or departure control systems to be pushed to DHS in exceptional circumstances where augmented disclosure is strictly necessary to address a threat to the vital interests of the data subject or other persons.
Several important uses for PNR data help to identify potential terrorists; even data that is more than 3.5 years old can be crucial in identifying links among terrorism suspects. The Agreement will have expired before Paragraph 15 of the Undertakings requires the destruction of any data, and questions of whether and when to destroy PNR data collected in accordance with the Undertakings will be addressed by the United States and the European Union as part of future discussions.
The Joint Review
Given the extensive joint analysis of the Undertakings conducted in September 2005 and the expiration of the agreement prior to the next Joint Review, the question of how and whether to conduct a joint review in 2007 will be addressed during the discussions regarding a future agreement.
The frequent flyer field may offer addresses, telephone numbers, e-mail addresses; all of these, as well as the frequent flyer number itself, may provide crucial evidence of links to terrorism. Similarly, information about the number of bags carried by a passenger may have value in a counterterrorism context. The Undertakings authorize DHS to add data elements to the 34 previously set forth in Attachment “A” of the Undertakings, if such data is necessary to fulfill the purposes set forth in paragraph 3.
With this letter the U.S. has consulted under Paragraph 7 with the EU in connection with item 11 of Attachment A regarding DHS's need to obtain the frequent flier number and any data element listed in Attachment A to the Undertakings wherever that element may be found.
Vital Interests of the Data Subject or Others
Recognizing the potential importance of PNR data in the context of infectious disease and other risks to passengers, DHS reconfirms that access to such information is authorized by paragraph 34, which provides that the Undertakings must not impede the use of PNR for the protection of the vital interests of the data subject or of other persons or inhibit the direct availability of PNR to relevant authorities for the purposes set forth in Paragraph 3 of the Undertakings. “Vital interests” encompasses circumstances in which the lives of the data subject or of others could be at stake and includes access to information necessary to ensure that those who may carry or may have been exposed to a dangerous communicable disease can be readily identified, located, and informed without delay. Such data will be protected in a manner commensurate with its nature and used strictly for the purposes for which it was accessed.
Assistant Secretary for Policy.
1. Vol. 69, No 131, p. 41543.
[FR Doc. 06-9980 Filed 1-3-07; 8:45 am]
BILLING CODE 9114-14-P