U.S. DEPARTMENT OF HOMELAND SECURITY
In response to the inquiry of the European Union and to reiterate the importance that
the United States government places on the protection of individual privacy, this
letter is intended to explain how the United States Department of Homeland Security
(DHS) handles the collection, use and storage of Passenger Name Records (PNR). None
of the policies articulated herein create or confer any right or benefit on any person
or party, private or public, nor any remedy other than that specified in the Agreement between the EU and the U.S. on the processing and transfer of PNR by air
carriers to DHS signed in July 2007 (the “Agreement”). Instead, this letter provides the assurances
and reflects the policies which DHS applies to PNR data derived from flights between
the U.S. and European Union (EU PNR) under U.S. law.
-
I. Purpose for which PNR is used: DHS uses EU PNR strictly for the purpose of preventing
and combating: (1) terrorism and related crimes; (2) other serious crimes, including
organized crime, that are transnational in nature; and (3) flight from warrants or
custody for crimes described above. PNR may be used where necessary for the protection
of the vital interests of the data subject or other persons, or in any criminal judicial
proceedings, or as otherwise required by law. DHS will advise the EU regarding the
passage of any U.S. legislation which materially affects the statements made in this
letter.
-
II. Sharing of PNR:
DHS shares EU PNR data only for the purposes named in article I.
DHS treats EU PNR data as sensitive and confidential in accordance with U.S. laws
and, at its discretion, provides PNR data only to other domestic government authorities
with law enforcement, public security, or counterterrorism functions, in support of
counterterrorism, transnational crime and public security related cases (including
threats, flights, individuals and routes of concern) they are examining or investigating,according
to law, and pursuant to written understandings and U.S. law on the exchange of information
between U.S. government authorities. Access shall be strictly and carefully limited
to the cases described above in proportion to the nature of the case.
EU PNR data is only exchanged with other government authorities in third countries
after consideration of the recipient’s intended use(s) and ability to protect the
information. Apart from emergency circumstances, any such exchange of data occurs
pursuant to express understandings between the parties that incorporate data privacy
protections comparable to those applied to EU PNR by DHS, as described in the second
paragraph of this article.
-
III. Types of Information Collected:
Most data elements contained in PNR data can be obtained by DHS upon examining an
individual’s airline ticket and other travel documents pursuant to its normal border
control authority, but the ability to receive this data electronically significantly
enhances DHS’s ability to focus its resources on high risk concerns, thereby facilitating
and safeguarding bona fide travel.
Types of EU PNR Collected:
-
1. PNR record locator code,
-
2. Date of reservation/ issue of ticket
-
3. Date(s) of intended travel
-
4. Name(s)
-
5. Available frequent flier and benefit information (i.e., free tickets, upgrades, etc)
-
6. Other names on PNR, including number of travelers on PNR
-
7. All available contact information (including originator information)
-
8. All available payment/billing information (not including other transaction details
linked to a credit card or account and not connected to the travel transaction)
-
9. Travel itinerary for specific PNR
-
10. Travel agency/travel agent
-
11. Code share information
-
12. Split/divided information
-
13. Travel status of passenger (including confirmations and check-in status)
-
14. Ticketing information, including ticket number, one way tickets and Automated Ticket
Fare Quote
-
15. All Baggage information
-
16. Seat information, including seat number
-
17. General remarks including OSI, SSI and SSR information
-
18. Any collected APIS information
-
19. All historical changes to the PNR listed in numbers 1 to 18
To the extent that sensitive EU PNR data (i.e. personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union membership,
and data concerning the health or sex life of the individual), as specified by the
PNR codes and terms which DHS has identified in consultation with the European Commission,
are included in the above types of EU PNR data, DHS employs an automated system which
filters those sensitive PNR codes and terms and does not use this information. Unless
the data is accessed for an exceptional case, as described in the next paragraph,
DHS promptly deletes the sensitive EU PNR data.
If necessary in an exceptional case where the life of a data subject or of others
could be imperilled or seriously impaired. DHS officials may require and use information
in EU PNR other than those listed above, including sensitive data. In that event,
DHS will maintain a log of access to any sensitive data in EU PNR and will delete
the data within 30 days once the purpose for which it has been accessed is accomplished
and its retention is not required by law. DHS will provide notice normally within
48 hours to the European Commission (DG JLS) that such data, including sensitive data,
has been accessed.
-
IV. Access and Redress: DHS has made a policy decision to extend administrative Privacy
Act protections to PNR data stored in the ATS regardless of the nationality or country
of residence of the data subject, including data that relates to European citizens.
Consistent with U.S. law, DHS also maintains a system accessible by individuals, regardless
of their nationality or country of residence, for providing redress to persons seeking
information about or correction of PNR. These policies are accessible on the DHS website,
www.dhs.gov.
Furthermore, PNR furnished by or on behalf of an individual shall be disclosed to
the individual in accordance with the U. S. Privacy Act and the U. S. Freedom of Information
Act (FOIA). FOIA permits any person (regardless of nationality or country of residence)
access to a U.S. federal agency’s records, except to the extent such records (or a
portion thereof) are protected from disclosure by an applicable exemption under the
FOIA. DHS does not disclose PNR data to the public, except to the data subjects or
their agents in accordance with U.S. law. Requests for access to personally identifiable
information contained in PNR that was provided by the requestor may be submitted to
the FOIA/PA Unit, Office of Field Operations, U.S. Customs and Border Protection,
Room 5.5-C, 1300 Pennsylvania Avenue, NW, Washington, DC 20229 (phone: (202) 344-1850
and fax: (202) 344-2791).
In certain exceptional circumstances, DHS may exercise its authority under FOIA to
deny or postpone disclosure of all or part of the PNR record to a first part requester,
pursuant to Title 5, United States Code, Section 552(b). Under FOIA any requester
has the authority to administratively and judicially challenge DHS’s decision to withhold
information.
-
V. Enforcement: Administrative, civil, and criminal enforcement measures are available
under U.S. law for violations of U.S. privacy rules and unauthorized disclosure of
U.S. records. Relevant provisions include but are not limited to Title 18, United
States Code, Sections 641 and 1030 and Title 19, Code of Federal Regulations, Section
103.34.
-
VI. Notice: DHS has provided information to the travelling public about its processing
of PNR data through publications in the Federal Register and on its website. DHS further
will provide to airlines a form of notice concerning PNR collection and redress practices
to be available for public display. DHS and the EU will work with interested parties
in the aviation industry to promote greater visibility of this notice.
-
VII. Data retention: DHS retains EU PNR data in an active analytical database for seven
years, after which time the data will be moved to dormant, non-operational status.
Data in dormant status will be retained for eight years and may be accessed only with
approval of a senior DHS official designated by the Secretary of Homeland Security
and only in response to an identifiable case, threat, or risk. We expect that EU PNR
data shall be deleted at the end of this period; questions of whether and when to
destroy PNR data collected in accordance with this letter will be addressed by DHS
and the EU as part of future discussions. Data that is related to a specific case
or investigation may be retained in an active database until the case or investigation
is archived. It is DHS’ intention to review the effect of these retention rules on
operations and investigations based on its experience over the next seven years. DHS
will discuss the results of this review with the EU.
The above mentioned retention periods also apply to EU PNR data collected on the basis
of the Agreements between the EU and the US, of May 28, 2004 and October 19, 2006.
-
VIII. Transmission: Given our recent negotiations, you understand that DHS is prepared to
move as expeditiously as possible to a ‘‘push’’ system of transmitting PNR from airlines
operating flights between the EU and the U.S. to DHS. Thirteen airlines have already
adopted this approach. The responsibility for initiating a transition to ‘‘push’’
rests with the carriers, who must make resources available to migrate their systems
and work with DHS to comply with DHS’s technical requirements. DHS will immediately
transition to such a system for the transmission of data by such air carriers no later
than January 1, 2008 for all such air carriers that have implemented a system that
complies with all DHS technical requirements. For those air carriers that do not implement
such a system the current system shall remain in effect until the air carriers have
implemented a system that is compatible with DHS technical requirements for the transmission
of PNR data. The transition to a ‘‘push’’ system, however, does not confer on airlines
any discretion to decide when, how or what data to push. That decision is conferred
on DHS by U.S. law.
Under normal circumstances DHS will receive an initial transmission of PNR data 72
hours before a scheduled departure and afterwards will receive updates as necessary
to ensure data accuracy. Ensuring that decisions are made based on timely and complete
data is among the most essential safeguards for personal data protection and DHS works
with individual carriers to build this concept into their push systems. DHS may require
PNR prior to 72 hours before the scheduled departure of the flight, when there is
an indication that early access is necessary to assist in responding to a specific
threat to a flight, set of flights, route, or other circumstances associated with
the purposes defined in article I. In exercising this discretion, DHS will act judiciously
and with proportionality.
-
IX. Reciprocity: During our recent negotiations we agreed that DHS expects that it is
not being asked to undertake data protection measures in its PNR system that are more
stringent than those applied by European authorities for their domestic PNR systems.
DHS does not ask European authorities to adopt data protection measures in their PNR
systems that are more stringent than those applied by the U.S. for its PNR system.
If its expectation is not met, DHS reserves the right to suspend relevant provisions
of the DHS letter while conducting consultations with the EU with a view to reaching
a prompt and satisfactory resolution. In the event that an airline passenger information
system is implemented in the European Union or in one or more of its Member States
that requires air carriers to make available to authorities PNR data for persons whose
travel itinerary includes a flight between the U.S. and the European Union, DHS intends,
strictly on the basis of reciprocity, to actively promote the cooperation of the airlines
within its jurisdiction.
In order to foster police and judicial cooperation, DHS will encourage the transfer
of analytical information flowing from PNR data by competent US authorities to police
and judicial authorities of the Member States concerned and, where appropriate, to
Europol and Eurojust. DHS expects that the EU and its Member States will likewise
encourage their competent authorities to provide analytical information flowing from
PNR data to DHS and other US authorities concerned.
-
X. Review: DHS and the EU will periodically review the implementation of the agreement, this letter, U.S. and EU PNR policies and practices and any instances in which sensitive
data was accessed, for the purpose of contributing to the effective operation and
privacy protection of our practices for processing PNR. In the review, the EU will
be represented by the Commissioner for Justice, Freedom and Security, and DHS will
be represented by the Secretary of Homeland Security, or by such mutually acceptable
official as each may agree to designate. The EU and DHS will mutually determine the
detailed modalities of the reviews.
The U.S. will reciprocally seek information about Member State PNR systems as part
of this periodic review, and representatives of Member States maintaining PNR systems
will be invited to participate in the discussions.
We trust that this explanation has been helpful to you in understanding how we handle
EU PNR data.