You are currently browsing EDRi's old website. Our new website is available at

If you wish to help EDRI promote digital rights, please consider making a private donation.

Flattr this


EDRi booklets

EU-US negotiations about PNR Data

25 September, 2003

Negotiations about airline passenger data between the European Commission and the US are stuck but both parties have agreed to solve their differences before the end of this year. On 22 September, Asa Hutchinson, US Under Secretary for Border & Transportation Security met with EU Commissioner Bolkestein, but that didn't result in any public change of the US position.

Since March the US is demanding passenger data from European airlines flying to or through the US. The data is send to the US prior to flight departure and used by the US to screen passengers and apply a risk assessment. The passenger name record data (PNR) consist of 39 data items: departure and return flights, connecting flights, special services required on board the flight (meals such as Kosher, Halal) and payment information such as credit card numbers. Airlines might loose landing rights if they do not comply with US demands.

At the same time, a scandal broke out around passenger data from the US carrier JetBlue. JetBlue voluntarily handed over the itinerary information of 1.5 million passengers, including passenger name, address, and phone number to a US Defence contractor. This contractor used the data to test passenger screening software. The US Electronic Privacy Information Center (EPIC) responded by filing a complaint with the Federal Trade Commission. Since there is no legal privacy protection for passengerdata in the US, the claim could only be based on violation of JetBlues own privacy policy. EPIC also requested information from several federal agencies about possible government use of JetBlue passenger data. The case illustrates why European passengers should worry when their data are transferred to the US.

The scope of the use of EU passenger data by the US is wide. An initial agreement between the EU and US that will now be revised, says that 'Customs will retain the data no longer than is required for the purpose for which it was stored'. But at the same time it is clear that the data is stored for an almost unlimited number of purposes, certainly not limited to the fight against terrorism: 'PNR data is used by Customs strictly for enforcement purposes, including use in threat analysis to identify and interdict potential terrorists and other threats to national and public security'.

The EU Commission and Parliament agree that the passenger data can only be given to the US if an adequate level of data protection is in place. The US handling of the data seems in no way adequate, as the purpose of the data processing is not clearly defined, retention time is not limited and supervision is not independent.

Bolkestein said on 9 September to the European Parliament Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) that 'progress on the remaining issues has been rather disappointing'. It seems no surprise as Tom Ridge, US Secretary of Homeland Security, said only a few days earlier: "Looking at this request beyond just a data protection issue but as a mutual security issue is something that can help us get closer to resolving our differences". On 29 September, LIBE will vote about a proposal for a resolution by the European Parliament to stop all transfer by 1 December 2003, if the US cannot guarantee adequate data protection.

Draft motion for a European Parliament Resolution on PNR-data (24.09.2003)

Speech Bolkestein on EU/US talks (09.09.2003)

EPIC dossier on passenger profiling



Syndicate contentCreative Commons License

With financial support from the EU's Fundamental Rights and Citizenship Programme.
eu logo