The European Parliament,

–   having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1) and, in particular, Article 25 thereof, and also Council Regulation (EEC) No 2299/89 of 24 July 1989 on a code of conduct for computerised reservation systems(2),

–   having regard to the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection (C5-0124/2004),

–   having regard to the opinions delivered on 29 January 2004 by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data referred to in Article 29 of Directive 95/46/EC and on 17 February 2004 by the committee referred to in Article 31 of that Directive,

–   having regard to its resolution of 9 March 2004 on the First Report on the implementation of the Data Protection Directive (95/46/EC)(3),

–   having regard to the position expressed by the national parliaments on this subject,

–   having regard to the opinion of the Belgian Committee on Privacy concerning two cases involving the transfer by three airlines of the personal data relating to certain transatlantic passengers (including those relating to an MEP), an opinion in which it is stated that both Belgian and EU privacy laws have been infringed; having regard to the Council's observation that "the US measures potentially conflict with Community and Member States" legislation on data protection" (2562nd meeting of the General Affairs Council held in Brussels on 23 February 2004); having regard to the internal Commission document which confirms that such a conflict does indeed exist; whereas Parliament has condemned the blatant violation of privacy laws, and whereas major responsibilities lie with the Commission, the Member States and certain authorities whose task is to safeguard privacy,

–   having regard to Article 8 of Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission(4),

–   having regard to Rule 88 of its Rules of Procedure,

A.   whereas, pursuant to the Transport Security Act and the implementing provisions thereof (such as Aviation Security Screening Records(5)), the US Administration requires airlines operating in Europe to provide access to the commercial data contained in Passenger Name Records (PNRs), so as to enable the potential threat which each passenger could present to be established in advance and to ensure that any terrorist or individual responsible for serious crime is identified and apprehended or denied entry to the US,

B.   whereas such access requires a clear legal framework if it is to be permitted under the privacy laws of the Member States and the Community, in spite of which fact neither the Commission nor the Member States nor the authorities which are responsible for safeguarding privacy and which have been granted binding powers have taken any action to ensure that the laws are enforced,

C.   whereas in the air-transport field a Passenger Name Record (PNR) is a file containing a package of commercial information including in particular:

D.   whereas PNR data vary according to the commercial practices followed by each airline and are processed by means of reservation centres, and whereas appropriate extraction programmes would therefore have to be devised by the airlines for the purpose of extracting the data which could legitimately be transferred,

As regards the principles of data protection on the European side

E.   whereas Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) as interpreted by the European Court of Human Rights(6) allows interference in private life only '...where it is provided for by law(7), where it is necessary(8) in a democratic society(9) to the pursuit of legitimate aims and where it is not disproportionate(10) in relation to the objective pursued,'

F.   whereas, at this stage, there is no legal basis in the European Union permitting the use of PNR commercial data for public-security purposes and whereas such a legal basis is essential in order to modify the purpose for which such were originally collected and to permit them to be used for public-security purposes,

G.   whereas such a legal basis must define the exact data to be collected, the rules to be followed for the processing of those data and the responsibilities of each party involved (passengers, airlines and public authorities),

H.   whereas the Council recently approved the Commission's negotiating mandate for an international agreement in this field,

... and on the US side

I.   whereas in the USA the protection of privacy, although mentioned in the Fourth Amendment to the Constitution, is not regarded as a fundamental right but

As regards the legal impact of a decision on adequacy taken pursuant to Article 25 of Directive 95/46/EC

J.   aware of the fact that the draft Decision submitted by the Commission:

K.   regretting the fact that, throughout 2003, the Commission did not heed the repeated requests from Parliament and the data-supervision authorities calling upon it to:

L.   sharing most of the reservations expressed unanimously by the data supervision authorities meeting within the Working Party referred to in Article 29 of Directive 95/46/EC, in particular on 29 January 2004(12),

1.  Considers that the Commission Decision of ... noting the adequate level of protection provided for personal data contained in the Passenger Name Records transferred to the US Bureau of Customs and Border Protection goes beyond the executive powers conferred on the Commission since:

As regards the legal basis and the form

1.1.  The draft Decision is not (and could not be):

As regards substance

1.2.  The draft decision is based on 'Undertakings', the binding nature of which is far from proven as regards both:

1.3.  The 'pull' system for accessing PNR data undermines any limitations that may be agreed and must be replaced by a 'push' system with appropriate filters,

2.  Considers the importance of the issue to be such that the European Union should come to an arrangement with the USA on the basis of a proper international agreement which, with due respect for fundamental rights, stipulates:

3.  Declares itself ready to deal under urgent procedure with an international agreement which complies with the above-mentioned principles; considers that if such an agreement were to be adopted, the Commission could legitimately declare that data would be adequately protected in the USA;

4.  Calls on the Commission to submit to Parliament a new adequacy-finding decision and to ask the Council for a mandate for a strong new international agreement in compliance with the principles outlined in this resolution;

5.  Pending a permanent legislative solution or the conclusion of one or more international agreements, calls upon:

6.  Calls on the Commission to block:

7.  In the meantime, reserves the right to appeal to the Court of Justice should the draft decision be adopted by the Commission; reminds the Commission of the requirement for cooperation between institutions which is laid down in Article 10 of the Treaty and calls upon it not to take, during the election period, any decision such as the one with which this resolution is concerned;

8.  Reserves the right to bring an action before the Court of Justice in order to seek verification of the legality of the projected international agreement and, in particular, the compatibility thereof with the protection of a fundamental right;

9.  Considers it extremely important that the outcome of the negotiations should not be taken as a model for the EU's further work on the development of its own anti-crime measures, data storage and protection of confidentiality;

10.  Calls upon the Commission to withdraw the draft decision;

o
o   o

11.  Instructs its President to forward this resolution to the Council, the Commission, the parliaments and governments of the Member States and the US Congress.

(1) OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1). (2) OJ L 220, 29.7.1989, p. 1. Regulation as last amended by Regulation (EC) No 323/1999 (OJ L 40, 13.2.1999, p. 1). (3) P5_TA(2004)0141. (4) OJ L 184, 17.7.1999, p. 23. (5) FEDERAL REGISTER 68 FR 2101. TSA intends to use this system of records to facilitate TSA's passenger and aviation security screening programme under the Aviation and Transportation Security Act. TSA intends to use the CAPPS II system to conduct risk assessments to ensure passenger and aviation security. (6) European Court of Human Rights, Amann v. Switzerland judgment of 16 February 2000, Reports of Judgments and Decisions 2000-II, paragraph 65, and Rotaru v. Romania judgment of 4 May 2000, Reports of Judgments and Decisions 2000-V, paragraph 43. (7) Recourse to a 'law' is all the more justified where protection of a fundamental right is called for, since such protection cannot be left to administrative or purely implementing measures. A 'law' must be worded with a sufficient degree of precision to enable those who are covered by its provisions to regulate their conduct and it must meet the foreseeability requirement which emerges from the European Court of Human Rights case law (see in particular ECHR judgment, Rekvényi v. Hungary, 20 May 1999, Reports of Judgments and Decisions 1999-III, paragraph 34). In the case under consideration the law must also include explicit and detailed provisions concerning the persons authorised to consult records, the nature of those records, the procedure to be followed and the use which may be made of the information thus obtained (see ECHR judgment, Rotaru v. Romania, 4 May 2000). (8) The concept of 'necessity' implies that 'a pressing social need' is at issue and that the action taken must be 'proportionate to the legitimate aim pursued ' (see in particular ECHR judgment, Gillow v. United Kingdom, 24 November 1986, Series A No 109, paragraph 55), and that in this area the legislature enjoys a margin of discretion the scope of which will depend not only on the nature of the legitimate aim pursued but also on the particular nature of the interference involved (see ECHR judgment, Leander v. Sweden, 26 March 1987, Series A No 116, paragraph 59). (9) The 'democratic' society criterion applies to relations between public authorities and the general public and is to be regarded as being all the more in evidence where the general public controls the institutions, rather than the other way round. Of course, in any democracy, irrespective of the nature of such relations, any arrangement for gathering and systematically storing data must be very carefully assessed, particularly in cases where such data relate to individuals who do not constitute a threat to the community. (10) The proportionality criterion applies to all data-processing parameters (e.g. at what stage the data are transferred, which data are transferred, to whom and for what purpose, the length of data storage and the length of the dispensation). Under European law, such assessments must also be carried out bearing in mind the subsidiarity requirements which govern relations between the Member States and the European Union. This is all the more necessary in cases where, by virtue of an act passed by an institution, the Member States are prevented from intervening. (11) The data should include the following information: PNR record locator code, date of reservation, date(s) of travel, passenger name, other names held in the PNR, routing, free ticket identifiers, one-way tickets, ticketing field information, ATFQ (Automatic Ticket Fare Quote) data, ticket number, date upon which the ticket was issued, no-show history, number of items of luggage, luggage-label numbers, no-show information, number of items of luggage on each sector, voluntary or involuntary changes of class, details of changes made to the PNR data and relating to the above-mentioned items. (12) http://www.europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp87_en.pdf (13) Furthermore, the obligation imposed on airlines under US law cannot be regarded as a sufficient 'legal obligation' within the meaning of Article 7(c) of Directive 95/46/EC, since the latter is to be interpreted in the light of the 'fundamental rights [which, according to settled case law,] form an integral part of the general principles of law, whose observance the Court ensures' (see in particular the judgment of 6 March 2001, in Case C-274/99 P Connolly v Commission, ECR I-1611, paragraph 37).