The European Parliament,

–   having regard to European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1) and to Council Regulation (EEC) No 2299/89 of 24 July 1989 on a code of conduct for computerised reservation systems(2),

A.   whereas, in the wake of 11 September 2001, the US has carried out a root-and-branch overhaul of its legislation with a view to tightening internal security, including security in the area of transport, adopting, on 19 November 2001, the Aviation and Transportation Security Act (ATSA)(3) and, on 5 May 2002, the Enhanced Border Security and Visa Entry Reform Act of 2002 (EBSV)(4), as well as other related measures, affecting, for transatlantic flights alone, between 10 and 11 million passengers a year,

B.   whereas at first the US Administration confined itself to asking airlines to supply data on passengers and crew (Passenger Manifest Information) ((5)) using the Advanced Passenger Information System (APIS); whereas, however, it has subsequently interpreted the interim agreement so as to impose, under threat of severe penalties, direct access to computerised reservation systems and, in particular, to the Passenger Name Record (PNR), which can be linked up not only with identification data but with other information of the most various kinds(6), including sensitive information as defined in Article 8 of Directive 95/46/EC,

C.   sharing the doubts and concerns that have been expressed by the national authorities(7) concerning the legitimacy of this demand, including its legitimacy under US law, and in particular doubts about its compliance with EU data protection legislation given the risk that reservation system databases may become de facto 'data-mining' territory for the US Administration,

D.   expressing its doubts as to whether these data will be protected ((8)i) in an 'adequate' fashion once they have been transferred to American databases; regretting the Commission's failure to set under way, in good time, the procedure for assessing the compatibility of the US legislation with Community law(9),

E.   noting that the new legislation proposed by the US Immigration services(10) would make it possible to go beyond the limits of the existing transmission system (known as US EDIFACT) via a more detailed format (UN EDIFACT) which would permit inclusion of the passenger's address in the US and of the number, date and place of issue of his visa (as required by Section 402 of the EBSV), as well as more clearly defining the effective scope of the PNR by limiting it to a set of predetermined data,

1.  Expresses its regret at the Commission's delay in submitting proposals to Parliament and the Council on a set of problems which have been on the agenda for more than fifteen months, affect data protection and have a huge impact on other Community policies (transport and immigration) and Union policies (police and judicial cooperation and the fight against terrorism and organised crime);

2.  Regrets the failure of the Commission, given its role as guardian of the Treaties and Community law, to assume its responsibilities with the necessary diligence insofar as:

3.  Regrets the joint declaration of 19 February 2003 by EU and US officials, which lacks any legal basis and could be interpreted as an indirect invitation to the national authorities to disregard Community law; instructs its President to activate the procedure provided for in Rule 91 of the Rules of Procedure with a view to determining whether an action may be brought before the European Court of Justice;

4.  Believes that, if negotiations are to be launched, they should be based, on the one hand, on the Community's powers in the field of air transport, which, as far as transatlantic links are concerned, affect between 10 and 11 million passengers a year, and for which the Commission is preparing to negotiate an 'open skies' accord, and, on the other, on its powers in the sphere of immigration policy; is, furthermore, surprised that these issues have not been considered in the context of the agreements on judicial and police cooperation, which have now reached an advanced stage;

5.  Calls on the Commission to secure the suspension of the effects of the measures taken by the US authorities pending the adoption of a decision regarding the compatibility of those measures with Community law;

6.  Calls on the Commission to examine the problems raised in this resolution; reserves the right to examine the action taken before the next EU-US summit;

7.  Instructs its President to forward this resolution to the Commission, the Council, the governments and parliaments of the Member States, the Permanent Representation of the United States to the European Union, and the US Congress.

(1) 1 OJ L 281, 23.11.1995, p. 31. (2) 2 OJ L 220, 29.7.1989, p. 1. (3) 3 Aviation and Transportation Security Act of 19 November 2001 (107-71), Interim Rules of the Department of the Treasury (Customs) – Passenger and Crew Manifests Required for Passenger Flights in Foreign Air Transportation to the United States (Federal Register, 31 December 2001), and Passenger Name Record Information Required for Passengers on Flights in Foreign Air Transportation to or from the United States (Federal Register, 25 June 2002). (4) 4 This act updates the relevant provisions of the Immigration and Nationality Act. (5) i Section 44909 is amended by adding at the end the following: (c) FLIGHTS IN FOREIGN AIR TRANSPORTATION TO THE UNITED STATES. (1) IN GENERAL. Not later than 60 days after the date of enactment of the Aviation and Transportation Security Act, each air carrier and foreign air carrier operating a passenger flight in foreign air transportation to the United States shall provide to the Commissioner of Customs by electronic transmission a passenger and crew manifest containing the information specified in paragraph (2). Carriers may use the Advanced Passenger Information System (APIS) established under section 431 of the Tariff Act of 1930 (19 U.S.C. 1431) to provide the information required by the preceding sentence. (2) INFORMATION. A passenger and crew manifest for a flight required under paragraph (1) shall contain the following information: (A) The full name of each passenger and crew member. (B) The date of birth and citizenship of each passenger and crew member. (C) The sex of each passenger and crew member. (D) The passport number and country of issuance of each passenger and crew member if required for travel. (E) The United States visa number or resident alien card number of each passenger and crew member, as applicable. (F) Such other information as the Under Secretary, in consultation with the Commissioner of Customs, determines is reasonably necessary to ensure aviation safety. (3) PASSENGER NAME RECORDS.‐The carriers shall make passenger name record information available to the Customs Service upon request. (4) TRANSMISSION OF MANIFEST.‐Subject to paragraph (5), a passenger and crew manifest required for a flight under paragraph (1) shall be transmitted to the Customs Service in advance of the aircraft landing in the United States in such manner, time, and form as the Customs Service prescribes. (5) TRANSMISSION OF MANIFESTS TO OTHER FEDERAL AGENCIES.‐Upon request, information provided to the Under Secretary or the Customs Service under this subsection may be shared with other Federal agencies for the purpose of protecting national security.' (6) 5 PNR number, date of reservation, travel agency, information appearing on the ticket, financial data (credit card number, expiry date, billing address, etc), itinerary and PNR history; the latter may include details of past journeys, but also religious or ethnic data (choice of meal, etc), affiliation to a particular group, residence data and contact information (email address, address of a friend, workplace, etc), medical data (medical assistance required; oxygen; vision, hearing or mobility problems or any other problem needing to be disclosed in the interests of the proper operation of the flight), and other data (e.g. membership of frequent flyer schemes). (7) See own-initiative opinion 6/2002 of the group set up under Article 29 of Directive 95/46/EC, at: http://www.europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wpdocs-2002.htm. (8) ii (EBSV page 6) On 'Chimera' system: '... The plan under this subsection shall establish conditions for using the information described in subsection (b) received by the Department of State and Immigration and Naturalization Service (A) to limit the redissemination of such information; (B) to ensure that such information is used solely to determine whether to issue a visa to an alien or to determine the admissibility or deportability of an alien to the United States, except as otherwise authorized under Federal law; (C) to ensure the accuracy, security, and confidentiality of such information; (D) to protect any privacy rights of individuals who are subjects of such information; (E) to provide data integrity through the timely removal and destruction of obsolete or erroneous names and information; and (F) in a manner that protects the sources and methods used to acquire intelligence information as required by section 103(c)(6) of the National Security Act of 1947 (50U.S.C. 403–3(c)(6)).' (9) Cf. Article 25 of Directive 95/46/EC. (10) Federal Register, 3 January 2003 (Vol. 68, No 2). (11) For example, the reorganisation of reservation systems, so as to isolate data which does not relate solely to the travel contract.