Motion for a resolution - B5-0156/2004Motion for a resolution
B5-0156/2004

MOTION FOR A RESOLUTION

22 March 2004

pursuant to Rule 88 of the Rules of Procedure
by the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs
on the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection
(C5‑0124/2004)

Procedure : 2004/2011(INI)
Document stages in plenary
Document selected :  
B5-0156/2004
Texts tabled :
B5-0156/2004
Debates :
Texts adopted :

B5‑0156/2004

European Parliament resolution on the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection
(2004/2011(INI)) (C5‑0124/2004)

The European Parliament,

– having regard to European Parliament and Council Directive 95/46/EC[1] and, in particular, Article 25 thereof, and also Regulation (EC) No 2299/89[2],

– having regard to the draft Commission decision noting the adequate level of protection provided for personal data contained in the Passenger Name Records (PNRs) transferred to the US Bureau of Customs and Border Protection (C5‑0124/2004),

– having regard to the opinions delivered on 29 January 2000 by the Article 29 Working Party on Data Protection and on 17 February 2004 by the committee referred to in Article 31 of the above directive,

– having regard to the Cappato report (A5-0104/2004) on the implementation of the data-protection directive (95/46/EC), which was adopted on 9 March 2004,

– having regard to the position expressed by the national parliaments on this subject,

– having regard to the opinion of the Belgian Committee on Privacy concerning two cases involving the transfer by three airlines of the personal data relating to certain transatlantic passengers (including those relating to an MEP), an opinion in which it is stated that both Belgian and EU privacy laws have been infringed; having regard to the Council’s observation that ‘the US measures potentially conflict with Community and Member States’ legislation on data protection’ (2562nd meeting of the General Affairs Council held in Brussels on 23 February 2004); having regard to the internal Commission document which confirms that such a conflict does indeed exist; whereas Parliament has condemned the blatant violation of privacy laws, and whereas major responsibilities lie with the Commission, the Member States and certain authorities whose task is to safeguard privacy,

– having regard to Article 8 of Council Decision 1999/468/EC of 28 June 1999 laying down the procedures for the exercise of implementing powers conferred on the Commission[3],

– having regard to Rule 88 of its Rules of Procedure,

A. whereas, pursuant to the Transport Security Act and the implementing provisions thereof (such as Aviation Security Screening Records[4]), the US Administration requires airlines operating in Europe to provide access to the commercial data contained in Passenger Name Records (PNRs), so as to enable the potential threat which each passenger could present to be established in advance and to ensure that any terrorist or individual responsible for serious crime is denied permission to board,

B. whereas such access is illegal under Member-State and EU privacy laws, in spite of which fact neither the Commission nor the Member States nor the authorities which are responsible for safeguarding privacy and which have been granted binding powers have taken any action to ensure that the laws are enforced,

C. whereas in the air-transport field a Passenger Name Record (PNR) is a file containing a package of commercial information including in particular:

(a) data enabling both the passenger and the persons accompanying him to be identified, together with the person who requested the reservation on the passenger's behalf, the agency or the employee who made the reservation and/or issued the ticket, and so on,

(b) the data relating to the journey for which the ticket has been issued, and also all the other sectors which make up the entire routing of a journey which may comprise a number of legs and therefore involve a number of tickets,

(c) data relating to means of payment, the passenger's credit card number, the special terms granted to particular groups (such as frequent flyers and members of special groups), e-mail addresses, physical addresses and private and/or office telephone numbers disclosed when the reservation was made, contact persons, and so on,

(d) data concerning a particular service relating to the passenger's state of health, his dietary preferences, and so on,

(e) specific remarks made by airline staff,

(f) where appropriate, details of reservations in respect of car hire and hotel rooms,

D. whereas PNR data vary according to the commercial practices followed by each airline and are processed by means of reservation centres, and whereas appropriate extraction programmes would therefore have to be devised by the airlines for the purpose of extracting the data which could legitimately be transferred,

E. whereas greater use ought to be made of openness as an instrument to prevent terrorist crimes; whereas it has been suggested in the academic debate that terrorism can sometimes be prevented by means of greater openness if the information which is available at the highest political and administrative levels is also passed on to more junior staff within the authorities concerned,

As regards the principles of data protection on the European side

F. whereas Article 8(2) of the European Convention on Human Rights (ECHR) as interpreted by the European Court of Human Rights[5] allows interference in private life only '...where it is provided for by law[6], where it is necessary[7] in a democratic society[8] to the pursuit of legitimate aims and where it is not disproportionate[9] in relation to the objective pursued,'

G. whereas, at this stage, there is no specific legislation in the European Union permitting the use of PNR commercial data for public-security purposes and whereas such legislation is essential in order for the data to be used for a purpose other than that for which they were originally collected and for the use of those data for public-security purposes to be authorised,

H. whereas such new legislation has to define the exact data to be collected, the rules to be followed for the processing and the responsibilities of each party involved (passengers, airlines and public authorities); whereas such new legislation could be adopted by the Member States (pursuant to Article 13 of Directive 95/46/EC and Article 9 of Council of Europe Convention 108) or by the European Union, for which the Commission has undertaken to prepare a legislative proposal for the second half of 2004, and whereas an initiative has already been submitted by the Kingdom of Spain,

I. whereas the Council recently approved the Commission's negotiating mandate for an international agreement in this field without any consultation of the national parliaments of the European Member States and whereas national parliamentary control is absolutely essential,

... and on the US side

J. whereas in the USA the protection of privacy, although mentioned in the Fourth Amendment to the Constitution, is not regarded as a fundamental right but

(a) is regulated by specific provisions (which do not, however, cover the transport sector) and by the Freedom of Information Act,

(b) grants only to US citizens and legal nationals the right to data protection and, in particular, the right of access to, and rectification of, only the data held by the federal public authorities (1974 Privacy Act), with the result that

(c) no legal protection is currently granted in the case of the data relating to non-US (and in particular European) passengers, nor is there any right of legal redress should the measures restricting the freedom to travel be abused,

As regards the legal impact of a decision on adequacy taken pursuant to Article 25 of Directive 95/46/EC

K. aware of the fact that the draft Decision submitted by the Commission:

(a) is a measure designed merely to implement Directive 95/46/EC, which may not result in a lowering of the data-protection standards within the EU as established by means of Directive 95/46/EC,

(b) relates to a state of affairs which is still in a legal limbo both in the USA (since no legislation on privacy has been adopted for the purpose of protecting each and every individual, irrespective of his or her nationality) and in Europe (since no specific legislation has been adopted which will enable PNR data to be legitimately transferred to public authorities),

(c) once it is adopted will practically deprive the Member States (which are currently responsible for protecting individuals as regards PNR data) of any scope for blocking transfers in order to uphold their citizens' rights,

L. regretting the fact that, throughout 2003, the Commission did not heed the repeated requests from Parliament and the data-supervision authorities calling upon it to:

(a) specify the data which could be legitimately transferred without risk (see the list of the 19 items suggested on 13 June 2003 by the Article 29[10] Working Party),

(b) immediately replace the 'pull' system (which is used without a legal basis by the US Administration and which has no filters for sensitive data or for non-transatlantic flights) with the 'push' system (which enables each airline to transfer only legitimate data and only in respect of flights to US destinations),

(c) negotiate an international agreement with the USA which will offer genuine guarantees for passengers or, at the very least, the same protection as is provided for US citizens,

M. sharing most of the reservations expressed unanimously by the data supervision authorities meeting within the Working Party referred to in Article 29 of the Directive, in particular on 29 January 2004[11],

1. Considers that the Commission Decision of ... noting the adequate level of protection provided for personal data contained in the Passenger Name Records transferred to the US Bureau of Customs and Border Protection goes beyond the executive powers conferred on the Commission since:

As regards the legal basis and the form

1.1 The draft Decision is not (and could not be):

(a) a legislative measure capable of enabling, within the European Union, the purpose for which the data were collected in the PNR to be changed and enabling them to be transferred by the airlines, in whole or in part, to third parties[12]; its effect, however, may well be a lowering of the data-protection standards established by means of Directive 95/46/EC within the EU or the creation of new standards in agreement with third countries,

(b) an international agreement pursuant to which the Commission would be obliged to authorise the transfer of such data; one can only regret the ambiguous wording of some of the clauses contained in the Decision and of the appended undertakings (such as those concerning duration, monitoring arrangements, cases in which the Decision may be suspended or withdrawn, the terms and conditions under which the Member States may intervene, etc.), which might give the false impression that obligations could be derived from that text as they are explicitly excluded by clause 47, which stipulates that 'these Undertakings do not create any right or benefit on any person or party, private or public';

As regards substance

1.2 The draft decision is based on 'Undertakings', the bindingness of which is far from proven as regards both:

(a) the source, which is purely administrative (and therefore subject to possible re-organisations within the Department of Home Security which would make the separations between internal structures obsolete), and

(b) the substance (since, on the one hand, guarantees are mentioned for which there is as yet no legal basis in the USA and, on the other, the option is kept open of amending the rules at any time, with particular reference to the arrangements for using and re-using the data);

2. Considers the importance of the issue to be such that the European Union should come to an arrangement with the USA on the basis of a proper international agreement which, with due respect for fundamental rights, stipulates:

(a) the data which could be transferred in an automated way (APIS) and the data which could possibly be transferred on a case-by-case basis,

(b) the list of the serious crimes for which an additional request could be made,

(c) the list of authorities and agencies which could share the data and the data-protection conditions to be respected,

(d) the data-retention period for the two kinds of data, it being clear that data dealing with the prevention of serious crimes have to be exchanged in accordance with the EU-US agreement on judicial cooperation and extradition,

(e) the role to be played by airlines in transferring passengers' data and the means envisaged (APIS, PNR, etc.) for public-security purposes,

(f) the guarantees to be offered to passengers in order to enable them to correct the data relating to them or provide an explanation in the event of a discrepancy between the data relating to a travel contract and the data shown in identity documents, visas, passports and so on,

(g) the airlines' responsibilities vis-à-vis passengers and the public authorities in the event of transcription or encoding errors and as regards protection of the data processed,

(h) the right to appeal to an independent authority and redress mechanisms in the event of infringements of passengers’ rights;

3. Declares itself ready to deal under urgent procedure with an international agreement which is compliant with the above-mentioned principles; considers that if such an agreement were to be adopted, the Commission could legitimately declare that data would be adequately protected in the USA;

4. Calls on the Commission to submit to Parliament a new adequacy-finding decision, to ask the Council for a mandate for a strong new international agreement in compliance with the principles outlined in this resolution, and to submit those texts to the June 2004 Transatlantic Summit with the US Administration;

5. Pending a permanent legislative solution or the conclusion of one or more international agreements, calls upon:

(a) the Member States to require immediate compliance with EU and their own domestic laws on privacy and draws particular attention to the obligation imposed (pursuant to Article 26(1)(a) of the Directive) on airlines and travel agencies to obtain passengers' consent for the transfer of data; such consent must be given freely and passengers must be informed of the options open to them for influencing the content of their PNR, of the implications of failing to give consent and of the fact that an adequate level of protection does not exist in the USA;

(b) the Commission to act in order to ensure that Regulation (EC) No 2299/89 is enforced and, in particular, to check that data are not transferred (in particular by means of computer reservation systems) without a passenger's consent and that the administrations of third countries have no access to those systems;

6. Calls on the Commission to block:

(a) the ‘pull’ system from 1 July 2004, and from that date onwards to apply the ‘push’ system with the 19 items suggested on 13 June 2003 by the Article 29 Working Party,

(b) the initiatives for establishing European centralised management of the PNR data as outlined in Communication COM(2003) 826 and recently confirmed by the competent Commissioner to the parliamentary committee, as such initiatives for the time being are in breach of the proportionality and subsidiarity principles;

7. In the meantime, reserves the right to appeal to the Court of Justice should the draft decision be adopted by the Commission; reminds the Commission of the requirement for cooperation between institutions which is laid down in Article 10 of the Treaty and calls upon it not to take, during the election period, any decision such as the one with which this resolution is concerned;

8. Reserves the right to bring an action before the Court of Justice in order to seek verification of the legality of the projected international agreement and, in particular, the compatibility thereof with the protection of a fundamental right;

9. Considers it extremely important that the outcome of the negotiations should not be taken as a model for the EU's further work on the development of its own anti-crime measures, data storage and protection of confidentiality;

10. Calls upon the Commission to withdraw the draft decision;

11. Instructs its President to forward this resolution to the Council, the Commission, the parliaments and governments of the Member States and the US Congress.