This article is also available in:
Deutsch: Details zum geplanten US-EU PNR-Abkommen durchgesickert

On 17 November 2011, U.S. and EU officials initialled a proposed agreement to authorize airlines to forward passenger name record (PNR) data to the U.S. Department of Homeland Security (DHS). Although the agreement cannot take effect without the approval of the European Parliament and the Council, MEPs could read the proposed agreement only in a sealed room where they could not take notes or make copies.

This week the complete text on which the European Parliament will vote has finally been made public, revealing a failure to address the concerns raised by the Parliament and continued shortfalls in data protection, due process, and protection of fundamental rights.

In its resolution of 5 May 2010, the Parliament said that the PNR agreement should take the form of a treaty, recognize the fundamental right to freedom of movement, prohibit the use of PNR data for data mining or profiling, and take into consideration "PNR data which may be available from sources not covered by international agreements, such as computer reservation systems located outside the EU." The proposed agreement does not meet these criteria, and does not mention any of these issues.

The agreement would require that DHS copies of PNRs be "depersonalized" after 6 months. But the "depersonalized" DHS copy of each PNR would still include a unique record locator. There is no data protection law in the U.S. for commercial data. So, at any time - secretly, without a court order, and without violating U.S. law or the U.S.-EU agreement - the DHS could use the record locator to obtain a copy of the complete PNR from the computer reservation systems.

The agreement claims that all DHS access to PNR data will be logged. But when individuals have requested these logs, both the DHS and European airlines have said that they didn't exist. Without access logs, there can be no accountability or oversight.

According to the agreement, any individual is entitled to "request" access or corrections to their PNR data under the Freedom of Information Act (FOIA). But most PNR data is exempt from FOIA. Under both the agreement and U.S. law, you are entitled to request your PNR data, and the DHS is entitled to say "No".

FOIA is not a data protection law. FOIA never requires any accounting of usage or disclosure of data. FOIA never requires correction of records. FOIA does not restrict what information is collected or how it is used. U.S. courts have no authority under FOIA to take any action against misuse or disclosure of personal information. The agreement says that individuals may "seek" or "petition" for judicial review in U.S. courts. But such a petition related to violations of the agreement would be denied.

The proposed agreement would protect travel companies against enforcement of EU data protection laws, while failing to protect the rights of travellers. Because the proposed agreement does not provide an adequate level of protection for the processing of personal data, as required by the EU Data Protection Directive and Article 8 of the Charter of Fundamental Rights, EDRi recommends that the Council and the Parliament should reject the proposed agreement.

Text of the PNR Agreement (23.11.2011)
http://www.ipex.eu/IPEXL-WEB/dossier/dossier.do?code=NLE&year=2011...

Analysis of the proposed U.S.-EU agreement on PNR transfers to the DHS (with links to the full text in English, German, and French, 28.11.2011)
http://papersplease.org/wp/2011/11/28/revised-eu-us-agreement-on-pnr-d...

Analysis of the proposed agreement by NoPNR! (only in in German, 28.11.2011)
http://www.nopnr.org/fluggastdaten-an-die-usa-analyse/

EDRi archive of articles about PNR
http://www.edri.org/issues/privacy/pnr

(Contribution by Edward Hasbrouck, PapersPlease.org - EDRi Observer)