In Process: The US-EU Passenger Name Recrods (PNR) Agreement by Bertelsmann Foundation

Inspiring People. Shaping the Future.

WASHINGTON, DC 1101 New York Avenue, NW Suite 901 Washington, DC 20005 USA Contact: Tyson Barker Contact: Tyson E-mail: tyson.barker@bertelsmanntyson.barker@bfna.org foundation.org Tel: (+1) 202.384.1993 Tel: (+1) 202.384.1993 www.bfna.org www.bertelsmann-foundation.org

BRUSSELS Résidence Palace Rue de la Loi 155 1040 Brussels, Belgium Contact: Thomas Fischer Contact: Thomas E-mail: E-mail: thomas.fischer@bertelsmannthomas.fischer@bertelsmann- stiftung.de Tel: (+32 2) 280.2830 Tel: www.bertelsmann-stiftung.de/brussels www.bertelsmann-stiftung.de/brussels

In Process: The US-EU Passenger Name Records (PNR) Agreement EuroWire is a joint publication of the Bertelsmann Foundation offices in Washington, DC and Brussels. It connects Capitol Hill to European Union policy and politics and contributes to a common trans-Atlantic political culture. EuroWire is an occasional publication that highlights issues, legislation and policymakers relevant to the Congressional legislative cycle. This publication looks at the European Union from the point of view of Capitol Hill staffers and offers timely operational analysis.

KEY POINTS • The new US-EU Passenger Name Records (PNR) data-sharing agreement was initialed in November 2011. US homeland-security issues and EU privacy concerns have been addressed. • The US Department of Homeland Security and the European Commission led the negotiations, but voices in Congress and the European Parliament (EP) shaped the debate. The EP’s role was integral: Since the Lisbon Treaty came into force December 2009, the EP must approve international agreements. • The EP’s position is unclear, but passage could occur in early 2012. • The overarching issues of contention, security and privacy, can be attributed to fundamental differences in cultural experiences and institutional mechanisms.

PNR as a Tool for Combating Terrorism The DHS collects PNR data prior to a trans-Atlantic flight’s departure to the US to identify passengers who could pose a security threat. The Department runs names against lists of known criminal suspects, known or suspected terrorists, and conducts analyses to identify those who may represent a risk. US authorities successfully used PNR data to track down and arrest Faisal Shahzad, who attempted to bomb New York City’s Times Square in May 2010; David Headley, the 2008 Mumbai-

attack plotter devising another attack in Denmark; and Najibullah Zazi, who planned a New York City subway bombing in 2009. From the American perspective, access to EU PNR data is crucial. Past terrorist acts have been attempted and carried out by foreign nationals entering the US via flights from Europe.

ABOUT THE BERTELSMANN FOUNDATION: The Bertelsmann Foundation is a private, nonpartisan operating foundation, working to promote and strengthen trans-Atlantic cooperation. Serving as a platform for open dialogue among key stakeholders, the Foundation develops practical policy recommendations on issues central to successful development of both sides of the ocean. ©Copyright 2011, Bertelsmann Foundation. All rights reserved.

DECEMBER 2011

The first Passenger Name Records (PNR) data-sharing agreement between the US and the EU was negotiated in 2004, primarily to enhance US homeland security. Whenever a passenger books a flight to, from, or through the US, airlines must transmit the passenger reservation data to the US Department of Homeland Security (DHS). PNR data includes the passenger’s itinerary, payment details, travel dates, seat numbers, co-travelers and baggage information.

The European Parliament’s Privacy ConcernsInspiring People. Shaping the Future. The current US-EU PNR agreement dates from 2007. It was negotiated by the DHS and the European Commission, the EU’s executive arm, and expires in 2014. The Lisbon Treaty’s entry into force in December 2009, however, means that the Council and the European Parliament (EP) must approve international agreements. The current agreement is thus provisional until approved by the EP.

In May 2010 the EP postponed approving the 2007 PNR agreement due to concerns that its provisions violated privacy and did not adhere to the EU Data Protection Directive (95/46/EC). The EP also called on the Commission to establish general guidelines to which countries requesting PNR data must adhere. The parliament’s move led to re-negotiations between the US Department of Homeland Security and the European Commission on the basis of new guidelines. The re-negotiated agreement now awaits a vote in the Council and in the EP.

The Debate on a New Agreement Negotiations on a new accord lay primarily within the jurisdiction of the US administration and the European Commission. In contrast to the EP, which must consent to ratifying the agreement, the US Congress has no such role. But a series of resolutions, both in Congress and in the EP, have framed the debate. In April 2011, House Homeland Security Committee Chair Peter King (R-NY) introduced a resolution urging the US administration to maintain the standards of the 2007 agreement due to its importance to US homeland security. Senate Homeland Security Chair Joseph Lieberman (I-CT) and Ranking Member Susan Collins (RME) introduced a similar resolution in the Senate. It passed unanimously. For its part, the EP adopted in May 2010 a resolution banning data mining or profiling. In November 2010 the EP adopted an

WASHINGTON, DC 1101 New York Avenue, NW Suite 901 Washington, DC 20005 USA Contact: Tyson Barker E-mail: tyson.barker@bertelsmannfoundation.org Tel: (+1) 202.384.1993 www.bertelsmann-foundation.org

BRUSSELS Résidence Palace Rue de la Loi 155 1040 Brussels, Belgium Contact: Thomas Fischer E-mail: thomas.fischer@bertelsmannstiftung.de Tel: (+32 2) 280.2830 www.bertelsmann-stiftung.de/brussels

additional resolution requesting that a new framework authorize the use of data only as a “necessary and proportionate” response to the threat level. Members of the European Parliament (MEPs) voiced concern that data would be retained for too long, and they wanted assurances that PNR data would not be used to deny boarding, or investigate or prosecute any passenger. The EP resolutions also called for barring the DHS from “pulling” information from airline carriers whose technical systems do not comply with the Department’s requirements. Finally, parliamentarians demanded that data analyses be shared immediately with EU law-enforcement officials and that all PNR guidelines be in accordance with the EU Data Protection Directive.

MEPs also expressed concern about EU citizens’ access to judicial redress; some insisted that every individual, regardless of nationality and place of residence, have the right of redress before an impartial and independent tribunal, as the Charter of Fundamental Rights stipulates. The US Privacy Act, however, limits judicial redress to US citizens and permanent residents. Although avenues of administrative redress are outlined in every PNR agreement since 2004, the EP wanted more explicit provisions giving their citizens access to judicial review. MEP Rui Tavares (NGL-Portugal) echoed this demand in an October 2010 EP public hearing on data protection in a trans-Atlantic perspective: “One of the most important issues is the recognition of rights of the EU citizens – the rights that US residents and citizens already have under the Privacy Act that can only be changed by Congress.” In sum, many MEPs were dismayed by what they believe is a lack of reciprocity on the redress issue.

European Parliament Consent The DHS and the Commission have made a few key changes in a new agreement that satisfy both bodies. EU Commissioner for Home Affairs Cecilia Malmström announced on November 24, 2011 that she sees a “huge improvement” over the previous agreement. The new agreement responds to EP demands that the DHS share its data analyses with European law-enforcement authorities. It also requires that airline carriers bring their technological capabilities to “push” data in line with DHS standards within two years.

p EU Commissioner for Home Affairs Cecilia Malmström has led the latest round of EU negotiations with US authorities. Photo: Atlantic Council

DECEMBER 2011

The new text also stipulates that data must be de-personalized after six months. In cases of trans-national crime, data may be retained in a dormant database for only 10 years. The agreement also includes a new article prohibiting unlawful discrimination. Regarding redress, the new agreement

grants any individual access to US courts. Access is provided under the provisions of the Administrative Procedure Act and other applicable laws (includingShaping the Freedom ofthe Information Inspiring People. Future. Act, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act) that allow an individual to petition for judicial review of DHS action in US federal court. A number of steps must still be taken before the agreement is ratified: • The Council, having approved the agreement during a December 13-14 meeting on justice and home affairs, must now officially request the European Parliament to give or withhold its consent. WASHINGTON, DC

BRUSSELS

Washington, DC 20005 USA

1040 Brussels, Belgium

• The EP’s Civil Liberties, Justice and Home Affairs (LIBE) must Palace have a public Résidence 1101 New York Avenue, NW Committee debate on the agreement. Rue de la Loi 155 Suite 901 Thomas Fischer Contact: Tyson Barker on the PNRContact: • MEP Sophie in ‘t Veld (ALDE- Netherlands), rapporteur agreements with third E-mail: tyson.barker@bertelsmannE-mail: thomas.fischer@bertelsmann countries, must present her draft recommendation to give or withhold consent after the foundation.org stiftung.de LIBE Committee’s public debate. Tel: (+1) 202.384.1993 www.bertelsmann-foundation.org

Tel: (+32 2) 280.2830 www.bertelsmann-stiftung.de/brussels

• The LIBE committee must give its consent to the draft recommendation. p MEP Sophie in ‘t Veld is LIBE committee rapporteur for the PNR agreement. Photo: ALDE

• The EP must give its consent to the draft recommendation. • If the EP gives its consent, the Council must officially ratify the agreement. The final ratification process could occur in early 2012. The EP’s consent is not assured. However, comparisons are often drawn between the PNR agreement and the Terrorist Finance Tracking Program (TFTP), also known as the SWIFT agreement. This US-EU data-sharing agreement was rejected by the EP before re-negotiations led to its subsequent approval by the EP in 2010. The EP’s decision on the PNR accord will in any case depend on how well it aligns with the criteria set out in the parliamentary resolutions of 2010. MEP in ‘t Veld has not yet publicly disclosed her position. She awaits the advice of legal experts and the European Data Protection Supervisor (EDPS) to be sure that the agreement complies with EU data-protection laws. Should the EP reject the agreement, the flow of data would continue to be required by US law. But this would create legal uncertainty for the airlines, which would subsequently have significant consequences in terms of trans-Atlantic flight delays and cancellations. American officials, such as Homeland Security Secretary Janet Napolitano, Attorney General Eric Holder and US Ambassador to the EU William Kennard, have been in regular contact with every relevant EU institution, particularly the EP, to promote the agreement’s passage.

p US Ambassador to the EU William Kennard spoke about American concerns at a LIBE hearing on the PNR agreement in October 2010. Photo: European Parliament

Same Values, Different Approach The overarching issue regarding the PNR agreement has been a fundamental misunderstanding between the US and the EU on how their systems work. The US created the DHS in response to the horrifying acts of September 11, 2001. Security is, therefore, a top DHS priority, although privacy remains a serious concern.

Europe, on the other hand, has recently experienced abuse of civil rights in the name of security. And past authoritarian regimes have made Europeans suspicious of government practices. Privacy, therefore, has been a priority in shaping important EU policy such as the EU Data Protection Directive and the Charter of Fundamental Rights, the latter of which was enshrined in the Lisbon Treaty. Both sides of the Atlantic value security and privacy, but the differences in cultural experiences and institutional mechanisms have left much room for compromise.

DECEMBER 2011