The Identity Project joins 20 other nonprofit, nongovernmental organizations from Europe and the USA in a joint letter being sent today to Members of the European Parliament (MEPs) to inform them about the real facts of the proposed EU-US agreement on U.S. DHS access to PNR (travel reservation) data from the EU, and to ask that MEPs reject the proposed and highly controversial agreement.
German version of press release: VIBE!AT und NoPNR.org senden offenen Brief an EU Parlamentarier um sie über das Fluggastdatenabkommen mit den USA zu informieren.
Text of letter (letter in PDF format):
Information on the upcoming vote on the EU-USA PNR Agreement
Soon you will be deciding on the EU-US agreement on passenger name records (PNR).
Since there is confusing information on this agreement, there are a few things we would like to clarify.
Please consider the following issues for your decision on the EU-US PNR Agreement:
The proposed agreement will not result in improved legal security for citizens.
Contrary to recent statements by EU Commissioner Cecilia Malmström, the PNR agreement will not increase legal security for citizens. It will, however, give legal protection to the current practice of data exchange. It does not provide any benefit for European citizens. The proposed agreement does not provide an adequate level of protection for the processing of personal data as required by the EU Data Protection Directive and Article 8 of the Charter of Fundamental Rights.
There is no access control or access logging.
PNRs are created whenever a booking is made. To faciliate exchange between airlines, central reservation systems are used (CRS). These CRS are the source of the PNRs discussed in the agreement. Access controls and access logs are mandatory for sensitive data like the one
stored in PNRs. But there are no geographic controls on access to PNR data. Any airline or CRS office worldwide can retrieve any PNR of that airline or CRS. The EU-US agreement claims that all access to PNR data is logged. But when individuals have requested the logs of who has accessed their PNR data, airlines, CRSs, and the DHS have all said that they have no access logs. Thus the PNR
data is open for abuse. Most of the CRS are located outside of the EU.
The proposed agreement does not meet the conditions set by the European Parliament.
The European Parliament’s resolution of May 5th, 2010, said that any PNR transfer agreement with the US should take the form of a treaty, recognize the fundamental right to freedom of movement, prohibit the use of PNR data for data mining or profiling, and take into consideration PNR data which may be available from sources not covered by international agreements, such as CRS located outside the EU. The proposed Agreement does not meet these criteria, and does not even mention any of these issues.
There is no appropriate information to travelers.
Right now travelers are not informed which personal data is stored and processed. Information requests to airlines and travel agencies are usually answered unsufficiently. The legal action neccessary here would be the enforcement of European data protection laws, not the creation of a legal exemption for this very critical information. The agreement states the right to be informed which personal data is processed under the Freedom of Information act in the US. Recent experiences showed that requests are answered insufficiently if at all. The Freedom of Information Act provides multiple exemptions, which together result in the inability to learn which personal information is processed.
In conclusion the EU-US PNR agreement does not provide any benefit to European citizens. The proposed Council Decision places all of the legal burdens on the EU without requiring corresponding obligations from the USA. Under the proposal, the EU is expected to provide support from both Council and the EP, but neither the US President nor Senate is bound by this agreement. Only an international treaty with strong data protection safeguards based on European standards, which is also ratified by the US Senate, can provide improved legal security and protection of European citizens.
Therefore we ask you to reject the agreement!
For further information please contact us at firstname.lastname@example.org
An initiative by Verein für Internet-Benutzer Österreichs and NoPNR.org
Arbeitskreis Vorratsdatenspeicherung Österreich
Initiative für Netzfreiheit
The Identity Project
Friends of Privacy USA
Center for Financial Privacy and Human Rights
Plattform gegen den Überwachungsstaat
Datenschutzraum e.V. Düsseldorf
The New Renaissance Network Sweden
World Privacy Forum
Liga voor Mensenrechten
Freedom not Fear Austria
Aktion Freiheit statt Angst e.V. [signed the letter, but not listed on PDF]