Folketinget — European Affairs Committee
Christiansborg, 11 October 2006
The Folketing's Representative to the EU
To
the members and substitute members of the Committee
The European Parliament's rapporteur on the PNR agreement questions the Commission and the Presidency
Sophie in’t Veld (ALDE, NL), who has led the European Parliament's handling of the PNR agreement[1], has sent a letter to the European Commission's Justice Commissioner, Franco Frattini, and to the Finnish Presidency respectively, concerning the conclusions of the negotiations on an EU/US PNR agreement. The Commission and the Council will have the opportunity to answer in’t Veld's questions in connection with the European Parliament's debate on the PNR agreement, which takes place on 11 October[2]. In’t Veld has asked the permanent representatives of the national parliaments to forward the letters to the parliaments.
In her letter, the rapporteur points out that the national parliaments have the opportunity to consider the matter, since the PNR agreement is based on Articles 24 and 38 of the EU Treaty, which provide that “no agreement shall be binding on a Member State whose representative in the Council states that it has to comply with the requirements of its own constitutional procedure…”.
Yours sincerely,
Mongin Forrest
Brussels, 10 October 2006
Franco Frattini
Vice-President and Commissioner for Freedom, Security and Justice
European Commission
rue de la Loi 200
1049 Brussels
Dear Commissioner Frattini,
With a view to preparing the debate tomorrow on the EU-US agreement on Passenger Name Records during the plenary session of the European Parliament, I thought it might be helpful to send you my questions in advance. I would be grateful for a written reply as well.
After careful analysis of the draft Council decision, the Agreement and the letter by the DHS Assistant Secretary for Policy (Annex 3), there are several issues that need clarification, some of which are reason for serious concern. My overall impression is that the scope of the agreement has been widened substantially (more data requested, considerable weakening if not complete elimination of the purpose limitation, sharing with more and unspecified agencies and countries, undefined retention periods, allowing for more frequent and earlier pushing of data, no guarantees for a definitive switch to the PUSH system, the virtual abolition of the joint evaluation) whereas the protection of personal data of EU citizens and means of legal redress are at best unclear, and probably weaker than under the previous agreement.
Regardless of recital 9 of the Agreement, I am furthermore deeply concerned about the precedent this agreement may set for future agreements with the US on PNR, or on other categories of data (such as bank account details as in the case of SWIFT, or records of telecommunications). The lack of democratic legitimacy regarding rules on the transfer of data must be remedied as a matter of urgency.
Finally the legal status of the Agreement, the Undertakings and the US side letter must be clarified, so as to be able to fully assess the impact on the protection of data of EU citizens.
1) PULL-PUSH system
In your statement at the press conference of 6 October, you said that from now on the US authorities would no longer have direct access (PULL) to the European reservation systems, but the European airlines would forward (PUSH) filtered data to the US. However, according to the agreement, the US authorities will switch to the PUSH system “as soon as this is technically feasible but that, until then, the US authorities should be allowed to access the data directly”. The switch to the PUSH system had been foreseen under the previous agreement, and it has been technically feasible for about a year already. What were the obstacles to introducing the PUSH system immediately?
Moreover, the recitals of the agreement seem to imply that the US authorities should have direct access at all times: “US statutes and regulations requiring each air carrier operating passenger flights in foreign air transportation to or from the United States to provide DHS with electronic access to Passenger Name Record (hereinafter ‘PNR’) data”. Can the Commission elaborate on this?
2) Limits in time and frequency of data push
According to the DHS letter (Annex 3) it is for DHS to decide how often data must be pushed, though taking account of the economic impact on air carriers. DHS furthermore reserves the right to require data to be pushed outside the scope of the 72 hour mark. It seems to be at the sole discretion of DHS when and how often it wishes to receive data. Can the Commission clarify if this is the case?
3) Purpose limitation:
The purpose for which the data can be used is not actually included in the articles of the agreement, only in the recitals (“terrorism and related crimes as per article 3 of the undertakings”). However, in the side letter the US widens the scope to include “infectious disease and other risks to passengers”. This purpose limitation is rather imprecise, to say the least. “Other risks” is an open category, thus justifying the use of data for a wide range of purposes, and making it virtually impossible to monitor the implementation of the undertakings. Can the Commission clarify how they intend to ensure that data will be used for the purpose of fighting terrorism and related crimes?
4) Sharing of data
The number of entities or agencies having access to the data has been expanded, but the DHS letter (Annex 3) does not fully specify which entities or agencies are meant. Can the Commission provide a detailed list of entities having access to PNR?
Can the Commission clarify in detail the conditions under which the US authorities can share data with third countries?
5) Number and nature of the data
The US states in the side letter that even in a PUSH system, the option must remain to ask for additional data, outside the regular set pushed by the air carriers. It is not clear from the side letter if these data are the ones defined in the undertakings, or additional data. Can the Commission clarify which data are meant?
The US authorities will also have access to frequent flyer information. Can the Commission clarify if that may include sensitive data?
6) Data retention
The previous agreement stipulated the destruction of data that had not been consulted after a retention period of 3,5 years. The US side letter seems to call the retention period into question, in any case for the future. Can the Commission confirm that all data that were transmitted to the US authorities under the previous agreement will be destroyed after the retention period foreseen in that agreement? Can the Commission explain what retention periods apply to the data transmitted under the new agreement?
7) Evaluation
Since the entry into force in May 2004 only one joint evaluation has taken place. The EC officials were not given full access during their on site visit, the final report was to be kept confidential and to date we do not know if the shortcomings observed in that report have been remedied. The new agreement states that a regular joint agreement must take place, but the DHS letter states no evaluation is necessary before the expiry of this agreement. Can the Commission explain which of the two takes precedence: the agreement or the side letter? Can the Commission inform Parliament if the shortcomings noted during the joint evaluation have been remedied? Can the Commission inform Parliament how the implementation of the undertakings will be monitored? Can the Commission confirm that any future evaluation report and its annexes will be made public, and that it will address not only the implementation of the undertakings, but also the effectiveness of the PNR policy?
8) Data protection
The references to the commitments regarding the protection of personal data are rather unclear. The only reference to data protection in the agreement is article 6, that states that “DHS is deemed to ensure an adequate level of protection for PNR data”. Can the Commission explain exactly what is meant (in legal terms) by “is deemed to ensure”, and what implications that may have for the protection of data against the backdrop of data sharing with other entities or agencies, or with third countries?
9) Legal position of EU citizens
Can the Commission:
- ensure that clear and comprehensible information to citizens on the transfer of PNR data will be provided from the day the agreement enters into force
- ensure that a proper procedure is put in place as a matter of urgency for complaints relating to the PNR policy
- clarify exactly how and under what rules the data of the individual citizens are protected, and what means of legal redress are at his/her disposal, including in its analysis the sharing of data with other entities or agencies, and third countries
- provide a detailed legal analysis of the level of protection, and where there are potential gaps and risks for the individual citizen
10) Legal status
Can the Commission clarify the legal status of the DHS letter? Does the Commission consider that the agreement is open to legal challenge by a national data protection authority or a Member State government, being potentially in breach of national data protection rules, pursuant to Recital 3 of the Draft Council Decision?
11) Democratic legitimacy and parliamentary scrutiny
In June, the Presidency stated its firm commitment to involving and informing the European Parliament. However, the efforts of the Presidency have been rather disappointing in practice. Parliament has received hardly any information by the Presidency.
Given that the national parliaments do not have much opportunity to influence the process either, there is a glaring democratic deficit in this case.
The preparations for a future PNR agreement will have to start fairly soon. At this point in time the legal context for the negotiations is not clear, for example if the same legal base will be chosen, if the data protection rules for the third pillar will be in place, and if majority voting and co-decision will apply by way of the bridging clause.
It is clear, however, that the negotiations on the successor to this agreement will be much tougher. A clear mandate with strong democratic legitimacy is a precondition for successful negotiations resulting in a better, more balanced agreement that offers better protection to EU citizens. It is essential that the future mandate be drawn up in full collaboration with the European Parliament, and requires the consent of the European Parliament in order to have full democratic legitimacy.
12) Implications for transfer of other data
Can the Commission clarify the possible consequences of this agreement for the transfer of other data, such as data on bank accounts (as in the case of SWIFT) or records of telecommunications (records of telephone calls, sms, e-mails and internet, as covered by the Data Retention Directive) or other data?
Yours sincerely,
Sophie in ‘t Veld
Rapporteur for the EU-US agreement on PNR
Brussels, 10 October 2006
Minister for Foreign Affairs Erkki Tuomioja
Presidency of the Council
Ministry for Foreign Affairs
Merikasarmi, Laivastokatu 22
FI-00160 Helsinki
Dear Minister Tuomioja,
With a view to preparing the debate tomorrow on the EU-US agreement on Passenger Name Records during the plenary session of the European Parliament, I thought it might be helpful to send you my questions in advance. I would be grateful for a written reply as well.
After careful analysis of the draft Council decision, the Agreement and the letter by the DHS Assistant Secretary for Policy (Annex 3), there are several issues that need clarification, some of which are reason for serious concern. My overall impression is that the scope of the agreement has been widened substantially (more data requested, considerable weakening if not complete elimination of the purpose limitation, sharing with more and unspecified agencies and countries, undefined retention periods, allowing for more frequent and earlier pushing of data, no guarantees for a definitive switch to the PUSH system, the virtual abolition of the joint evaluation) whereas the protection of personal data of EU citizens and means of legal redress are at best unclear, and probably weaker than under the previous agreement.
Regardless of recital 9 of the Agreement, I am furthermore deeply concerned about the precedent this agreement may set for future agreements with the US on PNR, or on other categories of data (such as bank account details as in the case of SWIFT, or records of telecommunications). The lack of democratic legitimacy regarding rules on the transfer of data must be remedied as a matter of urgency.
Finally the legal status of the Agreement, the Undertakings and the US side letter must be clarified, so as to be able to fully assess the impact on the protection of data of EU citizens.
1) PULL-PUSH system
In his statement at the press conference of 6 October, Commissioner Frattini said that from now on the US authorities would no longer have direct access (PULL) to the European reservation systems, but the European airlines would forward (PUSH) filtered data to the US. However, according to the agreement, the US authorities will switch to the PUSH system “as soon as this is technically feasible but that, until then, the US authorities should be allowed to access the data directly”. The switch to the PUSH system had been foreseen under the previous agreement, and it has been technically feasible for about a year already. What were the obstacles to introducing the PUSH system immediately?
Moreover, the recitals of the agreement seem to imply that the US authorities should have direct access at all times: “US statutes and regulations requiring each air carrier operating passenger flights in foreign air transportation to or from the United States to provide DHS with electronic access to Passenger Name Record (hereinafter ‘PNR’) data”. Can the Presidency elaborate on this?
2) Limits in time and frequency of data push
According to the DHS letter (Annex 3) it is for DHS to decide how often data must be pushed, though taking account of the economic impact on air carriers. DHS furthermore reserves the right to require data to be pushed outside the scope of the 72 hour mark. It seems to be at the sole discretion of DHS when and how often it wishes to receive data. Can the Presidency clarify if this is the case?
3) Purpose limitation:
The purpose for which the data can be used is not actually included in the articles of the agreement, only in the recitals (“terrorism and related crimes as per article 3 of the undertakings”). However, in the side letter the US widens the scope to include “infectious disease and other risks to passengers”. This purpose limitation is rather imprecise, to say the least. “Other risks” is an open category, thus justifying the use of data for a wide range of purposes, and making it virtually impossible to monitor the implementation of the undertakings. Can the Presidency clarify how they intend to ensure that data will be used for the purpose of fighting terrorism and related crimes?
4) Sharing of data
The number of entities or agencies having access to the data has been expanded, but the DHS letter (Annex 3) does not fully specify which entities or agencies are meant. Can the Presidency provide a detailed list of entities having access to PNR?
Can the Presidency clarify in detail the conditions under which the US authorities can share data with third countries?
5) Number and nature of the data
The US states in the side letter that even in a PUSH system, the option must remain to ask for additional data, outside the regular set pushed by the air carriers. It is not clear from the side letter if these data are the ones defined in the undertakings, or additional data. Can the Presidency clarify which data are meant?
The US authorities will also have access to frequent flyer information. Can the Presidency clarify if that may include sensitive data?
6) Data retention
The previous agreement stipulated the destruction of data that had not been consulted after a retention period of 3,5 years. The US side letter seems to call the retention period into question, in any case for the future. Can the Presidency confirm that all data that were transmitted to the US authorities under the previous agreement will be destroyed after the retention period foreseen in that agreement? Can the Presidency explain what retention periods apply to the data transmitted under the new agreement?
7) Evaluation
Since the entry into force in May 2004 only one joint evaluation has taken place. The EC officials were not given full access during their on site visit, the final report was to be kept confidential and to date we do not know if the shortcomings observed in that report have been remedied. The new agreement states that a regular joint agreement must take place, but the DHS letter states no evaluation is necessary before the expiry of this agreement. Can the Presidency explain which of the two takes precedence: the agreement or the side letter? Can the Presidency inform Parliament if the shortcomings noted during the joint evaluation have been remedied? Can the Presidency inform Parliament how the implementation of the undertakings will be monitored? Can the Presidency confirm that any future evaluation report and its annexes will be made public, and that it will address not only the implementation of the undertakings, but also the effectiveness of the PNR policy?
8) Data protection
The references to the commitments regarding the protection of personal data are rather unclear. The only reference to data protection in the agreement is article 6, that states that “DHS is deemed to ensure an adequate level of protection for PNR data”. Can the Presidency explain exactly what is meant (in legal terms) by “is deemed to ensure”, and what implications that may have for the protection of data against the backdrop of data sharing with other entities or agencies, or with third countries?
9) Legal position of EU citizens
Can the Presidency:
- ensure that clear and comprehensible information to citizens on the transfer of PNR data will be provided from the day the agreement enters into force
- ensure that a proper procedure is put in place as a matter of urgency for complaints relating to the PNR policy
- clarify exactly how and under what rules the data of the individual citizens are protected, and what means of legal redress are at his/her disposal, including in its analysis the sharing of data with other entities or agencies, and third countries
- provide a detailed legal analysis of the level of protection, and where there are potential gaps and risks for the individual citizen
10) Legal status
Can the Presidency clarify the legal status of the DHS letter? Does the Presidency consider that the agreement is open to legal challenge by a national data protection authority or a Member State government, being potentially in breach of national data protection rules, pursuant to Recital 3 of the Draft Council Decision?
11) Democratic legitimacy and parliamentary scrutiny
In June, the Presidency stated its firm commitment to involving and informing the European Parliament. However, the efforts of the Presidency have been rather disappointing in practice. Parliament has received hardly any information by the Presidency.
Given that the national parliaments do not have much opportunity to influence the process either, there is a glaring democratic deficit in this case.
The preparations for a future PNR agreement will have to start fairly soon. At this point in time the legal context for the negotiations is not clear, for example if the same legal base will be chosen, if the data protection rules for the third pillar will be in place, and if majority voting and co-decision will apply by way of the bridging clause.
It is clear, however, that the negotiations on the successor to this agreement will be much tougher. A clear mandate with strong democratic legitimacy is a precondition for successful negotiations resulting in a better, more balanced agreement that offers better protection to EU citizens. It is essential that the future mandate be drawn up in full collaboration with the European Parliament, and requires the consent of the European Parliament in order to have full democratic legitimacy.
12) Implications for transfer of other data
Can the Presidency clarify the possible consequences of this agreement for the transfer of other data, such as data on bank accounts (as in the case of SWIFT) or records of telecommunications (records of telephone calls, sms, e-mails and internet, as covered by the Data Retention Directive) or other data?
Yours sincerely,
Sophie in ‘t Veld
Rapporteur for the EU-US agreement on PNR
[1] Sophie in’t Veld's report on the PNR agreement can be downloaded from the following address: http://www.europarl.europa.eu/omk/sipade3?PUBREF=-//EP//TEXT+REPORT+A6-2006-0252+0+DOC+XML+V0//DA&L=DA&LEVEL=1&NAV=S&LSTDOC=Y
[2] The outcome of the debate will be covered in a forthcoming EU note from the Folketing's representative.