Cross-Border Data Forum Bannner

Avoiding the Next Transatlantic Security Crisis: The Looming Clash over Passenger Name Record Data

In “Avoiding the Next Transatlantic Security Crisis: The Looming Clash over Passenger Name Record Data,” Kenneth Propp examines how Passenger Name Record data may become another area for EU/U.S. negotiations about the handling of personal data.  In summary, the article states:

The ongoing negotiations between Washington and Brussels on how to reestablish a stable and durable legal framework for commercial data transfers from Europe to the United States may be the main focus of attention for the transatlantic data protection community these days, but it is not the only cause for concern.

Airlines must submit to U.S. Customs and Border Protection (CBP), a component of the Department of Homeland Security, personal data on all passengers on international flights to and from the United States. Passenger name record (PNR) data consist of the information an individual provides to an airline electronic reservation system, including address, telephone and credit card numbers, and potentially sensitive information such as meal preferences or special needs that may indicate ethnic origin or religious belief. CBP reviews these data before an international flight departs to screen for connections among passengers and any known or suspected terrorists or criminals. Its assessment can lead to questioning before boarding or denial of permission to travel.

The United States receives PNR data from Europe under a 2012 international agreement with the European Union that contains a series of privacy protections and other limitations on how the United States may use European-origin data.  However, a 2017 opinion by the Court of Justice of the European Union (CJEU) on a proposed similar Canada-EU PNR Agreement revealed that the US agreement did not measure up to Charter of Fundamental Rights standards in significant respects.

The European Commission recently acknowledged that the US-EU PNR Agreement is “not fully in line” with the court ruling, citing problematic provisions including “the retention of PNR data, the processing of sensitive data, notification to passengers, prior independent review of the use of PNR data, rules for domestic sharing and onward transfers, [and] independency of oversight…”

The Commission has not yet asked the United States to renegotiate the 2012 agreement, but it cannot ignore the CJEU jurisprudence indefinitely.  A recent European Parliament resolution added pressure by criticizing the US agreement as failing to meet the CJEU’s data protection standards.

EU member states support PNR analysis as an aviation security tool.  They have established their own systems for reviewing passenger data on travel within the EU, under the authority of an EU law that is itself now under challenge before the CJEU.  The Biden Administration is not eager to take on another difficult data protection negotiation with Brussels that carries security costs, but neither can it risk a potential disruption in vital transatlantic air links if the US-EU Agreement were to be terminated.  EU data protection law is a many-headed hydra.

To read the full article as published by the Atlantic Council, please click here.

To see an Atlantic Council video on these issues, please click here.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.