Skip to main content

Personal Records: USA

Volume 464: debated on Tuesday 9 October 2007

To ask the Secretary of State for Justice if he will make a statement on the Passenger Name Record system and the agreement with the US for the handing over of personal data; what restraints or limitations of use or storage of such data (a) are binding under the agreement and (b) are expected by the agreement but are not binding; and if he will make a statement. (156065)

The European Union, on 23 July 2007, and the United States of America, on 26 July 2007, signed an agreement on the processing and transfer of Passenger Name Record (PNR) data by air carriers to US authorities. The new agreement, which is binding, is in three parts:

(i) an agreement signed by both parties;

(ii) a letter which the US sent to the EU in which it sets out assurances about how the US handles the collection, use and storage of EU PNR data; and

(iii) a letter from the EU to the US acknowledging receipt of the assurances and confirming that it considers the level of protection of EU PNR data in the US as adequate.

The main features of the agreement and the accompanying letter are:

The purposes for the transfers are unchanged and are for preventing and combating (1) terrorism and related crimes; (2) other serious crimes, including organised crime, that are transnational in nature; and (3) flights from warrants or custody for crimes described above. PNR may be used where necessary for the protection of the vital interests of the data subject or other persons, or in any criminal judicial proceedings, or as otherwise required by law.

Data will be retained for seven years in an operational status and for a further eight years in a non-operational status. The new agreement imposes stringent conditions that it may be accessed only with the approval of a senior DHS official designated by the Secretary of Homeland Security and only in response to an identifiable case, threat or risk.

Sensitive personal data will be filtered out and will not be used by the DHS, except in exceptional cases where life is at risk. The DHS will maintain a log of any access to sensitive data and will inform the European Commission normally within 48 hours.

The Government believe that this agreement balances the need to prevent and combat crime with the need to provide data protection safeguards for UK passengers.

A copy of the agreement and the exchange of letters was published in the Official Journal of the European Union on 4 August 2007.