Skip to main content

Passenger Name Records

Volume 541: debated on Monday 27 February 2012

The coalition Government are firmly committed to protecting the security of UK citizens and to defending civil liberties. Our experience is that both security and privacy are possible. We must resist trading one off against the other as some would wish us to do.

We are firmly committed to consistency in our approach to civil liberties and will seek to translate our domestic agenda to the EU level—this includes purpose limitation; rigorous evidence-based arguments; the principles of necessity and proportionality; stringent data protection safeguards, especially when handling sensitive personal data; independent data protection oversight; and, of course, full compliance with EU law and the EU treaties.

We fully recognise the importance of working with partners outside the EU given that the threats we face are global in nature and, in common with other EU member states, we view the US as a key partner.

The UK, in common with many other EU member states and third countries, places considerable value on the collection and analysis of passenger name record (PNR) data (that data collected by carriers in the exercise of their business) for the purpose of preventing terrorism and serious crime. The appropriate use of PNR data is vital in keeping the public safe.

In line with this view, the Government continue to press for an EU PNR directive that includes provision for intra-EU flights. The Government also believe that clear PNR agreements between the EU and third countries play a vital role in removing legal uncertainty for air carriers flying to those countries, and help ensure that PNR information can be shared quickly and securely, with all necessary data protection safeguards in place. It is for this reason the Government have opted in to the EU-US agreement on the exchange of passenger name record data, notifying the President of the Council on 9 February 2012.

This agreement replaces the EU-US PNR agreement which has been applied provisionally from July 2007. The European Parliament postponed its vote on that agreement and asked the Commission to come forward with a single model for international agreements before it took a final vote. On 21 September 2010 the European Commission published a communication on the global approach to transfers of PNR data to third countries, together with a package of draft negotiating mandates for PNR agreements with Australia, Canada and the United States. In response to this, the Council presented a draft Council decision to authorise the Commission to open negotiations for PNR agreements with Australia, Canada and the US, together with draft negotiating guidelines (collectively referred to as the negotiating mandates). The UK opted in to these negotiating mandates in December 2010 and announced this decision to Parliament on 20 December 2010.

I listened very carefully to what hon. Members had to say during the scrutiny process and am pleased that the Committee agreed with the Government’s recommendation to participate in this agreement.

The agreement:

Restricts the purposes for which data can be processed to the prevention of and combating of terrorist offences and serious trans-national crime;

Makes express provision for data security;

Requires data to be masked after six months and transferred to a dormant database after five years. Data may be retained in the dormant database for a period of up to 10 years, during which additional controls will apply (including a more restricted number of personnel authorised to access it as well as a higher level of supervisory approval required).

Provides that masked data can only be re-personalised in connection with an identifiable case, threat or risk. After five years in the dormant database (10 years in total) data can only be re-personalised for the purpose of preventing and combating terrorist offences;

Provides that sensitive personal data must be filtered out and may only be accessed in exceptional circumstances where the life of an individual may be imperilled or seriously impaired;

Provides for independent review and oversight by departmental privacy officers with a proven record of autonomy, such as the Department of Homeland Security’s Chief Privacy Officer;

Sets out rights of access, rectification and erasure and redress;

Regulates the transfer of PNR data to other US Government authorities;

Only permits onward data transmission to a third country on a case-by-case basis and for the purposes outlined above.

The Council decisions to sign and conclude the agreement were deposited on 28 November 2011. These can be found at the following links:

Council Decision to Sign: uri=COM:2011:0807:FIN:EN:PDF.

Council Decision to Conclude: uri=COM:2011:0805:FIN:EN:PDF.