Access and transfer of passenger name records (PNRs) fall under the purview of European Data Protection Law. Under the Organisation for Economic Co-operation and Development (OECD) 1980 Privacy Guidelines, and the 1995 European Union Directive on data protection, PNRs may only be transferred to countries with comparable data protection laws. Also, law enforcement authorities are permitted to access the passenger data only on a case-by-case basis, and where there exists a particular suspicion.

In the aftermath of the 11 September 2001 attacks, the US government determined that PNRs (both archived and real-time) were invaluable tools for investigating and thwarting terrorist attacks. Accordingly, the US government has sought the collection, transfer and retention of PNRs by the US Department of Homeland Security (DHS) Bureau of Customs and Border Protection. In May 2004, the US government negotiated the 2004 Passenger Name Record Data Transfer agreement (also known as the US-EU PNR agreement), a safe harbor PNR transfer agreement with the European Commission. Specifically, the European Commission deemed that the level of protection afforded to such PNR transfers would satisfy the standard of "adequacy" required by the 1995 EU Data Directive, as long as the data would be transferred and used solely for the purposes for which it was collected. These purposes were limited to "preventing and combating: terrorism and related crimes; other serious crimes, including organized crime, that are trans-national in nature; and flight from warrants or custody for those crimes." The US-EU PNR agreement required European airlines to supply PNR data to US authorities within 15 minutes of a plane taking off. While this agreement was invalidated by the European Court of Justice on 30 May 2006 due to lack of legal authority, the European Council worked to substantively resurrect the agreement before the court-mandated deadline of 30 September 2006. In July 2007, a new, controversial, A short time afterward, the Bush administration exempted the Department of Homeland Security, the Arrival and Departure System (ADIS) and the Automated Target System from the 1974 Privacy Act, raising concerns from Statewatch about the protection of EU citizens' data.

In February 2008, Jonathan Faull, the head of the EU's Commission of Home Affairs, complained about the US bilateral policy concerning PNR. In February 2008 the US had signed a memorandum of understanding with the Czech Republic in exchange for a visa waiver scheme, without consulting in advance with Brussels. The tensions between Washington and Brussels are mainly caused by a lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974. Data privacy in the EU is regulated by Directive 95/46/EC on the protection of personal data, and the US Safe Harbor arrangement made to converge with European norms remains controversial for its alleged lack of protection. Other countries approached for a bilateral MOU included the United Kingdom, Estonia, Germany and Greece.

On 28 November 2011, a new agreement on the transfer and use of PNR data between the EU and US DHS was authored. The full text is available online. In April 2012, the agreement was approved and adopted by the European Parliament. The agreement provides protections for PNR data; however, critics express concerns that there is insufficient recourse should the data be misused. The parliament's approval of the agreement was warmly welcomed by the Justice and Home Affairs Council of Ministers.

==Criticism==