U.S. Uejmfmmof Hm»t*iiir 4.'?c :urHy
liSl Homeland '$$S? Security
C ( 3 2 . >
INFORMATION
MEMORANDUM FOR: Stewart Baker
THROUGH: Mansa Lino, Senior Advisor, PLCY/OIA
FROM: Michael Scardavjlle, Deputy Director for European AfTairs
SUBJECT: Key Issues for ;h« May 3,2007 PNR VTC £ » )
Overviaw: (u_ 1
C ;'
TcY
ol'
I "1 ;» .... v y ' '*•
iv.. i Cf c> /
/ \ pi /' [ I / _ , •: . / ••*• ..«'"*•• / « » : ; :m .ma
C \
c c \
** ' : » 4 *' -.it/ .' '•?•
_ / v>
CO. O-i Cc ;
Cc
Tssue:
*
\
(s)
/
re
fe-nm«iit£ml|»
r c v C- bs-_3
'cO*
Comment rm21s -^ - N
CO
CO
Comfri«nt(mJj; i £
•L- **
CO
Afyf ^S4
X O
O )
CO
rj)
\ .
C ^
' The Article 29 Working Party £_, fo S . 3 ioted," The Working Party considers that information should be provided to passengers r.o later than the moment when (he passenger gives iheir agreement to buy the lickei.
/
0Bi2SS
(O
CO
CO
c • •
CO
-O -l iven i f the transfer of PNR d.iu has become- in practice a condition fro traveling to the US, passengers are only aware
of what that means m terms of the processing of their personal data if the information is given to them before thev buv the ticket c ; l < ^ ^
A f t * <""»«?«•"
Cc)
cc: Paul Rosenzwcig, Counselor
T hS. Departnwnf or ffoanfesd Secartfy Washington, DC 20528
Homeland ecurity
HI I
C lo-2- 3 INFORMATION
-; Delated; May 2. M07
MEMORANDUM FOR:
THROUGH:
FROM:
(_ LA ] SUBJECT:
f ^ Overview;
M
Lc)
Stewart Baker
Marisa Lino, Senior Advisor, PLCY/OIA
Michael Scardaville, Deputy Director for European Affairs
Key Issues for the May 3, 2007 PNR VTC \ Delated:
'•t Deleted
' (Deleted: ilu
(Deleted: am
..(Oalatedi ty
.•{ Oelcted; that
: Formatted: Indent: Left: OS", Rr» I tine: 0", Tabs: O.F, List tab + Not i it 1.25*
| Formatted; No buJets or | (lumbering
• Formatted:Indent: Left: OS", Hanging: 0.S", Tabs: t", List tab + Not at 1.25"
i Formatted: No buliets or numbering
• Formatted: Indent: Left oS", j Hanging: 0-S",TabK l". List tab + (Notat U S '
•rr. • fwnatted: 8u8ett aid HOThPftnp Deleted: lint
- -*™«^ 1Deleted: t
f Formatted: Mo bullets or I numbering
i Fomutted: Indent: Left' 0.5", Hanging: 0.5-, Tabs: 1", List lab +
i Notat IOT
A-i?; V/ Oeckss^M August lO/ Z£y%'( /
a"
/
Delated: thv
Cc)\ 0«l*t«Ji cd
o
v_ /
Q u ) ^u-^
c c V • r < ^
/•, ^ 3
C tinted: thu
Satetgds rod
Oafetedzof
0»l«t« l : the
'' DuJetBcfei
; OeJetadia
Deleted: •
!J!555*3*<*_55* "?•<
i Deleted: UIM«
[ Deleted: would
* DeleteO: j
Comment [null): This dgea't irak*
/
CO ! Deleted: j
0") CO
G~
Comment (mJ
C- ,r^
! Delete* S i m t l
Deleted: u»
s -•'• aetata* •«
foetated: A»mch,i
! Deleted:.-«
Formatted: (*x H $ « ^ * ^
Deleted! *hoiuve
CO ° 'C—Lr 3 Deleted; ~~1 Deleted: uMifcetl
6=
C c ' '
CO t Deleted: e<»
CO CO
CM
CO
•' Deleted:'
1 Formatted: Underline
; Deleted: lo jddMoa
' Formatted: Font: Bold
i Deleted: iia<
i
1
_ _^ 1
)
O • m
deleted: for
OeJeted:
luaatedsfw" r5el«edTifair
; Deleted! norite
! D e l e t e * . f
[Deleted: r—
: Delete* C- £>£ 3
' Comment fawfSj p*—' ~\
;' C b^ —' I Deleted:'
f5>l
CO
j Comment [mrt* . ^ - ^T"1
C— ** —
cf V
& )
1 Delated: their
j Deleted.-»
• Deleted; to
1 i
)
Deleted; C b ,S~ (Deleted; da
I Deleted: fu>
0) Deleted; C fej" 3
•Delated! it • Deleted £• ^ ^
--natedr'ffiie Working PartycoiiAjdq^ tlial mfutmatipn""' should be provided to passengers no later than the moment when the passenger gives (heir agreemsnt to buy the ticket.. . Even if Ihe transfer of PNR dala has become in practice a condition tpr Havelingto Ihe US, passengers are only aware of what that means in terms of the processing of their personal dala if the information is given to them before they buy die ticket." ^
! Octets* e
I Deleted:
Deleted: r
Deleted: '
c
CO
r,
<•£__)
cy\
^
: DBfottd: i
1 cxlatw) £> J Loeiet««:ar*«
| ocf««Bd; pKsio)
' Ogtettd: t
' Osfcawf; iuae
3
!
cc: Paul Rosenzweig, Counselor
/ ODf.271
Befatsd c: bs 3
I
VS. Department of Homeland Security Wuhingion, QC 20528
Homeland r Security
MEMORANDUM FOR:
THROUGH:
FROM:
( V "N SUBJECT:
( V \ Overview;
INFORMATION
Stewart Baker
Marisa Lino, Senior Advisor, PLCY/OtA
Michael Scardaville, Deputy Director for European Affairs
Key Issues for the May 3, 2007 PNR VTC
1/1.
[ Delated: M»y 2,2007
J /
en
CO
co
issues:
CO
/
te CO
cc)
/
.G-O
Cc).
Cc
CC) °
s
Cr
r \
(V \
(-c)
c
CO
(r ^ VJ
CO
\
US'
rc\
rc\
r-cA O
r $ )
CO' '-Thr Article mvortfng Paty - £ r - k ^ 3 aoteoT'l he Woflting Tarty considers ihaTrnfonnatian should be provided to passengers TO later than the moment *ben the passenger gives their agreement to Uuy the ticket.. . liven if the transfer of PNR data has become in practice a condition Mr traveling lo the US, passengers are only aware of what that means in terms of the processing of their personal data if the information is given to them before they buv the t i c k e t . " t . <•*"'' — 1
c 6 5 —i
f:.' 73
CO
CO
/
a)
CO cO
o= CO
/
f^u'./.-Cl)
/
ro
f- c V . /
cc: Paul Rosenzweig, Counselor
A*"v* CiJ..>iJ l
l!.S- Department of Hsrtirisetl iirctirfry WjihmgRjn, DC 2052S
1
LO O")
MEMORANDUM FOR:
THROUGH:
FROM:
SUBJECT:
Overview:
tJili Homeland ?1||F Security
Cb?~ 3 INFORMATION
Stewart Baker
Marisa Lino, Senior Advisor, PLCY/OIA
Michaci Scardaviiie, Deputy Director for European Affairs
Key issues for the May 3, 2007 PNR VTC
f'r "\
*/£•
: CsSltJt&d: Miy 2, Vm
Qeteteds.
Delated:
Deleted:
oef«t«f:
Oetatttfc.
Deleted:
Osleted:
fill!
' I i
t/
1 -J
v
•s
I ,'
"i , Formattsd: Indene Leu: «.„ , . •'ine: 0*. Tabs; 0.5". list tab ; Deleted: rt«t
; Formatted: 'to bidets or numbering
i Formatted: Indent: Left: 0.5", Harayng: 0,5', Tabs: r, List tab
Formatted: Mo bullets or numbering
(Deleted: £__ loS J
Formatted: indent: Left: O.S", ; mnqmQ: oj>', Tata: r . list tab
j Formatted: Burets and Numbering
i Delated: dui
Oeleted: ite Deleted: 1
: Deleted: 1
Formatted: Nobuletsof numbering. Tabs 1.25", List tab
Formatted: indent Left: 0.5*, waring: 0.S-, Tabs: 1", Lst ;ab
o
• ' /
fc)
r )
C.c)\
0 r
/
#
Qaletad: Out
• 0*!«t*d:«f
I Deleted: the
' oelatedi i
i Deleted: i
! Deleted;
' oeletsd: ih«
• Deleted: mi
I Oeteted: al
• Deleted: non-
Comment c u a r
__, , ,
-J
1 \ Issues: ;T" """";, — (
[ ro/mattad: Font fcaffc
r* )
: Delated: o»«
/
/
(C
(c N
(E\
' oatetad: wouia
Deleted: £ ^
0«f«ted: &
Oelettd:
ie>J 1
' deleted.. L_ r j '. CommenttenelZp ThadoMc-t null _ jcase. ^ ^ ^ ^
Oelettd:» ft
Deleted: «•—
JitetBt 1
fe-*~ 7 .
oeieted: £ £ r 3 | Formatted: Indent: Left: 0-25", j Tabs: 0.63", list tab + Not at CUT ; - « » » • • "" • . ^ . " • • - i ^ . ! - . — — . . , , - . . . . . . * « <
i Formatted; Bullets and Wurneering :
, formatted: rndeot: Left: 0.S8". ! Tot* 0.88", bst tao + 1.13", Left + j ; * t at_055* J
Deleted! Z -
• Formatted: Indent Left: 0.58", ! fabs: 0J3", Lists* + 0.88". List tab * Not atQ.5r
Formatted: indent: Left: Q.2S", I
i Formatted: Indent: Left: 0.25", I Spare After. 0 pt Outline nombered I i- level: 1 * Numbering Style: 1, 2,
3, f Start at: t + Alignment: Left i * Aligned at: <F* Tab after: Q.25*
* Indent at 0.«", Tabs: 0.63", List I tab * Not at 0.15"
.Tainted- ^~
~D«ieted:sia«t
; Deleted: m
ooleted:u
' Deleted: Ai wefc. i
• Deleted: u
' Deleted: ihji
Deleted: ire gorag to bs
Deleted: *d
! Deleted: »«iJd
! Deleted: te
' Deleted: «n
' formatted: Not figniight
oet««d: /X fcS1
1 , " •
- >
—wv-rs*
3
/
001.281
DsKitad:
,:0fmatisd: deists &nd Numb*;
III
" 1
S3
-.-
Deleted: bS
^ \
L /
' Delated:
, Os!«ed: i ; Deleted; w
• Deleted: cd
rc\ -
i C ° )
: Dtltled:'
Formatted: lindertne
Formatted: Fant: Sold
^ 2 0 3
rc\
iek.t«d: ilu<
( A \
rev, o
v y
, Deleted: fa
i oetgie*
dieted; for
] Deleted: their
Delete* [__ fc)
Comment {nw!3J: -
Deleted:' .
i. deleted:
• Comment [ m m J;
Delete* ^ o S
2 The Article 29 Working Party £ ^ l p < J noted, ",Ihe Working Party considersthat. inforTnrmqn should be provided to passengers no later than the mcmcr.t when the passenger jives their agreemenUo buy ihe ticket. . . Even if the transfer of FNR d-iuhas become in practice a condition i^r itaveKng to the US, passengers areoniy aware of what that means in terms of the orocessink of their ccrsonal data if the information is given to them before (hey buy ihe ticket.' 6r n
Oaimsd:
Deleted:
/ /
Cc\
/
OulatK): flair
OsHrtd: ji
daietad: ;o
C ^ l iclgted: C*. K ? 5
.-(•Mi do
>eiet»»:ha
Deleted; C fe> S J 3
• o«tet»d: n
• Deleted: it r Qeleted: t^. fe> 3 " ^
' • Delete* uo _
Deleted: sa
Mated: t
(?)
- ^
r^\ eted: I—-
Oefeted:
Deleted:
Jeted:
/
(?) h\
! OM*t»&. ofUie
\ Oalated; p.tt«4
; *- ~ _ , I MfeUMk c ;
Q«i«t«ii iuut
Deleted: ?C hS 3
cc: Paul Rasenzweig, Counssior
~'aas 3: f 1] Deleted michaal.*CBrdavU!e 5/2/2007 4 ;57J00 PM
L \o£ Page 3: [2] Delated infchael.scardaville 5/2/2007 4:5fi:Q0 PM
l.-S. Di'parmu'iH ofllfimi'lami Sraurilv W..:.hiRgian. DC 20528
•ant'. I Homeland H r Security
MEMORANDUM FOR:
THROUGH:
FROM:
SUBJECT:
Overview:
f'C ;
INFORMATION
Stewart Baker
Marisa Lino, Senior Advisor, PLCY/OIA
Michael Scardaviile. Deputy Director for European Affairs
Key Issues for the May 3. 2007 PNR VTC
T- T
ftf;1.2Sa
, ->
V;
' A,
DiJaS5( it* S»fl Wf«r T 2-012-
; c
<S>
S A~
/
b
Cc\ V .
b\
/
CO
a]
en
re
CO
'::U*
Comment [ml' ~"\
\
Comment (mil: ~\
Comment lm3!" y "\
re
/
aC)
re b
fO s .
C c )
Flic A/tide 2v Working Parry CL » S , 3 •mid be presided 10 passengers no iaicr than the momem >.<.
rated, " The Working Parts con.iiders liiai iniormation lien me passenger gives their agreement to buy the ticket.
... •..' ......««"J
>* :%
i a * ,
f ,
f C N
• < & •
O - /
. H'.tn ifthciranfTcf . i iTNlOjCiTiij "become ; ofwhat that means m terms of i!ic process;i>g t ine ticket."" '
! p;actice a conJitian !ro ;ia\clin'g to ;ii "their person;'! j.11,1 ifihe iitformatnTt :
enters .>'t only aware hem he'i.rc they buy
b£
n *>.» r^ r\
bar.,, :J-
ro
re N»
f£ ]
• e ^
/
cc: Paul Rosenzweig, Counselor
VJ?i..<..._Ao-*>*J'
T.S. Deparinitsii of Uonjciand Secuniy '.V jsinngion, DC 205 28
4 ^ | Homeland 1|p Security
INFORMATION
Deleted: May l, :oo?
Stewart Baker
Marisa Lino, Senior Advisor, PLCY/OIA
Michael Scardaville. Deputy Director for European Affairs
Key Issues for the May 3, 2007 ?NR VTC (_-*.) Deleted:.
Deleted:
Deleted:
Deleted:
Deleted:
Deleted!
Deleted:
Deleted:
Deleted:
Deleted:
Deleted:
X
y>
Formatte brie: 0*. TaM. 0.5", List tab
Deleted: tat
• formatted: No bullets or numbering
• Formatted: Indent left Q.S", Hanging: 0.5", Tabs: 1", List tab
Formatted: no cutlets or rturnDering
Deleted: C b 5 ^ Formatted: Indent Left: 0.5*, Hanging: 0.5*, Taos 1", List tab
Formatted: Scties and Numsenng
Deleted: ±u
Deleted: ftc
Deleted: 1
J
1
i 1
_, Deleted: 1
Formatted: Mo fciiiiets or .-.umfcering, T^os: s,25", US tab
Formatted: Insert: Left OS", ranging; 0.5*. Tabs: I", List Cab
Gf/J.3fl7
O e n W t r o w W1 '--e<V?.- "'F1*-
/
cO,
/
C O '
Deleted: ihai
Deleted: t<*
Oeleted: itai
Deleted: she
Deleted: i
Deleted: i
Deleted:
Formatted: Font: ItaBc
3
oci'ica
rO
CO
c
< c- i
cO
ri)
Deleted: thoM
deleted: »otild
Deleted: d
Comment [mill]: Tins diw^rt m^c •u t sc
Deleted:"
Formatted: Indent: Left: 0.25", j ; Tabs: 0.63", List tab + Mot at 0.25" j
• Formatted: Bullets and Numbering j
Formatted: Indent: Left: 0.S8", ] ; Tabs: 0.88", List tab + 1.13". Left* |
Mot at Q.5S* I
Formatted: Indent: Left- 0.58*, i Tabs: 0.63", List tab + 0.38", List [ t ab* Not at Q.sr J
. Formatted: Indent: Left: 0,25", Tabs: 0.63*, List tab + Not at 0,25"
Comment [ml]-
r O 3 Formatted: Indent: Left: 0.25", j Space After: 0 pi, Outline numbered j + Level: 1 + Numbering Style: 1, 2, j 3,... + Stan a t 1 + Alignment: Left I * Aligned at: 0" + Tab after: 0.25" j + Indent at: 0.2S", Tabs: 0.63", List !
: tab + Not at 0.25'
Deist**
u bS 3 Deleted: Since*
Deleted: us
Deleted: as
Deleted: As HK*. i
' Deleted: re 1 Deleted: tiut
' Deleted: are going to be
Deleted: icd
Deleted: »x>uM
„__ J
n ] _ i
!
_ ] - > — j
Deleted: to
Deleted: on
Formatted: Mot Highlight
CO
rO
i cO
(c-) •
CO
/
Deleted:
Formatted: Bullet* and Numbering •
Deleted
Deleted f£b* 2
Deleted;
Deleted:»
Deleted: £ . O S 3
Deleted: i
Deleted: v.
Deleted: cd
'
,
Deleted: •
Formatted: underline
•CNJ Deleted7 £ 1 ^ 3 3 • • " Formatted: Fo-tt: &oid
Oeleted: .feat
KS
re) •
V" J
The Article 29 Working Part) C — io -S" Z 3 noted, "J"he Working Parry considers thi» mfnrmr.rinn bhculd bo providad lu p . m m g m W later iltiili Ihe moment '•vl-.cn the passenger gives the i i j^e j^mer i t jo j )^ jhe_t
.—Even if llie transfer off'Nft•datylH!rtSgBiWeTtrr{g^Ti«T'J^?in^n~^f1raveTitig to the US, passengers aje only uv>,\;e of what that means in terms of the processing of their personal data if the information is EH en to diem before thev buy the ticket"
b^ J3
Deleted: fir
Deleted:
Deleted: tar
Deleted: tfcdr
Deleted: wece
Deteted:
Deleted: deployment
Deleted: f
CommerJ- l o
Deleted: O
Comment f mr i J i - J T
Deleted:
Oeleted:
s-to s
Deleted."
Deleted: r
Deleted: -
Deleted: tfttfr
Deleted: u
CO \ I
Deleted: a
Ct
< Deleted £ b
[Deleted: jo
Deleted: hu
Deleted
\Oeleted: (
; Deleted: T)
— — • • ' y
Deleted: 11 )
Deleted: _ ^ j -^
Oeleted: ua
Deleted: m
Deleted: e
^ )
Deleted: t
(5 1 L Deleted:
Deleted: ' Deleted:
b S ' "I
Deleted: of the
/> C:.ft nM -."_
re *,
cc: Paul Rosenzweig, Counselor
/• /
Deleted: Bussed
Deleted: ^ - -1
Deleted: c
Deleted: is^t.
ma"*' tbs" J
C')
Options for PNR Negotiations with the EU •_-7/28/06
Background: Z-, \o£ tJ an international agreement was struck between DHS and the EU in 2004 governing CBP's
access to PNR from the EU. The agreement was quickly challenged in court by the European Parliament. On 5/30/05 the European Court of Justice ruled that the EU inappropriately entered into this agreement on the grounds that the 1995 Directive did not apply £ . &> 5"
3 On 7/3/06, the Finnish Presidency and the Commission terminated the agreement effective 9/30/06. The Finnish Presidency also received a mandate from the European Council to negotiate a replacement agreement by 9/30. The Commission presented the USG with a proposed text on 7/16.
a
(ft
001369
European Parliament. Joint Motion for a Resolution on the interception of bank transfer data from/iheTSWIFT system by the US secret services. 7/5/2006 v . /
Otrtvi^' - ^ 4 *\ £»'/*" ^ ML?aw Enforcement Sensitive / /^zS
/)< MJ/.:. ..nluhi
re)
(c) '
"•"•" '"'"?=••»«..»
f<0
c 0
<0 >
a' ?£DPS Press ReJease, May 30, 2006
-
UwE"^m Sensitive
" • - " ~ - — - .
001370
(p >
^
Co
@
&
/ft* ^ o
/"W1
( > -
°"*-""'™ B K * " - * - -
'rcptieni U w E n f o r c '"Hn« Sensitive
/
001371
fr
°Ptfons for pNn V a .
7/28/06
O
'cj > ; V
V
V - H -i i
/
Law E^or^r Ln* Sensitive
Of) * n*?o
' 'P ' iom Cor i ' \ R ^•iLuihiii; ,,s >>, Hi , ; i c ;•
HiiikyroiKK/: £
J ^ ^ t a i ^ i u , , , .,
/, / ) vy
•i":ent. g : rer 'e : i
••• -'-r-c-j me i M ; >^:h ,. p, .,P, sol ;CM ,- r - '-" "' ' , ' e ' " ' : u : , ' ; ' l t ' r" ^<v^r - . •» 1 ( 1
/ ) vr
'""N
<•
^ A
M.»:. : * 1 : ; • <~u}
L,IW l- i 'h.
-W,|.
Vfr., ./ A : ^ /• L <* /," / ? s
i , _-- y
, l T / - -?
1313
• I
en (?) •
Options for PNR Negotiations wlrh the EV 7/28/06
Cr)
V
(A
Or) f i
m n '
2 EDPS Press Release, May 30.2006
Law Enforce! « W l Sensitive
3^
l*»™»M»edsfont color: Auto -J
001374
"""•""""asr--- EU
a > -
O r
Jo
( ' • 1
^
Law Enft 'orient Sensitive
/
001375
Options for PNR Negotiations with the EU 7/28/06
en
Pi' o
>r«knent: Law Enfonpment Sensiri ive
001375
/
Options for P \ R Negotiations with tht El " --v Oh
Background: C_ t > 5 " Z> a" inicrnaiionai agreement uas >rr';ek between DHS and the El, :v 200-3 covetr'n^ CBP's
.ic.cs> ;o i ' \R from the Ki... The agreement was quickly challenged :n eoiirt b> the Eu'-orea" Piirii;!:TV"it ():i 5.30,0 * '.he l-uropean Court oi Justice ruled lh.il the Ei. inappropriately entered into :-;i
/ / / A agreement on she grounds that the l''('5 Direct: \e did not appl\ C fcjey j ^ O l)n " 3 On, :he Finnish i'residetuv and the — i.et-irtr.ssior, terminated ;hc agreement et;ceu\e <"'. 30.06. The I 'innish Presidents also recessed a
truncate from the European Councii !o negotiate a replacement apreeinem n\ 9-M) 'I ;v: Comm,;j.'or •j'ever.ied the ' SCi with .» proposed text or, " : •>
r Deleted. bS 3
Deleted:
Deleted ' Ct.5 3
i? \
iCj ^ \
Deleted: _
Deleted: C^\> 5 Deleted:
Deleted £ _ ^ •
Deleted: m
Deleted: i
European Parliament, joint Motion If.r j Reflation or, the interception of bank transfer dala >k>m ihc SWIFT s\5!tnl by the I. S secret service, " 5 200ft
Law Lnforc&jfcent Sensitive
fa,;,<*: fr^"~f fit d\tt
fr P/L
7 lhrh\ Go\Vf?
-3>
Options for PNR Negotiations with the EL 7/28/06
^ O ». ! r~
ft &
Pi'
• P
£>< rf
. , / <^
>
< ,
>
\ J EDPS Press Release, May 30, 2006 v /
Law Enforcement Sensitive
id1
• ( O a l f d : M
Deleted C h S"
.... 1
1
J
)
5]
(toisU
#?
.'0
/ " I * /
Options for PNR Negotiations n i ih t i l t K l
.0
/ /
Deleted: v
Deleted: v.
Oeleted:
>. - ~ b (
7^ V • Deleted: ••
Deleted: A
Deleted; '• i
Deleted: M
Deleted: '«
Deleted: !>
Delated: "
Deleted:v
Deleted: '
deleted: i
Deleted: w
Deleted: v
Deleted :j>.
Deleted: s
Deleted: p
De le ted^
n . / Lavs cnicircdmern >enstuve
Deleted:
Deleted:^
Deleted: s1.
/
^0\S?°l
Options for PNR Negotiations with the Kl
" 28 06
X
y
Deleted:
Oeleted
Deleted
Deleted
Deleted
Deleted
Deleted:
C b5" 3
ft r
Deleted: w
Deleted: w
au Enforceri&m Sensitive
/
O^SO
background: £
Options f o r l » N R N o 8 o r i . , r . u n $ v v . ith the FA
W 3 an international a-rcer- - T •
J-ccss to i'NR ,-n)m ! h e / : * C l ; - ; t " * *n,ck heuwen D H S and ^ ,:
^'•(lament. On 5 30 >>5 the F . -nV "" C ^ r c e m e a t ' ^ s n ^ k i v .-h,;],.',.! .',
^ c e m e n t on the founds t h a t ^ ' i ^ Z r u ! ^ " ^ ^ f " e ^ - >-/,[..(.uve did nor •„ni, /-
commission rerm;,-,.,,.,... .,_ v J i n „ - -. , , . Commission terminated the
Ha
3 h l - « n nv ,he S.roDean inappropr, . , . , i v ,., . . • ^'U1
in>t::ppK £ iV - u - ! U \ .ntcred : n t o : h i s
^ ( ) n 7 3. <;fl r)
ie F'nni.-i, ».._- , v-v ;"<-J m e 1 -ie Commission
fa
<£
-^-. tf
0013SI
U<,,{:ji •/
r$
•^ p~v\ f
")''- '-«vni S..-n.'5(i
Co
-^i
Cs.
0 p " ° " s f w W R ^ " — » •
/
•» ~
0013S2
Cc]
t Cc]
Options for PNR Negotfoff, 7/28/06
ons wfth the EU
^ E n f o j & R j e i
001333 • i — - J
it Sensitive
0 0 p r t 0 " s f w P N R & ' — *»
0"\
/
Law Enfa on*m ment Sensitive
001334
bS
.. ,~ <•_'<""••'• -A!!I) i f i e K l .
background: £ 3 > ".•ein.1tii,n.i/ 3*,,-
^ • » ' : " * " ' ' f< :> "» i/-,e £ " , - h c . " " " • H ^ : ' H s 3 „ d l l , c .' he '"-I
-' ^ .. ,n , nu.ttc* >-• •• 1 ' ; '< ••••'.-.-ecu! , , H m _ , .L'/'.'ciiunf illxdve • }'> '->'> ! 'te
/ -O.
/ C
& ?>
- ' • ' • tdd: ,
->*<«t»d:
0«Mtod;
'") "0
• •al.Jun
AV,- , W . '
A . 1 . • y -
V, / >
k #U385-
•f>
/fv
-'Olions fop i i \ w v '"> « ' ' h the (/,
/
-«etw.
'4-
/ ? ;
/
o
n' ncenf _ ^ 0 ; , s „
^
£y formatted; - '••Jenr r f *
^ e t e d : „,-
/
0(i/386
fi
o p " " " " " P N R a — . . « /
0
1 1 0"
' ^
<a. a
— / " ; ^pnzzzzzz:
bl * " » • « * • * Konc any
SIT*—»«'«««*u< B«U i I -
°*«to*u.
/
/
001387
Options Tor PNR NeKaliaf.
/
(?)
'^WSensith La»E"*"^Se„s,,IVe
(Mate*.
001388
f- 'OROFHcW"! SKi >: OM.Y •XMF1DENTIAL Mtaihuienl B
r^ Siib.siijniivc JDHS £..irniTU'iils >;HI NSC 'l r ; )!lll!; ^lssi')Q. '.''JPST
fcs-
^ D
/ )
~1 J
fr b/
FOR O K F I C J ^ l S K O NI.V
T^F!rpir,,i ^ • o
••^WS4
(OK OFFICIO. I St ( ) \ L \ CONFIDENTS
'L
b
Pane 4 - U
V) L
\o 5
-y
u
F>0ENT!AL
DFFJO^T l FOR 0FFIO4L I SE OM.V
iMiVHtSS
liitorical Background ("J)
CONFIDENTIAL
O m/ fv\crA b
V) Hie Working Party underlines :he necessity to have commitments from the I ,'S side that are officially published at least at the le\e! of the Federal Register and fully binding on the US side. In particular, there should he no ambiguity about the capability to create rights in favour of third parties. —"\
b£
pit lo
<A C toS 3 die unadtan government mi'uipuraied iheii "f\nnmurnents", !he I'unctionar .quivalent at CliP's I ndertakings, into domestic regulations C fe> 5~ _ 3
"• 'ip. canadagazerte '^z.zx partlt 200: 2< '/? .2.4 html ior.!-o -c htm, anti*copy of'dm omrt>itfiW»tttc«t4Uied in Aufi«x A hereotC
I br J ^ ___
-./-».! r i UN HUM
•u 001456
J20 N'<r< CAr*(CL<- ^ c
-eo Us: SI ^ c cc^i
^ L br
I eaal Impact of Making Undertakings Binding" 6 * " /
CO
MiinrMini
,("• •i;5l457
<
FOR O f I \L i Sf, O.M.V
DFPF TIES MKD:TI.NT;ONP.NR
UAll::: T f M F : I . O C . V I ' I O V :
[ R O M :
i • :*.>.•.•<:.:-. J u l ; . . : 5 . : ' . . ' . ' '
no S:„••.',.nt Baker, A--.v.;i.t Secretary foiTuhc
' ' . ' • " • ( LLVf:S: nKSlRFnOUTUOMF. OF MFIFFPVC: » Fstablish :in interagency negotiating position
hS bl(U-) fa 7 < r
BACWIROIXO: • On May .30, 7006 the European Court of Justice (ECO ruit'd that the legal instrument the
nurcpean Union utilized as a basts tor entering into a 2004 •.wreenier.t with DHS on CBP's .K'tos to f'N'R was inapplicable and required the Eli to terminate the agreement by September ,30, 2006. i he EL' iias since prov ided notice '.hat it is terminating the agreement effective that date.
h
PARTICIPANTS: :•;.-:>:-1 Hit
Deputy Secretary Jackson
iW.:"-S.S PJUX: "Closed"
•iTLVrjIMKNTS: •\. Di-VL-ssion Document: Anal) sis «.--" F'-ii'ed Slates Inter; v. s in the t /.S.-fiU i"'\'R
cia!o :iue(7,1 : "6) U. .Memo: Summaiy of Potential Changes to the Undertakings (FES'DING) C. .'•• 'ember State Positions known a.- of 7:20 Oh D. Background on FU views of consent ;t> a solution F. D i t S ' R e s p o n v ' Optic-nc •-, '-'lirc-pe ,M C, -tin n ' l i n t f y n.-.-'.'<i,-... i P.-1 n II.IW- ^i.\PA)
P r e p a r e d i>\ : Michae : S lie. lOEY. 6 a (7*^) Jj> mtASB
FOR OFFtV/vf. I SI O.NLV
A
(ii) zc^
^
f u
r N \ !
Pin-pose
To provide you w ith background inforniariori on the Passenger Name Record (PNR) issue and .ciaied developments concerning law enforcement information sharing with the European Union 'EU) in preparation for a mid-July "uii-DC."
Summary
Before September 11. the government knew very little about the people gening on planes bound for :he United States. After the attacks, airlines were required to provide information about their U.S.-bound passengers. Some of this information - name, contact information, and the l ike- was drawn from information supplied to the airline as part of the reservation process. DHS uses the information to screen for no-fly violators and terrorist suspects prior to arrival, and even before the plane takes off1, protecting against mid-flight hijackings and bombings.
"or flights between Europe and the U.S., the data must be made available from European air carriers. IV law has long prohibited the commercial export of personal data to countries whose legal jmtections have not been deemed "adequate" in the view of European data protection authorities. s. hi'fe the U.S. has many privacy laws, it does no; have an overarching data protection regime that :T'lTesponds to every aspect of European law. It has therefore been viewed as "inadequate" by '•jropean standards, and commercial data transfers to the U.S. have long been restricted by the lack
M' a broad adequacy finding. While the EU lacks similar requirements for ihe transfer of law •nibreement information between the EU and third panics, a Framework Decision is currently being 'onsidcred that would mirror the requirements applied in the commercial realm. tZ
l hi 3
t\
iV'tiiVi-:-;•;•. =cnfc 12 pr. Fyni czlcr. Sfack
f&!';r,»:t,;-:>: Centered, Indent: Left; 0"
f armartad: Font: 12 pc Not italic, Font caton S a «
34l*t«di!-_*. *:•;?>--.......-.;.• ..-
NVmhJnpoo, DC 205281
Formatted: Top: 1", Bottom: 1"
Formatted: cohered
Formatted: Font- Not Italic
Deleted: 1
'A j ...;»P may automatically access PNR data from European carriers up to 72 hours in advance of a flight During this
predeparlure period, information is screened against CBP automated systems and risk scores begin to be generated. In some cases, particularly airports where CBP maintains a presence through the Immigration Advisory Program. .'•ir-n,tininftd law enforcement action is alsn planned in I J IMIHC with ideal autltorities. Analysis continues tip to arrival 4Tru^rnuttnerTuppoiieTBy the collection at manifest ml&rmaiton. Formatted: Cantered
C0I87S
/
j -
MOL
J(C\^>K Ze> "!SuU IQVI
1 5 <-i
uithority.
r \ M - V
" CBP can sliarc PNR data with other law enforcement agencies, but only on a case-by-case basis and only far ' , \ \ the purpose of combating terrorism and serious transnational crimes. This restriction prevents PNR
V information from being shared in bulk with the intelligence and law enforcement community, and it denies those agencies direct access to the records. Broader access would allow other agencies to look for patterns in the travel of individuals not deemed to be high risk and to assess connections between passengers. ICE, for example, has expressed its frustration over losing access to this information.
X^J- 1H.U':&>
^MJ.
ftiiSJ: Centaed
f \ \ i The PNR Agreement was also controversial in Europe. Ft was challenged by the European \ ,,J • Parliament as insufficiently protective of EL' prv> acy rights. On May 30 ihe European Court of
Justice (ECJ) struck down the Agreement. But it chose a ground that v. as highly procedural - the equivalent under US law of the Supreme Court ducking a fourth Amendment challenge by finding a law invalid because it exceeded Congress's Commerce Clause power. Under £U law, commercial issues fall within the jurisdiction of the EU as part of its "First Pi liar" authority. This is the authority that the EU relied on in entering the Agreement. The ECJ, however, held that the US wanted PNR .lata for law enforcement and public security reasons. Law enforcement and public security are exempt from the EU's commercial data protection laws and are only partly within the EU's authority. Instead, they fall under the "Third Pillar," where she authority of EU central institutions ;ihe Commission, Parliament and Court of Justice) is more limited and more authority is left to the Member States. This finding by the Court also eliminates the uncertainty diat led to the signing of the agreement in the first place, specifically the fear that some Member Slates might bring action against air carriers under the commercial legal framework.
. v\ Because the agreement was entered under the wrong authority, the Court ruled it invalid but delayed the effective date of its decision until September 30 in the hope that the jurisdictional problem could \ be quickly solved. To cure the problem, the EU has obtained authority from the Member States to / £ renegotiate the PNR Agreement under the Third Pillar. As required by the Agreement, the EU also notified the United S'afes 'hat it vv'll ter™v"ate ,fie cun-ent * grcement on September 10, 2006 and has set a goal of estubhsning <• new igutriem b\ ths date ^ _. proposed replacement text from ^ , M-n-h^M'i: ••..;-• ,.i-. •;• •.'•.;: '"• -. .:• ' o -nmss on rep'c.e-^Utnes ''•ave portrayed their proposal
chnical change that would put the same agreement back in place, albeit under a different legal
(5
bl
•> <rv« i"*!"?*" j'i.i >LO i i
7
i : Centered
( /
Background
Two converging events in Europe the recent European Court of Justice decision on the legality of the EU-US PNR Agreement and a draft EU Framework Decision on Exchange of Criminal Data --have major implications for US law enforcement and security.
<-v v \ The £l'-US PNR Agreement, As noted, in May 2004, after substantial negotiations, the
Department of Homeland Security entered into an agreement relating to the sharing of PNR information collected by air earners flying to the United States from Europe. The Agreement was ,ntended to resolve a perceived conflict between EU law (which limits the sharing of personal ^formation collected by commercial entities with governmental entities) and US law (which required the collection and dissemination of PNR data). Central to the Agreement was a set of Undertakings made by Customs and Border Protection (CBP) regarding how it would treat the PNR •.lata transmuted to it. Several of the limitations m those Undertakings significantly restrict US opportunities to use information for investigative and iaw enforcement purposes.
( r „ i h\
00:1673
\ A The most significant of these limitations, from
riffrffcVQ
l ( Z)
For Offiffdf frse Only
our perspective are the following:
0
r.
e c)
SE 001679
/ "" ; ; :or iaai t . ;d : Centered
c\
( i \N The ECJ PNR Case. The Agreement was no less controversial in Brussels. Disturbed over what it \ ^ • •viewed as an attack on personal privacy and its own authority, the European Parliament (EP) filed
two :;uits in the European Court of Justice (ECJ) challenging the information sharing arrangement.
/ \ On .Vfay 30. 2006, the ECJ issued its opinion m ihe lawsuits. The opinion did not address the merits ^ \ \ ) of ihe EU-US PNR Agreement or the role of the Parliament. Rather, the decision turned on the lack V of competence of the Commission and Council to enter into the Agreement in ihe first instance. The
El, had based its authority on the so-called "First Pillar," which allows the EU to regulate trade and commercial matters. The ECJ held (as the US had argued earlier) that the requirement that PNR data be sent to the US was a law enforcement and national security matter. Such transfers, the court held, were excluded from the data protection directive governing commercial data exports. If they are to be regulated, the court implied, it would have to be done under the "Third Pillar."8
Mi
'• This concern is consistent with Executive Order I33SS ami :he President's Memorandum issued on December 16.2006 to Heads of Executive Deportments and Agencies on "Guidelines and Requirements in Support of Information Sharing Environment."
M " Aoiim under ttie First nuar. tne hu nas atso entered into a I'NR sharing agreement with Canada, fn tight nf the EU's delermination that the US Undertakings provided "adequate" privacy protections, the EU-Canada
ftf.4 C
( J \ Thai is what the EU proposes :o do. It has obtained authority from its .Yiember Slates to erect \_ substantially She same agreement on a new foundation. In order to meet the European Court of
Justice deadline, the Commission will seek to codify its position over the next couple of weeks and then will call for agreement on the new arrangement by September 30.
S'
h
^ -\
f \ ! <;
Eli Proposals on Sharing Law Enforcement Information. If that were all that is at stake, this would be an interesting diplomatic and legal problem for DHS. But it is not. The PNR negotiations u ill be closely intertwined with a broader effort to establish restrictive, EU-wide rules for information sharing in the area of law enforcement. Last October the EU put forward two draft documents that concern data sharing and protection in the law enforcement context. They consist of a draft Framework Directive of the European Parliament and Council on the retention of data and a proposed Council decision on the protection of personal data in criminal matters. £-
7\ log
C b
s?
10^ ~\r
greemeni auihorizes Canada 10 share PNR data received from the EU with the US. Even though the ECJ has siruck down the EU-US agreement, the EU contends that its similar agreement with Canada remains in effect Some Canadian government sources are concerned, however, that the absence of an "adequacy" finding (which is a First Pillar concept) may now have the effect at"prohibiting US-Canada information sharing derived from EU-originated flights. 5 For example, the Draft Decision contains provisions on time limits for retention of shared data, ensuring the accuracy of shared data, logging and audit trails, as well as restrictions limiting further use of tile data to the original purpose for which it waf first transmitted. In iriTwt it hnrmm hp-.vjly frnm ih«» PMP i nr^mmi inH
-the Undertakings.
u
/
-\\J
'A Communicable Diseases. One indicator of the extent to which EU data protection authorities V> ' prioritize the expansion of such roles over public safety concerns can be found in the European v__ reaction to another US initiative relating to avian flu- If air passengers are exposed to a pandemic
iixairi of avian tlu, the government will need to locate all of ihe passengers and crew, quickly. So the
bl
V^)
' • 1 ne adequacy finding granted to me U.S. was specific to the transfer of i'NK data and only extended to its transmission to CBP. The May 30* decision of the ECJ also annuls this decision by the Commission on the grounds that the Commission did not have ihe legal authority to grant it :: If adopted without the offered exemptions, the Draft Decision could conflict with a number of binding and non-binding information sharing arrangements that die United States has signed. For example, we have signed a 2003 Mutual Legal Assistance Agreement (MLAT) with the European Union and a 2001 information sharing agreement with Europol (the EU-level police agency); with reject to member states, we signed a 2003 MLAT with Germany, which builds on numerous odier MLATs already in force with other EU member stales. The Lnited States also has many executive agreements and memoranda of understanding with member
-*MW*-under which critical information recurrently being shared. Under Eli law, directives supersede hilaif-rai treaties and agreements and member states must conform their existing agreemenis with the directive.
sy A •a .C O *,3u:~
^at'-'icj: Centered
/
Analysis & Recommendation
C^
a
9
'\
\v
"' Conversely, Paragraph .54 of the Undertakings allows for die exchange of PNR for public health purposes and neither the Commission or the Article 29 Committee have challenged (he DHS-HHS MOU. 14 Unlike in 2003, this nsk is present now because the Court has conclusively ruled that the transfer of PNR Jaia is a law enforcement matter. White European integration has been the greatest in areas associated with the Common Market, law enforcement and public security is a relatively new area of activity at the community level and many responsibilities still fall to the EL' Memher States. The FCJ firmly pl.-irwi PNR in
_Jaax&LaLlaB:-eniarff;meni and .pnhlir security, -ind as rrsnlt, any actions taken in this area are likely to set— precedents for further community involvement in other Saw enforcement mailers.
I U~£SU!J£JJl Formatted: Font Bold, Underline
( ^ J b
Deleted? C^ fc> J Zi
Conclusion
v \ \
^
The USG has a paramount interest in ensuring that law enforcement and border control information continues to flow to the United States. In creating the Information Sharing Environment we are working !o break down walla that resnHct the sharing of information between Federal agencies.
The PNR Agreement that the US signed with the EU in 2004 is an example of the old-style artificial limitation. We entered into the PNR Agreement based upon the EU's argument that the export of commercial information was subject to special restrictions under EU law. The European Court, of Justice has now held that the information is law enforcement information, not commercial information, so that the rationale for the agreement has now dissolved.
t
,-> e o
bxi&mite+Oi .-l°i'2!5i;';'-; Cantered
f C
b
x, ..: Catered
'•:-,:!: Font: Sold
rarmBits* font: (Dsfautt) Timai Mew Roman, U p t
Formatted: Indent Left: 0 -
t i\;'--\m
_ > i t 5
• II
._<_£_ A ;£._! i s t j i 1 «_' t_ ii_i:i.i
I . ' — \
, l - v
i i
• \ M ' 4 V ^ J S")
r\C%-* : «- .o f ••
^ulbJO
X i I _ (. 1 _ J J 1 III i
i l l _ _J_i i , i t ' . ' _ v i i I I
, _ _ ) - t i t | _ e ^ i j ; i i i
i i i . *- __ ^ . J t _ i i i i '
i
_ - _ _ 1 - - t _C -_!_ < I
» i - J - - _ . - _Cl- I II J _ j . J _, J i -
- *- • - - 4 , i : .,
% • Cc-nte.-ed
I 'ormattsd: Indent: Late 0"
^iAiikJiail^m^yiliiiili -*•-»« Formaa-siJ: Font; (Default) Times e^i- i j in ''Hi ; ,ni-iif.'...-i'k ni i».--lke a n d i ' l i j . icul rt'J()UMiut;i M . > n . : : » u i . u j i U U i t S . ^ . S ^ l . _ , „ _ _ „. „ _
.sorrr,at»>3<J: Indent: Left: Q". Kght: . _ 0", Space Before: 0 pt, Afta- o at .
Hyphenate, Don't adjust space oetween Latin and Asian text. Don't
, adjust space between Asian text and — numbers
Formattad: terx: (Default} r « e s hsv Roman, i2 pt, English (U.S.)
Formatted: fane (Default) Times New Roman
- ,t
I
' LI
•c
-\
— !
- !
a
t >-u
V 'U i
c*. l ..
— - i
J
r Sr
i
V
„
;
. ti
i U
V i - . - ,
t-fi 1 > 't i
L iHt C f
i lue
I ' i c r i i
- _ _ v„ i I - r > ' . i t
h i . -
- . _ , . i d v i
I J it i v iv u 'i i >•>.». u j r
" u u , l' i t v t» 1
. " . s -
S IUI Ml » j
- - l i . i l i «= . - I , Formatted: Fonc (Default) Times Mew Roman, !2pt
.-armstted: indent; Left 0.13"
twmatted: fmv (Default) Time* :^L.m^S.ihJi>iiAM^i ::h?*±-.v..SSiii>.-X M-MkH^-^^MlSj^'.dJki^hj-M '\M)M New Roman i-OlSil5 VJL ^L2HL4kiWh.^
f t , . '
i v ' t i - i . , -> - >- _ _ i • - ^ ,
i t« ill e IM ie> >. i MI i - IM 1 ; „
v^ tu -v^
Formatted: font (Default) Time* Maw Roman
. v- n Q
X-; . - . . : . , . , . . - . : • • ; • , , ; . e . .
r I
t.
> ' e i
-JL «" *^
.. .. C'JUi •-' : ; ; v " ?'-. ' - •'. '.'--.'•.':' .'-'.> '' V - •
- : - ^ ' - ~ ; - ' - ' - ^ - -^ - - •~ ' - - : ; • --i' - ' - i - . : - ! - - . ' . - . ^ — -
. ^ [ . ; : , ' . . _-•< ; - ; ' . ^ _ , ; - j . ' ; • . - . , . . ; , , - ' i " . ^ ! . • - • •
1 U 1
I » . i Li l i I i t •> I
' l l l l l - ( j ,J < U
. -i - f i r i
J ! ^ i , i
-
,i.r .-ir.t-J - .,. ., :-
,^;::7Tf ;;-'::;•;
- ....:.:.u;
i i
i n •>
. i .> i n 1
f ' ! c
_ i . • " " "
2: Centered
?fiirr.-«i;!: ftme (Default) Times Natv Roman
Formatted: Font: (Default) Times New Soman
14
0^ -i.iJi--:'J
\JKLfc<>
'iSoW
Homeland * Security
b$
DISCUSSION DOCUMENT Analysis of United States Interests in the U.S.-EU PNR dialogue
Department of'Homeland Security
iulv20. 2006
\K ,
Purpose
To provide you with background information on the Passenger Name Record (PNR) issue and related developments concerning law enforcement information sharing with the European Union (EU) in preparation for a mid-July "un-DC,"
fu>. Nummary
Before September 11, the government knew very little about the people getting on planes bound for ihe United States. After the attacks, airlines were required to provide information about their U.S.-bound passengers. Some of this informanon - name, contact information, and the like - was drawn from mfonnation supplied to the airline as part of the reservation process. DHS uses the information to screen for no-fly violators and terrorist suspects prior to arrival, and even before the plane takes off1, protecting against mid-flight hijackings and bombings.
For flights between Europe and the U.S., ihe data must be made available from European air carriers. hU law has long prohibited ihe commercial export of personal data to countries whose legal protections have not been deemed "adequate'' in the view of European data protection authorities. While the U.S. has many privacy laws, it does not have an overarching data protection regime that corresponds to every aspect of European law. It has therefore been viewed as "inadequate" by
r \ l
\
' CBP may- automatically access PNR data from European carriers up to 72 hours in advance of a flight. During this predeparture period, information is screened against CBP automated systems and risk scores begin to be generated. In some cases, particularly airports where CBP maintains a presence tJirough the Immigration Advisory Program, coordinated law enforcement action is also planned in advance 'vith local authorities. Analysis continues up ro arrival iiid is further supported by the collection of manifest information.
/ /
U?c^£o 3cHu?L-txzlde/ Mt-£-
SJQyK*: >-^\PAL *
\
'Y\ /
\ ^ v
European standards, and commercial data transfers to the U.S. have long been restricted by the lack of a broad adequacy finding. While the EU lacks similar requirements for the transfer of law enforcement information between the EU and third parties, a Framework Decision is currently being considered that would mirror the requirements applied in the commercial realm. c_
b
The PNR Agreement was also controversial in Europe. It was challenged by the European Parliament as insufficiently protective of EU privacy rights. On May 30 the European Court of Justice (ECJ) struck down the Agreement. But it chose a ground that was highly procedural - the equivalent under US law of the Supreme Court ducking a Fourth Amendment challenge by finding a law invalid because it exceeded Congress's Commerce Clause power. Under EU law, commercial issues fail within the jurisdiction of the EU as part of its "First Pillar" authority. This is the authority that the EU relied on in entering the Agreement. The ECJ, however, held that the US wanted PNR data for law enforcement and public security reasons. Law enforcement and public security are exempt from the Eli's commercial data protection laws and are only partly within the EU's authority Instead, they fall under the "Third Pillar," where the authority of EU central institutions (the Commission, Parliament and Court of Justice) is more limited and more authority is left to the Member States. This finding by the Court also eliminates the uncertainty that led to the signing of the agreement in the first place, specifically the fear that some Member States might bring action against air carriers under the commercial legal framework.
-Because the agreement was entered under the wrong authority, the Court ruled it-invalid but delayed the effective date of its decision until September 30 in the hope that the jurisdictional problem could be quickly solved. To cure the problem, the EUhas obtained authority from the Member States to renegotiate the PNR Agreement under the Third Pillar. As required by the Agreement, the EU also notified the United States that it will terminate the current Agreement on September 30, 2006 and
" CBP can share PNR data with other law enforcement agencies, but only on a case-by-case basis and only for the purpose of combating terrorism and serious transnational crimes. This restriction prevents PNR information from being shared in bulk with the intelligence and law enforcement community, and it denies those agencies direct access to the records. Broader access would allow other agencies to look for patterns in the travel of individuals not deemed to be high risk and to assess connections between passengers. ICE, for example, has expressed its frustration over losing access to this information.
(V v
/
has set a goal of csu-.biisbing a :iew agree-aent by this dale, d b 5 ^ --1M USG received a proposed replacement text from D ^ 5 3 theFiniiish Presiupcxsniuly i£±^-^il2ii£Jl£g.!^".^ i r 'n "•'T'^'ais have indicaied that this draft n;ayjioJ_fegJlML Comraission representatives have portrayed their proposal as a technical change that would put the same agreement back in place, albeit under a different legal authority.
5
-^~
V.
Background
Two converging events in Europe - the recent European Court of Justice decision on the legality of die EU-US PNR Agreement and a draft EU Framework Decision on Exchange of Criminal Data -have major implications for US law enforcement and security.
( Q \ The EU-US PNR Agreement. As noted, in May 2004, after substantial negotiations, the V . Department of Homeland Security entered into an. agreement relating to the sharing of PNR
information collected by air earners flying to the United States from Europe. The Agreement was
VA- ' vM4r£o£j.^ra;t!K...chyjcus. i-Kim-in:; .e^fiiLCcs io the European Convenr-on on Jjv>r: H ll<gh<$. AdJiiiunal poijey I -;,:?:u^is -s -jiKierway and ws!i he ft;mcr : r : . a bv ifae decisions of :hc D:.r<>;.ni s.
UB? VK J<"0-0
intended to resolve a perceived conflict between EU law (which limits the sharing of personal information collected by commercial entities with government entities) and US law (which required the collection and dissemination of PNR data). GenLral to the Agreement was a set of Undertakings made by Customs and Border Protection (CBP) regarding how it would treat the PNR data transmitted to it.4 Several of the limitationsjn those Undertakings significantly restnct US opportunities to use information for investigative and law enforcement purposes.
*\ U \ The most significant of these limitations, from our perspective are the following:
(C
b\ c
' A i
*
\ v.
\
b 001893
re)
>r) >
on Requirements in
y '
'' This concern is consistent with Hxecutive Order 13388 and the President's Memorandum issued or December !6, 2006 to Heads of Executive Departments and Agencies on ""Guidelines and Requiren Support of Information Sharing Environment."'
/
/
/
/ \ "n-tc'CCJ --MR C--1.S0. The Agreemeri was no less controversial in Emsseis. Disturbed over what it \ ^ viewed as an attack on persona! privacy and its own authority, the European Parliament (E?) filed V_ i\vo suits in the European Court of Justice (ECJ) challenging the information sharing arrangement.
v
On May 30, 2006, the ECJ issued its opinion in the lawsuits. The opinion did not address the merits of the EU-US PNR. Agreement or the role of the Parliament. Rather, the decision turned on the lack of competence of the Commission and Council to enter into the Agreement in the first instance. The EU had based its authority on the so-called "First Pillar.'" which allows the EU to regulate trade and commercial matters. The ECJ held (as the US had argued earlier) that the requirement that PNR data be sent to the US was a law enforcement and national security matter. Such transfers, the court held, were excluded from the data protection directive governing commercial data exports, [f they are to be regulated, the court implied, it would have to be done under the "Third Pillar."3
y " j \ That is what the EU proposes to do. It has obtained authority from its Member States to erect substantially the same agreement on a new foundation. In order to meet the European Court of Justice deadline, the Commission will seek to codify its position over the next couple of weeks and then will call for agreement on the new arrangement by September 30.
>v
<0
YD
NJN F.U Proposals on Sharing Law Enforcement Information. If that were all that is at stake, this would be an interesting diplomatic and legal problem for DEIS. But it is not. The PNR negotiations will be closely intertwined with a broader effort to establish restrictive, EU-wide rules for information sharing in the area of law enforcement. Last October the EU put forward two draft documents thai concern data sharing and protection in the law enforcement context. They consist of a draft Framework Directive of the European Parliament and Council on the retention of data and a proposed Council decision on the protection of personal data in criminal matters, n
sr-
\s>
• ' Acring under ihe Firs! Pillar, the EU has also entered into a PNR sharing agreement with Canada. In light of "f\ 'he EU's determination that ihe US Undertakings provided "adequate" privacy protections, the EU-Canada
agreement authorizes Canada to share PNR data received from the EU with the US. Even though the ECJ has •siruck down the EU-US rigreement. the EU contends that its similar agreement with Canada remains in effect. Some Canadian government .sources tire concerned, however, that the absence of an "adequacy" finding ..which =s a First Pillar concept) may now ha\e the effect ox prohibiting US-Canada information sharing derived from EU-originated flights.
/ f ms^
\ - \
IV / x^
rk?~?
^ I
At-'
' For example, the Draft Decision contains provisions on time limits for retention of shared data, ensuring the accuracy of shared data logging mid audit Irnils ns writ iy rp strict inm limiting fnrtVinr .^P nf th,. ,^|fi (,, i|)t.—= original purpose for which it wat; first transmitted. In effect, it borrows heavily from the PNR Agreement an<T the Undertakings.
V <*~ h
\ sx
" The adequacy finding granted to the U.S. was specific to the transfer of PNR data and only extended to its transmission to CBP. The May 30Ul decision of the ECJ also annuls this decision by the Commission on the grounds that tlie Commission did not have the legal authority to grant it
/
( 5
o
VC
Communicable Dise;.ives. One indicator of the extent to which EU data protection authorities prioritize the expansion of such roles over public safety concerns can be found in the European reaction to another US initiative relating to avian flu. If air passengers are exposed to a pandemic strain of avian flu. the government will need to locate all of the passengers and crew, quickly. So the Centers for Disease Control has proposed a rule requiring airlines to retain PNR for up to 60 days for that purpose. The top data protection authorities of Europe, known as the "Article 29 Working Party," have now decided that this sort of data retention violates EU privacy directives. If given effect, the Working Party's opinion would place air carriers legal jeopardy because of inconsistent legal regimes. It reflects a widespread EU view that privacy trumps even the critical public health interests of the United States. l j
Analysis & Recommendation
fc>
j i : If adopted without the offered exemptions, the Draft Decision could conflict with a number of binding and , — non-binding information sharing arrangements that the United States has signed. For example, we have \ ^v i signed a 2003 Mutual Legal Assistance Agreement (MLAT) with the European Union and a 2001 information V sharing .-iPTfvmc.nf- wiih Fnropnl (the. HI ?-1PVH pnbVp agpnry); ,vilh wp>v-t (rt momhw ititMi w* .«ign«^ n =
-2QQ3 MLAT with Germany, which builds on numerous other MLATs already in force with other EU member states, the United States also has many executive agreements and memoranda of understanding with member states under which critical information is currently being shared. Under EU law, directives supersede bilateral treaties and agreements and member states must conform their existing agreements with the directive.
r-) I '"' Conversely, Paragraph 34 of the Undertakings allows for the exchange of PNR for public health purposes and neither the Commission or the .Article 29 Committee have challenged the DHS-1IHS MOU.
I '" Unlike in 2003, this risk is present now because the Court has conclusively ruled that the transfer of PNR data is a law enforcement matter. While European integration has been the greatest in areas associated with
^ he Common Market, law enforcement and public security is a relatively new area of activity at the community level and many responsibilities still fall to the EU Member States. The ECJ firmly placed PNR in •'he area of law enforcement and public security, and as result, any actions taken in this area are likely to set nreeedents for further community involvement in other law enforcement matters.
r c 0*7
; C
CfficigjQJse OaiV
.A 5
V
"oiidusior!
^ s
V
Conclusion
001.633
/ /
f f\ The USG has a paramount interest in ensuring that lav/ enforcement and border control information \ J continues to flow to the United States. In creating the Information Shaiing Environment we are
"""" working to break down walls that restrict the sharing of information between Federal agencies.
,, \ The PNR Agreement that the US signed with the EU in 2004 is an example of the old-style artificial "\i limitation. We entered into the PNR Agreement based upon the EU's argument that the export of
commercial information was subject to special restrictions under EU law. The European Court of justice has now held that the information is law enforcement information, not commercial information, so that the rationale for the agreement lias now dissolved.
f ^
\ "
U33
10
Attachmeat: Excerpts from the EU data protection Directive and proposed Framework Decision.
1. DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995
Article 3
Scope
1. This Directive shall apply to the processing of personal data wholly or partly bv automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Directive shall not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning puhlic security, defence. State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas nf rriminal law.
Article 26
Derogations
1. Bv way of derogation from Article 25 and save where otherwise provided by domestic law govern in g particular cases. Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:
fa) the data subject has given his consent unambiguously to the proposed transfer: or
(b) tile transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request: or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party: or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or deience oi legal claims: or
(e) the transfer is necessary in order to protect the vital interests of the data subject: or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest to me extent that the conditions laid down in law for consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1. a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2). where the controller adduces adequate safeguards with respect lo the protection of the privacy and fundamental rights and freedoms of
ii 001700
For QfficflBJJse Only
individuals and as regards the exercise of the corresponding rights: such safeguards may in particular result from appropriate contractual clauses.
3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.
If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).
Member States shall take the necessary measures to comply with the Commission's decision.
4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2). mat certain standard contractual clauses offer sufficient safeguards as required by paragraph 2. Member States shall take the necessary measures to comply with the Commission's decision.
CHAPTER IV TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Article 25
Principles
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if. without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations: particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in mat country.
3. The Member States and the Commission shall inform each other of cases where thev consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4vWfaere-the Commission finds, under the procedure provided for in Article 31 (2). that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article. Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure referred to in Article 31 (2). that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered
u 001701
For OfffifeLUse Only
into, particularly upon conclusion of the negotiations referred to in paragraph 5. for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission's decision.
2. Proposal for a COUNCIL FRAMEWORK DECISION on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
Article 15
Transfer to competent authorities in third countries or to international bodies
1. Member States shall provide that personal data received from or made available by the competent authority of another Member State are not further transferred to competent authorities of third countries or to international bodies except if such transfer- is-in-compliance with this Framework Decision and, in particular, ail the following requirements are met. fa) The transfer is provided for bv law clearly obliging or authorising it. (b) The transfer is necessary for the purpose the data concerned were transmitted or made available for or for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden bv the need to protect the interests or f"nriamt»ntal rightc of the data subject. (c) The competent authority of another Member State that has transmitted or made available the data concerned to the competent authority that intends to farther transfer them has given its prior consent to their further transfer. (d) An adequate level of data protection is ensured in the third country or bv the international body to which the data concerned shall be transferred.
2. Member States shall ensure that the adequacy of the level of protection afforded by a thirH country or international body shall be assessed in the light of all the circumstances for each transfer or category of transfers. In particular, the assessment shall result from an examination of the following elements: the type of data, the purposes and duration of processing for which the data are transferred, the country of origin and the country of final destination, the general and sectoral rules of law applicable in the third country or body in Question, the professional and security rules which arc applicable there, as well as the existence of sufficient safeguards put in place bv the recipient of the transfer.
3. The Member States and the Commission shall inform each other of cases where thev consider that a third country or an international body does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where, under the procedure provided for in Article 16. it is established that a third country or international body does not ensure an adequate level of protection within the meaning of paragraph 2. Member States shall take the measures necessary to prevent any transfer of personal data to the third country or international body in question.
001702 13
iM For OfScfoLUse Only
5. In accordance with the procedure referred to in Article 16, it may be established that a third country or international body ensures an adequate level of protection within the meaning of paragraph 2. bv reason of its domestic law or of the international commitments it has entered into, for the protection of the private lives and basic freedoms and rights of individuals.
6. Exceptionally, personal data received from the competent authority of another Member State may be farther transferred to competent authorities of third countries or to international bodies in or bv which an adequate level of data protection is not ensured if absolutely necessary in order to safeguard the essentiallnterests of a Member State or for the prevention of imminent serious danger threatening public security or a specific person or persons.
w 001703 Urs6UKS
Attachment B
FOR
DISCUSSION DOCUMENT Analysis of United States Interests in the U.S.-EU PNTR dialogue
Department of Homeland Security
July 13.2006
Purpose
( $
( * " )
( ^
Terprovidj? you wjthLbjKkgromid information an. the PaTapn^ef^ameTleconf (£NR)-issue and^ related developments concerning law enforcement information sharing with the European Union (EU) in preparation for a mid-July "un-DC."
Summary
Before September 11, the government knew very little about the people getting on planes bound for the United States. After the attacks, airlines were required to provide information about their U.S.-bound passengers. Some of this information - name, contact information, and the like -was drawn from information supplied to the airline as part of the reservation process. DHS uses the information to screen for no-fly violators and terrorist suspects prior to arrival, and even before the plane takes off1, protecting against mid-flight hijackings and bombings.
For flights between Europe and the U.S., the data must be made available from European air carriers. EU law has long prohibited the commercial export of personal data to countries whose legal protections have not been deemed "adequate" in the view of European data protection authorities. While the U.S. has many privacy laws, it does not have an overarching data protection regime that corresponds to every aspect of European law. It has therefore been viewed as "'inadequate" by European standards, and commercial data transfers to the U.S. have long been restricted by the lack of a broad adequacy finding. While the EU lacks similar requirements for the transfer of law enforcement information between the EU and third parties, a Framework Decision is currently being considered that would mirror the requirements applied in the commercial realm. ' , - " "
C b*> =
lot 001704
W 1 CBP may automatically access PNR data from European carriers up to 72 hours in advance of a flight. During this pre-deparnlre period, information is screened against CBTiutomated systems and risk scores begin to be generated. In some cases, particularly airports where CBP maintains a presence through the Immigration Advisory Program, coordinated law enforcement action is also planned in advance with local authorities. Analysis continues up to arrival and is further supported by the collection of manifest information.
> I) FOR QfflofauVSE ONLY *
/
FOR O F F I C I A I N J S E ONLY
\ The PNR Agreement was also controversial in Europe, ft w as challenged by the European Parliament as insufficiently protective of EU privacy rights. On May 30 the European Court of j ustijee TEC J) struck down the Agreement-: But it chose a ^ i ind4KaI wa&Tii^^rwoeiduFaF---ihe equivalent under US law of the Supreme Court ducking a Fourth Amendment challenge by-finding a law invalid because it exceeded Congress's Commerce Clause power. Under EU law, commercial issues fall within the jurisdiction of the EU as part of its "First Pillar" authority. This is the authority that the EU relied on in entering the Agreement. The ECJ, however, held that the US wanted PNR data for law enforcement and public security reasons. Law enforcement and public security are exempt from the EU's commercial data protection laws and are only partly within the EU's authority. Instead, they fall under the "Third Pillar," where the authority of EU central institutions (the Commission, Parliament and Court of Justice) is more limited and more authority is left to the Member States. This finding by the Court also eliminates the uncertainty that led to the signing of the agreement in the first place, specifically the fear that some Member States might bring action against air carriers under the commercial legal framework.
•\ \ \ Because the agreement was entered under the wrong authority, the Court ruled it invalid but
delayed the effective date of its decision until September 30 in the hope that the jurisdictional problem could be quickly solved. To cure the problem, the EU has obtained authority from the Member States to renegotiate the PNR Agreement under the Third Pillar. As required by the Agreement, the EU also notified the United States that it will terminate the current Agreement on September 30, 2006 and has set a goal of establishing a new agreement by this date. The USG received a proposed replacement text from the Finnish Presidency on July 19th, although Commission officials have indicated that this draft may not be final/ Commission representatives have portrayed their proposal as a technical change that would put the same agreement back in place, albeit under a different leg^l anrhnrity
C -"N b\ I \\\~ C'BP can share PNR data with other law enforcement agencies, but only on a case-by-case basis and only for the I ^ ' purpose of combating icrrorism and serious transnational crimes. This restriction prevents PNR information from
being shared in bulk with the intelligence and lav enforcement community, and it denies those agencies direct access to she records. Broader access would allow other agencies to look for patterns in the travel of individuals not deemed lo be high risk and to assess connections between passengers. ICE. for example, has expressed its lajsirauon over lotting access to this mfortnatnmr
, \ Both the Departments of State and Homeland Security have a number of questions regarding the legal impact of a v J~~ . arietv of wording choices, including references to the European Convention on Human Rights. Additional policy
~ analysis is underway and our response will be driven by the decisions of the Deputies.
" / ''• f*0I705 FOR o h j f c l A L USE ONLY
FOR OFFICIAL USE ONLY
4 ^
Background
Two converging events in Europe - the recent European Court of Justice decision on the legality of the EU-US PNR Agreement and a draft EU Framework Decision on Exchange of Criminal Data -- have major implications for US law enforcement and security.
The EU-US PNR Agreement. As noted, in May 2004, after snh«sianti?l npgnti^tinnc the Department of Homeland Security entered into an agreementTeTating to the sharing ot PNR information collected by air carriers flying to the United States from Europe. The Agreement was intended to resolve a perceived conflict between EU law (which limits the sharing of personal information collected by commercial entities with governmental entities) and US law (which required the collection and dissemination of PNR data). Central to the Agreement was a set of Undertakings made by Customs and Border Protection (CBP) regarding how it would treat the PNTR data transmitted to it. Several of the limitations in those Undertakings
£ h 001706 FOR O r a ^ l A / f u S E ^ N L Y
! ' • '
FOR OFFIGMrf. USE ONLY
significantly restrict L'S opportunities to use information for imestigative and Saw enforcement purposes.
' ^ J fhe most signillcant of these limitations, from our perspective are the following:
1.
r A i ^ • V
f A
f ( \
v
b
u /
/
FOR dteJClAt USE ONLY
^ry.* i"*A"7
/
FOR &/FICIAL USE ONLY
V
f«V
t v y \ The ECJ PiNR Case. The Agreement was no less controversial in Brussels. Disturbed over —what-tt viewed as an attack on personal privacy and its own authority, the European Parliament
(EP) tiled two suits in the European Court of Justice (ECJ) challenging the information sharing arrangement.
i
This concern is consistent u ith Executive Order I 3 588 and the President's Memorandum issued on December ! 6. ^ .2006 to Heads of E\ecuti\e Dcpannicnts and Agencies on "Guidelines and Requirements in Support of Information
Sharing Environment."
,%*<")
V ^ k\ FOR OFVCIAL USE
m/ « 'J*
ONLY
FOR OFFICIAL LSE ONLY oWici
{ , , • On May 30, 2006, the ECJ issued its opinion in the lawsuits. The opinion did not address the \ '" J merits of the EU-US PNR Agreement or the roie of the Parliament. Rather, the decision turned
on the !ack of competence of the Commission and Council to enter into the Agreement in the first instance. The EU had based its authority on the so-called "First Pillar." which allows the EU to regulate trade and commercial matters. The ECJ held (as the US had argued earlier) that the requirement that PNR data be sent to the US was a law enforcement and national security matter. Such transfers, the court held, were excluded from the data protection directive governing commercial data exports. If they are to be regulated, the court implied, it would have to be done under the "Third Pillar."*
[ \ j ^ Thcitits vvhatthe EtLpropjjses to do; Ithas:abteiriMajirJ^ ; \ ^ substantially the same agreement on a new foundation. In order to meet the European Court of
Justice deadline the Commission will seek to codify its position over the next couple of weeks and then will call for agreement on the new arrangement by September 30.
uy
h
r N EU Proposals on Sharing Law Enforcement Information. If that were all that is at stake, this ( U ) would be an interesting diplomatic and legal problem for DHS. But it is not. The PNR
negotiations will be closely intertwined with a broader effort to establish restrictive, EU-wide rules for information sharing in the area of law enforcement. East October the EU put forward two draft documents that concern data sharing and protection in the law enforcement context. They consist of a draft Framework Directive of the European Parliament and Council on the retention of data and a proposed Council decision on the protection of personal data in criminal matters. C_ fcr£— ~~
^ r
f • / '' u / "N. ' Acting under the First Pillar, the El. has also entered into a PNR -sharing agreement with Canada. In light ot'rhe I VX j f L ' s determination that the L'S t ndertakmgs provided "adequate" privacy protections, the tL-Canada agreement "V .iiithorizcs Canada to share PNR data received from the KL with the LS. Even though the ECJ has struck down the
EU-US 'agreement, the EU contends thai its similar agreement with Canada remains in effect. Some Canadian „i<nernment sources, are concerned, however, that the absence of an "adequacy" finding (which is a First Pillar concept) may now have '.he effect of prohibiting (.. S-Canada information sharing derived from EU-onginated iltghts. / *
XL / A0'!7B3 FOR OrWICIAL/LSE ONLY
FOfc^OFFlCIAL ONLY
^
For example, the Draft Decision contains provisions oa time limits for retention of shared data, ensuring the accuracy of shared data, logging and audit trails, as well as restrictions limiting further use of the data to the original purpose for which it was first transmitted. In effect, it borrows heavily from the PNR Agreement and the Undertakings.
1' The adequacy finding granted to the U.S. was specific to the transfer of PNR data and only extended to its transmission to CBP. The May 30"1 decision of the ECJ also annuls this decision by the Commission on the grounds that the Commission did not have the legal authority to grant it
FOfe/OFFI Ts BE ONLY 001710
FO Fv^FFl CI A L I S EON L Y
f' -^ Communicable Diseases. One indicator of the extent to which EU data protection authorities \ ) pnontize the expansion of such roles over public safety concerns can be found in the European
reaction to another US initiative relating to avian flu. if air passengers are exposed to a pandemic strain of avian flu, the government will need to locate all of the passengers and crew, quickly. So the Centers for Diseaic Control lias proposed a rule requiring airlines to retain PNR for up to 60 days for that purpose. The top data protection authorities of Europe, known as the •Article 29 Working Party," have now decided that this sort of data retention violates EL' privacy d rrectivcs.-rf given:effect;.tti£. Working Party "s;.optxiical...\vouId 'pSceaif carfie^TepTjeopaSy"' because of inconsistent legal regimes. It reflects a widespread EU view that privacy tramps even the critical public health interests of the United States. '"
\
(a
\S
V
r a
Analysis & Recommendation
b
: If adopted without the offered exemptions, the Draft Decision could conflict with a number of binding and non-binding information sharing arrangements that the United States has signed For f-xampl<- u.-i» h.iv. ^gp^d a ?QQ_>
-Mutual I egal Assistance AutecmctH4-MLA D with the European Union and a 2001 information sharing agreement— •A ith Europol (the EU-ievel police agency); with respeel to member states, we signed a 2003 .VILA T with Germany, which builds i>n numerous other MLATs already in force with other EU member states. The United States also has many executive agreements and memoranda of understanding with member states under which critical information is currently being shared. Under EU law, directives supersede bilateral treaties and agreements and member states must conform their existing agreements to the directive.
Conversely. Paragraph 34 of the Undertakings allows for the exchange of PNR for public heaith purposes and neither she Commission nor the Article 29 Committee have challenged the DHS-F1HS MOU.
* t nlike in 2003, (his risk is present now because the ( ourt has conclusively ruled that the transfer of PNR data is a law enforcement matter. While European integration has been ;he greatest in areas associated with the Common Market. law enforcement and public security is a relatively new area of activity at the community level and manv -•.-sponsibsiines still fall to the EL Member States. The ECU firmly placed PNR in ihe area of law enforcement and public security, and as result, any actions taken in this area are likely to set precedents for further community involvement in other law enforcement matters. / . ...
/ / n f...A r-,4 1
FOR OVFIClAj: USE ONLY ' f J':. i J.J. ;OVFICIA
FOR W F I C S L USE £*NLY^T /
b
Conclusion
CO-
•\
c)
<c " Excluding Canada and Mexico, flights originating in these five countries comprise nearly a quarter of all international flights arriving in the United States. In terms of global traffic, flights arriving from the L'K rank third (after Canada and Mexico). Germany is 6th; France 9*; the Netherlands lO"1; and Ttaly 17th.
FOR^nCTAIvUSE ONLY ©01712
FOR O F F I & L * L \ SE ONLY
,;• ^ The L'SG has a paramount interest in ensuring that law enforcement and border control . ; information continues to How to the United States. In creating the Information Sharing
Environment we are working to break down wails.that restrict the sharing of information between Federal agencies.
, -\ The PNR Agreement that the I S signed with the EU in 2004 is an example of the old-style ^ ' artificial limitation. We entered into the PNR Agreement based upon the E:U"s argument that the
export of commercial information was subject to special restrictions under EU law. The European Court of Justice has now held that the information is law enforcement information, not comnierciatinfonBatitTrivSOuiarthe rationale fcr tile apeem^rillias'rio^llissolvell;: " z :
3 ,'/ ^
to rr)
Attachments
A. B.
Excerpt from EU Data Protection Directive 95/46/EC (24 October 1995) f <4 J
Excerpt from Draft Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matter (October 2005) C^"^
>f\A *"-A f\ f\A *"•* ' i
FOR OFFIC M I . USE ONLY
FOR O F F i r a L USE ONLY
Attachments;
A. DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995
Article 3
Scope _ . . _
1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
3r This Directive shaft not apprfy ttrthe processingufperSoTratlTara:
- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.
Article 26
Derogations
1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases. Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject: or
( 0 the transfer is made from~a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.
AI 001714 FOR OWICIAL USE ONLY
r^usE FOR OFFICpW^USE ONLY
If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2). Member States shall take the necessary measures to comply with the Commission's decision.
4. Where the Commission decides, in accordance with the procedure referred to in Article —31 (2),~that cenain"Standard~conn-aclual"clausesToffef sufficient Safeguards asTequirecTby ~
paragraph 2. Member States shall take the necessary measures to comply with the Commission's decision.
^HARTER-TV TRANSFER-QF-PERSONAL-EKATA^Q-TrHRD-C0UNTRfES — Article 25 Principles 1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2. 4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
r> At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4. 6. The Commission may find, in accordance with the procedure referred to in Article 31 (2). that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals. Member States shall take the measures necessary to comply with the Commission's decision.
FOR OFFICIAL USE ONLY
FOR OFFICIAiCySE ONLY
B. Proposal for a COUNCIL FRAMEWORK DECISION on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
Article 15
Transfer to competent authorities in third countries or to international bodies
1. Member States shall provide that personal data received from or made available by the competent authority of another Member State are not further transferred to competent authorities of third countries or to international bodies except if such transfer is in compliance wtthjhis FrameworkJDecis jon and, in particittarratt thezfo Hawing: requiremenls are met, ' "'—. (a) The transfer is provided for by law clearly obliging or authorising it. (b) The transfer is necessary for the purpose the data concerned were transmitted or made available for or for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject. (c) The competent authority of another Member State that has transmitted or made available the data concerned to the competent authority that intends to further transfer them has given its prior consent to their further transfer. (d) An adequate level of data protection is ensured in the third country or by the international body to which the data concerned shall be transferred.
2. Member States shall ensure that the adequacy of the level of protection afforded by a third country or international body shall be assessed in the light of all the circumstances for each transfer or category of transfers. In particular, the assessment shall result from an examination of the following elements: the type of data, the purposes and duration of processing for which the data are transferred, the country of origin and the country of final destination, the general and sectoral rules of law applicable in the third country or body in question, the professional and security rules which are applicable there, as well as the existence of sufficient safeguards put in place by the recipient of the transfer.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country or an international body does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where, under the procedure provided for in Article 16, it is established that a third country or international body does not ensure an adequate level of protection within the meaning of paragraph 2, Member States shall take the measures necessary to prevent any transfer of personal data to the third country or international body in question.
5. In accordance with the procedure referred to in Article 16, it may be established that a third country or international body ensures an adequate level of protection within, the meaning of paragraph 2. by reason of its domestic law or of the international commitments it has entered into, for the protection of the private lives and basic freedoms and rights of individuals.
j 001716 FOR OTFICIAL USE ONLY
FOR OFFICIAL USE ONLY
6. Exceptionally, personal data received from the competent authority of another Member State may be further transferred to competent authorities of third countries or to international bodies in or by which an adequate level of data protection is not ensured if absolutely necessary in order to safeguard the essential interests of a Member State or for the prevention of imminent serious danger threatening public security or a specific person or persons.
FOR OyFElCIAL USE ONLY
: O R O USE ONLY
Attachment C
DISCUSSION DOCUMENT Analysis of United States Interests in the U.S.-EU PNR dialogue
Department of Homeland Security
July 13,2006
Purpose
To provide you with background information on the Passenger Name Record (PNR) issue and related developments concerning law enforcement information sharing with the European Union (EU) in preparation for a mid-July "tin-DC."
Summary
% Before September 11. the government knew very little about the people getting on planes bound .' for the United States. After the attacks, airlines were required to provide information about their
U.S.-bound passengers. Some of this information name, contact information, and the like -was drawn from information supplied to the airline as part of the reservation process. DHS uses the information to screen for no-fly violators and terrorist suspects prior to arrival, and even before the plane takes off1, protecting against mid-flight hijackings and bombings.
L( • For flights between Europe and the U.S., ihe data must be made available from European air carriers. EU law has long prohibited the commercial export of personal data to countries whose legal protections have not been deemed "adequate" in the view of European data protection authorities. While the U.S. has many privacy laws, it does not have an overarching data protection regime that corresponds to every aspect of European law. It has therefore been v iewed as "inadequate" by European standards, and commercial data transfers to the U.S. have iong been restricted by the lack of a broad adequacy finding. While the EU lacks similar requirements for the transfer of law enforcement information between the EU and diird parties, a Framework Decision is currently being considered that would mirror the requirements applied in the commercial realm, A
h<
<-ss
<H b ('HP ma\ automatically access PNR data from Huropean carriers up to 72 hours in advance of a flight. During this
ore-departure period, information is screened against (. BP automated systems and risk scores begin to he generated. in some cases, particularly airports where CBP maintains a presence through the immigiaiion Advisoty Program, ..•oordinated Saw enforcement action i.s also planned in advance with local authorities. Analysis continues up to .irrival and is further supported by ihe collection of manifest information. -—^ | •_ <~ IA r, c\\r
'iV FOR OTFICIA/USE OINLV^
FOR OFHCIAL USE ONLY
The PNR Agreement was also controversial in Europe. It was challenged by the European Parliament as insufficiently protective of EU privacy rights. On May 30 the European Court of Justice (ECJ) struck down the Agreement. But it chose a ground that was highly procedural -•• the equivalent under US law of the Supreme Court ducking a Fourth Amendment challenge by-finding a law invalid because it exceeded Congress's Commerce Clause power. Under EU law, commercial issues fall within the jurisdiction of the EU as part of its "First Pillar" authority. This is the authority that the EU relied on in entering the Agreement. The ECJ, however, held that the US wanted PNR data for law enforcement and public security reasons. Law enforcement and public security are exempt from the EU's commercial data protection laws and are only partly within the EU's authority. Instead, they fall under the "Third Pillar," where the authority of EU central institutions (the Commission, Parliament and Court of Justice) is more limited and more authority is left to the Member States. This finding by the Court also eliminates the uncertainty that led to the signing of the agreement in the first place, specifically the fear that some Member States might bring action against air carriers under the commercial legal framework.
Because the agreement was entered under the wrong authority, the Court ruled it invalid but delayed the effective date of its decision until September 30 in the hope that the jurisdictional problem could be quickly solved. To cure the problem, the EU has obtained authority from the Member States to renegotiate the PNR Agreement under the Third Pillar. As required by the Agreement, the EU also notified the United States that it will terminate the current Agreement on September 30, 2006 and has set a goal of establishing a new agreement by this date. The USG received a proposed replacement text from the Finnish Presidency on July 19th, although Commission officials have indicated that this draft may not be final.3 Commission representatives have portrayed their proposal as a technical change that would put the same agreement back in place, albeit under a different legal authority.
,A
bl r . " \ " CI3P can share PNR data with other law enforcement agencies, but only on a case-by-case basis and only for the \ A. -' purpose of combating terrorism and serious transnational crimes. Ibis restriction prevents PNR information from
v being shared in bulk with the intelligence and iaw enforcement community, and it denies those agencies direct access to the records. Broader access would allow other agencies to look for patterns in ihe iravel of individuals not deemed to be high risk and to assess connections between passengers. ICE, for example, lias expressed its frustration over losing access to this information.
-\ \ \ ' Both the Departments of State and Homeland Security have a number of questions regarding the legal impact of a
. -jriety of wording choices, including references to the European Convention on Human Rights. Additional policy tnalysis is underway and our response 'A ill be dm en by the/fiecisions of ihe Deputies.
FOA OFFICIAL USE ONLY V.v'-;- A.1-" .
,/SE FOR^JFFICIAL'USE ONLY
C *
Background
\T\ Two converging events in Europe - the recent European Court of Justice decision on the legality . 'of the EU-US PNR Agreement and a draft EU Framework Decision on Exchange of Criminal
Data - have major implications for US law enforcement and security.
The EU-US PNR Agreement As noted, in May 2004, after substantial negotiations, the Department of Homeland Security entered into an agreement relating to the sharing of PNR information collected by air carriers flying to the United States from Europe. The Agreement was intended to resolve a perceived conflict between EU law (which limits the sharing of personal information collected by commercial entities with governmental entities) and US law (which required the collection and dissemination of PNR data). Central to the Agreement was a set of Undertakings made by Customs and Border Protection (CBP) regarding how it would treat the PNR data transmitted to it.4 Several of the limitations in those Undertakings
h
?FWIAL FOR OFFICIAL USE ONLY
FGWHTICIAL U^E ONLY
significantly restrict US opportunities to use information for investigative and law enforcement purposes.
f \y \ The most significant of these limitations, from our perspective are the-following:
c V
c
r i
J>1 y
7.
FOR OFFICIAL USE ONLY AK.72:
"OR OFFICIAL L'SK ONLY
..' t ^
X,
re
X
I vA ' The ECJ PNR Case. The Agreement was no less controversial in Brussels. Disturbed over A what4t-viewed us an attack on personal privacy and its own authority, the European£arliamenf^
(fcP) filed two suits in the European Court of Justice (ECJ) challenging the information sharing arrangement.
{ v \ '• ' This concern is consistent with Executive Order 13388 and the President's Memorandum issued on December 16. 7:006 to Heads of Executive Departments and Agencies on "Guidelines and Requirements in Support of Information Sharing Environment."
•fA\
V_A h FOR OFFIC^KI^U
n SE ONLY
Awmi^oK FOR OFFICIAI/TSSI^ONLY
On May 30, 2006, the ECJ issued its opinion in the lawsuits. The opinion did not address the merits of the EU-US PNR Agreement or the role of the Parliament. Rather, the decision turned on the lack of competence of the Commission and Council to enter into the Agreement in the first instance. The EU had based its authority on the so-called "First Pillar," which allows the EU to regulate trade and commercial matters. The ECJ held (as the US had argued earlier) that the requirement that PNR data be sent to the US was a law enforcement and national security matter. Such transfers, the court held, were excluded from the data protection directive governing commercial data exports. If they are to be regulated, the court implied, it would have to be done under the "Third Pillar.""s
That is what the EU proposes to do. It has obtained authority from its Member States to erect substantially the same agreement on a new foundation. In order to meet the European Court of Justice deadline the Commission will seek to codify its position over the next couple of weeks and then will call for agreement on the new arrangement by September 30.
EU Proposals on Sharing Law Enforcement Inforniation. If that were all that is at stake, this would be an interesting diplomatic and legal problem for DHS. But it is not. The PNR negotiations will be closely intertwined with a broader effort to establish restrictive, EU-wide rules for information sharing in the area of law enforcement. Last October the EU put forward two draft documents that concern data sharing and protection in the law enforcement context. They consist of a draft Framework Directive of the European Parliament and Council on the retention of data and a proposed Council decision on the protection of personal data in criminal matters. £ Jp^ _
J-J — ~
fc iwf-»
' Acting under the First Pillar, the EL) has also entered into a PNR sharing agreement with Canada. ID light of the i L s determination that the US Undertakings provided "adequate'' privacy protections, the EU-Canada agreement .iuthurizes Canada to share PNR data received from the EU with the"VS. Even though the ECJ lias struck down the LU-US agreement, tiie EU contends that its similar agreement with Canada remains in effect. Some Canadian government sources are concerned, however, thai the absence of an "adequacy" finding (which is a First Pillar concept) may now have the effect of prohibiting L'S-Canada information sharing derived from EU-originated ;lights.
FOR OFFICIAL USE ONLY
\
FOR OFFICIALESE ONLY
\X. ' For example the D r i f t f W i s i n n . -nnla int p rn i k i r inc 1111 lim.» l i m i t , fn, r.-li-nl i. M i i i f - I m i f i l .turn ' iVtnr jn i , tha
accuracy of shared data, logging and audit trails, as welTas rcitriciions limiting further use of the data to the original purpose for which it was first transmitted, in effect, it borrows heavily from the PNR Agreement and the I 'ndenakinas.
\ \ \ W
r<J & W-* f72j'i
' The adequacy findiri" granted to the U.S. was specific to the transfer of PNR data and only extended to its transmission to CBP. The May 30,!i decision of the ECJ also annuls this decision by the Commission on the grounds that rhe Commission did not have the legal authority to grant it
FOR OFFICIAL USE ONLY
\ V
(^
V
f2\ I L ]
FOR OFFICIAL USE ONLY
Communicable Diseases. One indicator of the extent to which Eli data protection authorities prioritize the expansion of such roles over public safety concerns can be found in die European reaction to another US initiative relating to avian flu. If air passengers are exposed to a pandemic strain of avian flu. the government will need to locate all of the passengers and crew, quickly. So the Centers for Disease Control has proposed a rule requiring airlines to retain PNR for up to 60 days for that purpose. The top data protection authorities of Europe, known as the •'Article 29 Working Party," have now decided that this sort of data retention violates EU privacy directives. If given effect, the Working Party's opinion would place air carriers legal jeopardy because of inconsistent legal regimes. It reflects a widespread EU view that privacy trumps even the critical public health interests of the United States.i3
Analysis & Recommendation
\ '" If adopted without the ottered exemptions, the Draft Decision could conflict with a number of binding and non-Uv ' binding information sharing arrangements that the United States has signed. For example, we have signed a 2003
•iufual Legal Assistance Agieemem t.MLAT) with me uuropean Union and a 2001 information sharing agreement with nuropoi (the Eli-level police agency), with respect to member states, we signed a 2003 MLAT with Germany, which builds on numerous other ML ATs already m force with omer l-.U member states. "ITie United States also has many executive agreements and memoranda of understanding with member states under which critical information is currently being shared. Under EU law. directives supersede bilateral treaties and agreements and member states must conform their existing agreements to the directive.
s \ i " Conversely. Paragraph 34 of the Undertakings allows for the exchange of PNR for public health purposes and :.either the Commission nor '.he Article 20 Committee have challenged the DHS-HHS MOD.
'"' Unlike in 2003, this risk is present now because the Court has conclusively ruled that the transfer of PNR data is a >,v ' ia'A enforcement matter. While European integration has been die greatest in areas associated uith the Common
Market, law enforcement and public security is a relatively new area of activity at the community level and many ivsponsibilities still fail to (he EU Member Sta;es. The ECJ firmly placed PNR in the area of law enforcement and public security, and as result, any actions iaken in this area are likely to set precedents for further community ;nvolvement in other law enforcement matters.
FOR OFFMSAL USE ONLY
FOR OFFICIATE ONLY ^ E C ^ E T
( * >
Conclusion
( ^
001726 15 Excluding Canada and Mexico, flights originating in these five countries comprise nearly a quarter of all international flights arriving in the United Stotes. In terms of global traffic, flights arriving from the UK rank third (after Canada and Mexico). Germany is 6A; France 9*; the Netherlands lO*; and Italy 17th.
FOR OFFICIAL USE ONLY Q P f f f ? ^ ^
•Ox OFFK •: O N L Y
; ,\ '" The USG has a paramount interest in ensuring that law enforcement and border control V information continues to flow to the United States. In creatine the Information Sharing
Environment we are working to break down wails that restrict the sharing of information between Federal agencies.
'k
f
The PNR Agreement that the US signed with the EU in 2004 is an example of the old-style artificial limitation. We entered into the PNR Agreement based upon the EU*s argument that the export of commercial information was subject to special restrictions under EU law. The European Court of Justice has now held that the information is law enforcement information, not commercial information, so that the rationale for the agreement has now dissolved.
C
\ L
Attachments
A. B.
Excerpt from EU Data Protection Directive 95'46/EC (24 October 1995) ( u Excerpt from Draft Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation m criminal matter (October 2005) f \
^ u-
FOR OFLfCJAL USE ONLY
FOR O F F I ^ L USE ONLY
Attachments:
A. DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 24 October 1995
Article 3
Scope
- 1 -This Directive shalhapply to theprocessingof personal data wholly Of partly by " ~ ~~ automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Directive shall not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
Article 26 Derogations 1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that: (a) the data subject has given his consent unambiguously to the proposed transfer; or (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party: or (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or (e) the transfer is necessary in order to protect the vital interests of the data subject; or
(Q the uansfer is made from a register whicn according to laws or regulations is intended to ^z_ provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case. 2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.
A / 001728 FORpFFICIAL USE ONLY
FOR OFFICfcfcL^USE ONLY
If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2). Member States shall take the necessary measures to comply with the Commission's decision.
4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractuaj clauses offerjufficjent safeguards,as_requiredl»y_ -paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.
CHAPTER IV TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES Article 25 Principles 1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question. 5. At the appropriate timer the Commiss ion shall entpr intn nBgnlintinns with A vi>w tn —
"remedying thesiruation resulting from tEeTThding made pursuant to paragraph^ 6. The Commission may find, in accordance with the procedure referred to in Article 31 (2). that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission's decision.
FOR OFFICIAL USE ONLY u
IAj)u§EW FOR OFFICIM/tlS^ONLY
B. Proposal for a COUNCIL FRAMEWORK DECISION on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters
Article IS
Transfer to competent authorities in third countries or to international bodies
— 1.- Member States shall provide-that personalia recrivedrfrom or made available by the competent authority of another Member State are not further transferred to competent authorities of third countries or to international bodies except if such transfer is in compliance with this Framework Decision and, in particular, all the following requirements are met. (a) The transfer is provided for by law clearly obliging or authorising it. (b) The transfer is necessary for the purpose the data concerned were transmitted or made available for or for the purpose of the prevention, investigation, detection or prosecution of criminal offences or for the purpose of the prevention of threats to public security or to a person, except where such considerations are overridden by the need to protect the interests or fundamental rights of the data subject. (c) The competent authority of another Member State that has transmitted or made available the data concerned to the competent authority that intends to further transfer them has given its prior consent to their further transfer. (d) An adequate level of data protection is ensured in the third country or by the international body to which the data concerned shall be transferred.
2. Member States shall ensure that the adequacy of the level of protection afforded by a third country or international body shall be assessed in the light of all the circumstances for each transferor category of transfers. In particular, the assessment shall result from an examination of the following elements: the type of data, the purposes and duration of processing for which the data are transferred, the country of origin and the country of final destination, the general and sectoral rules of law applicable in the third country or body in question, the professional and security rules which are applicable there, as well as the existence of sufficient safeguards put in place by the recipient of the transfer.
3. The Member States and the Commission shall inform each other of cases where they Consider that a third country nr an international hnHy r W c nnt wnr.iim an nHpqnatr II-I/PI rtf —
protection within the meaning of paragraph 2.
4. Where, under the procedure provided for in Article 16, it is established that a third country or international body does not ensure an adequate level of protection within the meaning of paragraph 2, Member States shall take the measures necessary to prevent any transfer of personal data to the third country or international body in question.
5. In accordance with the procedure referred to in Article 16, it may be established that a third country or international body ensures an adequate level of protection within the meaning of paragraph 2, by reason of its domestic law or of the international commitments it has entered into, for the protection of the private lives and basic freedoms and rights of individuals.
FOfcOTFICIAL USE ONLY G&W30 •'wcu^s
FOR OFFHSLKL USE ONLY
6. Exceptionally, personal data received from the competent authority of another Member State may be further transferred to competent authorities of third countries or to international bodies in or by which an adequate level of data protection is not ensured if absolutely necessary in order to safeguard the essential interests of a Member State or for the prevention of imminent serious danger threatening public security or a specific person or persons.
ofli731 FFICIAL USE ONLY l j«\CLMS