2009. évi CIV. törvény

az Európai Unió és az Amerikai Egyesült Államok között az utas-nyilvántartási adatállomány (PNR) adatainak a légi fuvarozók általi feldolgozásáról és az Amerikai Egyesült Államok Belbiztonsági Minisztériuma részére történő továbbításáról szóló megállapodás kihirdetéséről és a légi közlekedésről szóló 1995. évi XCVII. törvény módosításáról1

1. § Az Országgyűlés e törvénnyel felhatalmazást ad az Európai Unió és az Amerikai Egyesült Államok között az utas-nyilvántartási adatállomány (PNR) adatainak a légi fuvarozók általi feldolgozásáról és az Amerikai Egyesült Államok Belbiztonsági Minisztériuma részére történő továbbításáról szóló megállapodás (a továbbiakban: 2007. évi PNR-megállapodás) kötelező hatályának elismerésére.

2. § Az Országgyűlés a 2007. évi PNR-megállapodást és az ahhoz kapcsolódó Kiegészítő levélváltást e törvénnyel kihirdeti.

3. § A 2007. évi PNR-megállapodás és az ahhoz kapcsolódó Kiegészítő levélváltás hiteles szövege és azok hivatalos magyar nyelvű fordítása a következő:

„Agreement
between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement)

THE EUROPEAN UNION

and

THE UNITED STATES OF AMERICA,

DESIRING to prevent and combat terrorism and transnational crime effectively as a means of protecting their respective democratic societies and common values,

RECOGNISING that information sharing is an essential component in the fight against terrorism and transnational crime and that in this context the use of PNR data is an important tool,

RECOGNISING that, in order to safeguard public security and for law enforcement purposes, rules should be laid down on the transfer of PNR data by air carriers to DHS,

RECOGNISING the importance of preventing and combating terrorism and related crimes, and other serious crimes that are transnational in nature, including organised crime, while respecting fundamental rights and freedoms, notably privacy,

RECOGNISING that U.S. and European privacy law and policy share a common basis and that any differences in the implementation of these principles should not present an obstacle to cooperation between the U.S. and the European Union (EU),

HAVING REGARD to international conventions, U.S. statutes, and regulations requiring each air carrier operating passenger flights in foreign air transportation to or from the United States to make PNR data available to DHS to the extent they are collected and contained in the air carrier¨s automated reservation/departure control systems (hereinafter reservation systems), and comparable requirements implemented in the EU,

HAVING REGARD to Article 6 paragraph 2 of the Treaty on European Union on respect for fundamental rights, and in particular to the related right to the protection of personal data,

NOTING the former agreements regarding PNR between the European Community and the United States of America of 28 May 2004 and between the European Union and the United States of America of 19 October 2006,

HAVING REGARD to relevant provisions of the Aviation Transportation Security Act of 2001, the Homeland Security Act of 2002, the Intelligence Reform and Terrorism Prevention Act of 2004 and Executive Order 13388 regarding cooperation between agencies of the United States government in combating terrorism, as well as the Privacy Act of 1974, Freedom of Information Act and the E-Government Act of 2002,

NOTING that the European Union should ensure that air carriers with reservation systems located within the European Union make available PNR data to DHS and comply with the technical requirements for such transfers as detailed by DHS,

AFFIRMING that this Agreement does not constitute a precedent for any future discussions or negotiations between the United States and the European Union, or between either of the Parties and any State regarding the processing and transfer of PNR or any other form of data,

SEEKING to enhance and encourage cooperation between the Parties in the spirit of transatlantic partnership,

HAVE AGREED AS FOLLOWS:

(1) On the basis of the assurances in DHS’s letter explaining its safeguarding of PNR (the DHS letter), the European Union will ensure that air carriers operating passenger flights in foreign air transportation to or from the United States of America will make available PNR data contained in their reservation systems as required by DHS.

(2) DHS will immediately transition to a push system for the transmission of data by such air carriers no later than 1 January 2008 for all such air carriers that have implemented such a system that complies with DHS’s technical requirements. For those air carriers that do not implement such a system, the current systems shall remain in effect until the carriers have implemented a system that complies with DHS’s technical requirements. Accordingly, DHS will electronically access the PNR from air carriers’ reservation systems located within the territory of the Member States of the European Union until there is a satisfactory system in place allowing for the transmission of such data by the air carriers.

(3) DHS shall process PNR data received and treat data subjects concerned by such processing in accordance with applicable U.S. laws, constitutional requirements, and without unlawful discrimination, in particular on the basis of nationality and country of residence. The DHS’s letter sets forth these and other safeguards.

(4) DHS and the EU, will periodically review the implementation of this Agreement, the DHS letter, and U.S. and EU PNR policies and practices with a view to mutually assuring the effective operation and privacy protection of their systems.

(5) By this Agreement, DHS expects that it is not being asked to undertake data protection measures in its PNR system that are more stringent than those applied by European authorities for their domestic PNR systems. DHS does not ask European authorities to adopt data protection measures in their PNR systems that are more stringent than those applied by the U.S. for its PNR system. If its expectation is not met, DHS reserves the right to suspend relevant provisions of the DHS letter while conducting consultations with the EU with a view to reaching a prompt and satisfactory resolution. In the event that a PNR system is implemented in the European Union or in one or more of its Member States that requires air carriers to make available to authorities PNR data for persons whose travel itinerary includes a flight to or from the European Union, DHS shall, strictly on the basis of reciprocity, actively promote the cooperation of the airlines within its jurisdiction.

(6) For the application of this Agreement, DHS is deemed to ensure an adequate level of protection for PNR data transferred from the European Union. Concomitantly, the EU will not interfere with relationships between the United States and third countries for the exchange of passenger information on data protection grounds.

(7) The EU and the U.S. will work with interested parties in the aviation industry to promote greater visibility for notices describing PNR systems (including redress and collection practices) to the travelling public and will encourage airlines to reference and incorporate these notices in the official contract of carriage.

(8) The exclusive remedy if the EU determines that the U.S. has breached this Agreement is the termination of this Agreement and the revocation of the adequacy determination referenced in paragraph 6. The exclusive remedy if the U.S. determines that the EU has breached this agreement is the termination of this Agreement and the revocation of the DHS letter.

(9) This Agreement will enter into force on the first day of the month after the date on which the Parties have exchanged notifications indicating that they have completed their internal procedures for this purpose. This Agreement will apply provisionally as of the date of signature. Either Party may terminate or suspend this Agreement at any time by notification through diplomatic channels. Termination will take effect 30 days from the date of notification thereof to the other Party unless either Party deems a shorter notice period essential for its national security or homeland security interests. This Agreement and any obligations thereunder will expire and cease to have effect seven years after the date of signature unless the parties mutually agree to replace it.

This Agreement is not intended to derogate from or amend the laws of the United States of America or the European Union or its Member States. This Agreement does not create or confer any right or benefit on any other person or entity, private or public.

This Agreement shall be drawn up in duplicate in the English language. It shall also be drawn up in the Bulgarian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish, and Swedish languages, and the Parties shall approve these language versions.

Done at Brussels, 23 July 2007 and at Washington, 26 July 2007.

(signatures)

U.S. Letter to EU

In response to the inquiry of the European Union and to reiterate the importance that the United States government places on the protection of individual privacy, this letter is intended to explain how the United States Department of Homeland Security (DHS) handles the collection, use and storage of Passenger Name Records (PNR). None of the policies articulated herein create or confer any right or benefit on any person or party, private or public, nor any remedy other than that specified in the Agreement between the U.S. and the EU on the processing and transfer of PNR by air carriers to DHS done on the 26th of July, 2007 (the „Agreement”). Instead, this letter provides the assurances and reflects the policies which DHS applies to PNR data derived from flights between the U.S. and European Union (EU PNR) under U.S. law.

I. Purpose for which PNR is used

DHS uses EU PNR strictly for the purpose of preventing and combating: (1) terrorism and related crimes; (2) other serious crimes, including organized crime, that are transnational in nature; and (3) flight from warrants or custody for crimes described above. PNR may be used where necessary for the protection of the vital interests of the data subject or other persons, or in any criminal judicial proceedings, or as otherwise required by law. DHS will advise the EU regarding the passage of any U.S. legislation which materially affects the statements made in this letter.

II. Sharing of PNR

DHS shares EU PNR data only for the purposes named in article I.

DHS treats EU PNR data as sensitive and confidential in accordance with U.S. laws and, at its discretion, provides PNR data only to other domestic government authorities with law enforcement, public security, or counterterrorism functions, in support of counterterrorism, transnational crime and public security related cases (including threats, flights, individuals and routes of concern) they are examining or investigating, according to law, and pursuant to written understandings and U.S. law on the exchange of information between U.S. government authorities. Access shall be strictly and carefully limited to the cases described above in proportion to the nature of the case.

EU PNR data is only exchanged with other government authorities in third countries after consideration of the recipient’s intended use(s) and ability to protect the information. Apart from emergency circumstances, any such exchange of data occurs pursuant to express understandings between the parties that incorporate data privacy protections comparable to those applied to EU PNR by DHS, as described in the second paragraph of this article.

III. Types of Information Collected

Most data elements contained in PNR data can be obtained by DHS upon examining an individual’s airline ticket and other travel documents pursuant to its normal border control authority, but the ability to receive this data electronically significantly enhances DHS’s ability to focus its resources on high risk concerns, thereby facilitating and safeguarding bona fide travel.

Types of EU PNR Collected:

1. PNR record locator code,

2. Date of reservation/ issue of ticket

3. Date(s) of intended travel

4. Name(s)

5. Available frequent flier and benefit information (i.e., free tickets, upgrades, etc)

6. Other names on PNR, including number of travelers on PNR

7. All available contact information (including originator information)

8. All available payment/billing information (not including other transaction details linked to a credit card or account and not connected to the travel transaction)

9. Travel itinerary for specific PNR

10. Travel agency/travel agent

11. Code share information

12. Split/divided information

13. Travel status of passenger (including confirmations and check-in status)

14. Ticketing information, including ticket number, one way tickets and Automated Ticket Fare Quote

15. All Baggage information

16. Seat information, including seat number

17. General remarks including OSI, SSI and SSR information

18. Any collected APIS information

19. All historical changes to the PNR listed in numbers 1 to 18

To the extent that sensitive EU PNR data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning the health or sex life of the individual), as specified by the PNR codes and terms which DHS has identified in consultation with the European Commission, are included in the above types of EU PNR data, DHS employs an automated system which filters those sensitive PNR codes and terms and does not use this information. Unless the data is accessed for an exceptional case, as described in the next paragraph, DHS promptly deletes the sensitive EU PNR data.

If necessary in an exceptional case where the life of a data subject or of others could be imperiled or seriously impaired. DHS officials may require and use information in EU PNR other than those listed above, including sensitive data. In that event, DHS will maintain a log of access to any sensitive data in EU PNR and will delete the data within 30 days once the purpose for which it has been accessed is accomplished and its retention is not required by law. DHS will provide notice normally within 48 hours to the European Commission (DG JLS) that such data, including sensitive data, has been accessed.

IV. Access and Redress

DHS has made a policy decision to extend administrative Privacy Act protections to PNR data stored in the ATS regardless of the nationality or country of residence of the data subject, including data that relates to European citizens. Consistent with U.S. law, DHS also maintains a system accessible by individuals, regardless of their nationality or country of residence, for providing redress to persons seeking information about or correction of PNR. These policies are accessible on the DHS website, www.dhs.gov.

Furthermore, PNR furnished by or on behalf of an individual shall be disclosed to the individual in accordance with the U. S. Privacy Act and the U. S. Freedom of Information Act (FOIA). FOIA permits any person (regardless of nationality or country of residence) access to a U.S. federal agency’s records, except to the extent such records (or a portion thereof) are protected from disclosure by an applicable exemption under the FOIA. DHS does not disclose PNR data to the public, except to the data subjects or their agents in accordance with U.S. law. Requests for access to personally identifiable information contained in PNR that was provided by the requestor may be submitted to the FOIA/PA Unit, Office of Field Operations, U.S. Customs and Border Protection, Room 5.5-C, 1300 Pennsylvania Avenue, NW, Washington, DC 20229 [phone: (202) 344-1850 and fax: (202) 344-2791].