U.S. law requires air carriers operating flights to, from, or through the United States to provide the Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP), with certain passenger reservation information, called Passenger Name Record (PNR) data. This information is transmitted to CBP prior to departure and used primarily for purposes of preventing, detecting, investigating, and prosecuting terrorist offenses and related crimes and certain other crimes that are transnational in nature.
Collection of PNR information from air carriers is authorized by 49 U.S.C. § 44909(c)(3) and its implementing regulations at 19 C.F.R. § 122.49d. These statutory and regulatory authorities require each air carrier operating passenger flights in foreign air transportation to, from, or through the United States to provide CBP with electronic access to PNR data to the extent it is collected and contained in the air carrier’s reservation and/or departure control systems. The European Union (EU) has determined that U.S. laws, in conjunction with CBP policies regarding the protection of personal data, provide an adequate basis upon which to permit transfers of PNR data to the United States consistent with applicable EU law. An updated U.S.-EU PNR Agreement was signed in December 2011.
The Privacy Act of 1974, as amended (5 U.S.C. § 552a), governs the maintenance of information in federal agency systems through which records are retrieved using the personally identifiable information (PII) of United States citizens and lawful permanent residents. The Privacy Act regulates how the government can disclose, share, provide access to, and maintain the personal information that it collects in such systems. Though the Privacy Act does not afford coverage to non-U.S. persons, the Judicial Redress Act of 2015 (5 U.S.C. § 552a note), also extends provisions of the Privacy Act to non-U.S. citizens and non-lawful permanent residents who are citizens of countries that have been designated pursuant to procedures identified within the Judicial Redress Act. For those covered by neither, DHS policy covers information for all persons, regardless of immigration status, and treated consistent with the Fair Information Practice Principles (FIPPs).
DHS allows all persons, including foreign nationals, to seek access and request amendment to certain information maintained in the Automated Targeting System (ATS), including PNR data. Please see the procedures provided below. However, certain information maintained in ATS, such as information pertaining to the rule sets or accounting of a sharing with a law enforcement or intelligence entity in conformance with a routine use, may not be accessed, pursuant to 5 U.S.C. §§ 552a (j)(2) or (k)(2). For additional information, please refer to the ATS System of Records Notice (SORN) and Privacy Impact Assessment.
Who is affected by the program?
All persons traveling on flights to, from, or through the United States will be affected by this program. If you travel on flights arriving in or departing from the United States (even if you are simply transiting through the United States), CBP may receive PNR data concerning you. Air carriers create PNR data in their reservation systems for each itinerary booked for a passenger. Such PNR data may also be contained in the air carrier departure control systems.
What U.S. and EU laws allow for the transfer of PNR data?
By statute (49 U.S.C. § 44909(c)(3)) and its implementing regulations (19 CFR 122.49d), each air carrier operating international passenger flights to, from, or through the U.S. must provide CBP with electronic access to PNR data to the extent it is collected and contained in the air carrier’s reservation and/or departure control systems.
The EU has determined that this statute, in conjunction with DHS/CBP policies regarding the protection of personally identifiable information (PII) and the 2011 Agreement, provide an adequate basis upon which to permit transfers of PNR data to the U.S. consistent with applicable EU law. Please note that the 2011 Agreement applies to air carriers operating passenger flights between the EU and the U.S., as well as those air carriers incorporated or storing data in the EU and operating passenger flights to, from, or through the United States. For further information regarding this agreement, please refer to the link to the 2011 Agreement.
What is the purpose for collecting PNR information?
The purpose of collecting PNR information in advance of your arrival or departure is to assist CBP officers in measuring the risk associated with an individual traveling to, from, or through the United State, and to enable CBP to make accurate, comprehensive decisions regarding which travelers require additional inspection at the port of entry based on law enforcement and other information. Collecting this information in advance provides the traveler two advantages. First, it affords CBP adequate time to research possible matches against derogatory records to eliminate false positives. Second, it expedites travel by allowing CBP to conduct mandatory checks prior to a flight’s arrival in the United States, rather than making you, and everyone else on your flight, stand in line while we manually collect necessary information to facilitate a review after you arrive.
How is PNR information used?
DHS/CBP uses PNR strictly for the purposes of preventing, detecting, investigating, and prosecuting:
(1). To prevent, detect, investigate, and prosecute:
a. Terrorist offenses and related crimes, including
i. Conduct that--
1. involves a violent act or an act dangerous to human life, property, or infrastructure; and
2. appears to be intended to--
a. intimidate or coerce a civilian population;
b. influence the policy of a government by intimidation or coercion; or
c. affect the conduct of a government by mass destruction, assassination, kidnapping, or hostage-taking.
ii. Activities constituting an offense within the scope of and as defined inapplicable international conventions and protocols relating to terrorism;
iii. Providing or collecting funds, by any means, directly or indirectly, with the intention that they should be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the acts described in subparagraphs (i) or (ii);
iv. Attempting to commit any of the acts described in subparagraphs (i),(ii), or (iii);
v. Participating as an accomplice in the commission of any of the acts described in subparagraphs (i), (ii), or (iii);
vi. Organizing or directing others to commit any of the acts described in subparagraphs (i), (ii), or (iii);
vii. Contributing in any other way to the commission of any of the acts described in subparagraphs (i), (ii), or (iii);
viii. Threatening to commit an act described in subparagraph (i) under circumstances which indicate that the threat is credible;
b. Other crimes that are punishable by a sentence of imprisonment of three years or more and that are transnational in nature; a crime is considered as transnational in nature in particular if:
i. It is committed in more than one country;
ii. It is committed in one country but a substantial part of its preparation, planning, direction or control takes place in another country;
iii. It is committed in one country but involves an organized criminal group that engages in criminal activities in more than one country;
iv. It is committed in one country but has substantial effects in another country; or
v. It is committed in one country and the offender is in or intends to travel to another country;
(2) on a case-by-case basis where necessary in view of a serious threat and for the protection of vital interests of any individual or if ordered by a court.
(3) to identify persons who would be subject to closer questioning or examination upon arrival to or departure from the United States or who may require further examination.
(4) for domestic law enforcement, judicial powers, or proceedings, where other violations of law or indications thereof are detected in the course of the use and processing of PNR.
What information is collected?
The Automated Targeting System (ATS) maintains the PNR information obtained from commercial air carriers and uses that information to assess whether there is a risk associated with any travelers seeking to enter, exit, or transit through the United States. PNR may include some combination of the following categories of information, when available:
- PNR record locator code.
- Date of reservation/issue of ticket.
- Date(s) of intended travel.
- Available frequent flier and benefit information (i.e., free tickets, upgrades, etc.).
- Other names on PNR, including number of travelers on PNR.
- All available contact information (including originator of reservation).
- All available payment/billing information (e.g. credit card number).
- Travel itinerary for specific PNR.
- Travel agency/travel agent.
- Code share information (e.g., when one air carrier sells seats on another air carrier's flight).
- Split/divided information (e.g., when one PNR contains a reference to another PNR).
- Travel status of passenger (including confirmations and check-in status).
- Ticketing information, including ticket number, one way tickets and Automated Ticket Fare Quote (ATFQ) fields.
- Baggage information.
- Seat information, including seat number.
- General remarks including Other Service Indicated (OSI), Special Service Indicated (SSI) and Supplemental Service Request (SSR) information.
- Any collected APIS information (e.g., Advance Passenger Information (API) that is initially captured by an air carrier within its PNR, such as passport number, date of birth and gender).
- All historical changes to the PNR listed in numbers 1 to 18.
Not all air carriers maintain the same sets of information in PNR, and a particular individual’s PNR likely will not include information for all possible categories. In addition, PNR does not routinely include information that could directly indicate the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life of the individual. To the extent PNR does include terms that reveal such personal matters, DHS employs an automated system that filters certain of these terms and only uses this information in exceptional circumstances where the life of an individual could be imperiled or seriously impaired.
Is sensitive data included in the PNR data transfer?
Sometimes, information that could be considered sensitive could be included in the PNR data transfer. Such sensitive PNR data could include certain information revealing the passenger’s racial or ethnic origin, religion, or health. CBP uses electronic filters to automatically mask PNR data identified as sensitive that may be included in the PNR when it is transferred from reservation and/or air carrier departure systems to CBP. This information is not used or seen by any CBP personnel except under exceptional circumstances where the life of an individual could be imperiled or seriously impaired, in which case additional approval and security steps must be taken.
Who will have access to the information?
CBP is the primary user of PNR information. The PNR information collected from airlines may be made available to other government agencies inside and outside the Department of Homeland Security for law enforcement purposes pursuant to the “routine uses” included in the ATS System of Records Notice (SORN), and consistent with the terms of any applicable laws, regulations, DHS policies, and international agreements/arrangements, including the 2011 PNR Agreement. PNR information will not be shared outside of DHS unless the recipient agency has a proper need to know the information and can ensure the information will be properly protected.
CBP and DHS officials responsible for identifying illicit travel and preventing and detecting terrorism and certain transnational crimes will have access to PNR data derived from flights to, from, or through the United States. This PNR data may be provided to other government authorities, consistent with the purposes identified above in response to FAQ 1 and with the routine uses included in the ATS SORN and other exemptions under the Privacy Act. EU PNR data is only exchanged with foreign government authorities after a determination that the recipient’s intended use(s) is consistent with the terms of the 2011 Agreement, if applicable, and DHS/CBP policy, and that the recipient has the ability to protect the information.
CBP will advise in writing that the requesting authority will apply safeguards to the PNR that are comparable to those applied by CBP to ensure that access is granted in accordance with all applicable laws, regulations, DHS policies, and international agreements and arrangements.
How will the information be protected?
CBP carefully safeguards PNR data by applying appropriate data security and access controls, to ensure that the PNR data is not used or accessed improperly. Personal information will be kept secure and confidential and will not be discussed with, or disclosed to, any person within or outside CBP unless consistent with application law and in the performance of official duties, and as described above. Careful safeguards, including appropriate security controls, compliance audits, and written arrangements with non-DHS agencies ensure that the data is not used or accessed improperly. Additionally, the DHS Chief Privacy Officer reviews pertinent aspects of the program to ensure that proper safeguards are in place. Roles and responsibilities of DHS employees, system owners and managers, and third parties who manage or access PNR include:
DHS Employees - As users of ATS:
- Access records containing personal information only when the information is needed to carry out their official duties because of a specific need to know.
- Disclose personal information only for legitimate official purposes, and in accordance with applicable laws, regulations, and ATS routine use policies and procedures.
ATS System Owners/Managers:
- Follow applicable laws, regulations, and relevant DHS/CBP policies and procedures in the development, implementation, and operation of ATS.
- Conduct a risk assessment to identify privacy risks and determine the appropriate security controls to protect against those risks.
- Ensure that only personal information that is necessary and relevant for legally mandated or authorized purposes is collected.
- Ensure that all processes that contain personal information have an approved Privacy Impact Assessment. Privacy Impact Assessments meet appropriate Office of Management and Budget (OMB) and DHS guidance and will be updated as the system progresses through its development stages.
- Ensure that all personal information is protected and disposed of in accordance with applicable laws, regulations, DHS/CBP policies and procedures, and applicable agreements or arrangements.
- Use personal information collected only for the purposes for which it was collected, unless other purposes are explicitly mandated or authorized by law.
- Establish and maintain appropriate administrative, technical, and physical security safeguards to protect personal information.
Third parties, including other law enforcement entities, who may have access to information collected by ATS shall comply with requirements of written arrangements drafted to address, among other matters, privacy issues, and shall follow the same privacy protection guidance as DHS employees are required to follow.
What notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared?
Notice has been given to the public through the ATS SORN in conjunction with the ATS Privacy Impact Assessment (PIA). Because ATS does not collect PNR directly from individuals, there is no opportunity for an individual to consent to provide this information. PNR data maintained in ATS is collected from air carriers in accordance with U.S. law as stated above.
Similarly, since PNR data is collected from the air carriers to assist CBP in performing border security functions, it is not appropriate to seek consent from the affected individuals with respect to the defined uses of this information. Individuals do not have the right to consent to particular uses of the information. Once an individual submits the data to the air carrier for reservation purposes and the air carrier forwards the PNR data to CBP, the individual cannot exert control over it (except in the context of a request for access or redress, as discussed in the FAQs below).
How long is PNR information retained and what access restrictions apply?
The retention period for data maintained in ATS, which includes PNR, does not exceed fifteen years, except as noted below. The retention period for PNR, which is collected in ATS, will be subject to the following further access restrictions: ATS users will have general access to PNR for five years, after which time the PNR data is moved to dormant, non-operational status. After the first six months, the PNR is “depersonalized,” with names, contact information, and other personally identifiable information masked in the record. PNR data in dormant status is retained for an additional ten years, and may be accessed only with prior supervisory approval and only in response to an identifiable case, threat, or risk. Such limited access and use for older PNR strikes a reasonable balance between protecting this information and allowing CBP to continue to identify potential high-risk travelers.
Notwithstanding the foregoing, information maintained only in ATS that is linked to law enforcement lookout records, CBP matches to enforcement activities, investigations, or cases (i.e., specific and credible threats, and flights, individuals and routes of concern, or other defined sets of circumstances), will remain accessible for the life of the law enforcement matter to support that activity and other related enforcement activities.
Procedures for Access, Correction or Rectification, and Redress
How can an individual request access to his or her PNR?
Any individual, regardless of citizenship, who wishes to seek access to his or her PNR held by DHS can do so under the Freedom of Information Act (FOIA). FOIA provides members of the public with access to records, subject to certain exemptions, about the operations and activities of the U.S. federal government. Individuals seeking access to PNR records may submit a FOIA request to CBP at https://www.cbp.gov/site-policy-notices/foia, or by mailing a request to:CBP FOIA Headquarters Office
U.S. Customs and Border Protection
1300 Pennsylvania Avenue, NW, Room 3.3D
Washington, DC 20229
Fax Number: (202) 325-0230
An individual who is not satisfied with the agency’s response under FOIA may challenge a refusal to disclose data or a lack of a response to a FOIA request first through an administrative appeals process, and then in federal court.
How can an individual request correction or rectification of his or her PNR?
Several options are available for individuals seeking correction of personally identifiable information (PII) held by DHS.
Requests for amendment of information
Before requesting corrections be made to your PNR, please ask for a copy of the record through the processes described above to determine what information is actually in your PNR record(s). Keep in mind that PNR is usually information that you (or your representative) supplied in making your reservation. Requests for amendment should conform to the requirements of 6 CFR Part 5, which provides the rules for requesting amendment to records maintained by DHS. The envelope and letter should be clearly marked “Privacy Act Amendment Request.” The request must include the requester’s full name, current address, and date and place of birth. Your request should identify each particular record in question, state the amendment or correction that you want, and state why you believe that the record is not accurate, relevant, timely, or complete. You may submit any documentation that you think would be helpful. The request must be signed and either notarized or submitted under penalty of perjury.
Questions, concerns, or comments of a general or specific nature regarding CBP or its handling of PNR may be directed to the CBP INFO Center. You may contact the CBP INFOCenter in any one of three ways:
Online - https://help.cbp.gov
Telephone - During the hours of 8:30 a.m. to 5:00 p.m. Eastern Standard Time:
(877)227-5511 (toll-free call for U.S. callers)
(202)325-8000 (international callers)
OPA/CBP INFO Center
1300 Pennsylvania Avenue N.W., MS: 1345
Washington, DC 20229
Individuals may also seek redress through the DHS Traveler Redress Inquiry Program (DHS TRIP). Persons who believe they have been improperly denied entry, refused boarding for transportation, or identified for additional inspection by CBP may submit a redress request through DHS TRIP. DHS TRIP is a single point of contact for persons who have inquiries or seek resolution regarding difficulties they experienced during their travel screening at transportation hubs – such as airports, seaports, and train stations – or crossing U.S. borders. Through DHS TRIP, a traveler can request correction of erroneous data stored in ATS and other data stored in other DHS databases through one application. DHS TRIP redress requests can be made online at http://www.dhs.gov/dhs-trip or by mail at:
DHS Traveler Redress Inquiry Program (DHS TRIP)
601 South 12th Street, TSA-901
Arlington, VA 20598-6901
Whom do I contact if my complaint is not resolved?
In the event that a complaint cannot be resolved by CBP or through the DHS TRIP process, the complaint may be directed, in writing, to the Chief Privacy Officer, Department of Homeland Security, Washington, DC 20528-0550; Email at email@example.com; Phone: (202) 343-1717; and Fax: (202) 343-4010. The Chief Privacy Officer shall review the situation and endeavor to resolve the complaint.
Pursuant to the Homeland Security Act of 2002, as amended, (6 U.S.C. § 142) and Section 802 of the Implementing the Recommendations of the 9/11 Commission Act of 2007 (Public Law 110-53), the DHS Chief Privacy Officer is statutorily obligated to ensure that personally identifiable information is handled in a manner that complies with relevant law. He or she exercises oversight regarding the implementation of the 2011 Agreement to ensure strict compliance by DHS and to verify that proper safeguards are in place. He or she is independent of any directorate within DHS. His or her determination is binding on the Department.
Complaints received from the European Union Member States on behalf of an EU resident, to the extent such resident has authorized the Data Protection Authority (DPA) to act on his or her behalf, shall be handled on an expedited basis.
What are an individual’s other options for judicial redress?
Judicial redress for individuals, regardless of citizenship, may be available under the following circumstances:
- The Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) allows individuals to bring a civil action in court for actual damages, and in some cases punitive damages plus attorney fees, when that individual’s personal information held on a U.S. government computer system, including the Automated Targeting System (ATS) that holds PNR, has been improperly accessed, causing a certain type of harm.
- The Electronic Communications Privacy Act (18 U.S.C. § 2701 et seq. and 18 U.S.C. §2510 et seq.) allows any person to bring a civil action in court for actual damages, and in some cases punitive damages plus attorney fees, when that person’s stored wire or electronic communications are improperly accessed or disclosed, or when that person’s wire, oral, or electronic communications are improperly intercepted or disclosed.
- Under 49 U.S.C. § 46110, an individual with interest in particular transportation orders,including orders that implement DHS Transportation Security Administration watchlists,may file a petition for review in an appropriate U.S. Court of Appeals.
- The Administrative Procedure Act (5 U.S.C. §§ 551 – 559), or APA, generally provides for judicial review of final agency action that is not precluded by statute or committed to the discretion of the agency, and provides for a court to set aside final administrative action not in compliance with statutes, or that is arbitrary and capricious, or an abuse of discretion. Individuals can bring APA claims on their own behalf, or as part of a class action.