Under US Law, US Customs and Border Protection (CBP) has the right to receive certain travel and reservation information, known as Passenger Name Record or PNR data, about passengers flying to, from or through the US.
CBP uses this PNR data for the purpose of preventing and combating terrorism and other trans-national serious crimes. The PNR may include information provided during the booking process or held by airlines or travel agents. The information will be retained for at least three years and six months and may be shared with other authorities.
Most of the information contained in the PNR data can be obtained at the port of entry by CBP upon examining an individual’s airline ticket and other travel documents as part of its normal border control functions. The ability to receive this PNR data electronically in advance of the passenger’s arrival at or departure from ports of entry in the US significantly enhances CBP’s ability to conduct efficient and effective pre-assessment of passengers.
What data is there in my PNR which may be accessed?
Who will my data be passed on to, and who will it be shared with?
What if I refuse to give Finnair the permission to release my data to the authorities?
Which countries have legislation to permit access to PNR data?
Which countries are currently receiving PNR data from Finnair?
What will the authorities use the data for?
Are my credit card details included?
How long will my data be held?
Will the data be transmitted in a secure way?
Once received by the authorities, is the data well protected?
May I request a copy of my PNR data collected by US CBP?
Can I request that corrections be made to my PNR?
Whom do I contact in the US regarding this programme?
Whom do I contact if my complaint is not resolved?
How can I get more information?
What data is there in my PNR which may be accessed?
The PNR contains data necessary for Finnair to conduct business with you. A variety of information may be necessary depending on your itinerary and on your specific needs. The data is provided to us by you during the booking process and includes such items as your name, contact information, details of your travel itinerary (such as date of travel, origin and destination, possibly seat number and number of bags) and details of your reservation (such as travel agency and payment information) or other details (such as affiliation with a frequent flier program). In addition the PNR may include information you have given Finnair about any disability, or medical or health condition that you may have, or any other special requirement (such as special meal and special baggage).
Who will my data be passed on to, and who will it be shared with?
Your data will be transmitted to the Border Control authorities, for example to the customs of countries which have a legal right to acquire the data. They may share it with other enforcement authorities for the purpose of preventing and combating terrorism and other serious criminal offences. PNR data may also be provided to other relevant government authorities, when necessary to protect the vital interests of that passenger or of other persons, in particular in case of significant health risks, or if otherwise required by law.
What if I refuse to give Finnair the permission to release my data to the authorities?
If you are flying to or through a country which by law requires the information, Finnair has to cancel your reservation and will be unable to carry you to or through that country.
Which countries have legislation to permit access to PNR data?
At present, the legislation in Australia, Canada, UK, and US requires carriers to grant access to passenger information. Other countries may follow in the future.
Which countries are currently receiving PNR data from Finnair?
At the moment Finnair is required by law to provide passenger data to the US and Canada. It is however expected that passenger data will have to be disclosed also to other governments in the near future, such as Australia and the United Kingdom. Accordingly, any information Finnair holds about you and your travel arrangements may be disclosed to the customs and immigration authorities of any country in your itinerary.
What will the authorities use the data for?
The data is used for enforcement purposes, including threat analysis to identify and interdict potential terrorists and other threats to national and public security, and to focus government resources on high risk concerns, thereby facilitating and safeguarding bona-fide travellers.
Are my credit card details included?
If payment has been made by credit card and this data is included in your passenger information record, the authorities may view details.
How long will my data be held?
Each country should hold the data for no longer than is required for the purpose for which it was stored.
Will the data be transmitted in a secure way?
Yes, Finnair will pass the data to the authorities by secure means.
Once received by the authorities, is the data well protected?
The European Commission evaluates the data protection standards of a receiving state, in cooperation with the Data Protection Authorities of the EU member states, before an EU carrier is allowed to transmit PNR data. The European Commission has determined that CBP is providing an adequate level of protection to the data transferred. These transfers are covered by an International Agreement between the European Community and the US.
May I request a copy of my PNR data collected by US CBP?
As permitted by the Freedom of Information Act and other US laws, regulations, and policies, CBP will consider a request by a passenger regardless of his nationality or country of residence for documents, including PNR documents in its possession. CBP may deny or postpone disclosure of all or part of a PNR in certain circumstances (for example if it could be reasonably expected to interfere with pending enforcement proceedings or would disclose techniques and procedures used in a law enforcement investigation).
In cases where CBP denies access to PNR data pursuant to an exemption under the Freedom of Information Act, such a determination ca be administratively appealed to the Chief Privacy Officer of the Department of Homeland Security, who is responsible for both privacy protection and disclosure policy at the DHS. A final agency decision may be judicially challenged under US law.
Can I request that corrections be made to my PNR?
Yes. Passengers may seek to rectify their PNR data that is contained in the CBP databases by contacting the offices indicated below. CBP will note corrections that it determines are justified and properly supported.
Whom do I contact in the US regarding this programme?
If you wish to make an inquiry about PNR data shared with CBP or seek access to PNR data held by CBP about you, you may mail a request to
Freedom of Information Act (FOIA) Request
US Customs and Border Protection,
1300 Pennsylvania Avenue, NW
Washington DC 20229
USA
For further information regarding the procedures for making such a request, you may refer to section 19 Code of Federal Regulations, section 103.5 (on this web site).
If you wish to file a concern, complaint or request for correction of PNR data, you may mail a request to
Assistant Commissioner
CBP Office of Field Operations
US Customs and Border Protection
1300 Pennsylvania Avenue, NW
Washington DC 20229
USA
Decisions made by CBP may be reviewed by the Chief Privacy Officer of the Department of Homeland Security, Washington DC 20528, USA. An inquiry, complaint or request for correction of PNR data may also be referred by a passenger to the Data Protection Authority (DPA) within their EU Member State for further consideration as may be deemed appropriate.
Whom do I contact if my complaint is not resolved?
In the event that a complaint cannot be resolved by CBP, the complaint may be directed, in writing to
Chief Privacy Officer
Department of Homeland Security
Washington DC 20528
USA
The Chief Privacy Officer has committed to handle complaints received from the Data Protection Authorities of European Union Member States on behalf of an EU resident, to the extent such resident has authorized the DPA to act on his or her behalf, on expedited bases.
How can I get more information?
You can obtain more information about transfers of PNR data to the US by contacting the Data Protection Supervisory Authority in your country and by clicking on this link to the US Government web site. The link goes to a PDF (size 14k) on an external web site, not a Finnair site. Please note that Finnair is not responsible for the information contained on that web site, to which different terms and conditions may apply.