Background

21.1 The Commission published a package of four proposals on 22 September 2010. The package comprised a draft Communication for a Global EU Approach for the transfer of Passenger Name Record (PNR) data to third countries, the document which is the subject of this Report, two proposals for Recommendations from the Commission to the Council to authorise the Commission to re-negotiate the PNR agreements with the U.S. and Australia, and a Recommendation from the Commission to the Council to authorise the Commission to negotiate a new PNR agreement with Canada.

21.2 The European Commission's key objective in this Communication is to establish, for the first time, a set of general criteria which should form the basis of future negotiations on EU PNR agreements with third countries.

PNR DATA AND ITS USE

21.3 PNR data is unverified information provided by passengers and collected by carriers for enabling reservations and carrying out the check-in process. It is a record of each passenger's travel requirements held in carriers' reservation and departure control systems. It contains several different types of information, for example dates of travel and travel itinerary, ticket information, contact details like address and phone numbers, travel agent, payment information, seat number and baggage information.

21.4 PNR data is different from Advance Passenger Information (API). API data is the biographical information taken from the machine-readable part of a passport and contains the name, place of residence, place of birth and nationality of a person. Under the API Directive,[150] API data is currently made available to border control authorities only for flights entering the territory of the EU for the purpose of improving border controls and combating illegal immigration. It is held by Member States for 24 hours. API data is mainly used to carry out identity checks as part of border controls and border management, although in some cases the data is also used by law enforcement authorities in order to identify suspects. API data is thus primarily used as an identity management tool. The Commission reports that the use of such data is becoming increasingly common around the world with more than 30 countries using it systematically, while more than 40 are in the process of setting up API systems.

21.5 In addition to the transmission of API data, some countries require carriers to transmit to them PNR data. The UK is one such country, the US, Canada and Australia others. PNR data is mainly used as a criminal intelligence tool rather than as an identity verification tool. The Communication gives the following uses for PNR data:

i)  risk assessment of passengers and identification of "unknown" persons, that is to say persons that might potentially be of interest to law enforcement authorities but who are not formal suspects;

ii)  because PNR data is available before API data, allowing law enforcement authorities more time for analysis and action;

iii)  matching addresses that are connected to criminal offences via credit cards, for example; and

iv)  matching PNR data with other PNR data for the identification of associates of criminal suspects.

The Commission's Communication

CURRENT TRENDS

21.6 The Communication describes how more and more countries are coming to see PNR data as an important tool in the fight against terrorism and organised crime. Some third countries, namely the United States, Canada, Australia, New Zealand and South Korea, are already using PNR data; others have either enacted relevant legislation and/or are currently testing the use of PNR data, such as Japan, Saudi Arabia, South Africa and Singapore. Several other third countries are considering the idea of using PNR, but have not yet enacted relevant legislation. Within the EU, the UK already has a PNR system. France, Denmark, Belgium, Sweden and the Netherlands have either enacted relevant legislation and/or are currently testing the use of PNR data. Several other Member States are considering setting up PNR systems, the Commission reports.

EFFECTS OF THE CURRENT TRENDS ON THE EUROPEAN UNION

21.7 The data protection laws of the EU do not allow carriers operating flights from the EU to transmit the PNR data of their passengers to third countries which do not ensure an adequate level of protection of personal data without adducing appropriate safeguards. As a result, when the United States, Canada and Australia requested EU carriers to transmit PNR data for flights to their countries, the carriers were faced with a very difficult situation. The EU therefore negotiated and signed separate international agreements with each of these three countries, so that PNR data could be transferred to them. Future requests from third countries are likely, according to the Commission, hence the objective of this Communication to set out the general criteria which should form the basis of future negotiations on EU PNR agreements with third countries.

STANDARDS, CONTENT AND CRITERIA

Protection of personal data

21.8 The collection and transfer of PNR data to third countries affects a very large number of individuals and their personal data. Thus, the Commission says, particular attention must be paid to the effective protection of personal data.

21.9 In Europe, the fundamental rights to respect for private life and to protection of personal data are enshrined in Article 8 of the European Convention on Human Rights (ECHR) and Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Further standards for data protection have been set in the Council of Europe Convention 108 of 1981 on the Protection of Individuals with regard to automatic processing of personal data and its additional Protocol 181 of 2001.

21.10 Any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of these rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

21.11 Since data protection regimes in third countries can differ from the data protection prevailing in the EU, it is important that for any transfer of PNR data from EU Member States to third countries, the third country ensures an adequate level of data protection based on a sound legal basis. Such an adequate level of data protection can be either enshrined in the legislation of the third country or be provided in the form of legally binding commitments in the international agreement governing the processing of personal data.

21.12 The adequacy afforded by a third country is to be assessed in the light of all the circumstances surrounding a data transfer operation. In this context, the EU will also consider the compliance by the third country with international standards, respectively its ratification of international instruments on data protection and fundamental rights in general. Adequacy decisions already adopted by the European Commission in this regard should be used as guidance on what can be regarded as being adequate.

21.13 The basic principles for the protection of personal data that the requesting third country should apply are the following:[151]

"Purpose limitation — use of data: The scope of the use of the data by a third country should be spelt out clearly and precisely in the agreement and should be no wider than what is necessary in view of the aims to be achieved. Experience with current PNR agreements shows that PNR data should be used only for law enforcement and security purposes to fight terrorism and serious transnational crime. Key notions like terrorism and serious transnational crime should be defined based on the approach of definitions laid down in relevant EU instruments.

"Purpose limitation — scope of data: The exchange of data should be limited to the minimum and should be proportionate. Any agreement should list exhaustively the categories of PNR data to be transferred.

"Special Categories of Personal Data (sensitive data): PNR data revealing racial or ethnic origins, political opinions or religious or philosophical beliefs, trade union membership, health or sexual life shall not be used unless under exceptional circumstances where there is an imminent threat to loss of life and provided that the third country provides appropriate safeguards, for example that such data may be used only on a case-by-case basis, under the authorisation of a high-ranking official and strictly limited to the purposes of the original transfer.

"Data Security: PNR data must be protected against misuse and unlawful access by all appropriate technical, security procedures and measures to guard against risks to the security, confidentially or integrity of the data.

"Oversight and accountability: A system of supervision by an independent public authority responsible for data protection with effective powers of intervention and enforcement shall exist to exercise oversight over those public authorities that use PNR data. The latter shall be accountable for complying with the established rules on the protection of personal data, and should have powers to hear complaints from individuals concerning the processing of PNR data.

"Transparency and Notice: Every individual shall be informed at least as to the purpose of processing of personal data, who will be processing that data, under what rules or laws, the types of third parties to whom data is disclosed and how and from whom redress can be sought.

"Access, rectification and deletion: Every individual shall be provided with access to his or her PNR data as well as, where appropriate, the right to seek rectification and deletion of his or her PNR data.

"Redress: Every individual shall have the right to effective administrative and judicial redress where his or her privacy has been infringed or data protection rules have been violated, on a non discriminatory basis regardless of nationality or place of residence. Any such infringement or violation shall be subject to appropriate and effective sanctions and/or remedies.

"Automated Individual Decisions: Decisions producing adverse actions or effects on an individual may not be based solely on the automated processing of personal data without human involvement.

"Retention of data: the period of retention of the PNR data should not be longer than necessary for the performance of the defined tasks. The period of retention should take into account the different ways in which PNR data are used (see section 1.2.1 above) and the possibilities of limiting access rights over the period of retention, for example by gradual anonymisation of the data.

"Restrictions on onward transfers to other government authorities: PNR data should only be disclosed to other government authorities with powers in the fight against terrorism and serious transnational crime, and which afford the same protections as those afforded by the recipient agency under the agreement in accordance with an undertaking to the latter. PNR data should never be disclosed in bulk but only on a case-by-case basis.

"Restrictions on onward transfers to third countries: this considers primarily restrictions on use and further dissemination in order to avoid circumvention of the agreement when PNR data is made available to another third country. Such onward transfers shall be subject to appropriate safeguards. In particular, the receiving third country should transfer this information to a competent authority of another third country only if the latter undertakes to treat the data with the same level of protection as set out in the agreement and the transfer is strictly limited to the purposes of the original transfer of the data. PNR data should never be disclosed in bulk but only on a case-by-case basis."

Modalities of transmission

21.14 In order to provide legal certainty and minimise the financial burden on air carriers, it is important, the Commission says, to streamline the rules governing the transmission of the data by the carriers to third countries. By having uniform obligations, the financial burden on the carriers would be greatly reduced as they would have to undertake less investment to comply with their obligations. For this purpose, it would be desirable if at least the following modalities of transmissions were standardised:[152]

"The method of transmission: To safeguard the data that is contained in the carriers' databases and to maintain their control thereof, data should be transmitted using exclusively the 'push' system.

"The frequency of transmission. There should be a reasonable limit to the number of times that the third country requires the data to be transmitted to it, which ensures an adequate benefit to security while minimising the costs of the carriers.

"No obligation on the carriers to collect additional data. The carriers should not be required to collect any more data than they already do or to mandatorily collect certain types of data, but only be required to transmit what they already collect as part of their business."

Overarching concepts

21.15 The Communication suggests the following "overarching concepts" should apply to all third country agreements:[153]

"Duration and review: The terms of the cooperation with third countries should be valid for a fixed duration and should provide the possibility that either party denounces the agreement. It should be possible to review the terms of the cooperation where it is considered appropriate.

"Monitoring: It is essential that the EU is provided with mechanisms for monitoring the correct implementation, for example through periodical joint reviews on the implementation of all aspects of the agreements, including the purpose limitation, the rights of passengers and onward transfers of PNR data, and comprising a proportionality assessment of the retained data on the basis of their value to achieving the purposes for which the data were transferred. The findings of such joint reviews should be presented to the Council and the European Parliament.

"Dispute resolution: Effective dispute resolution mechanisms with respect to interpretation, application and implementation of agreements should be provided.

"Reciprocity: reciprocity should be ensured, especially through the transfer of analytical information flowing from PNR data by competent authorities of the receiving third country to police and judicial authorities of the Member States, as well as to Europol and Eurojust."

CONCLUSION

21.16 The Commission says the criteria we have cited in full above should guide the EU in negotiating PNR agreements with third countries. Adherence to those principles is intended to lead to greater coherence between the various PNR agreements, whilst ensuring respect for the fundamental rights to respect for private life and to protection of personal data. At the same time, the Commission considers that the Communication remains sufficiently flexible and adaptable to each third country's particular security concerns and national legal order. Finally, looking at the longer term, this Communication concludes that the EU should explore the possibility of replacing bilateral agreements by a multilateral agreement between all countries that use PNR data.

The Government's view

21.17 The Minister for Equalities and Criminal Information at the Home Office (Lynne Featherstone) says that the Government welcomes the Commission's Communication — the UK has long recognised the value of PNR data in the fight against terrorism and serious crime, and it is pleased that the Commission shares this view. A clear EU strategy on sharing PNR data with third countries should, she thinks, lead to greater coherence between the various PNR agreements. She notes that the Communication outlines the basic principles for the protection of personal data that the requesting third country should apply, saying that the Government welcomes these measures and believes that they are necessary and sensible.

21.18 As this document is a Commission Communication, the UK's opt-in does not apply.

21.19 The Minister explains the national legal framework for collecting API and PNR data as follows. The UK has the ability to obtain passenger, crew and service data from carriers in advance of all movements into and out of the UK under paragraphs 27 and 27B of Schedule 2 to the Immigration Act 1971 (as amended), section 32 of the Immigration, Asylum and Nationality Act 2006, and the powers of the HMRC Commissioners under sections 35 and 64 of the Customs and Excise Management Act 1979. Section 36 of the Immigration, Asylum and Nationality Act 2006 also creates a duty for the UK Border Agency, the police and HM Revenue and Customs to share that data among themselves where it is likely to be of use for immigration, customs, or police purposes. The Immigration and Police (Passenger, Crew and Service Information) Order 2008 (SI 2008/5) specifies the travel-related data that an immigration officer or a police officer can require from ships, aircraft and trains, entering and leaving the United Kingdom. The data are divided into:

·  mandatory data which includes Advance Passenger Information (API) which must be collected and supplied when requested, and;

·  additional data which includes PNR and must be supplied only to the extent to which the carrier knows the data.

In a briefing to MEPs on this Communication dated 7 October 2010, the Government provided three examples of how the UK Borders Agency has successfully used PNR data to combat crime:

·  An individual known to be a close associate of a murder suspect was identified travelling from the UK to a Middle East state. Details of the credit card used to book the journey were obtained from PNR and found to belong to the suspect. Further enquiries showed that this had been used to book another journey in a different name but to the same country. The associate's mobile telephone number (again obtained from PNR) was also researched and calls to a mobile located in that country identified. Further enquiries located the suspect.

·  PNR research of registered sex offenders in e-Borders identified a travel agent through which several journeys for different suspects had been booked. A link between this agent and an e-mail address was identified in the PNR data set which in turn provided links to a number of other sex offenders. This information was used to support the investigation of child sex offenders.

·  PNR analysis identified two passengers travelling from Panama City to a UK airport. Further checks revealed that one of them had a Police National Computer (PNC) record for possession of Class A drugs. Arrangements were made to ensure that Officers were in attendance for the flight and on examination found more than six kilos of cocaine.

21.20 Finally, in terms of costs the Minister says that, should additional third countries seek to collect PNR data from the EU, there would be additional financial burdens placed on carriers. It is likely that the carriers would pass the cost of data provision on to passengers.

Conclusion

21.21 We thank the Minister for her Explanatory Memorandum. We agree with her and the Commission that EU PNR agreements with third countries should apply similar criteria, which uphold the right to respect for private and family life and to protection of personal data. As the Commission itself says: "the collection and transfer of PNR data to third countries affects a very large number of individuals and their personal data".[154]

21.22 However, as the Communication neither proposes any specific legislation nor has a legislative or financial impact, we are content to clear it from scrutiny.

151   See paragraph 3.3.1 on pages 8-10 of the Communication, paragraph 3.3.2 on page 10 and paragraph 3.3.3 on pages 10-11. Back

152   See paragraph 3.3.2, page 10 of the Communication. Back

153   Ibid, pages 10-11. Back

154   Page 8. Back