Select Committee on European Union Fifteenth Report



CHAPTER 2: the draft framework decision

The draft Framework Decision in outline

15.  The purpose of a Framework Decision is to harmonise the laws of the Member States in third pillar matters. Its consequences are the same as those of Directives in the first pillar: the provisions are binding on the Member States as to the result to be achieved, but leave to the national authorities the choice of form and methods.[10] This explains the brevity of the draft under consideration: it takes only twelve substantive articles to outline the result to be achieved, and the limitations on the manner of achieving it.

16.  The objective of the Framework Decision is set out in Article 1: it "provides for the making available by air carriers of PNR data of passengers of international flights to the competent authorities of the Member States, for the purpose of preventing and combating terrorist offences and organised crime, as well as the collection and retention of those data by these authorities and the exchange of those data between them".

17.  The expression "the purpose of preventing and combating terrorist offences and organised crime" is known as the purpose limitation, because the data may be used for no other purpose. This is by far the most important and controversial of the issues currently under negotiation, and we consider at some length in the following chapter both the shortcomings of this limitation in the current draft, and the Government's proposals to weaken this limitation still further.

The positive obligations

18.  To achieve its objective the Framework Decision imposes on the Member States a number of positive obligations. Article 3 requires each Member State to designate an authority, the Passenger Information Unit or PIU, to collect from air carriers or their intermediaries the PNR data relating to international flights; these are defined as flights originating in a third country and scheduled to enter the territory of at least one Member State, or to depart from the territory of at least one Member State with a final destination in a third country. Thus in its current form the Framework Decision does not apply to travel between or within Member States. A flight from Zurich to Heathrow would fall within this definition, but a flight from Frankfurt to Heathrow would not, and nor would a flight from Manchester to Heathrow.

19.  The data collected by a PIU remain with that authority; they are not passed to a central database. The PIU is then required to analyse the data, to identify from them those individuals who need further examination, and to pass their PNR data to the authorities of that Member State which are responsible for preventing and combating terrorist offences and organised crime. The PNR data may then be used by those authorities for the following purposes:

to identify persons who are or may be involved in a terrorist or organised crime offence, as well as their associates;

to create and update risk indicators for the assessment of such persons;

to provide intelligence on travel patterns and other trends relating to terrorist offences and organised crime; and

in criminal investigations and prosecutions of terrorist offences and organised crime.

20.  Where the PIU of a Member State has identified an individual as needing further examination, it may pass that person's PNR data to the PIU of other Member States for transfer to the competent authorities designated by those States. Additionally, and subject to limitations, the PNR data may be passed to the law enforcement authorities of third countries.

21.  Member States must ensure that air carriers make the PNR data which are collected and processed in their reservation systems available to the PIU of the State which the flight is entering, transiting or leaving, though the carriers may, and frequently do, employ intermediaries for this purpose. There must be sanctions, including financial penalties, available against carriers and intermediaries which transmit incomplete or erroneous data.

Data categories: PNR and API

22.  The data collected may not include sensitive personal data revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of the traveller, nor data concerning his or her health or sex life. Such data, if collected, must be deleted. But this still leaves available the 19 categories of data listed in the Annex to the Framework Decision. We set these out in Appendix 3 to this report. They are almost identical to the categories listed in the EU/US Agreement which we criticised in our earlier report as being unduly wide.[11] We have not taken further evidence on this point in the course of this short inquiry, but we see no reason to resile from our earlier view.

23.  We also set out in that Appendix the categories of Advance Passenger Information (API) data, since there is sometimes confusion between the two. API data are (or will be) collected on all passenger movements, both in and out of the country, and allow them all to be traced. PNR data are collected on a selective basis from a far smaller proportion of passengers, but the data range much more widely and, as the Home Office explain in their supplementary evidence (p 22), are very useful in identifying potentially high risk individuals whose identities have not yet come to the attention of the authorities. By contrast, API data are particularly useful where an individual has already come to their attention. API data are taken from the travel document itself, so that spellings and dates are transcribed more accurately; it is therefore API data that the Home Office use to check against watch lists.

24.  Over four years ago a Directive was adopted obliging air carriers to communicate API data to the authorities in the case of flights from third countries to Member States.[12] The deadline for implementation was 5 September 2006 but, as Ms Cecilia Verkleij told us on behalf of the Commission, not all Member States have yet implemented the Directive, and most of the systems are not yet operational. It is therefore not yet possible to tell how the data are being used by Member States and how efficient and useful the data are for the purposes for which they are collected (QQ 134-135).

Limitations and restrictions

25.  There are limitations on what Member States may do with the data they receive. Article 7 of the Framework Decision, entitled "Exchange of Information", provides that data may be passed to the PIU of another Member State "only in such cases and to the extent that such transmission is necessary in the prevention and fight against terrorist offences and organised crime". A similar restriction applies to transmission to the law enforcement authorities of third countries.

26.  There is an obligation imposed on PIUs to keep PNR data in a database for five years; thereafter they must be kept in a separate database for a further eight years, but accessed only in exceptional circumstances in response to a specific threat or risk. After this the data must be deleted unless they are being used for an ongoing criminal investigation. This is generally interpreted as a limitation on the time for which the data may be kept. The limitations in the 2007 EU/US Agreement are seven and eight years. The previous (2006) EU/US Agreement allowed data to be routinely kept for only 3.5 years, and even that was thought by the Assistant European Data Protection Supervisor to be excessive; he saw "an enormous disproportion between the effectiveness of that long period of retention and the results of that retention".[13]

Data protection

27.  Article 11 currently provides that the Data Protection Framework Decision (DPFD), which is to be adopted at the Justice and Home Affairs Council in June 2008, will apply to the processing of data under the PNR Framework Decision. This, at the time when the PNR Framework Decision was being drafted, would have added useful data protection measures, since the Commission at that stage hoped that the DPFD would apply to both domestic and cross-border data processing. But, as Ms Verkleij told us, "it turned out differently". The political agreement reached in the Council limited the scope of application of the DPFD to cross-border matters, so that the transfer of data from the carriers (or their intermediaries) to government agencies is not covered by any EU-wide data protection arrangement (Q 161).

28.  Although Ms Verkleij did not say so, we are aware from our scrutiny of draft EU legislation that the Government have been prominent among those who have sought to reduce the effectiveness of the draft DPFD to the point where it is hard to see what it will in fact apply to. In particular, Recital 24a and Article 27b of the latest draft that we have seen[14] provide that the DPFD is to have no application at all in the case of data exchanges governed by the instruments constituting Europol and Eurojust, or under the Schengen Information System (SIS) or the Customs Information System (CIS), or under the Prüm Decision.[15] Despite (or perhaps because of) this the Government are content with this text, and hope to see it adopted as soon as possible.[16]

29.  Some Member States have suggested including in the PNR Framework Decision not simply a reference to the DPFD, but specific data protection provisions so as to make sure that guarantees similar to the DPFD are also applied to domestic transfers of data within the PNR Framework Decision (QQ 112, 161). These, if adopted, would under Article 27b of the draft DPFD take precedence over it. The Government have told us that "during negotiations [they] will endeavour to ensure that the data protection safeguards applied are as robust as possible".[17] We believe that adequate and effective rules on data protection should be contained in the PNR Framework Decision itself, and we urge the Government to support this view in the course of the negotiations.

Review of operation

30.  Finally, Article 17 requires the Commission to undertake a review of the operation of the Framework Decision within three years of its entry into force, and to report to the Council. The review is to pay special attention to, among other things, adherence to the data protection safeguards, the period of retention of data and the quality of the risk assessments. These are matters of great interest to us and, we are sure, to other national parliaments and to the European Parliament. We hope that the Commission's report will be made available to us and to them.

 

 


10  
Compare TEU Article 34(2)(b) and TEC Article 249. Back

11   The EU/US Passenger Name Record (PNR) Agreement (21st Report, Session 2006-07, HL Paper 108), paragraphs 95 to 99. We refer there to the 34 data elements in the draft Agreement. The Agreement ultimately concluded the following month (OJ L204/18 of 4.8.2007) lists 19 data elements, but some of the 34 have simply been amalgamated; there is almost no difference in the substance. Back

12   Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data, OJ L261/24 of 6 August 2004. Back

13   The EU/US Passenger Name Record (PNR) Agreement (21st Report, Session 2006-07, HL Paper 108), Q 206. Back

14   Document 16069/07. Back

15   Draft Council Decision on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime. An earlier draft was the subject of our report Prüm: an effective weapon against terrorism and crime? (18th Report, Session 2006-07, HL Paper 90). Back

16   Explanatory Memorandum on the DPFD of 20 February 2008. Back

17   Explanatory Memorandum on the PNR Framework Decision, paragraph 44 (p 6). Back

 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2008