Select Committee on European Union Minutes of Evidence



Memoranda by the Home Office

Council Document: 14922/07

COM (2007) 654 final

EXPLANATORY MEMORANDUM (EM) ON EUROPEAN COMMUNITY LEGISLATION

European Commission proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes.

  Submitted by the Home Office on 7 December 2007

SUBJECT MATTER

  1.  This EM relates to a Commission proposal for a Council Framework Decision on the use of PNR for law enforcement purposes. The proposal aims to harmonise Member States' provisions on obligations for air carriers operating flights between at least one Member State and a non-EU state regarding the transmission of PNR data to the competent authorities for the purpose of preventing and fighting terrorist offences and organised crime, It will provide for rules governing the subsequent use and retention of that data by these authorities and the exchange of that data between them. The proposal also envisages that all processing of PNR data under the proposal will be govemed by the Council Framework Decision on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters.

  2.  The Commission submitted this proposal to Mr Javier SOLANA, Secretary-General/High Representative on 12 November.

DEFINITIONS

  3.   Passenger Name Record (PNR): in the air transport industry, is the generic term for records created by aircraft operators or their authorised agents for each journey booked by or on behalf of any passenger. The data is used by airline operators for their own commercial and operational purposes in providing air transportation services. A PNR is built up from data supplied by or on behalf of the passenger concerning all the flight segments of a journey eg passenger's name, address, telephone numbers, ticketing field information, travel itinerary etc. This data may be added to by the operator or his authorised agent eg changes to requested seating, additional services etc.[1] Outside the airline industry, PNR data is also known as Other Passenger Information (OPI).

  4.  In this proposal, PNR is defined as "a record of each passenger's travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person. In the context of this Framework Decision, PNR data shall mean the data elements described in the Annex and only to the extent that these are collected by the air carriers".

  5.   Advance Passenger Information (API): is the main biographical data on an individual given to a state, prior to that individual's arrival in a country. This information usually consists of data found in the Machine Readable Zone (MRZ) of ICAO Document 9303 compliant travel documents. Key API data consists of full name of the traveller, date of birth, gender, nationality, travel document type, country of issue and travel document number.[2] As this is an airline term, API data is known as Travel Document Inforrnation (TDI) to other carriers.

  6.  The grounds and objectives of the proposal are based on the Commission's view, which we share, that terrorism constitutes a major threat to security, peace, stability, democracy and fundamental rights. The EU Terrorism Situation and Trend Report 2007 of Europol identified that almost all terrorist campaigns are transnational, The internal and external aspects of the fight against terrorism are interlinked. For any measures to be effective, close cooperation and enhanced exchange of information between EU Member States and their respective services, as well as Europol and, where appropriate, the competent authorities of third countries, is necessary. These issues are equally pertinent for organised crime as the use of passenger data will greatly enhance our ability to gain intelligence on criminals and identify those who may pose a risk. Joint EU cooperation in this area will greatly strengthen the UK's ability to combat both terrorism and organised crime activities.

  7.  Until now, only a limited number of Member States have adopted legislation to set up mechanisms to oblige carriers to provide the relevant PNR data and to have such data analysed by the competent authorities. The Commission believes this may mean that the potential benefits of an EU wide scheme in preventing terrorism and organised crime are not fully realised.

  8.  The European Council on 25-26 March 2004 invited the Commission to bring forward a proposal for a common EU approach to the use of passengers' data for law enforcement purposes.

EXISTING PROVISIONS

  9.  Currently carriers have an obligation to communicate some passenger data to the competent authorities of EU Member States, under Council Directive 2004/82/EC. The data included here is usually referred to as API data, however it also includes some elements of service data.[3] This Directive provides that, in order to combat illegal immigration effectively and to improve border control, it is essential that all Member States introduce provisions laying down obligations on air carriers transporting passengers into the territory of the Member States to communicate the required passenger data to the competent authorities. The obligation to provide this data to a MS under the Directive only relates to flights arriving into that MS from a non-EU State, however it also contains caveats allowing Member States to retain or introduce additional obligations for air carrier or some categories of other carriers, whether referred to in this Directive or not. In addition, it requires that sanctions, above a specified minimum or up to a specified maximum must be imposed for non-compliance. Council Directive 2004/82/EC applies to the UK.

  10.  Currently, an individual agreement relating to the transmission of certain PNR by air carriers in respect of flights between the EU and the US and an individual agreement relating to the transmission of certain PNR and API data by air carriers in respect of flights between the EC and Canada have been concluded. The agreements require air carriers that already capture passenger data on flights between the EU and the relevant country to transmit this data to the competent authorities of that country. On the basis of an exchange of information with these third countries, the EU has been able to assess the value of PNR data and to realise its potential for law enforcement purposes. The EU has also been able to learn from the experiences of such third countries in the use of PNR data, as well as from the experience of the UK's test of concept trial, Project Semaphore. An agreement between the EU and Australia on the transfer of PNR data from flights between the Member States and Australia is also expected to be negotiated shortly.

CONSULTATION OF INTERESTED PARTIES

  11.  The Commission services consulted all Member States, the data protection authorities of all Member States, the European Data Protection Supervisor (EDPS), the Association of European Airlines (AEA), the Air Transport Association of America (ATAA), the International Air Carrier Association (IACA), the European Regions Airline Association (ERA) and the International Air Transport Association (IATA).

  12.  Please see para 33 and 36 for details of the UK consultation and impact Assessment relating to the government's upcoming secondary legislation to capture passenger data.

SCRUTINY HISTORY

  13.  None.

MINISTERIAL RESPONSIBILITY

  14.  Following cross-governmental consultation, it has been agreed that the Home Secretary will lead the negotiations on the proposal. This proposal is also of particular interest to the Secretary of State for Justice, the Secretary of State for Transport, the Foreign Secretary and the Financial Secretary to the Treasury.

INTEREST OF THE DEVOLVED ADMINISTRATIONS

  15.  Scottish police have access to PNR data for reserved purposes. We are consulting the Devolved administrations to consider the application of this proposal in more detail.

LEGAL AND PROCEDURAL LINES

(i)   Legal basis

  16.  The Treaty on European Union (TEU), and in particular Article 29, Article 30(1)(b) and Article 34(2)(b).

(ii)   European Parliament procedure

  17.  Consultation.

(iii)   Voting procedure in the Council

  18.  Unanimity.

(iv)   impact on UK law

EXISTING PROVISIONS

  19.  The UK currently has the ability to collect certain passenger, service and crew data under the powers of the Commissioners' Directions of the Customs and Excise Management Act 1979, paragraphs 27 and 27B of Schedule 2 to the Immigration Act 1971 and paragraph 17 of Schedule 7 to the Terrorism Act 2000. There are powers for this data to be shared on a case by case basis between the Border Agencies under section 19 of the Anti-Terrorism, Crime and Security Act 2001 and sections 20 and 21 of the Immigration and Asylum Act 1999.

  20.  The information that can be obtained under paragraphs 27 and 27B of Schedule 2 to the Immigration Act 1971 is to be extended (to cover service information and more PNR elements) by legislation to be introduced at the beginning of 2008. The police will also lay new powers to acquire API and PNR data at the same time (section 32 of the Immigration, Asylum and Nationality Act 2006 and secondary legislation under that provision). Therefore, from early 2008 there will be powers to obtain passenger, service and crew data on a routine basis from all air, rail and maritime carriers on routes entering or leaving the United Kingdom. The form and manner in which this data should be supplied will also be specified. Forthcoming secondary legislation under Channel Tunnel Act 1987 will apply and modify the various data acquisition powers to trains running between Belgium/France and the UK.

  21.  The Immigration, Asylum and Nationality Act 2006 (Duty to Share Information and Disclosure of information for Security Purposes) Order 2008, to be brought into force alongside the above powers, will specify the information which must be shared between the Border Agencies pursuant to section 36 of the Immigration, Asylum and Nationality Act 2006. That will also be applied to trains running between Belgium/France and the UK.

LEGISLATION NEEDED TO IMPLEMENT THE PROPOSAL

  22.  The current powers and forthcoming UK legislation as described above, will allow for the collection of the PNR data requested under the EU proposal. However as currently drafted the terms of the proposal may run counter to some of these provisions of UK law. Therefore, were the proposal to be adopted as currently drafted, UK legislation may need to be amended. These issues are set out later in the document.

(v)   Application to Gibraltar

  23.  The Government of Gibraltar is being consulted on participation in this measure.

(vi)   Fundamental Rights Analysis (FRA)

  24.  The Framework Decision provides for the acquisition, use and sharing of personal data and therefore engages Article 8 of the European Convention on Human Rights (right to respect for private and family life). However, any interference with Article 8 rights would be justified under Article 8(2) of the Convention because the Framework Decision:

    (a)  restricts the purposes for which data can be processed to purposes included within Article 8(2) (as currently drafted, these purposes are restricted in the proposal to the prevention of and fight against terrorist offences and organised crime);

    (b)  makes express provision for data security in article 11;

    (c)  provides that the Council Framework Decision on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters applies to the processing of personal data under the proposal; and

    (d)  only permits onward transmission to a third country in accordance with national law and on the condition that it will only be used for the purpose of preventing and fighting terrorist offences and organised crime and that it will not be further transmitted to another third country without the express consent of the Member State.

  25.  Accordingly, in the opinion of the Minister the agreement should be regarded as respecting fundamental rights.

APPLICATION TO THE EUROPEAN ECONOMIC AREA

  26.  This document will not apply to Iceland, Liechtenstein or Norway.

SUBSIDIARITY

  27.  The Commission believes that the objectives of this proposal cannot be achieved sufficiently by Member States acting alone. The Council may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty establishing the European Community (TEC) and referred to in Article 2 of the TEU. in accordance with the principle of proportionality, as set out in Article 5 of TEC, this proposed Framework Decision does not go beyond what is necessary to achieve those objectives.

  28.  The UK government is confident that this is a proper area for Europe-wide action. The legislation will set the overseas legal principles for use and exchange of PNR data not only in Europe but beyond. This will underpin our ability to collect PNR data for a wide-range of purposes and encourage the development of parallel EU systems and data exchange powers.

POLICY IMPLICATIONS

  29.  The Government welcomes the Commission's proposal. Passenger information is central to a fundamentally more effective, efficient and secure border and greater cooperation in the EU will increase the benefits and effectiveness of our domestic programme. This proposal has the potential to be an important tool to share data in the fight against criminality targeting our borders.

  30.  Our view is that this should be a permissive framework which sets a basis for collection and sharing of PNR and enables our authorities to use this data to maintain the security and integrity of our borders. In particular we need to allow the processing and exchange of PNR data for wider border security and crime-fighting purposes such as immigration and customs purposes. We believe it is vital, and possible, to achieve a result that strikes an appropriate balance between the right to privacy and the right to security and will work with Member States towards ensuring the data protection safeguards included in the proposal are appropriate.

  31.  The UK has already had great success in this area. The e-Borders pilot, Project Semaphore—has demonstrated how effective use of this additional data can be, with over 1,300 arrests to date. To further illustrate the benefits experienced by the UK in this area to our European counterparts, I have written to Commissioner Frattini, copied to my JHA colleagues as annexed.

  32.  This proposal as drafted will have implications for forthcoming UK secondary legislation (we intend to lay before Parliament in the New Year) relating to PNR data and subsequently the implementation of the UK's domestic passenger data programme—e-Borders. We will therefore work to ensure that the proposal is compatible with the UK programme and wider domestic powers.

  There are a number of issues in the proposal:

Scope

  33.  As drafted, the proposal would only enable the use of PNR data to prevent or combat terrorist offences and organised crime (Article 3). Our initial assessment of the effect of the proposal is that there is a significant risk that it would constrain our ability to process this data for the purposes of combatting, for example, individual serious crime, We therefore will need to negotiate a wider scope.

  34.  PNR data has been shown to be a key tool under Semaphore, providing the mechanism to identify those who may pose a risk, spot emerging trends, track suspects in advance, and trace missing and other vulnerable subjects. Key successes to date through PNR data analysis and tracking include the offloading of passengers attempting to smuggle swallowed drugs to the UK, identification of a significant number of facilitators including those using falsified documents, and a number of serious crime suspects. Therefore, PNR data has been shown to be particularly valuable for purposes other than counter terrorism and organised crime.

  35.  The proposal would enable the collection of data from flights between the EU and a third country. Given that the risk to security is spread across all modes of transport we will seek to ensure, that like existing API legislation, this proposal does not restrict Member State's ability to collect and process data for other modes of transport, or to collect data on intra-EU journeys.

Competent Authorities

  36.  Linked to the issue on scope, the proposal enables authorities whose functions include the prevention or combating of terrorist offences and organised crime to be considered a Competent Authority, and thus authorised to be a Passenger Information Unit (PIU), permitted to process PNR (Article 11). We will seek to ensure that the proposal takes account of the wider range of agencies permitted to process this data in UK law can do so.

Exchange of Information

  37.  Under the proposal, PNR data is only to be provided to law enforcement authorities of countries outside the EU for the purpose of preventing and fighting terrorist offences and organised crime, and must not be transferred onwards to another third country without the express consent of the Member State providing the data. Any such exchange would be within the context of national law, applicable international agreements and the Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (Article 8). The UK would want to retain our current legal powers regarding the exchange of data, and therefore will need to ensure that any EU legislation enables this.

Timing

  38.  The proposal restricts carriers to providing PNR data 24 hours in advance of travel, preventing them from providing data prior to this time unless there is a specific terrorist/organised crime threat (Article 5). The UK carrier consultation for our upcoming Data Acquisition orders has concluded that carriers would wish to have the flexibility to provide PNR data earlier than 24 hours prior to departure, according to their varying operating environments. We would therefore wish to see this flexibility reflected in the legislation so that Member States can work with carriers to agree suitable timings in each case.

Data Retention

  39.  The document requires that PNR data be retained for five years in an active database and for eight years in a dormant database, after which time they shall be deleted. Data held on the dormant database may only be processed in exceptional circumstances. These time periods may be exceeded where data are being used for ongoing investigations or proceedings relevant to the purposes for which they were collected or relevant to the data subject (Article 9). The Government believes these conditions are in line with the principle that data be retained no longer than is necessary. However, we will work to ensure that domestic and EU requirements are aligned and take account of existing legislation governing the relevant Agencies.

Method of Data Transfer

  40.  The proposal requires carriers established outside the EU to permit a Passenger Information Unit to use the "pull" system of data transfer if they do not have the technology to "push" it to the Passenger Information Unit of the Member State (Article 5). This would necessitate carriers giving Member States access to their system to extract the data. The Government favours the push approach as preferable from a data protection point of view. We will continue to consult with carriers on this issue as part of our implementation, and would welcome the flexibility for Member States to decide how they would like the data transmitted to them in each environment.

PNR Fields

  41.  The proposal lists the specific PNR data fields that carriers would be required to provide if collected (listed in the Annex to the proposal). Domestic data powers will enable the collection of PNR to the extent it has been obtained by carriers, and each element has been shown to be of use under Project Semaphore. We should therefore not discount the usefulness of any piece of PNR at this stage, and a final list must reflect the balance between privacy and security.

Personal Data/Data Security

  42.  In addition to the data protection safeguards noted in the above passages, the proposal would also introduce the requirements:

    —    that any sensitive PNR data collected under the proposed framework decision would be deleted immediately by the receiving Passenger Information Unit or intermediary (Articles 3 and 6);

    —    that no enforcement action would be taken by Member States' Passenger Information Units or competent authorities only by reason of the automated processing of PNR data or by reason of a person's race or ethnic origin, religious or philosophical belief, political opinion or sexual orientation (Articles 3 and 11);

    —    that Member States ensure the security of PNR data by implementing appropriate systems and technologies (Articles 12 and 13); and

    —    Provision for a review of the operation of the framework decision to be carried out within three years of its adoption (Article 17).

  43.  These are supplementary to applicable safeguards already in existence or soon to come into force. The latter safeguards include the Data Protection Act 1998, which would continue to apply to all UK processing of PNR data, and (when enacted) the Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

  44.  HMG is fully supportive of the inclusion of safeguards and during negotiations will endeavour to ensure that the data protection safeguards applied are as robust as possible. The Government does intend to undertake further analysis to ensure that those safeguards presented offer appropriate data protection without unduly undermining operational effectiveness. In particular, the UK would not wish to withhold its right to process sensitive data under the conditions of the Data Protection Act 1998. We therefore seek to ensure compatibility in the negotiations between UK policy and the EU proposal position.

Regulatory impact Assessment

  45.  The Commission carried out an Impact Assessment (IA) for this proposal. For the Assessment, two main options with a number of variables were examined—the no change option and the option of a legislative proposal. The Impact Assessment concluded that the preferred option is a legislative proposal with a decentralised system for processing the data, The "no action" policy option does not present any real strength in improving security in the EU. On the contrary, it is anticipated that, bearing in mind the way that this field is currently developing, it will have negative impacts in the sense of creating administrative difficulties stemming from numerous diverging systems.

  46.  The Government has conducted an Impact Assessment to consider the impact to industry on the UK Data Acquisition Legislation to be introduced in early 2008. This legislation comprises of the power to collect both PNR and API data from carriers in advance of travel for all movements into and out of the UK. A consultation period is now complete and the final IA will be released after internal government clearance is gained. We will write to the Committees when the final version is available.

Financial implications

  47.  The Commission have not included set costs for implementation of the legislation. They conclude that the financial and administrative burden falling on the community has been minimised through the choice for a decentralised system. Setting up and maintaining a centralised EU system for the collection and processing would entail significant costs. These costs are likely to become clearer after further assessment on the financial impact to industry and Member State national governments.

  48.  The IA for the UK Data Acquisition legislation provided estimated costs of the e-Borders system in the UK. Our estimated costs to industry (per passenger movement) differ across all carriers, but overall, costs to industry equate to approximately 14p per passenger movement.

Consultation

  49.  As part of the UK impact Assessment, a full consultation programme was carried out with Industry and other key stakeholders. This included a 12 week consultation period, A set programme of engagement will continue throughout the implementation of the legislation to ensure a fair and equitable roll-out of the UK e-Borders programme. We would encourage an approach at EU level which takes account of the legitimate concerns of the carrier community.

  50.  The consultation undertaken by the Commission is noted in para 8.

Timetable

  51.  The proposal notes that Member States are required to take the necessary measures to comply with the provisions of this Framework Decision before 31 December 2010. However, we seek to clarify the Commission's handling of legislation in the early stages of the negotiations. This will give greater clarity to the proposed timetable for the legislation and implementation. We do not expect a conclusion of negotiations until late in 2008 at the earliest.

 

 

 


1   Definition from International Civil Aviation Organization (ICAO) Guidelines paper on Passenger Name Record (PNR) Data 12/08/05. p 2. Back

2   Definition from International Civil Aviation Organization (ICAO) Guidelines paper on Passenger Name Record (PNR) Data 12/08/05 Annex 3 p 13, with the exception of "This information... documents", taken from the International Air Transport Association (IATA) website at: http://www.iata.org/whatwedo/safety_security/facilitation/index.htm (28 November 2007). Back

3   The element of data requested are listed as: the number and type of travel document used, nationality, full names, date of birth, the border crossing point of entry into the territory of the Member States, code of transport, departure and arrival time of the transportation, total number of passengers carried on that transport and the initial point of embarkation. Back

 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2008