Use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime  
2011/0023(COD) - 02/02/2011  

PURPOSE: to provide a legal framework on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

PROPOSED ACT: Directive of the European Parliament and of the Council.

BACKGROUND: the European Commission adopted, on Tuesday 6 November, a proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes. This proposal was subject to in-depth discussions with the Working Groups in the Council, and the “Justice and Home Affairs” Council reviewed, in January, July and November 2008, the work carried out on this issue. The discussions enabled a consensus to be reached on many of the provisions.

Following the entry into force of the Treaty on the Functioning of the European Union (TFEU) on 1 December 2009, the 2007 draft framework proposal, which had not yet been adopted by the Council, became obsolete. This new proposal replaces it and is based on the provisions of the TFEU. It takes into account the views expressed by Member States in Council discussions on the draft Framework Decision, as well as the recommendations of the European Parliament as stated in its Resolution of 20 November 2008 and the opinion of the European Data Protection Supervisor.

Over the last decade the EU and other parts of the world have seen an increase in serious and organised crime, such as trafficking in human beings and drugs. This proposal responds to a request for increased cooperation on organised crime and terrorism. As a response to the threat posed by serious crime and terrorism, and the abolition of internal border controls under the Schengen Convention, the EU adopted a number of measures: the Schengen Information System (SIS), the second-generation Schengen Information System (SIS II), the Visa Information System (VIS) and the anticipated Entry/Exit System are examples of such measures. The ‘Stockholm Programme’ also calls on the Commission to present a proposal for the use of PNR data to prevent, detect, investigate and prosecute terrorism and serious crime.

PNR data is unverified information provided by passengers, and collected by and held in the carriers’ reservation and departure control systems for their own commercial purposes. It contains several different types of information, such as travel dates, travel itinerary, ticket information, contact details, the travel agent at which the flight was booked, means of payment used, seat number and baggage information. More systematic collection, use and retention of PNR data with respect to international flights, subject to strict data protection guarantees, would strengthen the prevention, detection, investigation and prosecution of terrorist offences and serious crime and is necessary to meet those threats to security and reduce the harm they cause.

Given that the use of PNR data is not currently regulated at EU level, it is necessary to harmonise Member States’ provisions on obligations for air carriers, operating flights between a third country and the territory of at least one Member State, to transmit PNR data to the competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. The proposal does not require air carriers to collect any additional information from passengers or to retain any data, nor does it require passengers to provide any data in addition to that already being provided to air carriers.

In order to ensure compliance with the principle of proportionality, the proposal is therefore carefully limited in scope and contains strict data protection guarantees.

IMPACT ASSESSMENT: four main options were examined in the Impact Assessment, each containing two variables:

Option A: refraining from addressing the issue at EU level and maintaining the status quo.

Option B: addressing the structure of a system for collecting and processing PNR data:

  • with option B.1: Decentralised collection and processing of data by Member States;
  • with option B.2: Centralised collection and processing of data at EU level.

Option C: addressing limitation of the purpose of the proposed measures:

  • with option C.1: Access for the prevention, detection, investigation and prosecution of terrorist offences and serious crime only;
  • with option C.2: Access for the prevention, detection, investigation and prosecution of terrorist offences and serious crime and other policy objectives.

Option D: addressing the modes of transport to be covered by the proposed measures:

  • with option D.1: Air carriers only;
  • with option D.2: Air, sea and rail carriers.

The options were assessed against the following criteria: security in the EU, protection of personal data, costs to public authorities, costs for carriers/competition in the internal market and encouraging a global approach.

The Impact Assessment concluded that a legislative proposal applicable to travel by air with decentralised collection of PNR data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and other serious crime was the best policy option (combination of B1, C1 and D1). This would enhance security in the EU, while limiting the impact on the protection of personal data to the minimum and keeping costs at an acceptable level.

LEGAL BASIS: Articles 82(1)(d) and 87(2)(a) of the Treaty on the Functioning of the European Union (TFEU).

CONTENT: the draft Directive contains several chapters which may be summarised as follows:

Chapter I - General provisions: the proposal aims to harmonise Member States’ provisions on obligations for air carriers, operating flights between a third country and the territory of at least one Member State, to transmit PNR data to the competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. The proposal is compatible with data protection principles and its provisions are in line with the Council Framework Decision 2008/977/JHA.

Passenger Name Record data as set out in the annex of the proposal include, inter alia: PNR record locator; date of reservation/issue of ticket; date(s) of intended travel; name(s); addresses; billing information; seat numbers; etc. Other general remarks are also included, covering all available information on unaccompanied minors under 18 years (such as name and gender of the minor, age, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent).

Chapter II - Responsibilities:

On Member States: each Member State shall set up or designate an authority competent for the prevention, detection, investigation or prosecution of terrorist offences and serious crime or a branch of such an authority to act as its ‘Passenger Information Unit’ responsible for collecting PNR data from the air carriers, storing them, analysing them and transmitting the result of the analysis to the competent authorities. The PNR data transferred by the air carriers in relation to international flights which land on or depart from the territory of each Member State shall be collected by the Passenger Information Unit of the relevant Member State. Should the PNR data transferred by air carriers include data beyond those listed in the Annex, the Passenger Information Unit shall delete such data immediately upon receipt. Member States shall ensure that the assessment criteria are set by the Passenger Information Units, in cooperation with the competent authorities. The assessment criteria shall in no circumstances be based on a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life.

The Passenger Information Unit of a Member State shall transfer the PNR data or the results of the processing of PNR data of the persons identified for the purpose of further examination to the relevant competent authorities of the same Member State. Such transfers shall only be made on a case-by-case basis.

Obligations on air carriers: Member States shall adopt the necessary measures to ensure that air carriers transfer ('push') the PNR data, to the extent that such data are already collected by them, to the database of the national Passenger Information Unit of the Member State on the territory of which the international flight will land or from the territory of which the flight will depart. Air carriers shall transfer PNR data by electronic means using the common protocols and supported data formats to be adopted, or in the event of technical failure, by any other appropriate means ensuring an appropriate level of data security: (a) 24 to 48 hours before the scheduled time for flight departure; and (b) immediately after flight closure, that is once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for further passengers to board.

Member States may permit air carriers to limit the transfer to updates of the transfers. On a case-by-case basis, upon request from a Passenger Information Unit in accordance with national law, air carriers shall transfer PNR data where access earlier than that mentioned is necessary to assist in responding to a specific and actual threat related to terrorist offences or serious crime.

Transfer of data to third countries: it is explicitly stated that a Member State may transfer PNR data to a third country under strict and limited conditions and with express authorisation from the Member States for the purpose of the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Period of data retention: Member States shall ensure that the PNR data provided by the air carriers to the Passenger Information Unit are retained in a database at the Passenger Information Unit for a period of 30 days after their transfer to the Passenger Information Unit of the first Member State on whose territory the international flight is landing or departing. Upon expiry of the period of 30 days after the transfer of the PNR data to the Passenger Information Unit, the data shall be retained at the Passenger Information Unit for a further period of five years. During this period, all data elements which could serve to identify the passenger to whom PNR data relate shall be masked out. Access to the full PNR data shall be permitted only by the Head of the Passenger Information Unit for the purpose of prevention, detection, investigation and prosecution of a terrorist offence or serious crime, and to provide the competent authorities with the results of such processing; and where it could be reasonably believed that it is necessary to carry out an investigation or prosecution.

Penalties against air carriers: penalties are provided for against air carriers which do not transmit the data required under this Directive, to the extent that they are already collected by them, or do not do so in the required format or otherwise infringe the national provisions adopted pursuant to this Directive.

Protection of personal data: the proposal is compatible with data protection principles and its provisions are in line with the Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

Each Member State shall provide that, in respect of all processing of personal data pursuant to this Directive, every passenger shall have the same right to access, the right to rectification, erasure and blocking, the right to compensation and the right to judicial redress as those adopted under national law in implementation of Articles 17, 18, 19 and 20 of the Council Framework Decision 2008/977/JHA.

The draft Directive lays down a number of provisions which aim to:

  • prohibit any processing of PNR data revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life;
  • ensure the traceability of all processing of PNR data by air carriers, all transfers of PNR data by Passenger Information Units and all requests by competent authorities or Passenger Information Units of other Member States and third countries;
  • ensure that air carriers, their agents or other ticket sellers for the carriage of passengers on air service inform passengers of international flights at the time of booking a flight and at the time of purchase of a ticket in a clear and precise manner about the provision of PNR data to the Passenger Information Unit, the purposes of their processing, the period of data retention, their possible use to prevent, detect, investigate or prosecute terrorist offences and serious crime, the possibility of exchanging and sharing such data and their data protection rights, in particular the right to complain to a national data protection supervisory authority of their choice;
  • lay down effective, proportionate and dissuasive penalties to be imposed in case of infringements of the provisions adopted pursuant to this Directive.

Chapter IV - Implementing measures: this chapter concerns common protocols and supported data formats. All transfers of PNR data by air carriers to the Passenger Information Units for the purposes of this Directive shall be made by electronic means or, in the event of technical failure, by any other appropriate means, for a period of one year following the adoption of the common protocols and supported data formats. The technical provisions of comitology are also provided to this effect.

Chapter V - Final provisions: Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive at the latest two years after the entry into force of this Directive. They shall forthwith communicate to the Commission the text of those provisions and a correlation table between those provisions and this Directive. There will be a transitional period for the proposal in the form of a two-year implementation period. There will also be a transitional collection of PNR data, aiming to achieve collection of data on all flights within 6 years from the entry into force of the Directive.

The proposal includes a review clause providing for a review of the operation of the Directive four years after its transposition date and a special review of the potential extension of the scope of the Directive to cover PNR data of passengers on flights internal to the EU. Member States shall prepare a set of statistical information on PNR data provided to the Passenger Information Units.

Territorial application: the application of the Directive to the United Kingdom, Ireland and Denmark will be determined in accordance with the provisions of Protocols Nos 21 and 22 annexed to the Treaty on the Functioning of the European Union.

BUDGETARY IMPLICATION: this proposal has no implication for the EU budget.