ACT : Commission Decision 2006/253/EC on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency.
CONTENT : Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer.
In the framework of air transport, the ‘Passenger Name Record’ (PNR) is a record of each passenger’s travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating airlines.
The Decision provides that for the purposes of Article 25(2) of Directive 95/46/EC, the Canadian Customs Border Services Agency (CBSA) is considered to ensure an adequate level of protection for PNR data transferred from the Community concerning flights bound for Canada in accordance with the Commitments set out in the Annex. The competent authorities in Member States may exercise their existing powers to suspend data flows to the CBSA in order to protect individuals with regard to the processing of their personal data in the following cases:
- where a competent Canadian authority has determined that the CBSA is in breach of the applicable standards of protection; or
- where there is a substantial likelihood that the standards of protection set out in the Annex are being infringed, there are reasonable grounds for believing that the CBSA is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the CBSA with notice and an opportunity to respond.
Suspension shall cease as soon as the standards of protection are assured and the competent authorities of the Member States concerned are notified.
Member States shall take all the measures necessary to comply with the Decision within four months of the date of its notification.
The Decision will expire three years and six months after the date of its notification, unless extended in accordance with the procedure set out in Article 31(2) of Directive 95/46/EC.