A global approach to PNR data transfers
The communication sets out general criteria for the European Union’s (EU) bilateral agreements with non-EU countries on transfers of Passenger Name Record (PNR) data in order to harmonise transmission modalities and provisions on data protection.
Communication from the Commission of 21 September 2010 on the global approach to transfers of Passenger Name Record (PNR) data to third countries [COM(2010) 492 final – Not published in the Official Journal].
The European Union (EU) has adopted new measures against the threats of terrorism and organised crime, which are presented in the Commission’s communication on information management in the area of freedom, security and justice. These measures include the use of Passenger Name Record (PNR) data for law enforcement purposes. PNR data is used increasingly, which also raises concerns regarding personal data protection. Due to these challenges, the Commission has reconsidered its global approach to PNR data transfers to non-EU countries. Consequently, this communication sets out general criteria for future bilateral PNR agreements, with a view to contributing towards the fight against terrorism and transnational serious crime, while guaranteeing respect for fundamental rights and ensuring coherence between the various PNR agreements.
Passenger Name Record (PNR) data
PNR data are principally used as a criminal intelligence tool with a view to:
- assessing passenger risks and identifying “unknown” persons;
- providing law enforcement authorities with data prior to the arrival or departure of a flight in order to allow for more time for any follow-up actions;
- identifying the persons to whom specific addresses and credit cards linked to criminal offences belong;
- identifying associates of suspects.
PNR data are used in investigations and prosecutions. They are also used to prevent crimes and to arrest persons when a crime has been committed, as well as to create travel and behaviour assessments to facilitate crime prevention.
However, under EU data protection laws, carriers may not transmit PNR data to non-EU countries, unless these countries provide an adequate level of protection for personal data. For this reason, the EU signed international PNR agreements with the United States, Canada and Australia. However, these agreements were negotiated on a case-by-case basis, as a result of which their provisions on rules for carriers and data protection are not coherent. As the number of such agreements is likely to increase in the near future, there is a need to set out general standards, content and criteria for them.
Global approach on PNR
Through the global approach on PNR, greater coherence should be achieved between non-EU countries’ data protection guarantees and between air carriers’ data transmission modalities.
A large number of persons and their personal data are affected by the collection and transfer of PNR data to non-EU countries. Since these countries’ data protection regimes may differ from that of the EU, it is essential that they ensure adequate legal protection for the transferred PNR data. Consequently, non-EU countries should apply the following basic principles for the protection of personal data:
- the use of the data should be limited to the purpose of the transfer;
- only the minimum necessary data should be exchanged;
- sensitive data should only be used under exceptional circumstances;
- appropriate measures must be taken to protect the security, confidentiality and integrity of the data;
- the authorities using PNR data should be accountable to and supervised by an independent public authority;
- individuals should be notified of the processing of their personal data;
- individuals should be given access to their PNR data and the possibility to request rectification or deletion of that data;
- the right to administrative and judicial redress should be provided for anyone whose privacy has been infringed;
- the automated processing of personal data should not be used as the sole basis for any decisions that have negative effects on an individual;
- the data retention period should be limited to the purpose of the transfer;
- the onward transfers of data to other government authorities or to other non-EU countries should be restricted.
The rules governing the transmission of data to non-EU countries by carriers should be streamlined to increase legal certainty and minimise the financial burden on these carriers. At least the following modalities of transmission should be standardised:
- method of transmission, which should be based on the “push” system;
- frequency of transmission, which should be limited;
- collection of additional data, which should not be obligatory.
Furthermore, PNR agreements with non-EU countries should be concluded for fixed periods of time and be reviewable. Mechanisms should be put in place for monitoring their implementation, as well as for resolving any disputes regarding their interpretation and application. It is also essential to ensure reciprocity between EU and non-EU countries, in particular as regards the transfers of analytical information stemming from PNR data.
Finally, in the long term, if more countries start using PNR data, the EU should examine the possibility of setting out standards at the international level for transmitting and using such data, and consequently of replacing its bilateral PNR agreements with a multilateral one.