The Protection of the Right to Privacy in the Context of Security and Commercial Practices




© Springer International Publishing Switzerland 2015
Francesco Rossi Dal Pozzo, EU Legal Framework for Safeguarding Air Passenger Rights, 10.1007/978-3-319-08090-1_5


5. The Protection of the Right to Privacy in the Context of Security and Commercial Practices



Francesco Rossi Dal Pozzo 


Dipartimento di Diritto pubblico italiano e sovranazionale – Department of Italian and Supranational Public Law, Università degli Studi di Milano – University of Milan, Milan, Italy

 



 






5.1 International and EU Regulations on PNRs


As previously described, the threat of possible unlawful interferences in the air transport system did not decline, even after the events of 11 September 2001, nor has it lost any of its urgency. This is demonstrated by the terrorist attempts of 2006[1] and, later, of December 2009.[2] For this reason, even today, the necessity of sharpening preventive measures in order to avoid the repetition of such events is keenly felt.

In this context, the use by the authorities of every State of personal data provided by passengers when travelling is a useful preventive instrument. These identifying data (passenger name records—PNRs[3]) contain much information on the individual passenger including name, address and email, phone numbers, terms of payment, booking dates, seat number and information on previous non-appearances at boarding. Such data are collected by air carriers (and in some cases by tour operators and travel agencies) and are mainly used for commercial aims and purposes. But these are not the only purposes the data are put to. Since the 1950s, this information has been used by customs offices in various States as an instrument in the fight against terrorism and organised crime, and consequently for purposes of security and safeguard of national interests.[4]

PNRs are, then, a group of data that enable the tracing of each passenger for commercial uses, but the handling of PNRs, especially for security reasons (after the 9/11 attacks many States started to require transmission of this information from carriers) has, however, impinged on the users-passengers’ right to privacy. For this reason, it is essential that processing of these data be carried out in ways and forms ensuring the respect of the fundamental rights of persons.

In 2005 ICAO adopted various measures to be followed for the correct use of PNR data. The rules of reference are the ‘Recommended Practice 3.48’ of Annex 9 (‘Facilitation’). This provision was supplemented by ICAO guidelines establishing uniform measures for PNR data transfer and the subsequent handling of that data by the States concerned (Circular 309).[5] Finally, in 2010, Document 9944 (‘Guidelines on Passenger Name Record Data’) updated the provisions of 2005.

In short, these provisions concern the rules that must be followed by Member States in the creation of adequate systems for the transfer, storage and protection of data.

It is expressly stated (Appendix 1 to Document 9944) that the transmission of data shall only refer to those elements that are strictly relevant and necessary. For the remainder, transfer is merely discretionary. Finally, there is information that passengers cannot be asked for, whether by the aircraft operators or States.[6]

The ICAO guidelines, moreover, recommend that the transmission of data be carried out by the ‘push’ method of transfer, according to which carriers make information available, sending it only by request of the State, rather than by the ‘pull’ method, which allows States free and direct access to the databanks where PNR data are kept. In preferring the first system, ICAO laid down restricted standards on the timing and frequency of data transmission, to avoid excessive costs to airlines.

These guidelines further recommend that, when transferring data, air carriers pay particular attention to complying with the laws on personal data transmission and processing in force in the two States between which the exchange occurs.

Many of these guidelines have been included in the international agreements signed by the European Union with third countries, in particular the USA, Canada and Australia.

Before analysing these treaties in detail, it is necessary to dwell on the overall position adopted by the European Union on this delicate matter in the last decade, and how it has generated a debate at institutional level.

On 16 January 2003, in a context that saw it involved in identifying solutions appropriate to the issues raised in the definition of a first agreement on the transmission of PNR data with the USA, the Commission, in a Communication to the European Parliament and Council on the ‘transfer of Air Passenger Name Record (PNR) data: a global EU approach’,[7] pointed up the main elements that should characterise a global approach to the matter. In short, the Commission recognised the importance of this instrument in the fight against terrorism and organised crime and stressed the importance of a multitrack approach taking into account such relevant aspects as the necessity of laying down a valid legal framework for data transfers, the need for air carriers to be able to comply with diverse legal requirements at an acceptable cost and the inevitable international repercussions. The Commission thus considered it necessary for the European Union to adopt a common position (striking a balance between the different interests involved, and based upon a principle of reciprocity with third countries) on the use of personal data provided by passengers, and promoted the same necessity for a common vision, at an international level, promoting the creation of a ‘multilateral framework for PNR data Transfer within the International Civil Aviation Organisation’ (goal achieved by 2005). As regards the provision of a valid legal framework, the Commission had the object of identifying suitable legal instruments to ensure the safeguard of personal data transferred outside the Union, to third countries. In particular, in its 2003 Communication, it stressed the importance of adequate information to passengers on the uses of the data and on the rights they have in the case of infringements in the transfer or processing phases. It also specified the need to clearly define the quantitative limits of transferable data, reducing the instances of their use and to provide for the deletion of sensitive data once they had been transmitted.[8] Finally, even in the EU context, the move from a ‘pull’ transfer method system to a ‘push’ one, with the implementation of further, appropriate filters for the transmission of PNR data, is strongly supported.

With its communication of 21 September 2010,[9] the Commission returned to the issue of ‘global approach to transfers of Passenger Name Record (PNR) data to third countries’. In the Communication, it highlights how, considering the methods of processing PNR data used at the time, both within EU borders and globally, a new strategy was needed. In this regard, the Commission for the first time outlined a series of general considerations that were to be a guide in the negotiation phase of the international agreements on transfers of PNR data to third countries, in full respect of the fundamental rights of persons, and especially, the Respect for private and family life and the Protection of personal data expressly set forth in Article 8 of the European Convention of Human Rights,[10] Articles 7[11] and 8[12] of the EU Charter of Fundamental Rights and in the Council’s Convention No 108, for the Protection of Individuals with regard to Automatic Processing of Personal Data, and its related Additional Protocol No 181.

The basic principles that the Commission stated requesting third countries should apply concerned the following: (a) the type, scope and use of data; (b) sensitive data processing (to be used only in exceptional circumstances, when an imminent threat of loss of life is present); (c) duty to inform passengers on the method of processing data and their rights thereto; (d) methods and length of time data are to be retained (which in any event should never be longer than strictly necessary); (e) data security which must be protected from misuse and unlawful access; (f) provision for restrictions and limitations on onward transfers to other government authorities of the same State, or to third countries, which can occur only in the presence of adequate guarantees concerning the levels of data protection, the latter having to be at least equal to those of the transmitting authority.[13]

The 2010 Communication also lays down certain uniform standards for the modalities of transmissions, such as the exclusive use of the ‘push’ system as method of transfer and the frequency of transmission (fixed to a reasonable limit on the number of times). A further extremely important principle is that there are not to be any obligations on air carriers to collect additional data beyond those they already do.

The Communication also stresses how any future international agreements concerning the processing of PNR data should be subject to constant monitoring and have a reciprocity clause in the transfer of such data between competent authorities of the third countries and judicial and police authorities of the Member States, as well as Europol and Eurojust.[14] The Commission, in this regard, stated its desire that, in the near future, bilateral agreements were to be concluded with a single multilateral treaty addressed to all States using PNR data.

In February 2011, the Commission, in line with the foregoing, proposed the adoption of a Directive,[15] aiming at harmonising national legislation and at defining certain rules in the processing of PNR data relating to international flights arriving at or departing from a Member State. One prime fundamental rule is that such data, after being transferred from the databanks of air carriers to the ‘Passenger Information Unit’ of the Member State concerned, may be used only for the prevention, detection, investigation and prosecution of acts of terrorism and particularly serious crimes. The period for retention in a dedicated databank on the part of the Unit is limited to 30 days from the date of flight. After this period, data retention may be extended a further 5 years, but all information identifying passengers is to be masked out, thus effectively anonymising the data in question. Beyond this period of time, Member States are to delete collected data, except where data has already been transferred to a national authority for the purposes of investigations or in the context of criminal prosecutions; in the latter case the retention period is to be determined by national law. Further provisions concern the prohibition on using any sensitive data liable to reveal a passenger’s race or ethnic origin, as well as his or her religious, political or sexual orientation. The Proposal for a Directive restates many of the recommendations of the two previous Communications of 2003 and 2010, and in particular it reaffirms the necessity to provide for: (a) a ‘push’ system in data transmission from air carriers; (b) Special Passenger Units for the storage of data and system for the correct overseeing of the latter by an independent authority; (c) informing passengers on their rights on processing their PNR and the modalities of transmission thereof; and (d) the definition of certain rules on the modalities of transmission and use of data to and from the different authorities of the same Member State or to third countries.

So far as concerns the transfer and use of passenger data for security purposes within the EU, air carriers have a specific obligation to communicate personal data on persons transported under Directive 2004/82/EC.[16] This is a harmonisation procedure that aims at making the fight against illegal immigration more efficient and improving frontier control, including via an appropriate sanctions regime.[17]

The latter Directive, which does not preclude the application of Directive 95/46/EC,[18] provides for obligations for air carriers which are supplementary to those under Article 26 of the 1990 Schengen Convention implementing the Schengen Agreement of 14 June 1985, as supplemented by Council Directive 2001/51/EC.[19] Both instruments in fact pursue the objective of controlling migratory trends and fighting illegal immigration.


5.1.1 The EU–USA Agreement on the Processing and Transfer of PNR Data by Air Carriers


The ambiguous nature of data referred to resulted in a difference of opinion between the European Union and the United States.

Following the September 11 terrorist attacks, the United States adopted in November of the same year an internal regulation under which customs authorities could require electronic access to the automatic booking and departure check system of all carriers operating flights either connecting in the USA or merely flying over US territory. The Commission initially considered such a request contrary to some provisions of Council Regulation (EEC) No 2299/89 (repealed by Regulation (EC) No 80/2009) on a code of conduct for computerized reservation systems, as previously mentioned, albeit in relation to other aspects of the issue. In response to the EU stance, the USA announced their intention of sanctioning as from 5 March 2003 all carriers which failed to follow the rules on electronic access to PNR data. This threat prompted many airlines thereafter to provide US customs authorities with access to their PNR data.

Such a situation, with clear repercussions on diplomatic relations between the EU and the USA, induced the Commission to revise its original position and start a series of negotiations with American authorities, which eventually resulted in the adoption of Decision 2004/496/EC[20] on 17 May 2004. For the Commission the priority was that of avoiding a conflict, at international law level, between United States laws and EU rules.

As stated in the first of two whereas comprising said Decision, it was preceded by the Resolution of 23 February 2004 where the Council authorised the Commission to negotiate in the name of the European Community, as it was at the time, an agreement with the United States on the processing and transfer of PNR data.

The procedure leading to the adoption of Decision 2004/496/EC, however, proved tortuous from the beginning due to the European Parliament’s consistent opposition. Under Article 300(3) TEC (now Article 218 TFEU), the European Parliament had been called upon to submit its Opinion on the Proposal within a short time limit (by 22 April 2004, subsequently extended to 5 May of the same year). The Council had agreed to the launching of an emergency procedure for the adoption of the Decision, arguing that passengers and carriers were in a position of uncertainty that had to be resolved as quickly as possible.

In response, on 31 March 2004, the European Parliament adopted a Resolution in which it expressed quite a number of legal reservations, arguing that the act the Commission had presented went beyond the latter’s powers. According to the European Parliament, it would have been necessary to conclude an international treaty.

In substance, the agreement the Community was about to make with the USA did not entirely observe fundamental rights. For these reasons the European Parliament sought an Opinion (registered as number 1/04) of the Court of Justice under Article 300(6) TEC (now Article 218 TFEU), on the compatibility of the agreement to be made with the EC Treaty, which it then withdrew on 9 July 2004.

The European Parliament chose to bring two separate actions before the Court of Justice, the first against the Council and the second against the Commission, which were later joined, seeking the annulment under Article 230 TEC (now Article 263 TFEU) of Decisions 2004/496/EC and 2004/535/EC[21] on the level of protection of personal data contained in the PNRs transferred to the United States’ Bureau of Customs and of Border Protection.

In the latter decision the Commission found that the passenger data collection and processing system used by the United States’ Bureau of Customs and of Border Protection was compatible with Article 25(2) of Directive 95/46/EC.[22] Under this Article, the suitableness of the level of protection of a third country must be evaluated keeping in mind the nature of the transmitted data, the purpose of the proposed processing operation, the country of origin and country of final destination, the rules of law, both general and sectorial, in force in the third country in question as well as the professional rules and security measures which are complied with in that country.

The Court of Justice delivered its judgment on 30 May 2006, finding in favour of the European Parliament and accordingly annulling the contested Decision.[23]

The action based on eight grounds (relative to Decisions 2004/535/EC and 2004/496/EC) by the European Parliament, was adjudicated upon by the Court of Justice in a single judgment: incorrect choice of legal basis for Decision 2004/496/EC; breach of Article 300(3) TEC (now Article 218 TFEU); breach of Article 8 of the European Convention on Human Rights (ECHR); breach of the principle of proportionality; failure to fulfil the obligation to provide reasons; breach of the principle of loyal cooperation; action ultra vires; and breach of the essential principles of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data.

The Court did not address the substantive claims against the agreement made with the United States but looked only at its inter-institutional aspects as being preconditions to the former.

The first point addresses the problem of the correct identification of the legal basis of the two decisions. In particular, Decision 2004/496/EC was adopted on the basis of Article 95 of the EC Treaty, which allows the adoption of legal measures for the harmonisation of the internal market.

According to the Commission, while the agreement does concern the external dimension of the protection of personal data, it does so at the moment of their transfer within the Community. Decision 2004/535/EC, instead, was adopted on the basis of Article 25(6) of Directive 95/46/EC, under which the Commission may deem that a third country guarantees a suitable level of protection according to paragraph 2, in consideration of its national laws or its international commitments, ‘for the protection of the private lives and basic freedoms and rights of individuals’.

With reference to Decision 2004/496/EC, the Court shared the position of the European Parliament, according to which the Decision did not have as its object the institution and the functioning of the internal market, and was not aimed at eliminating obstacles to the free provision of services.

As regards Decision 2004/535/EC, the Court found that the agreement involved the processing of data that are excluded from the Directive’s sphere of application.

According to the Court, gathering PNR data is a public law activity to protect national security, and for this reason, cannot be reconciled with Article 3(2) of Directive 95/46/EC, which states a series of derogations to its own applicability. On the basis of this provision, the Directive does not apply to the processing of personal data: ‘in the course of an activity which falls outside the scope of Community law, such as activities provided for by Titles V and VI of the Treaty on European Union, and in any event processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law’.

In other words, the public law nature of PNR data collecting brings it within the competence of the European Union, removing it from those of the first Pillar. An agreement made in this field would then have called for the legal support of a decision adopted under Articles 24 (now Article 37 TEU) and 34 TEU (repealed by the Treaty of Lisbon).

PNR data are collected, especially by American authorities, not for commercial uses (despite implicitly having this function), but rather for public security needs and are consequently the prerogative not of private individuals, as Directive 95/46/EC would require, but, as is the actual case, of Member States and their national authorities.

The Court had in fact previously adjudicated on this point, namely on the exceptions under Article 3(2) of Directive 95/46/EC, in the Lindqvist case, on 6 November 2003.[24]

In essence, this is a further judgment of the Court on the distribution of competences between the First and the Second and/or the Third Pillars before the structure was abolished as a result of the entry into force of the Treaty of Lisbon. A few hints are offered by another equally well-known judgment,[25] which represents the first case in which the Court was called upon to adjudicate on an act based on Title VI, under Article 35(6) TEU (now repealed, only Article 263 TFEU being applicable). These provisions give the Court jurisdiction to examine the validity of Decisions and Framework Decisions on the basis of its powers under First Pillar Acts (competence, breach of substantive rules, breach of the Treaty and of secondary legislation, misuse of powers) and on the same terms. However, it has no power to review common positions or conventions or the measures for their implementation.

This judgment settled the action brought by the Commission for the annulment of Framework Decision 2003/80/JHA on the protection of the environment through criminal law, which required Member States to provide criminal penalties for offences against the environment.

The Commission took the view that in the case at issue, the power was to be attributed to a Community instrument. This case is the reverse of that in Joined Cases C-317/04 and C-318/04. Nonetheless, some of the Court’s findings are of interest for the matter here examined.

The pivotal point was deciding within which Pillar any given act should be adopted, and on what criteria, so as not to encroach on mutual competences, which would be entirely contrary to Article 47 TEU (now Article 40 TEU which concerns only the Common Foreign and Security Policy (CFSP)) which stated the primacy of Community law over Title V and Title VI of the EC Treaty. Again in this judgment the Court kept to the classic approach to construction on the basis of the purpose and the content of the act in order to assess its legal basis.

It is clear from the judgment that, at the time, criminal law did not in itself constitute a Community policy, and that consequently Community action in the matter could only be founded on implicit competence connected to a specific legal basis. The Court’s approach is thus functional. The possibility for the Community legislature of laying down measures in the criminal sphere derives from the necessity of having Community laws respected. Thus a close connection with substantive Community provisions is essential.

The Court seemed to overcome the alleged lack of competence of the Community legislature of the time in criminal matters, including because the Community rules did not justify it, based on a principle of necessity and of safeguarding the effectiveness of Community law. In other words, with that judgment, the Court sought to overcome an assessment based on statutory elements only, on the basis of the need in any event to ensure that Community laws were observed, in particular those which ensure the protection of primary interests such as the environment. The consequences of this judgment, at least until the entry into force of the Treaty of Lisbon, were significant. First of all, it ended the mechanism of the twofold instruments (Directive or Regulation and Framework Decision) the Community used on several occasions, namely the practice of separating the criminal elements of the Community act into a Framework-Decision. In short, it was either necessary to resort to a criminal law provision to ensure the effectiveness of Community law, in which case the law would have had to be adopted exclusively within the first Pillar or, still with an eye to the purpose and contents of the act (central criterion), resorting to criminal law would have been totally useless.

In the judgment on Decisions 2004/535/EC and 2004/496/EC, in the light of previous considerations, the Court defined the purpose and content of these acts as the primary pursuit of public security and foreign policy interests. The absorbing nature of this objective prevents the adoption of a Community act as such, despite the fact that many of them have concerned internal security, especially in the sphere of the free movement of persons.

For the foregoing reasons, the Court found that the correct legal basis for concluding an agreement between the United States and the European Union on the processing of PNR data is twofold and combined: Article 24 of Title V TEU (now Article 37 TEU) for the conclusion of an international agreement and Article 38 of Title VI (now repealed) in view of the fact that this agreement is aimed at the fight against terrorism.

Under Article 24 TEU at the time, when pursuant to Title V it was necessary to conclude an agreement with one or more states or international organisations, ‘the Council [could] authorise the Presidency, assisted by the Commission as appropriate, to open negotiations to that effect. Such agreements [were] concluded by the Council on a recommendation from the Presidency’. Under Article 38 at the time, agreements under Article 24 could also concern matters falling under Title VI. Article 37 TFEU, formerly Article 24, limits itself to providing that ‘[t]he Union may conclude agreements with one or more States or international organisations in areas’ of Common Foreign policy and Common Security, an implicit reference to Article 218 TFEU for the relevant procedure.

Beyond inter-institutional considerations, in connection with the legal basis and, accordingly, the correct identification of the legal instrument to be used, this judgment left many questions unanswered as to substance that cannot be ignored and to which we shall return later.

Certainly, the annulment of the two controversial Decisions has produced a legislative vacuum, raising yet again the same doubts and perplexities that appeared from the very first positions taken by the various Community institutions. Furthermore, in the absence of any action, this time on the part of the Union, the uncertainty might have had repercussions for individuals in terms of the sanctions imposed on airlines and, more generally, for the whole of European air traffic.

These and other considerations prompted the European Union to renegotiate certain aspects of the agreement with the United States, in the light of the observations made by the Court, as briefly reported above.

The first formal step, which closely preceded the conclusion of the agreement and reflected a restart of negotiations, was the correspondence between the United States and the European Union, on 27 October 2006.[26]

By a letter to the Presidency of the European Council and the Commission by the Department of Homeland Security (DHS), the United States essentially offered an authentic interpretation of the declaration on the PNR made on 11 May 2004, which is considered strictly functional in respect of the fight against terrorism. It need hardly be pointed out that the declaration asserts that the United States complied with the requirements for the protection of personal data under EU law with regard to privacy.

In the letter, the Department of Homeland Security of the USA clarified a few practical aspects on the collection and dissemination of PNR data at national level, in particular by USA Government authorities in charge of the fight against terrorism (although in no case are they allowed unconditional direct electronic access).

The first point is on the timing of the communication of PNR data by air carriers. The DHS claims the right of requesting information on PNR no later than 72 h prior to flight departure or even sooner whenever timely access may help respond to a specific threat.

‘Frequent flyers’ call for special processing. The DHS reserved the right to ask for more information on such passengers than what would usually be expected for others (34 items).

Other passages concern the modalities of data preservation. Essentially, with what could be described as a letter of intent, the number of authorities which can access, transmit and preserve personal data was increased, as were the purposes for which the same may be used.

The European Union, through the answer of the Presidency of the Council and the Commission, while acknowledging the contents of the letters, again made clear the importance of respecting fundamental rights as protected by Article 6 TFEU and the ECHR, which also entails the protection of private data.

Despite a few difficulties, the Agreement between the European Union and the United States on the processing and transfer of passenger name record (PNR) data was concluded with the adoption of Council Decision 2006/729/CFSP/JHA of 16 October 2006.[27]

In itself, the agreement contains no significant innovations. In other words, it is the legal basis rather than the substance of the act which changed.

The agreement, in fact, limits itself to restating the commitment of the European Union in guaranteeing that air carriers, operating passenger flights to or from the United States of America, handle PNR data in their booking systems as required by the DHS, to be understood not only to mean the Department of Homeland security itself, but also the Bureau of Customs and Border Protection, the competent immigration authorities, the Cabinet of the USA and all bodies directly supporting it, which will all have electronic access.

The DHS, in turn, undertakes to treat PNR data received in accordance with the applicable USA laws and constitutional duties, without undue discrimination, particularly on the basis of nationality and country of residence. Moreover, the DHS undertakes to ensure a suitable level of protection of PNR data transferred from the EU in relation to passenger flights to or from the United States.

The agreement entered into force definitively the first day of the month following the date when the parties exchanged the notifications of the completion of all necessary internal procedures, which, for the EU, consisted in Council Decision 2006/729/CFSP/JHA of 16 October 2006. It is indeed this act, more than the agreement, which possesses the most interesting ideas; it allows Member States, in particular circumstances, to suspend PNR data transmission, if this were necessary to protect individuals with regard to the processing of their personal data.

Under Article 4 of Decision 2006/729/CFSP/JHA the competent authorities in Member States, without prejudice to their powers to take action to ensure compliance with national provisions, may exercise their existing powers to suspend data flows to DHS in order to protect individuals with regard to the processing of their personal data in the following four cases: (a) ‘where a competent United States authority has determined that DHS is in breach of the applicable standards of protection’; (b) ‘where there is a substantial likelihood that the applicable standards of protection are being infringed’; (c) when ‘there are reasonable grounds for believing that DHS is not taking or will not take adequate and timely steps to settle the case at issue’; (d) ‘the continuing transfer would create an imminent risk of grave harm to data subjects, and the competent authorities in the Member States concerned have made reasonable efforts in the circumstances to provide DHS with notice and an opportunity to respond’. In the presence of these conditions, Member States must inform the Council and the Commission without delay of the measures adopted and the grounds for believing that DHS is not capable of guaranteeing adequate data protection.

The most significant provision on this matter is Article 5(5) of Decision 2006/729/CFSP/JHA. The provision enables the Council to suspend or terminate the Agreement, after informing DHS, if it considers that the information collected by Member States provides evidence that the basic principles necessary for an adequate level of protection for natural persons are no longer being complied with, or that compliance with the applicable standards of protection by DHS is not effectively guaranteed.

This Agreement remained in force until July 2007. Article 7 of the Agreement provided that it applied only provisionally, so it was necessary to replace it with a new agreement by 31 July 2007.

The main negotiations took place once again by the exchange of correspondence between DHS and the Presidency of the Council of the European Union, together with the Commission.

By a letter accompanying the Proposal for an Agreement of 28 June 2007, DHS informed the European Union in detail on the methods of collection, use and storage of passenger PNR data in conformity with United States law. It contained explanations on several points, amongst which the purpose for which PNR is used, the type of information collected and the sharing of it, rights of passengers, data retention and transmission, and the reciprocity in the exchange of data between the relevant USA authorities and police and judicial authorities of the Member States concerned. Moreover, the United States stressed that it was not its intention to go back to the provisions of the previous 2004 Agreement, and that this would in no way constitute judicial precedent. The Council Presidency, on behalf of the European Union, responded positively to the assurances given, deeming adequate the level of data protection provided by United States law. The Agreement was consequently concluded on 23 July 2007, with Council Decision 2007/551/CFSP/JHA.28

The most relevant innovations in this Agreement are the introduction of the ‘push’ system in the transfer of data by air carriers, the reduction of the number of types of information to be gathered, and the extension of the period of data retention. A few brief considerations are necessary. As regards the first innovation, it must be borne in mind that the adoption of the ‘push’ system was already provided for by the Agreement of 2004. Despite this express provision, DHS continued to gather data using the ‘pull’ system. Under Article 2 of the new Agreement, DHS undertook to transition to the ‘push’ system by 1 January 2008, but only for carriers that have also implemented a similar system. In the case of all others, DHS reserves its right to access the air carriers’ reservation systems until these carriers have complied with the new transfer systems. The types of PNR data collected by DHS have been reduced from 34 to 19. It has been highlighted that there has not actually been a reduction of the types, but simply a regrouping of them, with the introduction, in some cases, of new elements (their new numbering was based on groups of data, instead of individual elements). Finally, the period of retention of data switched from 3.5 to 15 years. Point seven of the letter accompanying the new Agreement specifies that the data is to be retained in an active analytical database for 7 years. After this time the data will become dormant, will be retained for a further 8 years, and may be accessed only with specific approval.

On 5 May 2010, the European Parliament, adopting an ad hoc Regulation, urged a review of the terms of the agreement,29 authorising on 2 December 2010 the Commission to launch the necessary initiatives for its renegotiation with the United States. The negotiation phase then lasted around a year.

On 17 November 2011, the European Union and the United States of America announced the conclusion of a new Agreement on the transfer of PNR data between the two parties. With Council Decision 2012/471/EU30 of 13 December 2011, the Union was authorised to sign the Agreement. The signing took place the day after, subject to reservations. The reservations were lifted and the Agreement was concluded on 26 April 2012 with Council Decision 2012/472/EU.31 The Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security, signed in Brussels on 14 December 2011, entered into force on 1 July 2012, in accordance with Article 27 of the Agreement.32 The provisions in it are in many ways innovative since they aim at providing a new legal framework for the processing of personal data with regard to both passengers and air carriers.

The first relevant provision is certainly the wording of Article 4, which expressly provides for the end use of PNR data on the part of authorities of the United States, that is, for the prevention, detection, investigation and prosecution of terrorist offences (and related crimes) and other crimes that are transnational in nature and punishable by a sentence of imprisonment of 3 years or more. The Agreement, moreover, contains many provisions on the protection of passenger privacy. In this regard, Article 8 fixes the maximum period of PNR data retention in an active database at up to 5 years, also providing for additional guarantees such as PNR being depersonalised and masked out after the initial 6 months of retention on the part of United States authorities. After the initial 5-year period, PNR will not be automatically cancelled, but transferred to a ‘dormant’, or ‘inactive’ database, for up to 10 years. This database is subject to additional controls; access to it will require a higher level of supervisory approval, for a more restricted number of authorised personnel. The longest period of data retention is 10 years for serious crimes of a transnational nature, while for terrorist offences the data are accessible for a period of up to 15 years. On the use of sensitive data, Article 6 provides that DHS must employ automated systems to filter and mask out sensitive data from PNR. Processing these data will only be permitted in exceptional cases (the imperilment or serious impairment to an individual’s life), on a case-by-case basis and with the prior approval of a DHS senior officer. Finally, data must be deleted within 30 days from the last receipt of PNR containing sensitive data. However, this data may be retained for the time specified in US law in the case of a specific investigation, prosecution or any other specific purpose.
Article 7, instead, prohibits the United States from adopting actions based solely on automated processing and use of PNR that affect the legal interests of individuals. Important provisions are also laid down in Articles 11, 12 and 13 of the Agreement, which offer passengers important guarantees on their right to protection of personal data. The guarantees (granted regardless of nationality, country of origin, or place of residence) are the possibility of seeking access to, and the correction, rectification, and erasure of their PNR (in compliance with the USA Freedom of Information Act33). Any refusals or restrictions to such requests must include the legal basis thereof in writing and be provided in a timely manner. Moreover, any individual whose personal data and personal information have been processed and used in a manner inconsistent with this Agreement may seek both administrative and judicial redress. Additional provisions in the Agreement concern the modalities of PNR transmission. Carriers are once again enjoined to use the ‘push’ method, and are required to acquire the technical ability to use this transmission system not later than 24 months following entry into force of the Agreement. However, DHS may require carriers to provide access by other means for technical reasons or in the exceptional circumstances of a specific, urgent, and serious threat.

The subsequent transfer of PNR data to competent government authorities of third countries may be undertaken only if the latter ensure a level of protection comparable to that set out in the Agreement. In this case DHS will have to promptly inform the Member State of which the passenger subject to PNR data transfer is a citizen or a resident. Finally, the Agreement lays down even more stringent regulations on police, law enforcement and judicial cooperation (Article 18) with the obligation for DHS to share PNR data with competent law enforcement and judicial authorities of the EU Member States in cases pursuing serious transnational crime and terrorist offences. Despite the fact that this new Agreement has provided more clarity and transparency in the protection of passenger PNR data on the part of the United States of America, the European Data Protection Supervisor (EDPS),34 while welcoming the improvements brought about in comparison with the 2007 Agreement, still noted a few reasons for concern. In its Opinion of 9 December 2011,35 that is 3 days before the Agreement was signed, the EDPS pointed out that several aspects should be clarified, in particular with regard to the definition of crimes punishable by a sentence of imprisonment of 3 years or more. According to the Opinion, different EU Member States and US state jurisdictions include different crimes within this threshold. According to the EDPS, yet another element of concern is the list of types of PNR data to be transferred. The list, which was fundamentally identical to the data category list in the 2007 Agreement, should have been substantially reduced.
There were further questions regarding the processing of sensitive data (which according to the EDPS should not be authorised at all), the length of the retention period of PNR in databases (absolutely disproportionate), the absence of a prohibition on the use of the ‘pull’ method on the part of DHS, the modalities of onward data transfers (that should be more detailed and in the case of data transfers to third countries should provide for prior judicial authorisation) and data safety, since a regulation of databank access is not provided for.


5.1.2 The EU–Australia Agreement


On 28 February 2008, the Council decided to authorise the Presidency, assisted by the Commission, to open negotiations for an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service. Those negotiations were successful and a draft Agreement was drawn up, which was signed by the European Union with Council Decision 2008/651/CFSP/JHA of 30 June 2008.36 Despite the Agreement being applicable on a provisional basis from the date of its signature, the Council, in the same decision, postponed the conclusion of the Agreement to a later date.

In its Recommendation of 2008,37 the European Parliament expressed its critical evaluation of the Agreement. In this evaluation it observed that the procedure followed by the Council completely lacked democratic legitimacy since the European Parliament had not even been informed on the adoption of the mandate, the conduct of the negotiations or the conclusion of the Agreement. In the Recommendation the European Parliament also expressed its concern as to the legal basis for the Agreement, since the latter focused almost entirely on the internal security needs of a third State and thus did not bring any added benefits to EU Member States or their citizens. The European Parliament, moreover, raised doubts on the definition of the purpose of the Agreement and on some provisions on data processing, while applauding the provision in which the Australian Customs Service specifically stated they would not use any sensitive data in the transmissions, and wondering why Canada and US authorities took the opposite stance. The European Parliament went on to deplore the wording of the 19 categories of data to be transferred as being identical to those in the 2007 US Agreement. Finally, the European Parliament called for a review of the Agreement by 30 June 2010.

With its Resolution of 5 May 201038 the European Parliament, in view of its previous criticism, declared its intention of postponing the vote on the request for consent to the agreements with Australia until the modalities regarding the use of PNR were brought into line with EU law.

With the new 11 November Resolution,39 the European Parliament yet again underlined the importance of the recommendation made by the Commission to the Council on the expediency of opening negotiations with Australia, Canada and the United States for new international agreements on the transfer and processing of PNR. The renegotiation of the Agreement with Australia was necessary in the light of the entry into force of the security provisions of the TEU,40 and in consideration of the Guidelines on an EU global approach to transfers of Passenger Name Record (PNR) data presented by the Commission a few weeks before.41

The new negotiation phase, which was more or less 2 years long, ended on 22 September 2011, when the Council, with Decision 2012/380/EU,42 authorised the signing of the new Agreement on behalf of the European Union although, again, the moment of the conclusion of the Agreement was postponed. On this occasion, however, the Agreement was concluded. The following 13 December, the Council authorised the conclusion with its Decision 2012/381/EU.43 In the period between the two Council Decisions, the European Parliament also endorsed the Agreement, with its legislative Resolution of 27 October 2011.44

There follows a brief list of the most relevant provisions of the Agreement, which entered into force on 1 June 2012.

Article 3, defining the scope of application of the agreement, provides that PNR data received will only be used for the prevention, detection, investigation and prosecution of terrorist offences or serious transnational crimes.45 The Article is also concerned with the detailed description of the cases that fall within the definition of these types of offences, with a view to more transparency and clarity. Article 7 provides that the safeguards provided for by Australian Law on persons’ private lives apply indiscriminately to the processing of PNR data (Privacy Act 198846). Moreover, and this is a fundamental difference from the other Agreements concluded with the United States and Canada, Article 8 expressly prohibits the Australian Customs and Border Protection Service from processing any sensitive data; they are, in any event, to be deleted immediately. There are important differences also in the duration of data retention. Article 16 provides that the Australian Customs and Border Protection Service must retain PNR data no longer than 5.5 years from the date of their receipt, and during this period they can only be used for the purposes and ends of the Agreement.47 During the first 3 years, the data in the databank can only be accessible to a limited number of the Australian Customs and Border Protection Service’s officials (and only if specifically authorised). After this period, PNR data elements that might lead to passengers being identified must be masked out (this provision will enter into force, however, only on 1 January 2015). Article 17 then provides that all PNR data processing must be logged or documented by the Australian Customs and Border Protection Service, for the purpose of verifying the lawfulness of the processing, to ensure data integrity and the security of data processing.
Documentation or logs may be exclusively used for oversight and auditing purposes (for instance, for investigations on cases of non-authorised access). Specific procedures are laid down for sharing PNR data with other government authorities of Australia, listed in Annex II, and for data transfers to authorities of third countries.

Passengers are granted the right of access, rectification and erasure of their data, following a request to the Australian Customs and Border Protection Service. Moreover, passengers will also have the right to access documentation as to whether any data relating to them have been transferred and made available to other categories of recipients. The Australian Service must promptly (within 30 days) communicate in writing its decision, together with the factual and legal reasons on which it is based. In the case of a denial, passengers have the right to lodge a complaint with the Australian Customs and Border Protection Service, or to seek judicial redress according to the means available under Australian law, including the right to compensation whenever damage arises from a PNR data processing operation that is unlawful or, in any event, incompatible with the rights granted by the Agreement.

On the modalities of transfers, Article 20 provides that carriers transfer PNR data exclusively by the ‘push’ method, in accordance with particular procedures. Furthermore, Article 21 limits the frequency of transfers of PNR data to a maximum of five scheduled points in time per flight, the first point being up to 72 h before departure.

The Agreement will remain in force for a period of 7 years, renewable for a subsequent period of 7 years, and will be subject to the joint and periodical evaluation of its operational effectiveness by the Parties, starting 4 years after its entry into force.


5.1.3 The EU–Canada Agreement


The third international Agreement on the processing and transfer of Passenger Name Record (PNR) data is the Agreement between the European Union and Canada of 2006 after the Commission, with Council authorisation of 7 March 2005, had opened negotiations.

The Agreement, which is on the processing and transfer of Advance Passenger Information (API), as well as of PNR data, to the Canada Border Services Agency (CBSA), was approved, having regard to the Proposal from the Commission of 19 May 200548 and to the Opinion of the European Parliament of 7 July 2005,49 with Decision 2006/230/EC of 18 July 2007.50

The Agreement takes into account the provisions in two previous acts, Commission Decision 2006/253/EC of 6 September 200551 on the adequate protection of personal data on the part of the Canada Border Services Agency, and the Commitments by the Canada Border Services Agency in relation to the application of its PNR programme, attached to the Decision.52 In Decision 2006/253/EC the Commission confirmed that the CBSA is capable of ensuring an adequate level of protection for the PNR data transferred to it.53 In support of that confirmation, the Commission particularly referred to the specific purpose for which data processing is allowed in Canada (namely preventing and combating terrorism and other serious transnational offences), the extension of the rights and guarantees provided for in the Canadian ‘Privacy Act’ also to foreign nationals that are not in Canada, the obligation for the Canadian Agency to provide information in good time to passengers as to the methods of data processing and transfer, and the duration of data retention, which can be no longer than 3 years, with the exception of data used for specific purposes and for the prosecution of criminal offences. The Commitments represent a serious assurance on the part of the CBSA of its compliance with the duties provided for in the Commission Decision of 6 September 2005.54 This will be subject to joint reviews by Canada and the European Union, according to procedures also laid down in the Decision. The Commitments were, in fact, drafted by the CBSA to provide detailed explanations on the implementation of the measures safeguarding passenger privacy already outlined by the Commission Decision. In particular, they set out data transmission procedures and state that the ‘push’ system must be adopted. Moreover, they provide a detailed illustration of safeguards on personal data security and protection under the ‘Privacy Act’55
