The ambiguous nature of data referred to resulted in a difference of opinion between the European Union and the United States.

Following the September 11 terrorist attacks , the United States adopted in November of the same year an internal regulation under which custom authorities could require electronic access to the automatic booking and departure check system of all carriers operating flights either connecting in the USA or merely flying over US territory. The Commission initially considered such a request contrary to some provisions of Council Regulation (EEC) No 2299/89 (repealed by Regulation (EC) No 80/2009) on a code of conduct for computerized reservation systems , as previously mentioned, albeit in relation to other aspects of the issue. In response to the EU stance, the USA announced their intention of sanctioning as from 5 March 2003 all carriers which failed to follow the rules on electronic access to PNR data. This threat prompted many airlines thereafter to provide US customs authorities with access to their PNR data.

Such a situation, with clear repercussions on diplomatic relations between the EU and the USA, induced the Commission to revise it original position and start a series of negotiations with American authorities, which eventually resulted in the adoption of Decision 2004/496/EC²⁰ on 17 May 2004. For the Commission the priority was that of avoiding a conflict, at international law level, between United States laws and EU rules.

As stated in the first of two whereas comprising said Decision, it was preceded by the Resolution of 23 February 2004 where the Council authorised the Commission to negotiate in the name of the European Community, as it was at the time, an agreement with the United States on the processing and transfer of PNR data.

The procedure leading to the adoption of Decision 2004/496/EC, however, proved tortuous from the beginning due to the European Parliament’s consistent opposition. Under Article 300(3) TEC (Now article 218 TFEU), EU Parliament had been called upon to submit its Opinion on the Proposal within a short time limit (by 22 April 2004, subsequently extended to 5 May of the same year). The Council had agreed to the launching of an emergency procedure for the adoption of the Decision, arguing that passengers and carriers were in a position of uncertainty that had to be resolved as quickly as possible.

In response, on 31 March 2004, the European Parliament adopted a Resolution in which it expressed quite a number of legal reservations, arguing that the act the Commission had presented went beyond the latter’s powers. According to the European Parliament, it would have been necessary to conclude an international treaty.

In substance, the agreement the Community was about to make with the USA did not entirely observe fundamental rights. For these reasons the European Parliament sought an Opinion (registered as number 1/04) of the Court of Justice under Article 300(6) TEC (Now article 218 TFEU), on the compatibility of the agreement to be made with the EC Treaty, which it then withdrew on 9 July 2004.

The European Parliament chose to bring two separate actions before the Court of Justice, the first against the Council and the second against the Commission, which were later joined, seeking the annulment under Article 230 TEC (now Article 263 TFEU) of Decisions 2004/496/EC and 2004/535/EC²¹ on the level of protection of personal data contained in the PNRs transferred to the United States’ Bureau of Customs and of Border Protection.

In the latter decision the Commission found that the passenger data collection and processing system used by the United States’ Bureau of Customs and of Border Protection was compatible with Article 25(2) of Directive 95/46/EC.²² Under this Article, the suitableness of the level of protection of third country must be evaluated keeping in mind the nature of the transmitted data, the purpose of the proposed processing operation, the country of origin and country of final destination, the rules of law, both general and sectorial, in force in the third country in question as well as the professional rules and security measures which are complied with in that country.

The Court of Justice delivered its judgment on 30 May 2006, finding in favour of the European Parliament and accordingly annulling the contested Decision.²³

The action based on eight grounds (relative to Decisions 2004/535/EC and 2004/496/EC) by the European Parliament, was adjudicated upon by the Court of Justice in a single judgment: incorrect choice of legal basis for Decision 2004/496/EC, breach of Article 300(3) TEC (now Article 218 TFEU), breach of Article 8 of the European Convention on Human Rights (ECHR), breach of the principle of proportionality ; failure to fulfil the obligation to provide reasons; breach of the principle of loyal cooperation; action ultra vires and breach of the essential principles of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data.

The Court did not address the substantive claims against the agreement made with the United States but looked only at its inter-institutional aspects as being preconditions to the former.

The first point addresses the problem of the correct identification of the legal basis of the two decisions. In particular, Decision 2004/496/EC was adopted on the basis of Article 95 of the EC Treaty, which allows the adoption of legal measures for the harmonisation of the internal market.

According to the Commission, while the agreement does concern the external dimension of the protection of personal data, it does so at the moment of their transfer within the Community. Decision 2004/535/EC, instead, was adopted on the basis of Article 25(6) of Directive 95/46/EC, under which the Commission may deem that a third country guarantees a suitable level of protection according to paragraph 2, in consideration of its national laws or its international commitments, ‘for the protection of the private lives and basic freedoms and rights of individuals’.

With reference to Decision 2004/496/EC, the Court shared the position of the European Parliament, according to which the Decision did not have as its object the institution and the functioning of the internal market, and was not aimed at eliminating obstacles to the free provision of services.

As regards Decision 2004/535/EC, the Court found that the agreement involved the processing of data that are excluded from the Directive’s sphere of application.

According to the Court, gathering PNR data is a public law activity to protect national security, and for this reason, cannot be conciliated with Article 3(2) of Directive 95/46/EC, stating a series of derogations to its own applicability. On the basis of this provision, the Directive does not apply to the processing of personal data: ‘in the course of an activity which falls outside the scope of Community law, such as activities provided for by Titles V and VI of the Treaty on European Union, and in any event processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law’.

In other words, the public law nature of PNR data collecting brings it within the competence of the European Union, removing it from those of the first Pillar. An agreement made in this file would then have called for the legal support of a decision adopted under Articles 24 (now Article 37 TEU) and 34 TEU (repealed by the Treaty of Lisbon).

PNR data are collected, especially by American authorities, not for commercial uses (despite implicitly having this function), but rather for public security needs and are consequently prerogative not of private individuals, as Directive 96/46/EC would require, but, as is the actual case, of Member States and their national authorities.

The Court had in fact previously adjudicated on this point, namely on the exceptions under Article 3(2) of Directive 96/46/EC, in Lindqvist Case, on 6 November 2003.²⁴

In essence, this is a further judgment of the Court on the distribution of competences between the First and the Second and/or the Third Pillars before the structure was abolished as a result of the entry into force of the Treaty of Lisbon. A few hints are offered by another equally well-known judgment,²⁵ which represents the first case in which the Court was called upon to adjudicate on an act based on Title VI, under Article 35(6) TEU (now repealed, only Article 263 TFEU being applicable). These provisions give the Court jurisdiction to examine the validity of Decisions and Framework Decisions on the basis of its powers under First Pillar Acts (competence, breach of substantive rules, breach of the Treaty and of secondary legislation, misuse of powers) and on the same terms. However, it has no power, on the other hand, to review common positions or conventions or the measures for their implementation.

This judgment settled the action brought by the Commission for the annulment of Framework Decision 2003/80/JHA on the protection of the environment through criminal law, which required Member States of to provide criminal penalties for offences against the environment.

The Commission took the view that in the case at issue, the power was to be attributed to a Community instrument. This case is the reverse of that in Joined Cases C-317/04 and C-318/04. Nonetheless, some of the Court’s findings are nevertheless of interest for the matter here examined.

The pivotal point was deciding within which Pillar should any determined act be adopted, and on what criteria, so as not to encroach on mutual competences, which would be entirely contrary to Article 47 TEU (now Article 40 TEU which concerns only the Common Foreign and Security Policy (CFSP)) which stated the primacy of Community law over Title V and Title VI of the EC Treaty. Again in this judgment the Court kept to the classic approach to construction on the basis of the purpose and the content of the act in order to assess its legal basis.

It is clear from the judgment that, at the time, criminal law did not in itself constitute a Community policy, and that consequently Community action in the matter could only be founded on implicit competence connected to a specific legal basis. The Court’s approach is thus functional. The possibility for the Community legislature of laying down measures in the criminal sphere derives from the necessity of having Community laws respected. Thus a close connection with substantive Community provisions is essential.

The Court seemed to overcome the alleged lack of competence of the Community legislature of the time in criminal matters, including because the Community rules did not justify it, based on a principle of necessity and of safeguarding the effectiveness of Community law. In other words, with that judgment, the Court sought to overcome an assessment based on just statutory elements only on the basis of the need in any event to ensure that Community laws were observed, in particular those which ensure the protection of primary interests such as the environment. The consequences of this judgment, at least until the entry into force of the Treaty of Lisbon, were significant. First of all, it ended the mechanism of the twofold instruments (Directive or Regulation and Framework Decision) the Community used in several occasions, namely the practice of separating the criminal elements of the Community act into a Framework-Decision. In short, it was either necessary to resort to a criminal law provision to ensure the effectiveness of Community law, in which case the law would have had to be adopted exclusively within the first Pillar or, still with an eye to the purpose and contents of the act (central criterion), resorting to criminal law would have been totally useless.

In the judgment on Decisions 2004/535/EC and 2004/496/EC, in the light of previous considerations, the Court defined the purpose and content of these acts as the primary pursuit of public security and foreign policy interests. The absorbing nature of this objective prevents the adoption of a Community act as such, despite the fact that many of them having concerned internal security, especially in the sphere of the free movement of persons.

For the foregoing reasons, the Court found that the correct legal basis for concluding an agreement between the United States and the European Union on the processing of PNR data is twofold and combined: Article 24 of Title V TEU (now Article 37 TEU) for the conclusion of an international agreement and Article 38 of Title VI (now repealed) in view of the fact that this agreement is aimed at the fight against terrorism.

Under Article 24 TEU at the time, when pursuant to Title V it was necessary to conclude an agreement with one or more states or international organisations, ‘the Council [could] authorise the Presidency, assisted by the Commission as appropriate, to open negotiations to that effect. Such agreements [were] concluded by the Council on a recommendation from the Presidency’. Under Article 38 at the time, agreements under Article 24 could also concern matters falling under Title VI. Article 37 TFEU, formerly Article 24, limits itself to providing that ‘[t]he Union may conclude agreements with one or more States or international organisations in areas’ of Common Foreign policy and Common Security, an implicit reference to Article 218 TFEU for the relevant procedure.

Beyond inter-institutional considerations, in connection with the legal basis and, accordingly, the correct identification of the legal instrument to be used, this judgment left many questions unanswered as to substance that cannot be ignored and to which we shall return later, as will be made clear further on.

Certainly, the annulment of the two controversial Decisions has produced a legislative vacuum, raising yet again the same doubts and perplexities that appeared from the very first positions taken by the various Community institutions. Furthermore, in the absence of any action, this time on the part of the Union, the uncertainty might have had repercussions for individuals in terms of the sanctions imposed on airlines and, more generally, for the whole of European air traffic.

These and other considerations prompted the European Union to renegotiate certain aspects of the agreement with the United States, in the light of the observations made by the Court, as briefly reported above.

The first formal step, which closely preceded the conclusion of the agreement and reflected a restart of negotiations, was the correspondence between the United States and the European Union, on 27 October 2006.²⁶

By a letter to the Presidency of the European Council and the Commission by the Department of Homeland Security (DHS), the United States essentially offered an authentic interpretation of the declaration on the PNR made on 11 May 2004, which is considered strictly functional in respect of the fight against terrorism. It need hardly be pointed out that the declaration asserts that the United States complied with the requirements for the protection of personal data under EU law with regard to privacy.

In the letter, the Department of Homeland Security of the USA clarified a few practical aspects on the collection and dissemination of PNR data at national level, in particular by USA Government authorities in charge of the fight against terrorism (although in no case are they allowed unconditional direct electronic access).

The first point is on the timing of the communication of PNR data by air carriers . The DHS claims the right of requesting information on PNR no later than 72 h prior to flight departure or even sooner whenever timely access may help respond to a specific threat.

‘Frequent flyers’ call for special processing. The DHS reserved the right to ask for more information on such passengers than what would usually be expected for others (34 items).

Other passages concern the modalities of data preservation. Essentially, with what could be described as a letter of intent, the number of authorities which can access, transmit and preserve personal data was increased, as were the purposes for which the same may be used.

The European Union, through the answer of the Presidency of the Council and the Commission, while acknowledging the contents of the letters, again made clear the importance respecting fundamental rights as protected by Article 6 TFEU and the ECHR, which also entails the protection of private data.

Despite a few difficulties, the Agreement between the European Union and the United States on the processing and transfer of passenger name record (PNR) data was concluded with the adoption of Council Decision 2006/729/CFSP/JHA of 16 October 2006.²⁷

In itself, the agreement contains no significant innovations. In other words, it is the legal basis rather than the substance of the act which changed.

The agreement, in fact, limits itself to restating the commitment of the European Union in guaranteeing that air carriers, operating passenger flights to or from the United States of America, handle PNR data in their booking systems as required by the DHS, to be understood not only to mean the Department of Homeland security itself, but also the Bureau of Customs and Border Protection, the competent immigration authorities, the Cabinet of the USA and all bodies directly supporting it, which will all have electronic access.

The DHS, in turn, undertakes to treat PNR data received in accordance with the applicable USA laws and constitutional duties, without undue discrimination, particularly on the basis of nationality and country of residence. Moreover, the DHS undertakes to ensure a suitable level of protection of PNR data transferred from the EU in relation to passenger flights to or from the United States.

The agreement entered into force definitively the first day of the month following the date when the parties exchanged the notifications of the completion of all necessary internal procedures, which, for the EU, consisted in Council Decision 2006/729/CFSP/JHA of 16 October 2006. It is indeed this act, more than the agreement, which possesses the most interesting ideas; it allows Member States, in particular circumstances, to suspend PNR data transmission, if this were necessary to protect individuals with regard to the processing of their personal data.

Under Article 4 of Decision 2006/729/CFSP/JHA the competent authorities in Member States, without prejudice to their powers to take action to ensure compliance with national provisions, may exercise their existing powers to suspend data flows to DHS in order to protect individuals with regard to the processing of their personal data in the following four cases: (a) ‘where a competent United States authority has determined that DHS is in breach of the applicable standards of protection’; (b) ‘where there is a substantial likelihood that the applicable standards of protection are being infringed’; (c) when ‘there are reasonable grounds for believing that DHS is not taking or will not take adequate and timely steps to settle the case at issue’; (d) ‘the continuing transfer would create an imminent risk of grave harm to data subjects, and the competent authorities in the Member States concerned have made reasonable efforts in the circumstances to provide DHS with notice and an opportunity to respond’. In the presence of these conditions, Member States must inform the Council and the Commission without delay of the measures adopted and the grounds for believing that DHS is not capable of guaranteeing adequate data protection.

The most significant provision on this matter is Article 5(5) of Decision 2006/729/CFSP/JHA. The provision enables the Council, if it considers that the information collected by Member States provides evidence of the violation of the basic principles necessary for an adequate level of protection for natural persons are no longer being complied with, or that compliance with the applicable standards of protection by DHS is not effectively guaranteed, to suspend or terminate the Agreement, after informing DHS.

This Agreement remained in force until July 2007. Article 7 of the Agreement provided that it applied only provisionally so that it was therefore necessary to replace it with a new agreement by 31 July 2007.

The main negotiations took place once again by the exchange of correspondence between DHS and the Presidency of the Council of the European Union, together with the Commission.

By a letter accompanying the Proposal for an Agreement of 28 June 2007, DHS informed the European Union in detail on the methods of collection, use and storage of PNR passenger in conformity with United States law. It contained explanations on several points, amongst which the purpose for which PNR is used, the type of information collected and the sharing of it, rights of passengers, data retention and transmission, and the reciprocity in the exchange of data between the relevant USA authorities and police and judicial authorities of the Member States concerned. Moreover, the United States stressed that it was not its intention to go back to the provisions of the previous 2004 Agreement, and that this would in no way constitute judicial precedent. The Council Presidency, on behalf of the European Union, responded positively to the assurances given, deeming adequate the level of data protection provided by United States law. The Agreement was consequently concluded on 23 July 2007, with Council Decision 2007/551/CFSP/JHA.²⁸

The most relevant innovations in this Agreement are the introduction of the ‘push’ system in the transfer of data by air carriers, the reduction of the number of type of information to be gathered, and the extension of the period of data retention. A few brief considerations are necessary. As regards the first innovation, it must be borne in mind that the adoption of the ‘push’ system was already provided for by the Agreement of 2004. Despite this express provision, DHS continued to gather data using the ‘pull’ system. Under Article 2 of the new Agreement, DHS undertook to transition to the former system by 1 January 2008, but only for carriers that have also implemented a similar system. In the case of all others, DHS reserves its right to access the air carriers’ reservation systems until these carriers have complied with the new transfer systems. The types of PNR data collected by DHS have been reduced from 34 to 19. It has been highlighted that actually there has not been a reduction of the types, but simply a regrouping of them, with the introduction, in some cases, of new elements (their new numbering was based of groups of data, instead of individual elements). Finally, the period of retention of data switched from 3.5 to 15 years. Point seven of the letter accompanying the new Agreement specifies that the data is to be retained in an active analytical database for 7 years. But after this time the data will become dormant, and will be retained for a further 8 years, and may be accessed only with specific approval.

On 5 May 2010, the European Parliament, adopting an ad hoc Regulation, urged a review of the terms of the agreement,²⁹ authorising on 2 December 2010 the Commission to launch the necessary initiatives for its renegotiation with the United States. The negotiation phase then lasted around a year.

On 17 November 2011, the European Union and the United States of America announced the conclusion of a new Agreement on the transfer of PNR data between the two parties. With Council Decision 2012/471/EU³⁰ of 13 December 2011, the Union was authorised to sign the Agreement. The signing took place the day after, subject to reservations. The reservations were lifted and the Agreement was concluded on 26 April 2012 with Council Decision 2012/472/EU.³¹ The Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records to the United States Department of Homeland Security, signed in Brussels on 14 December 2011, entered into force on 1 July 2012, in accordance with Article 27 of the Agreement.³² The provisions in it are in many ways innovative since they aim at providing a new legal framework for the processing of personal data with regard to both passengers and air carriers.

The first relevant provision is certainly the wording of Article 4 that expressly provides for the end use of PNR data on the part of authorities of the United States, that is for the prevention, detection, investigation and prosecution of terrorist offences (and related crimes) and other crimes that are transnational in nature and punishable by a sentence of imprisonment of 3 years or more. The Agreement, moreover, contains many provisions on the protection of passenger privacy . In this regard, Article 8 fixes the maximum period of PNR data retention in an active database at up to 5 years, also providing for additional guarantees such as PNR being depersonalised and masked out after the initial 6 months of retention on the part of United States authorities. After the initial 5-year period, PNR will not be automatically cancelled, but transferred to a ‘dormant’, or ‘inactive’ database, for up to 10 years. This database is subject to additional controls; access to it will require a higher level of supervisory approval, for a more restricted number of authorised personnel. The longest period of data retention is 10 years for serious crimes of a transnational nature, while for terrorist offences the data are accessible for a period of up to 15 years. On the use of sensitive data, Article 6 provides that DHS must employ automated systems to filter and mask out sensitive data from PNR. Processing these data will only be permitted in exceptional cases (the imperilment or serious impairment to an individual’s life), on a case-by-case basis and with the previous approval of a DSH senior officer. Finally, data must be deleted within 30 days from the last receipt of PNR containing sensitive data. However, this data may be retained for the time specified in US law in the case of a specific investigation, prosecution or any other specific purpose. Article 7, instead, prohibits the United States from adopting actions based solely on automated processing and use of PNR that affect the legal interests of individuals. Important provisions are also provided for under Articles 11, 12 and 13 of the Agreement, which offer passengers important guarantees on their right to protection of personal data. The guarantees (granted regardless of nationality, country of origin, or place of residence) are the possibility of seeking access to, and the correction, rectification, and erasure of their PNR (in compliance with the USA Freedom Information Act³³). Any refusals or restrictions to such requests must be include the legal basis thereof in writing and provided in a timely manner. Moreover, any individual whose personal data and personal information has been processed and used in a manner inconsistent with this Agreement may seek both administrative and judicial redress. Additional provisions in the Agreement are on the modalities of PNR transmission. Carriers are once again enjoined to use the ‘push’ method, requiring carriers to acquire the technical ability to use this transmission system not later than 24 months following entry into force of the Agreement. However, DHS may require carriers to provide access by other means for technical reasons or in the exceptional circumstances of a specific, urgent, and serious threat.

The subsequent transfer of PNR data to competent government authorities of third countries may be undertaken only if the latter ensure a level of protection comparable to that set out in the Agreement. In this case DHS will have to promptly inform the Member State of which the passenger subject to PNR data transfer is a citizen or a resident. Finally, the Agreement lays down even more stringent regulations on police, law enforcement and judicial cooperation (Article 18) with the obligation for DHS to share PNR data with to competent law enforcement and judicial authorities of the EU Member States in cases pursuing serious transnational crime and terrorist offences. Despite the fact that this new Agreement has provided more clarity and transparency in the protection of passenger PNR data on the part of the United States of America, the European Data Protection Supervisor (EDPS),³⁴ while welcoming the improvements brought about in comparison with the 2007 Agreement, still noted a few reasons for concern. In its Opinion of 9 December 2011,³⁵ that is 3 days before the Agreement was signed, the EDPS pointed out that several aspects should be clarified, in particular with regard to the definition of crimes punishable by a sentence of imprisonment of 3 years or more. According to the Opinion, different EU Member States and US States jurisdictions include different crimes within this threshold. According to EDPS, yet another element of concern is the list of types of PNR data to be transferred. The list, which was fundamentally identical to the data category list in the 2007 Agreement, should have been substantially reduced. There were further questions regarding the processing of sensitive data (which according to EDPS should not be authorised at all), the length of the retention period of PNR in databases (absolutely disproportionate), the absence of a prohibition on the use of the ‘pull’ method on the part of DHS, the modalities of onward data transfers (that should be more detailed and in the case of data transfers to third countries should provide for prior judicial authorisation) and data safety, since a regulation of databank access is not provided for.

On 28 February 2008, the Council decided to authorise the Presidency, assisted by the Commission, to open negotiations for an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR ) data by air carriers to the Australian Customs Service. Those negotiations were successful and a draft Agreement was drawn up, which was signed by the European Union with Council Decision 2008/651/CFSP/JHA of 30 June 2008.³⁶ Despite the Agreement being applicable on a provisional basis from the date of its signature, the Council, in the same decision, postponed the conclusion of the Agreement to a later date.

In its Recommendation of 2008,³⁷ the European Parliament expressed its critical evaluation of the Agreement. In this evaluation it observed that the procedure followed by the Council completely lacked democratic legitimacy since the European Parliament had not even been informed on the adoption of the mandate, the conduct of the negotiations or the conclusion of the Agreement. In the Recommendation the European Parliament also expressed its concern as to the legal basis for the Agreement, since the latter focused almost entirely on the internal security needs of a third State and thus did not bring any added benefits to EU Member States or their citizens. The European Parliament, moreover, raised doubts on the definition of the purpose of the Agreement and on some provisions on data processing, at the same time applauding the provision in which the Australian Customs Service specifically stated they would not use any sensitive data in the transmissions, while at the same time wondering why Canada and US authorities took the opposite stance. The European Parliament went on to deplore the wording of the 19 categories of data to be transferred as being identical to those in the 2007 US Agreement. Finally, the European Parliament called for a review of the Agreement by 30 June 2010.

With Resolution of 5 May 2010³⁸ European Parliament, in view of its previous criticism, declared its intention of postponing the vote on the request for consent to the agreements with Australia until the modalities regarding the use of PNR were brought into line with EU law.

With the new 11 November Resolution,³⁹ European Parliament yet again underlined the importance of the recommendation made by the Commission to the Council on the expediency of opening negotiations with Australia, Canada and the United States for new international agreements on the transfer and processing of PNR. The renegotiation of the Agreement with Australia was necessary in the light of the entry into force of the security provisions of the TEU,⁴⁰ and in consideration of the Guidelines on an EU global approach to transfers of Passenger Name Record (PNR) data presented by the Commission a few weeks before.⁴¹

The new negotiation phase, which was more or less 2 years long, ended on 22 September 2011, when the Council, with Decision 2012/380/EU,⁴² authorised the signing of the new Agreement on behalf of the European Union although, again, the moment of the conclusion of the Agreement was postponed. On this occasion, however, the Agreement was concluded. The following 13 December, the Council authorised the conclusion with its Decision 2012/381/EU.⁴³ In the period between the two Council Decisions, the European Parliament also endorsed the Agreement, with its legislative Resolution of 27 October 2011.⁴⁴

There follows a brief list of the most relevant provisions of the Agreement, which entered into force on 1 June 2012.

Article 3, defining the scope of application of the agreement, provides that PNR data received will only be used for the prevention, detection, investigation and prosecution of terrorist offences or serious transnational crimes.⁴⁵ The Article is also concerned with the detailed description of the cases that fall within the definition of these types of offences, with a view to more transparency and clarity. Article 7 provides that the safeguards provided for by Australian Law on persons’ private lives apply indiscriminately to the processing of PNR data (Privacy Act 1988⁴⁶). Moreover, and this is a fundamental difference from the other Agreements concluded with the United States and Canada, Article 8 expressly prohibits the Australian Customs and Border Protection Service from processing any sensitive data ; they are, in any event, to be deleted immediately. There are important differences also in the duration of data retention. Article 16, indeed, provides that the Australian Customs and Border Protection Service must retain PNR data no longer than 5.5 years from the date of their receipt, and during this period they can only be used for the purposes and ends of the Agreement.⁴⁷ During the first 3 years, the data in the databank can only be accessible to a limited number of the Australian Customs and Border Protection Service’s officials (and only if specifically authorised). After this period, PNR data elements that might lead to passengers being identified must be masked out (this provision will enter into force, however, only on 1 January 2015). Article 17, indeed, then provides that all PNR data processing must be logged or documented by the Australian Customs and Border Protection Service, for the purpose of verifying the lawfulness of the processing, to ensure data integrity and the security of data processing. Documentation or logs may be exclusively used for oversight and auditing purposes (for instance, for investigations on cases of non-authorised access). Specific procedures are laid down for the sharing PNR data with other government authorities of Australia, listed in Annex II, and for data transfers to authorities of third countries.

Passengers are granted the right of access, rectification and erasure of their data, following a request to the Australian Customs and Border Protection Service. Moreover, passengers will also have the right to access documentation as to whether any data relating to them have been transferred and made available to other categories of recipients. The Australian Service must promptly (within 30 days) communicate in writing its decision, together with the factual and legal reasons on which it is based. In the case of a denial, passengers have the right to lodge a complaint with the Australian Custom and Border Protection Service, or to seek judicial redress according to the means available under Australian law, including the right to compensation whenever damage arises from an unlawful PNR data processing operation or, in any event, incompatible with the rights granted by the Agreement.

On the modalities of transfers, Article 20 provides that carriers transfer PNR data exclusively by the ‘push’ method, in accordance to particular procedures. Furthermore, Article 21 limits the frequency of transfers of PNR data to a maximum of five scheduled points in time per flight, the first point being up to 72 h before departure.

The Agreement will remain in force for a period of 7 years, renewable for a subsequent period of 7 years, and will be subject to the joint and periodical evaluation of it operational effectiveness by the Parties, starting 4 years after its entry into force.

The third international Agreement on the processing and transfer of Passenger Name Record (PNR ) data is the Agreement between the European Union and Canada of 2006 after the Commission, with Council authorisation of 7 March 2005, had opened negotiations.

The Agreement, which is on the processing and transfer of Advance Passenger Information (API) , as well as of PNR data, to the Canada Border Service Agency (CBSA), was approved, having regard to the Proposal from the Commission of 19 May 2005⁴⁸ and to the Opinion of the European Parliament of 7 July 2005,⁴⁹ with Decision 2006/230/EC of 18 July 2007.⁵⁰

The Agreement takes into account the provisions in two previous acts, Commission Decision 2006/253/EC of 6 September 2005⁵¹ on the adequate protection of personal data on the part of the Canada Border Services Agency, and the Commitments by the Canada Border Service Agency in relation to the application of its PNR programme, attached to the Decision.⁵² In Decision 2006/253/EC the Commission confirmed that the CBSA is capable of ensuring an adequate level of PNR data protection transferred to it.⁵³ In support of that confirmation, the Commission particularly referred to the specific purpose for which data processing is allowed in Canada (namely preventing and combating terrorism and other serious transnational offences), the extension of the rights and guarantees provided for in the Canadian ‘Privacy Act’ also to foreign nationals that are not in Canada, the obligation for the Canadian Agency to provide information in good time to passengers as to the methods of data processing and transfer and to the duration of data retention that can be for no longer than 3 years, with the exception of data used for specific purposes and for the prosecution of criminal offences. The Commitments represent a serious assurance on the part of the CBSA of its compliance with the duties provided for in the Commission Decision of 6 September 2005.⁵⁴ This will be subject to joint reviews by Canada and the European Union, according to procedures also laid down in the Decision. The Commitments were, in fact, drafted by the CBSA to provide detailed explanations on the implementation of the measures safeguarding passenger privacy already outlined by the Commission Decision. In particular, it sets out data transmission procedures states that ‘push’ system must be adopted. Moreover, it provides a detailed illustration of safeguards on personal data security and protection under the ‘Privacy Act’⁵⁵