The Communication presented today sets general principles that any PNR agreement with a third country should observe.
1. Protection of personal data, which aims to protect the rights of passengers:
- PNR data should be used exclusively to fight terrorism and serious transnational crime.
- The categories of the PNR data exchanged should be limited to what is necessary for that purpose, and be clearly listed in the agreement.
- Passengers should be given clear information about the exchange of their PNR data, have the right to see their PNR data and the right to effective administrative and judicial redress. This helps ensure full respect for privacy and that any violation of privacy will be remedied.
- Decisions having adverse effects on passengers must never be based on an automated processing of PNR data. A human being must be involved before a passenger is denied boarding. This seeks to prevent “profiling”.
- Third countries must ensure a high level of data security and an effective independent oversight of the authorities which use PNR data.
- The PNR data cannot be stored longer than necessary to fight terrorism and serious transnational crime, and third countries should limit who has access to the data gradually during the period of retention.
- PNR data may be shared by the third country with other countries (onward transfer) only if those countries respect the standards laid down in the PNR agreement between the EU and the third country, and only on a case-by-case basis.
According to the Commission:
The views on general PNR issues of the major stakeholders, like the Member States, the European Parliament, the European Data Protection Supervisor and the Article 29 Data Protection Working Party, are especially important in the development of the revised approach on PNR.
2. Modalities of transfer of the PNR data, which aim to provide legal certainty to air carriers and keep costs at an acceptable level: PNR data should be transmitted using the “PUSH” system, and the number of times that data is transferred before each flight be limited and proportionate.
3. Standards on monitoring the correct implementation of the PNR agreement, for instance on review, monitoring, effective dispute resolution.
4. Reciprocity should also be ensured. Information about terrorism and serious transnational crime resulting from the analysis of PNR data by third countries should be shared with EUROPOL, EUROJUST and EU Member States.
As far as I know it’s the first time that the Commission embraces the approach to limitations of rights as supported by the United Nations Special Rapporteur on the protection of human rights while countering terrorism in his privacy report.
According to the Commission:
Any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of these rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
The monitoring requirement also seems to be better than before, embracing the joint review approach.
It is essential that the EU is provided with mechanisms for monitoring the correct implementation, for example through periodical joint reviews on the implementation of all aspects of the agreements, including the purpose limitation, the rights of passengers and onward transfers of PNR data, and comprising a proportionality assessment of the retained data on the basis of their value to achieving the purposes for which the data were transferred. The findings of such joint reviews should be presented to the Council and the European Parliament.
A first quick scan of the document reveals three negative points.
The first one is the formulation on ‘sensitive data’. Is a ‘terrorist threat’ the same as an ‘imminent threat to loss of life’? And if a ‘terrorist threat’ doesn’t entail ‘any imminent threat to loss of life’, then what exactly does the Commission see as a ‘terrorist threat’?
PNR data revealing racial or ethnic origins, political opinions or religious or philosophical beliefs, trade union membership, health or sexual life shall not be used unless under exceptional circumstances where there is an imminent threat to loss of life and provided that the third country provides appropriate safeguards, for example that such data may be used only on a case-by-case basis, under the authorisation of a high-ranking official and strictly limited to the purposes of the original transfer.
The Commission adds that “key notions like terrorism and serious transnational crime should be defined based on the approach of definitions laid down in relevant EU instruments”. This formulation is crucial for any potential future PNR agreement with Israel, and – especially – Russia.
A second negative point is the data retention time limit, which is quite vague at this point:
The period of retention of the PNR data should not be longer than necessary for the performance of the defined tasks. The period of retention should take into account the different ways in which PNR data are used (see section 1.2.1 above) and the possibilities of limiting access rights over the period of retention, for example by gradual anonymisation of the data.
Last but not least, the Commission’s approach to third countries which do not ensure an adequate level of protection of personal data doesn’t seem to have substantially changed either. This is important, as now the Commission needs to renegotiate the current PNR agreements with Australia, Canada and the United States. The agreements with Australia and the US are being applied provisionally, but their regular application requires the consent of MEPs. In May, the Parliament postponed a vote on the agreements and called on the Commission to draft general standards that apply to all future agreements.
The adequacy afforded by a third country is to be assessed in the light of all the circumstances surrounding a data transfer operation. In this context, the EU will also consider the compliance by the third country with international standards, respectively its ratification of international instruments on data protection and fundamental rights in general. Adequacy decisions already adopted by the European Commission in this regard should be used as guidance on what can be regarded as being adequate.
Jan Philipp Albrecht, a German Green MEP, said that the Commission had “still not fully got the message”. “The proposed mandates fail to provide sufficient guarantees to ensure that EU data protection law will be respected, as demanded by the Parliament,” he said.
Axel Voss, a centre-right German MEP, said that the agreement with the US would stand a chance of being approved by MEPs only if it included a limited retention period, redress for passengers and a ban on the onward transfer of data to other countries.
Background info on PNR here.