Brussels, 21/09/2010 (Agence Europe) - On Tuesday 21 September, the European Commission adopted several proposals on Passenger Name Record (PNR) exchanges with third countries, including an external EU strategy on PNR. Cecilia Malmström, the Commissioner for Internal Affairs, declared that, “in this strategy, we set the general principles that any PNR agreement with a third country should be based on. PNR data has proven to be an important tool in the fight against serious transnational crime and terrorism, but at the same time, it raises important issues about protection of personal data”. In addition to this strategy, the Commission also adopted negotiation briefs for concluding new PNR agreements with the US, Australia and Canada. The current agreements with these three countries were submitted to the European Parliament for approval, but the latter decided to postpone its vote in exchange for their renegotiation on new grounds (EUROPE 10206).
Increasing numbers of third countries are using PNR data in the context of fighting terrorism and serious transnational crime. The EU has concluded agreements with three countries, and others, such as Japan, have also asked permission to use personal data on European travellers. This, according to Commissioner Malmström, explains the importance of putting in place certain criteria, before negotiating with these countries. Passengers give PNR data to airlines when reserving their flights. These data are then sent on to law enforcement services, which can use them in criminal investigations and for preventing new offences being committed, as well as carrying out risk analyses. At the moment, PNR exchanges with third countries are subject to different legal jurisdictions. Given the increasing popularity of PNR as a security tool, these divergences (if they continue) could impinge on legal security and the protection of personal data for passengers, explained the Commission. This is why it adopted a communication establishing the general principles for any PNR agreement concluded with a third country. The proposal on the European PNR system will come into place later on, after an impact study has been carried out.
Protection guarantee for personal data. PNR should be exclusively used in the fight against terrorism and serious forms of transnational crime. Categories of PNR data exchanged should be limited to what is necessary to achieve this objective and clearly indicated in the agreement, underlines the Commission document. Passengers should be given clear information about the exchange of their PNR data, have the right to see their PNR data and the right to effective administrative and judicial redress. This helps ensure full respect for privacy and that any violation of privacy will be remedied. Decisions having adverse effects on passengers must never be based on an automated processing of PNR data. A human being must be involved before a passenger is denied boarding. This seeks to prevent "profiling". Third countries must ensure a high level of data security and an effective independent oversight of the authorities, which use PNR data. The PNR data cannot be stored longer than necessary to fight terrorism and serious transnational crime, and third countries should limit who has access to the data progressively during the period of retention. The authorities, which receive these data, must filter them and only use any sensitive information contained in the PNR in exceptional circumstances. Information is deemed sensitive if it relates to racial or ethnic origin, political or religious opinions, union membership or health and sexual orientation. PNR data may only be shared by the third country with other countries (onward transfer) if those countries respect the standards laid down in the PNR agreement between the EU with the third country, and only on a case-by-case basis.
Transfer of PNR data and safety nets. Arrangements for transferring PNR data, which aim to provide legal certainty to air carriers and keep costs at an acceptable level, have to be defined: PNR data should be transmitted using the “PUSH” system in which the data are first selected then transferred to the third country authorities, rather than the “PULL” system which allows third country authorities direct access to airlines' reservation systems. The number of times that data are transferred before each flight should be limited and proportionate. There should also be standards on monitoring the correct implementation of the PNR agreement, for instance on review, monitoring, and effective dispute resolution. Reciprocity should also be ensured. Information about terrorism and serious transnational crime resulting from the analysis of PNR data by third countries should be shared with EUROPOL, EUROJUST and EU member states. (B.C./transl.fl)