Legal provisions of COM(2021)19 - Review of the implementation of the Agreement with Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to Australian customs - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2021)19 - Review of the implementation of the Agreement with Australia on the processing and transfer of Passenger Name Record (PNR) ... |
|---|---|
| document | COM(2021)19  |
| date | January 12, 2021 |
Brussels, 12.1.2021
COM(2021) 19 final
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
On the joint review of the implementation of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service
{SWD(2021) 5 final}
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
On the joint review of the implementation of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service
Introduction
The Agreement between the European Union and Australia on the processing and transfer of passenger name record (PNR) data by air carriers to the Australian customs service 1 entered into force on 1 June 2012. According to Article 24(2) of the EU Australia PNR Agreement, the Parties shall jointly review the implementation of the Agreement and any matters related thereto one year after its entry into force and regularly thereafter.
The joint review is based on the methodology developed between the EU and the Australia teams for the first joint review of the Agreement which took place in Canberra on 29-30 August 2013. The outcome was reported by the Commission to the European Parliament and the Council in 2014 2 .
The second joint review of the Agreement was carried out on 14 August 2019 in Canberra, alongside the joint evaluation of the same Agreement 3 . The preparation process for the joint review and subsequent Report are outlined at the end of this Report. The Staff Working document accompanying this Report provides more detailed information and a comprehensive analysis of all the matters covered by this joint review.
Preparation process for the joint review and Report
·The Commission sent a questionnaire to the Department of Home Affairs (herein after “the Department”) of Australia on 28 June 2019 in advance of the joint review. The questionnaire contained specific questions in relation to the implementation of the Agreement by the Department and on the organisational changes in the Australian system. The Department provided written draft replies to the questionnaire prior to the joint review and a final consolidated version thereafter.
·The EU team conducted the joint review visit on 14 August 2019 and was granted access to the Department’s premises. The EU team had no access to any system processing PNR data.
·At the request of the Department, all members of the EU team signed a non-disclosure agreement as a condition for their participation in this exercise.
·The replies to the questionnaire were discussed in detail with the Department. The EU team also had the opportunity to raise further questions with Department officials and address various aspects of the Agreement.
·The findings of the EU team were laid down in the accompanying Staff Working document which was also shared with the Department, providing Australia with the opportunity to comment on inaccuracies and identify information which cannot be disclosed to public audiences.
Implementation of the 2013 Recommendations
All the recommendations from the 2013 review have either been completed or the work is on-going.
In the 2013 joint review the overall finding was that Australia had fully implemented the Agreement, respected its obligations as regard to data protection safeguards under the Agreement, and processed PNR data in compliance with the strict conditions set out therein. More specifically, it was demonstrated that Australia did not process any sensitive data held in PNR data sets obtained under the Agreement and it has been actively seeking to further improve the automated identification and deletion of sensitive data if received by air carriers. In addition, the targeted way in which Australia assessed PNR data against risk indicators had shown to usefully minimise the access to personal data. Last, the processing of PNR data under the Agreement had been subject to high-level independent oversight by the Office of the Australian Information Commissioner.
Moreover, the EU team invited Australia to implement measures to ensure the masking out of all data elements after three years which could serve to identify the passenger to whom the PNR data relate. These measures had by the 2019 review been implemented and an automated process runs daily to identify those records that have reached three years since their receipt.
The 2013 review recommended Australia to set up a reporting mechanism that would enable Australia to inform Member States if PNR data received under the Agreement, or analytical information containing such data, were to be eventually shared with a third country. According to the information provided during the 2019 review, the EU team considers that further improvements can be made for the development of reporting mechanisms and has issued a recommendation in this respect. In addition, the 2013 review recommended Australia to ensure that safeguards set out in the Agreement are also afforded to extracted PNR data. According to the information provided during the 2019 review, information sharing of PNR data must meet specific disclosure provisions in addition to the conditions of the PNR Agreement, and an appropriate caveat is applied to the extracted data transferred to partner law enforcement agencies. The 2013 review also recommended for Australia to enhance its efforts to ensure reciprocity and pro-actively share analytical information obtained from PNR data with Member States and, where appropriate, with Europol and Eurojust. Whilst improvements have been made and while the Department fully complies with the provisions of the Agreement under Article 6 on the police and judicial cooperation, the EU team notes that there is still room for improvement and cooperation with the EU Member States, Europol and Eurojust.
The outcome of the 2019 joint review
The EU team continues to find that Australia has implemented the Agreement in line with the conditions set out therein. The Department respects its obligations as regards data protection safeguards and processed PNR data in compliance with the strict conditions set out in the Agreement. The Department complies with the obligation of non-discrimination and the obligation not to process sensitive data. Moreover, the Department complies with its obligation to provide the right of access, rectification, erasure and redress and the processing of PNR data is subject to a high level of independent oversight by the Office of the Australian Information Commissioner.
Nevertheless, Australia is invited to address the following recommendations:
-To enhance the process for PNR data sharing and operational cooperation between Europol, Eurojust, Member States’ competent authorities and the Australian competent authorities.
-To put in place mechanisms aiming to immediately delete sensitive data, if transferred by the air carriers. The EU team recognises the Department’s confirmation, received in the meantime, that work has already commenced into putting these mechanisms in place.
-To ensure the limitation of access rights of officials to PNR data.
-For the periodical assessments made by the Office of the Australian Information Commissioner, to include also compliance to other relevant principles in the context of the processing of PNR data like cross-border disclosure of personal data or the deletion of sensitive data.
-To put in place follow-up controls to ensure that all the conditions in Article 18 are fulfilled, in particular on specific restrictions to the access, use and further disclosure of the information.
-To respect its commitments to set up a reporting mechanism to provide information in line with Article 19 and the joint declaration to the Agreement, including to EU Member States where the data of a European Union citizen or resident is transferred to a third country.
-To further improve information to passengers in relation to the processing of PNR data and to encourage air carriers to provide passengers with information in relation to the collection, processing and purpose of the use of PNR data.
(1)
Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, OJ L 186, 14.7.2012, p.4.
(2)
Report from the Commission to the European Parliament and the Council on the joint review of the implementation of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, COM/2014/0458 final.
(3)
Report from the Commission to the European Parliament and the Council of the Joint Evaluation of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to Australia, COM(2020)702.