Explanatory Memorandum to COM(2007)654 - Use of Passenger Name Record (PNR) for law enforcement purposes - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2007)654 - Use of Passenger Name Record (PNR) for law enforcement purposes. |
|---|---|
| source | COM(2007)654  |
| date | 06-11-2007 |
- Grounds for and objectives of the proposal
Terrorism currently constitutes one of the greatest threats to security, peace, stability, democracy and fundamental rights, values on which the European Union is founded, as well as a direct threat to European citizens. The threat of terrorism is not restricted to specific geographic zones. Terrorists and terrorist organisations can be found both within and outside the borders of the EU and have proved their ability to carry out attacks and acts of violence in any continent and against any country. The 'EU Terrorism Situation and Trend Report 2007' of Europol identified that almost all terrorist campaigns are transnational. It is clear that the internal and external aspects of the fight against terrorism are interlinked and that, for any measure to be effective, a close cooperation and an enhanced exchange of information between Member States and their respective services, as well as with Europol and, where appropriate, the competent authorities of third countries, is necessary.
Since 9/11, law enforcement authorities around the world have come to realise the added value of collecting and analysing so-called PNR data in combating terrorism and organised crime. PNR data are related to travel movements, usually flights, and include passport data, name, address, telephone numbers, travel agent, credit card number, history of changes in the flight schedule, seat preferences and other information. The PNR data of a certain passenger usually does not contain all PNR fields, but only those that are actually provided by the passenger at the time of the reservation and information received upon check-in and boarding. It must be noted that air carriers already capture the PNR data of passengers for their own commercial purposes, but that non-air carriers do not capture such data. The collection and analysis of PNR data allows the law enforcement authorities to identify high risk persons and to take appropriate measures.
Until now, only a limited number of Member State have adopted legislation to set up mechanisms to oblige air carriers to provide the relevant PNR data and to have such data analysed by the competent authorities. This means that the potential benefits of an EU wide scheme in preventing terrorism and organised crime are not fully realised.
- General context
Currently, arrangements for the transmission of PNR data in the context of the fight against terrorism and transnational organised crime have been concluded between the EU and the United States and Canada and are limited to travel by air. These require that air carriers, which were already capturing the PNR data of passengers for their own commercial purposes, are obliged to transmit these data to the competent authorities of the USA and Canada. On the basis of an exchange of information with these third countries, the EU has been able to assess the value of PNR data and to realise its potential for law enforcement purposes. The EU has further been able to learn from the experiences of such third countries in the use of PNR data, as well as from the experience of the UK from its pilot project. More specifically, the UK was able to report numerous arrests, identification of human trafficking networks and gaining of valuable intelligence in relation to terrorism in the two years of the operation of its pilot project.
The European Council of 25-26 March 2004 invited the Commission to bring forward a proposal for a common EU approach to the use of passengers' data for law enforcement purposes. This invitation has been reiterated twice, namely on 4-5 November 2004 in The Hague Programme and at the extraordinary Council meeting of 13 July 2005. A European policy in this area had also been announced already in the Commission Communication 'Transfer of Air Passenger Name Record (PNR) Data: A global EU approach' of 16 December 2003.
- Existing provisions in the area of the proposal
Currently air carriers have an obligation to communicate Advance Passenger Information (API) to the competent authorities of the Member States, under Council Directive 2004/82/EC. This measure aims to provide a means to border control authorities to enhance border control and to fight illegal immigration. Under this Directive, Member States are obliged to take the necessary national measures to ensure that air carriers transmit, at the request of the authorities responsible for carrying out checks on persons at external borders, information concerning the passengers of a flight. Such information includes only the API Data, which is basically biographical data. Such data include the number and type of travel document used, nationality, full names, the date of birth, the border crossing point of entry, code of transport, departure and arrival time of the transportation, total number of passengers carried on that transport and the initial point of embarkation. The information contained in the API data may also help to identify known terrorists and criminals by running their names against alert systems, such as the SIS.
For the purposes of the fight against terrorism and organised crime, the information contained in the API data would be sufficient only for identifying known terrorists and criminals by using alert systems. API data are official data, as they stem from passports, and sufficiently accurate as to the identity of a person. On the other hand, PNR data contains more data elements and are available in advance of API data. Such data elements are a very important tool for carrying out risk assessments of the persons, for obtaining intelligence and for making associations between known and unknown people.
- Consistency with the other policies and objectives of the Union
The proposal is fully in line with the overall objective of creating an European area of freedom, security and justice. It also complies with fundamental rights provisions, particularly with respect to the protection of personal data and the privacy of the persons concerned.
- Consultation of interested parties
Consultation methods, main sectors targeted and general profile of respondents
Several meetings and consultations were organised under the negotiations on the transfer of PNR data to the United States and on the transfer of Advance Passenger Information and PNR data to Canada. Further to the meetings organised by the Commission services with associations of air carriers and representatives of computer reservation systems, three dedicated meetings on a possible initiative on the development of an EU policy on the use of passenger data have been organised under the umbrella of the Forum on the prevention of transnational organised crime.
For the purposes of the preparation of this proposal, the Commission services further consulted all the relevant stakeholders by way of a questionnaire which was sent out in December 2006. Subsequently, the Commission invited member State representatives to a meeting in Brussels on the 2 February 2007, during which the representatives of the Member States had the opportunity to exchange their views.
The questionnaire was sent to:
- All the Member States
- The data protection authorities of the Member States
- The European Data Protection Supervisor (EDPS)
- The Association of European Airlines (AEA)
- The Air Transport Association of America
- The International Air Carrier Association (IACA)
- The European Regions Airline Association (ERA)
- The International Air Transport Association (IATA)
Replies were received from 24 Member States; a joint reply was received from the national data protection authorities of the Member States. Replies were also received from the EDPS, the Air Transport Association of America, the International Air Carrier Association (IACA), the Association of European Airlines (AEA), the European Regions Airline Association (ERA), the International Air Transport Association (IATA), LOT Polish Airlines and Austrian Airlines.
The data protection authorities of the Member States, meeting as a consultative body to the Commission under the umbrella of the Article 29 Working Party, have issued a number of opinions on the use of PNR data as well.
The consultation process has had a major impact on shaping the legislative proposal. More specifically, such impact affected:
- The choice of the policy option: it became clear from the replies which were received to the questionnaire that most of the Member States are clearly in favour of a legislative instrument which would regulate a common EU approach on the matter. The Article 29 Working Party was not convinced of the necessity of such a proposal and is therefore opposed to the proposal, but it noted that once the necessity is established or several Member States would be considering the development of a national PNR systems, then harmonisation of such measures at an EU level should be preferred.
- The scope of the proposal as regards the modes of transport: the majority of the consulted parties agrees that the scope of the proposal should be limited to air transport.
- The geographical scope of the proposal: most parties consulted believe that the geographical scope of the proposal should be limited to flights from third countries to the EU and from the EU to third countries.
- The use of and purpose for collecting the PNR data: The collection of PNR data should be used for the purposes of the third pillar only, i.e. the prevention of and fight against terrorism and related crimes and other serious crimes, including transnational organised crime.
- The data retention period: It was commonly agreed that, for the system to be effective, the data need to be retained for a period of 5 years, unless they were used for a crime investigation or an intelligence operation.
- The body receiving the PNR data: The majority of the Member States is in favour of the idea that the data be received by a Passenger Information Unit which will be identified within each Member State, while other Member States are in favour of a centralised EU Unit which would receive data from air carriers from all the Member States.
- The method of data transmission: The 'push' method of transmission is preferred to the 'pull' method by all parties consulted. The main difference of the two methods is that in the 'push' method, the data are being transmitted by the carrier to the national authority, whereas in the 'pull' method the national authority obtains access to the reservation system of the air carrier and takes the data.
- The onward transfers of the PNR data: Most of the consulted parties are in favour of the PNR data being transmitted to the national competent authorities and to the competent authorities of other Member States. Some Member States are in favour of the data being transmitted also to the competent authorities of third countries.
- Collection and use of expertise
There was no need for external expertise.
- Impact assessment
For the Impact Assessment, two main options with a number of variables were examined - the no change option and the option of a legislative proposal. Additionally, at an early stage the option of encouraging co-operation between the Member States in this field was rejected, since it was considered that this option would not achieve the desired objectives. Some Member States had suggested to expand the scope of the proposal so that it would also cover sea and rail travel. This option was also rejected at an early stage due to considerations of costs and the lack of existing systems which collect the relevant data.
The Impact Assessment concluded that the preferred option is a legislative proposal with a decentralised system for processing the data. The 'no action' policy option does not present any real strength in improving security in the EU. On the contrary, it is anticipated that, bearing in mind the way that this field is currently developing, it will have negative impacts in the sense of creating administrative difficulties stemming from numerous diverging systems.
The legislative proposal policy option possesses the clear advantage of increasing security in the form of reducing the risk of terrorist attacks and of serious crimes and transnational organised crime being committed on the territory of the EU. Moreover, this policy option would provide harmonisation of the various aspects of the systems for the exchange and use of PNR and of the safeguards given to persons aimed to protect their right to privacy.
Between the 'no action' policy and the legislative proposal policy, the legislative proposal presents clear advantages.
Between the two options for a legislative proposal, the option of a decentralised collection of data presents advantages over the centralised option in relation to the increase to the security of the EU. The option of a centralised collection of data would have a high risk of failure because of the vast amounts of data that a centralised unit would receive, the complications of the different types of processing being carried out. Further, for such a unit to be operable, it would need to have access to various national databases of all Member States.
With regard to the impact of the proposal on relations with third countries, it cannot be excluded that some countries may request reciprocal access to PNR data relating to flights from the EU to their territories, even though in practice such an eventuality is very remote. The Union's existing agreements on PNR data with the US and Canada foresee such reciprocal treatment which may be enforced automatically.
The Commission carried out an impact assessment listed in the Work Programme i.
Contents
- Summary of the proposed action
The proposal aims to harmonise Member State's provisions on obligations for air carriers operating flights to or from the territory of at least one Member State regarding the transmission of PNR data to the competent authorities for the purpose of preventing and fighting terrorist offences and organised crime. All processing of PNR data under the proposal will be governed by the Council Framework Decision (xx/xx) on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters.
- Legal basis
The Treaty on European Union, and in particular Article 29, Article 30(1)(b) and Article 34(2)(b).
- Subsidiarity principle
The subsidiarity principle applies to the action by the Union.
The objectives of the proposal cannot be sufficiently achieved by the Member States for the following reasons.
The main reason why action by Member States would not be sufficient to achieve the objectives is that it is impossible for the Member States alone to achieve appropriate harmonisation of legal obligations in this area to be imposed on all air carriers operating flights into or from the European Union.
Action by Member States alone would not achieve the Member States interest because they would not be assured of having the relevant PNR data made available to them by the authorities of other Member States - this can only be guaranteed by an EU wide scheme.
Union action will better achieve the objectives of the proposal for the following reasons.
Action by the EU will better achieve the objectives of the proposal because a harmonised approach makes it possible to ensure EU wide exchange of the relevant information. Also, it makes it possible to provide for a harmonised approach towards the outside world.
The qualitative indicator which demonstrates that the objective can be better achieved by the Union is a more effective action in the fight against terrorism and organised crime.
The proposal therefore complies with the subsidiarity principle.
- Proportionality principle
The proposal complies with the proportionality principle for the following reasons.
The scope of the proposal is limited to those elements which require a harmonised EU approach - including the definition of the tasks of the PNR Units, the data elements which need to be collected, the purposes for which the information may be used, the communication of the data between the PNR units of the Member States, and the technical conditions for such communication.
The proposed action is a Framework Decision which leaves as much scope as possible to the national decision makers. Also, the choice for a decentralised system means that the member States have the choice of how and where they set up their PNR system, and to decide themselves on the technical aspects of it. The harmonisation aspects are limited to those strictly necessary, such as the technical aspects of the communication systems needed to exchange the data with other Member States.
The financial and administrative burden falling on the community has been minimised through the choice for a decentralised system. Setting up and maintaining a centralised EU system for the collection and processing would entail significant costs.
- Choice of instruments
Proposed instruments: Framework Decision based on Article 34(2)(b) TEU.
Other means would not be adequate for the following reason.
As the aim is approximating Member States' legislation, other instruments than a Framework Decision are not appropriate.
The proposal has no implication for the Community budget.
- Simulation, pilot phase and transitory period
There was or there will be a transitory period for the proposal.
- Review/revision/sunset clause
The proposal includes a review clause.