Explanatory Memorandum to COM(2021)16 - EU position in the International Civil Aviation Organization as regards Amendment 28 to Annex 9 Section D to the Convention on International Civil Aviation

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. Subject matter of the proposal

This proposal concerns the decision establishing the position to be taken on behalf of the European Union in the International Civil Aviation Organization (ICAO) in connection with Amendment 28 to Annex 9 on Facilitation to the Convention on International Civil Aviation (the ‘Chicago Convention’). The ICAO Council adopted this Amendment on 23 June 2020.

Amendment 28 relates to the rules for processing of Passenger Name Record (PNR) data, which are addressed in Section D, Chapter 9 of Annex 9.

PNR data are personal data of passengers collected by airlines for their business purposes, unlike other travel-related data collected by them on behalf of the authorities such as Advance Passenger Information (API). Law enforcement authorities around the world increasingly use the PNR data transferred to them by airlines to fight terrorism and other forms of serious crime.

2. Context of the proposal

2.1. The Convention on International Civil Aviation (the ‘Chicago Convention’)

The Chicago Convention aims to regulate international air transport. It entered into force on 4 April 1947 and established the International Civil Aviation Organization, or ICAO.

All EU Member States are Parties to the Chicago Convention.

2.2. The International Civil Aviation Organization

ICAO is a specialised agency of the United Nations. The objectives of the Organization are to develop the principles and techniques of international air navigation and to foster the planning and development of international air transport.

The ICAO Council is a permanent body of ICAO with a membership of 36 Contracting States elected by the ICAO Assembly for a three-year term. For the period 2019-2022, there are seven EU Member States represented in the ICAO Council1.

Mandatory functions of the ICAO Council, listed in Article 54 of the Chicago Convention, include the adoption of international Standards and Recommended Practices (also known as SARPs), designated as Annexes to the Chicago Convention. Standards are specifications for which a uniform application is considered necessary, whereas Recommended Practices are not mandatory.

The ICAO Council also convenes the Assembly, which is ICAO’s sovereign body. The ICAO Assembly meets at least once every three years and establishes the Organization’s political direction for the upcoming triennium. The 40th Session of the ICAO Assembly took place on 24 September-4 October 2019 in Montreal, Canada.

2.3. The process for updating ICAO Standards and Recommended Practices (SARPs) on PNR

The elaboration of new PNR international Standard and Recommended Practices (SARPs) is rooted in United Nations Security Council Resolution 2396 (2017), adopted on 21 December 20172. The Resolution requires UN Member States to ‘develop the capability to collect,

1 These are Finland, France, Germany, Greece, Italy, Netherlands and Spain.

2 Security Council resolution 2396 (2017) of 21 December 2017 on threats to international peace and security caused by returning foreign terrorist fighters.

process and analyse, in furtherance of ICAO standards and recommended practices, passenger name record (PNR) data and to ensure PNR data is used by and shared with all their competent national authorities, with full respect for human rights and fundamental freedoms’. It also urges ICAO ‘to work with its Member States to establish a standard for the collection, use, processing and protection of PNR data’.

The drafting of proposals to review the PNR SARPs was entrusted to an expert group, the ICAO PNR Task Force, set up by the ICAO Air Transport Committee (ATC) in March 2019. The work of the Task Force concluded in December 2019 and was reviewed by the ICAO Facilitation Panel in January 2020.

The proposals of the ICAO Facilitation Panel were endorsed by the ATC on 7 February 2020. Such endorsement was followed by a formal consultation of the ICAO Member States by way of ICAO State letter 2020 14E. The State consultation concluded on 15 May 2020.

Following the State consultation, the ICAO Secretariat analysed the responses received from States and presented a proposal to the ATC. The Secretariat proposal was practically identical to the outcome of the Facilitation Panel meeting in January 2020. Similarly, as its meeting of 19 June 2019, the ATC recommended the ICAO Council to adopt the PNR SARPs as presented by the Secretariat with only minor corrections.

On 23 June 2020, during the Tenth Meeting of its 220th Session, the ICAO Council adopted Amendment 28 to Annex 9 to the Chicago Convention. As noted above, Annex 9 lays down international standards on Facilitation and its Chapter 9, Section D relates specifically to PNR.

1.

On 17 July 2020, ICAO informed its Member States of the adoption of Amendment 28 through another State letter (EC 6/3-20/71). The Amendment became effective on 30 October


2.

2020, unless a majority of States register their disapproval by that date in accordance with Article 90 of the Chicago Convention. The Amendment will be applicable as of 28 February


2021. However, the ICAO Member States can notify, by 30 January 2020, any differences between their national regulations and practices and those enshrined in the Standards laid down by Amendment 28 if they consider that certain differences exists between their domestic regulations or practices and any of the Standards. Such notification must be submitted in accordance with Article 38 of the Chicago Convention and the applicable mechanism for the filing of differences.

2.4. The PNR-aspects of Amendment 28 to Annex 9

If effective, Amendment 28 will replace existing Standards 9.22-9.22.1 and Recommended Practice 9.23 with new SARPs 9.23-9.38. These SARPs are significantly more detailed than the existing framework, covering among others aspects related to purpose limitation, oversight, data subject’s rights, the transmission method, data retention, the processing of sensitive data and the relationship between the Contracting States to the Chicago Convention concerning PNR data transfers. Some of the non-binding guidance provided in ICAO Document 9944 setting out guidelines on PNR data3 has been upgraded to the new Standards.

Standard 9.23 requires the contracting States to develop the capability to collect, use, process and protect PNR and to translate the rules for the practical implementation of this capability in the appropriate internal legal and administrative framework in consistency with the SARPs. The mandatory character of the development of PNR-processing capabilities is in line with United Nations Security Council Resolution 2396 (2017).

ICAO, Guidelines on Passenger Name Record (PNR) Data, First Edition — 2010.

3

Standard 9.24 requires contracting States, in full compliance with human rights and fundamental freedoms, to clearly identify the PNR data to be used in their operations and set the purposes for which PNR data may be used by the authorities. Such purposes should be no wider than necessary, including, in particular, border security purposes to fight terrorism and serious crime. In addition, the disclosure of PNR data within the receiving State or in others should be limited to authorities competent that exercise relevant functions related to the purposes for which PNR data are processed. These authorities should also ensure comparable protections as those afforded by the disclosing authority.

Standard 9.25 establishes requirements concerning data security and the rights of individuals in relation to the processing of their PNR data, including as regards non-discrimination, the provision of information, administrative and judicial redress, access to data and the possibility to request corrections, deletions or notations. Recommended Practice 26 encourages States to notify individuals about the processing of their PNR data and the rights and means of redress afforded to them.

Standard 9.27 requires contracting States to base the automated processing of PNR data on objective, precise and reliable criteria that effectively indicate the existence of a risk, without leading to unlawful differentiation, and refrain from making decisions that produce significant adverse actions affecting the individuals’ legal interest based solely on the automated processing of PNR data.

Under Standard 9.28, States are required to designate one (or more) competent domestic authority(ies) with the power to conduct independent oversight of the protection of PNR data and determine whether PNR data are being collected, used, processed and protected with full respect for human rights and fundamental freedoms.

Standard 9.29 precludes States from requiring airlines to collect PNR data that are not required as part of their normal business operating procedures, or to filter such data prior to transmission. It also prohibits the processing of sensitive data – that is, PNR data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning their health, sexual life or sexual orientation – except in exceptional and immediate circumstances to protect the vital interests of the data subject or of another natural person. In the event such data are transmitted, States are required to delete them as soon as practicable.

Standard 9.30 lays down obligations concerning data retention and the de-personalisation and re-personalisation of PNR data, requiring States to only retain the data for a set period as defined in their legal and administrative framework which shall be that period necessary and proportionate for the purposes for which the PNR data is used, and mask it after an established timeframe. Following masking, re-personalisation should only be possible when the data is to be used in connection with an ongoing case, threat or risk related to the purposes for which PNR data can be processed. Recommended Practice 9.32 suggests a maximum retention period of five years and Recommended Practice 9.33 proposes that PNR data should be de-personalised within six months and no later than two years from the moment it is transferred by airlines.

Standard 9.33 establishes that PNR data should be, as a rule, transmitted through the less privacy-intrusive push method. It also seeks to minimise burdens on air carriers by limiting the ability of States to impose fines for transmission errors in certain circumstances and by requiring them to limit the number of push times.

3.

Standard 9.34(a) requires contracting States not to inhibit or prevent the transfer of PNR data to another contracting State that complies with the new Standards. At the same time, Standard


9.34(b) provides that ICAO contracting States shall retain the ability to introduce or maintain higher levels of protection of PNR data, in accordance with their domestic legal framework, and to enter into additional arrangements with other States, in particular, with a view to comply with their internal legal requirements, or establish more detailed provisions relating to PNR data processing and transfer provided that those measures do not otherwise conflict with the Standards.

Under Standard 9.35, contracting States may be called to demonstrate their compliance with the new Standards upon request from another State. Where contracting States determine that they must impede PNR data transfers or fine an air carrier, Standard 9.36 requires them to do so in a transparent manner and with the intent of resolving the situation.

Recommended Practice 9.37 encourages States to notify others maintaining air travel with them of any significant changes in their PNR programme, including as regards compliance with the SARPs. Recommended Practice 9.38 suggests that air carriers are not penalised by States while they attempt to resolve disputes regarding PNR data transfers.

2.5. The applicable EU legal framework

The processing of PNR data constitutes an essential instrument in the EU’s common response to terrorism and serious crime and a building block of the Security Union. Identifying and tracing suspicious travel patterns by processing PNR to gather evidence and, where relevant, find associates of criminals and unravel criminal networks has proven essential to prevent, detect, investigate and prosecute terrorist and serious crime offences. At the same time, processing of PNR data constitutes an interference with the rights to privacy and protection of personal data as enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the EU (‘Charter’). In accordance with Article 52(1) of the Charter, it shall therefore be provided for by law, respect the essence of the rights concerned and, subject to the principle of proportionality, be allowed only insofar as it is necessary and genuinely meet an objective of general interest of the Union or the need to protect the rights and freedoms of others. One such objective of general interest is the protection of citizens from serious security threats.

On 27 April 2016, the European Parliament and the Council adopted the Directive (EU) 2016/681 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime4. This Directive enables national authorities to require air carriers to transfer PNR data, while providing safeguards for individuals’ rights to privacy and data protection. The deadline for the Member States to transpose the legislation into national law was 25 May 2018. The review5 of the first two years of application of the Directive carried out in 2020 showed that the processing of PNR data had delivered tangible results in the fight against terrorism and serious crime.

Also in April 2016, the European Parliament and the Council adopted new EU data protection rules: Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR6) and

4.

Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of


passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist

offences and serious crime, OJ L 119, 4.5.2016, p. 132–149.

5.

Report from the Commission to the European Parliament and the Council on the review of Directive


6.

2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and


prosecution of terrorist offences and serious crime, COM(2020) 305 final. For further details, see the Staff

Working Document accompanying the Report (SWD(2020) 128 final).

7.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection


of natural persons with regard to the processing of personal data and on the free movement of such data, and

repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119,

4.5.2016, p. 1.

4

5

6

Directive (EU) 2016/680 (on data protection in the law enforcement sector7). Among others, the GDPR lays down rules on international transfers of personal data that are applicable to the transmission of PNR data by air carriers. Directive (EU) 2016/680 regulates the processing of personal data by law enforcement authorities and completes the regime of Directive (EU) 2016/681 on aspects such as data subject rights and case-by-case transfers of data to law enforcement authorities in third countries.

There are currently two international agreements in place between the EU and third countries (namely Australia8 and the United States9) on the processing and transfer of PNR data. On 26 July 2017, the Court of Justice of the European Union issued an Opinion (henceforth Opinion 1/1510) on the envisaged Agreement on the transfer and processing of PNR data between the EU and Canada, signed on 25 June 2014. The Court found that the agreement could not be concluded in its intended form because some of its provisions were incompatible with the fundamental rights to privacy and to personal data protection protected by the Charter. In particular, the Court interpreted the relevant Charter provisions as requiring specific safeguards with regard to oversight by an independent authority, processing of sensitive data, automated processing of PNR data and non-discrimination, purposes for which PNR data may be processed, and the retention, use, disclosure and further transfer of PNR data. Further to the adoption of negotiating directives by the Council in December 2017, the Commission begun new PNR negotiations with Canada in June 2018.

More generally, an increasing number of third countries are collecting PNR data from air carriers and several of them have approached the Commission over the past few years to express their interest in concluding an international agreement on PNR with the EU. In the absence of a legal basis allowing for data transfers, air carriers are confronted with a situation of conflict of laws and risk fines and other sanctions. At the same time, further to the implementation of Directive (EU) 2016/681, EU Member States are requesting air carriers from third countries to transfer PNR data to their Passenger Information Units. A number of third countries have refused such transfers – and others have threatened to do so – as a retaliatory measure due to the impossibility of receiving PNR data from the EU, therefore compromising the effectiveness of the EU PNR mechanism.

The EU approach to PNR data transfers to third countries dates back to 201011 and predates the adoption of Directive (EU) 2016/681, the reform of the EU data protection framework and Opinion 1/15 of the Court of Justice. The EU Security Union Strategy for the period 2020 to 2025 envisages the review of the approach as a mid-term action12.

7 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89.

8 Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service, OJ L 186, 14.7.2012, p. 4. The joint review and evaluation of this agreement are currently ongoing.

9 Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ L 215, 11.8.2012, p. 5. The joint evaluation of this agreement is currently ongoing.

10 Opinion 1/15 of the Court (grand chamber), 26 July 2017.

11 Communication from the Commission on the global approach to transfers of Passenger Name Record (PNR) data to third countries, COM (2010) 492 final.

12 Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, COM (2020) 605 final.

3. Position to be taken on the Union’s behalf

3.1. Background

The Union strongly supports the development of new international standards on PNR and has actively contributed to the elaboration of the SARPs laid down in Amendment 28 to Annex 9.

The subject matter of Section D, Chapter 9 of Annex 9 of Amendment 28 concerns an area for which the Union has exclusive competence by virtue of the last limb of Article 3(2) of the Treaty on the Functioning of the European Union (TFEU), as it is liable to affect common rules on PNR and data protection.

Accordingly, throughout the discussions within the ICAO preparatory bodies, the approach of the EU Member States and of the Commission (as observer) was guided by the orientations set out in Council Decision (EU) 2019/2107 of 28 November 2019 laying down the Union position13. This position reflects the requirements of the EU legal framework on PNR and data protection, notably under Directive (EU) 2016/681, Regulation (EU) 2016/679, Directive (EU) 2016/680, as well as under the Charter as interpreted in the relevant case law of the Court of Justice, in particular Opinion 1/15.

On 25 March 2020, the Council of the EU endorsed a further Union position14 on the reply to the ICAO State letter 2020 14E through which Contracting States were consulted on the draft SARPs. The position welcomed the work undertaken by ICAO to develop the SARPs, and highlighted the importance of the protection of fundamental rights, including the protection of personal data, in the processing of PNR. Therefore, it submitted a drafting proposal aimed at amending (then draft) Standard 9.34. Its objective was to reinforce the text of this Standard in order to ensure that the ability of Contracting States to establish stricter requirements for PNR data transfers is clearly reflected in the SARPs.

It is to be noted that in the revision process following the State consultation, the ICAO Secretariat did not take into account the drafting suggestions submitted by the EU Member States, nor amendments proposed by any other ICAO contracting States, and retained the draft text resulting from the Facilitation Panel at its meeting of January 2020. Instead, the ICAO Secretariat proposed that ‘States that have made proposals to amend the provision should be invited to submit their proposal(s) to amend the text in Paragraph 9.34 to the next meeting of the Facilitation Panel (FALP/12), planned for July 2021’.

On 23 June 2020, during the ICAO Council meeting where Amendment 28 was adopted, the EU Member States stressed again the importance of striking the necessary balance between data availability and data protection and referred to the above-mentioned Union positions as submitted during the State consultation process. They also underlined the importance of ensuring high data protection levels and explicitly referred to the obligations stemming from the EU’s legal framework. In particular, the EU Member States emphasised the importance of the SARPs, in particular of Standard 9.34, arguing that it should be interpreted in such a way to allow States to retain the ability to require from other contracting States not only to demonstrate compliance of their legal framework with the SARPs but also the fulfilment of higher data protection standards, notably for enabling PNR data transfers, when so required by their domestic legal frameworks.

Council Decision (EU) 2019/2107 of 28 November 2019 on the position to be taken on behalf of the European Union within the Council of the International Civil Aviation Organization as regards the revision of Chapter 9 of Annex 9 (Facilitation) to the Convention on International Civil Aviation in respect of standards and recommended practices on passenger name record data, OJ L 318, 10.12.2019, p. 117–122.

Union Position on the reply to ICAO State letter as regards the revision of chapter 9 of annex 9 (Facilitation) to the Convention on International Civil Aviation in respects of standards and recommended practices on passenger name record data Approval, ST 6744 2020 INIT.

3

4

3.2. Proposed position

The present proposal for a Council Decision is necessary to adopt, within the timeframe set by the ICAO State letter EC 6/3-20/71, the position to be taken on the Union’s behalf with regard to the ICAO Council adoption of the new PNR SARPs.

The new PNR SARPs set out in Amendment 28 (Section D, Chapter 9 of Annex 9) largely follow the lines of the Union position enshrined in Council Decision (EU) 2019/2107. As such, they lay down ambitious safeguards on data protection, notably on data subject rights, oversight by an independent authority, sensitive data, automated processing of PNR data and non-discrimination, purposes for which PNR data may be processed, and the retention, use, disclosure and further transfer of PNR data.

In the Commission’s view, the SARPs allow significant progress to be achieved at international level in relation to the protection and use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Therefore, no disapproval should be notified by the EU Member States under Article 90 of the Chicago Convention, in particular since such a notification would also undermine the efforts to establish higher standards for the protection of PNR data worldwide if compared to the current ICAO rules of PNR.

The SARPs also take into consideration, in Standard 9.34(b), that the contracting States – such as the EU Member States - may retain the ability to maintain or introduce higher levels of protection in accordance with their domestic legal and administrative framework, and to enter into additional arrangements with other States in order to establish more detailed provisions relating to the transfer of PNR data. Under EU law, transfers by airlines of PNR data processed in the EU to a law enforcement authority in a third country must, in particular, meet the requirements of Chapter V of the GDPR and those resulting from the Charter, as specified in particular in the Court’s Opinion 1/15. Those requirements are more exacting than what is required under the PNR SARPs contained in Amendment 28.

In this context, Standard 9.34(a) requires Contracting States not to inhibit or prevent the transfer of PNR data to another Contracting State that complies with the SARPs, the current language of the Standard 9.34 is, from the perspective of the European Union and its Member States, not sufficiently clear in legal terms in expressing that the EU Member States are not precluded from imposing those requirements notwithstanding Standard 9.34.

For this reason, the Commission considers that Member States should notify a difference, pursuant to Article 38 of the Chicago Convention. Such difference, described in the Annex to the present Proposal for Council Decision, should remain strictly limited to what is necessary to avoid any doubt as to the prerogative for the EU Member States to impose more exacting requirements for PNR data transfers to third countries, and consequently to inhibit such transfers if such requirements are not fulfilled.

4. Legal basis

4.1. Procedural legal basis

4.1.1. Principles

Article 218(9) TFEU provides for decisions establishing ‘the positions to be adopted on the Union’s behalf in a body set up by an agreement, when that body is called upon to adopt acts having legal effects, with the exception of acts supplementing or amending the institutional framework of the agreement.’

Article 218(9) TFEU applies regardless of whether the Union is a member of the body or a party to the agreement15.

The concept of ‘acts having legal effects’ includes acts that have legal effects by virtue of the rules of international law governing the body in question. It also includes instruments that do not have a binding effect under international law, but that are ‘capable of decisively influencing the content of the legislation adopted by the EU legislature16.

4.1.2. Application to the present case

ICAO is a body set up by an international agreement, namely the Chicago Convention.

Amendment 28 to Annex 9 to the Chicago Convention contains standards that are, in principle, binding, upon ICAO members, among which the Member States of the Union and thus constitutes an act having legal effects. Certain of those legal effects depend however on the notification of differences, and the terms of such notification. Therefore, the adoption of a Union position in respect of such notification falls within the scope of Article 218(9) TFEU.

The legal effects of the standards and of any differences to be notified fall in an area covered by Union rules, notably Directive (EU) 2016/681 as well as the existing and future international agreements on PNR between the EU and third countries. This entails that, in accordance with Article 3(2) TFEU, the Union has exclusive competence in this matter.

The notification of differences does not entail that the institutional framework of the Chicago agreement be supplemented or amended.

4.2. Substantive legal basis

4.2.1. Principles

The substantive legal basis for a decision under Article 218(9) TFEU depends primarily on the objective and content of the act in respect of which a position is taken on the Union's behalf. If the act pursues two aims or has two components and if one of those aims or components is identifiable as the main one, whereas the other is merely incidental, the decision under Article 218(9) TFEU must be founded on a single substantive legal basis, namely that required by the main or predominant aim or component.

With regard to an act that simultaneously pursues a number of objectives, or that has several components, which are inseparably linked without one being incidental to the other, the substantive legal basis of a decision under Article 218(9) TFEU will have to include, exceptionally, the various corresponding legal bases.

4.2.2. Application to the present case

Amendment 28 to Annex 9 to the Chicago Convention pursues objectives and has components in the areas of data protection and police cooperation. These elements are inseparably linked without one being incidental to the other.

Therefore, the substantive legal basis of the proposed decision comprises the following provisions: Article 16(2) and Article 87(2)(a) TFEU.

15 Judgment of the Court of Justice of 7 October 2014, Germany v Council, C-399/12, ECLI:EU:C:2014:2258, paragraph 64:‘[..] the European Union, while not a party to the OIV Agreement, is entitled to establish a position to be adopted on its behalf with regard to those recommendations, in view of their direct impact on the European Union’s acquis in that area.]

16 Judgment of the Court of Justice of 7 October 2014, Germany v Council, C-399/12, ECLI:EU:C:2014:2258,

8.

paragraphs


61 to 64.

4.3. Conclusion

The legal basis of the proposed decision should be Article 16(2) and Article 87(2)(a) TFEU, in conjunction with Article 218(9) TFEU.