Explanatory Memorandum to COM(2024)95 - Conclusion of an agreement with Canada on the transfer and processing of Passenger Name Record (PNR) data - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2024)95 - Conclusion of an agreement with Canada on the transfer and processing of Passenger Name Record (PNR) data. |
|---|---|
| source | COM(2024)95 |
| date | 04-03-2024 |
The present proposal concerns the conclusion of an Agreement between the Canada and the European Union on the transfer and processing of Passenger Name Record (PNR) data (hereafter “the Agreement”).
1. CONTEXT OF THE PROPOSAL
Passenger name record (PNR) data is information provided by passengers and collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes. The content of PNR data varies depending on the information given during the booking and check-in process and may include, for example, dates of travel and the complete travel itinerary of the passenger or group of passengers travelling together, contact details like address and phone number, payment information, seat number and baggage information.
The collection and analysis of PNR data can provide the authorities with important elements allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement authorities. Accordingly, the processing of PNR data has become a widely used law enforcement tool, in the EU and beyond, to detect terrorism and other forms of serious crime, such as drug-related offences, human trafficking and child sexual exploitation, and to prevent such crime from being committed. It has also proven to constitute an important source of information to support the investigation and prosecution of cases where such illegal activities have been committed1.
Canadian legislation requires air carriers operating passenger flights to Canada to provide the Canada Border Services Agency (CBSA) with PNR data, prior to the passenger arrival to Canada to the extent such data is collected and contained in the air carriers' automated reservation and departure control systems in the normal course of their business. This legislation aims to significantly enhance CBSA's ability to conduct efficient and effective advance travel risk assessment of passengers and to facilitate bona fide travel, thereby enhancing the security of Canada in the fight against terrorism and other serious transnational crime.
The EU cooperates with Canada in the fight against terrorism and other serious transnational crime and considers the transfer of PNR data to Canada as a means to foster international law enforcement cooperation.
For this purpose, the European Community signed an Agreement in 2005 with Canada on the transfer and processing of PNR data.2 The Agreement entered into force on 22 March 2006 and was based on (i) a series of Commitments that the CBSA gave as to the way it would process PNR data and (ii) an adequacy decision issued by the European Commission that considered the Commitments of the CBSA to provide an adequate protection of personal data.3 The Commitments of the CBSA and the adequacy decision expired on 22 September 2009.
Since then, Member States assumed the responsibility for ensuring the continuation of transfers of PNR data to Canada during this interim period, while CBSA confirmed to the Member States, the Council Presidency and the Commission that it will continue implementing its Commitments for such an interim period as it is necessary to negotiate and conclude a long term agreement between the EU and Canada.
In 2010, the EU opened negotiations with Canada for the purpose of concluding a new Agreement laying down the conditions and the framework under which air carriers could transfer to the CBSA the PNR data of passengers flying between the EU and Canada. The new draft Agreement with Canada was signed on 25 June 2014 and submitted by the Council to the European Parliament in July 2014 for consent. On 30 January 2015, the European Parliament requested the Opinion of the Court of Justice as to whether the envisaged PNR Agreement with Canada is compatible with the Treaties and the Charter of Fundamental Rights of the European Union.
On 26 July 2017, the Court of Justice delivered Opinion 1/154 and stated that the envisaged PNR Agreement between Canada and the EU could not be concluded in its form because several of its provisions were incompatible with the fundamental rights recognised by the EU, notably the right to data protection and respect for private life. The Court also held that the legal basis of such an Agreement should be the combination of Article 87(2)(a) TFEU and Article 16(2) TFEU.
Following the issuance of this Opinion, the EU and Canada have opened new negotiations with the purpose of signing a new Agreement in a manner which is compliant with the Court’s requirements. Negotiations with Canada started on 20 June 2018 and, in line with the negotiating directives, focussed on the aspects necessary to draw the consequences from the said Opinion.
After a seventh and last round, which was held on 4 July 2023, the negotiators reached a preliminary agreement on 11 October 2023. The chief negotiators initialled the draft text of the Agreement on 27 November 2023.
The co-legislators have been regularly informed and consulted at all stages of the negotiations, notably by reporting to the Council’s responsible working group and European Parliament’s LIBE Committee. Prior to its initialling, the final draft of the agreement text has also been shared.
• Consistency with existing policy provisions in the policy area
The Commission has first set out the broad lines of it’s the EU’s external PNR policy in a 2003 Communication on the EU approach towards transfers of PNR data from the EU to third countries5, which were reviewed in a Communication adopted in 20106.
There are currently three international agreements in force between the EU and third countries namely Australia7, the United States (2012)8 and the United Kingdom (2020)9 which cover the transfer and processing of PNR data from the EU. In addition to negotiations with Canada, the Commission is authorised to negotiate PNR agreements with Mexico and Japan and, in September 2023, has also recommended the opening of negotiations with Norway10, Iceland11 and Switzerland12.
In 2016, the European Parliament and the Council of the European Union adopted Directive (EU) 2016/681 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’)13. This Directive regulates the transfer and processing of PNR data in the European Union and lays down important safeguards for the protection of fundamental rights, in particular the rights to privacy and the protection of personal data. In its judgment in Case C-817/19 of June 2022, the Court of Justice of the EU confirmed the validity of this Directive, in particular in light of the Charter of Fundamental Rights of the EU and the Union Treaties14.
At international level, an increasing number of third countries have started developing their capabilities to collect PNR data from air carriers. This trend is further prompted by Resolutions adopted by United Nations Security Council (in 2017 and 2019), requiring all States to develop the capability to collect and use PNR data15, based on which Standards and Recommended Practices on PNR (SARPs) were adopted by the International Civil Aviation Organization (ICAO) in 2020, by means of Amendment 28 to Annex 9 to the Chicago Convention which became applicable in February 2021.16
The Union position, as established by Council Decision (EU) 2021/121, welcomes the ICAO SARPs on PNR as laying down ambitious safeguards on data protection and therewith allowing significant progress to be made at international level. At the same time, this Council Decision considered, by means of requiring Member States to register a difference, that the requirements resulting from Union law (including relevant case-law), are more exacting than certain ICAO Standards, and that transfers from the EU to third countries require a legal basis establishing clear and precise rules and safeguards in relation to the use of PNR data by competent authorities of a third country17. In light of this, upon a call from the Council18, the Commission has started considering the demonstration of compliance with ICAO PNR Standards as an important element to take into account for entering into a PNR dialogue with any third country.
2. LEGAL BASIS AND PROPORTIONALITY
• Legal basis
Article 218(6) of the Treaty on the Functioning of the European Union (TFEU) provides for decisions ‘concluding the agreement.’ Since the proposal concerns areas where the ordinary legislative procedure is applied, the consent of the European Parliament is required and, therefore, the procedural legal basis is Article 218(6), point (a)(v) TFEU.
The proposal has two main aims and components, one relating to the necessity of ensuring public security by means of the transfer of PNR data to Canada and the other to the protection of privacy and other fundamental rights and freedoms of individuals. Thus the substantive legal basis is Article 16(2) and Article 87(2)(a) TFEU.
• Proportionality
The Union’s objectives with regard to this proposal as set out above can only be achieved by establishing a valid legal basis at Union level to ensure that appropriate protection of fundamental rights is granted to personal data transfers from the Union. The provisions of the agreement are limited to what is necessary to achieve its main objectives and strike a fair balance between the legitimate objective to maintain public security and the right of everyone to enjoy the protection of their personal data and private life.
• Choice of the instrument
Chapter V of Regulation 2016/67919 (‘GDPR’) requires that any transfer of personal data from the Union to a third countries be based on a valid instrument laying down appropriate safeguards. The present agreement constitutes one of those instruments, i.e. a legally binding and enforceable instrument between public authorities provided for in Article 46(2)(a) of that Regulation.
• Fundamental rights
The exchange of PNR data and its processing by the authorities of a third country constitutes an interference with the fundamental rights to privacy and data protection. However, the Agreement ensures the necessity and proportionality of any such interference in light of the legitimate purposes of the personal data processing, i.e. to prevent, detect, investigate and prosecute serious crime and terrorism. This is guaranteed by the application of adequate data protection safeguards to the personal data transferred and processed, in line with EU law, notably Articles 7, 8, 47 and 52 of the Charter of Fundamental Rights of the EU.
3. BUDGETARY IMPLICATIONS
There are no budgetary implications for the Union budget.
4. OTHER ELEMENTS
• Detailed explanation of the specific provisions of the proposal
The Agreement resulting from the negotiations, attached to the proposed Decision, contains several important safeguards for those persons whose data will be transferred to and processed in Canada. In full alignment with the requirements of the said Court Opinion and the negotiating directives, the provisions of the Agreement subject of the negotiations were notably:
Article 3: the purposes for which PNR data are processed are spelt out clearly and precisely;
Article 8: the processing of sensitive data by Canada is prohibited under the Agreement and should Canada receive such data as part of PNR data under the Agreement, deletion is required;
Article 10: oversight of Canada's compliance with these rules shall be exercised by independent public authorities;
Article 11: individuals are notified of the use of their PNR;
Article 12: individuals may access (only) their own PNR data and are provided with the right to correction, redress and information;
Article 15: automated processing of PNR data will be based only on non-discriminatory and reliable criteria;
Article 16: the maximum retention period of five years will be combined with a requirement to delete the data after passengers’ date of departure, unless a risk assessment indicates that there is a connection based on objective elements from which it may be inferred that the PNR data might make an effective contribution to address the purposes of the Agreement, in addition to the requirement for Canada to review its assessment every two years;
Article 17: any use of PNR data for other purposes than security and border control checks will be subject to prior review by a court or an independent authority;
Article 20: the onward transfers of PNR data to other government authorities will be subject to appropriate safeguards and, in case of disclosure outside Canada, limited to countries which have concluded a comparable Agreement with the EU or are subject to an adequacy decision of the Commission;
Annex: the PNR data elements to be transferred to Canada are determined in a clear and precise manner.