2006/253/EC: Commission Decision of 6 September 2005 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency (notified under document number C(2005) 3248) (Text with EEA relevance)
OJ L 91, 29.3.2006, p. 49–60 (ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, NL, PL, PT, SK, SL, FI, SV)
OJ L 118M , 8.5.2007, p. 515–526 (MT)
Special edition in Bulgarian: Chapter 07 Volume 15 P. 175 - 186
Special edition in Romanian: Chapter 07 Volume 15 P. 175 - 186
CS DA DE EL EN ES ET FI FR HU IT LT LV NL PL PT SK SL SV
|Bilingual display: BG CS DA DE EL EN ES ET FI FR HU IT LT LV NL PL PT RO SK SL SV|
of 6 September 2005
on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency
(notified under document number C(2005) 3248)
(Text with EEA relevance)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data , and in particular Article 25(6) thereof,
(1) Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, particular consideration being given to a number of elements relevant for the transfer and listed in Article 25(2) thereof.
(4) In the framework of air transport, the "Passenger Name Record" (PNR) is a record of each passenger’s travel requirements which contains all information necessary to enable reservations to be processed and controlled by the booking and participating airlines . For the purposes of this Decision, the terms "passenger" and "passengers" include crew members. "Booking airline" means an airline with which the passenger made his original reservations or with which additional reservations were made after commencement of the journey. "Participating airlines" means any airline on which the booking airline has requested space, on one or more of its flights, to be held for a passenger.
(5) The Canada Border Services Agency (the CBSA) requires each carrier operating passenger flights bound for Canada to provide it with electronic access to PNR to the extent that PNR is collected and contained in the air carrier's automated reservation systems and departure control systems.
(6) The requirements for personal data contained in the PNR of air passengers to be transferred to the CBSA, are based on section 107.1 of the Customs Act and paragraph 148(d) of the Immigration and Refugee Protection Act and upon implementing regulations adopted under those statutes .
(7) The Canadian legislation in question concerns the enhancement of security and the conditions under which persons may enter the country, matters on which Canada has the sovereign power to decide within its jurisdiction. The requirements laid down are not, moreover, inconsistent with any international commitments which Canada has undertaken. Canada is a democratic country, governed by the rule of law and with a strong civil liberties tradition. The legitimacy of its law-making process and strength and independence of its judiciary are not in question. Press freedom is a further strong guarantee against the abuse of civil liberties.
(8) The Community is fully committed to supporting Canada in the fight against terrorism within the limits imposed by Community law. Community law provides for striking the necessary balances between security concerns and privacy concerns. For example, Article 13 of Directive 95/46/EC provides that Member States may legislate to restrict the scope of certain requirements of that Directive, where it is necessary to do so for reasons of national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences.
(9) The data transfers concerned involve specific controllers, namely airlines operating flights from the Community to Canada, and only one recipient in Canada, namely the CBSA.
(10) Any arrangement to provide a legal framework for PNR transfers to Canada, in particular through this Decision should be time-limited. A period of three and a half years has been agreed. During this period, the context may change significantly and the Community and Canada agree that a review of the arrangements will be necessary.
(11) The processing by CBSA of personal data contained in the PNR of air passengers transferred to it is governed by conditions set out in the Commitments by the Canadian Border Services Agency in relation to the application of its PNR program (henceforth referred to as the "Commitments") and in Canadian domestic legislation to the extent indicated in the Commitments.
(12) As regards domestic law in Canada, the Privacy Act, the Access to Information Act and Section 107 of the Customs Act are relevant in the present context in so far as they control the conditions under which the CBSA may resist requests for disclosure and thus keep PNR confidential. The Privacy Act governs the disclosure of PNR to the person whom it concerns, closely linked to the data subject's right of access. The Privacy Act only applies to anyone present in Canada. However, in addition, the CBSA grants access to PNR information held on a foreign national if he or she is not present in Canada.
(13) As regards the Commitments, and as provided in section 43 thereof, the statements in the Commitments either have been incorporated in existing Canadian law, or are enshrined in domestic regulations formulated specifically for that purpose and thus will have legal effect. The Commitments will be published in full in the Canada Gazette. As such, they represent a serious and well-considered commitment on the part of the CBSA and their compliance will be subject to joint review by Canada and the Community. Non-compliance could be challenged as appropriate through legal, administrative and political channels and if persistent, would give rise to the suspension of the effects of this Decision.
(14) The standards by which the CBSA will process passengers' PNR data on the basis of Canadian legislation and the Commitments cover the basic principles necessary for an adequate level of protection for natural persons.
(15) As regards the purpose limitation principle, air passengers' personal data contained in the PNR transferred to the CBSA will be processed for a specific purpose and subsequently used or further communicated only insofar as this is compatible with the purpose of the transfer. In particular, PNR data will be used strictly for purposes of preventing and combating: terrorism and related crimes; other serious crimes, including organised crime, that are transnational in nature.
(16) As regards the data quality and proportionality principle, which needs to be considered in relation to the important public interest grounds for which PNR data are transferred, PNR data provided to the CBSA will not subsequently be changed by it. A maximum of 25 PNR data categories will be transferred and the CBSA will consult and agree with the European Commission regarding revision of the 25 required PNR data elements set out in Attachment A, prior to effecting any such revision. Additional personal information sought as a direct result of PNR data will be obtained from sources outside the government only through lawful channels. As a general rule, PNR will be deleted after a maximum of three years and six months.
(17) As regards the transparency principle, the CBSA will provide information to travellers as to the purpose of the transfer and processing, and the identity of the data controller, as well as other information.
(18) As regards the security principle, technical and organisational security measures are taken by the CBSA, which are appropriate to the risks presented by the processing.
(19) The rights of access, correction and notation are recognized in the Privacy Act to those individuals present in Canada. The CBSA will extend these rights in respect of PNR information in its possession to foreign nationals who are not present in Canada. The exceptions foreseen are broadly comparable with the restrictions which may be imposed by Member States under Article 13 of Directive 95/46/EC.
(20) Onward transfers will be made to other government authorities, including foreign government authorities on a case-by-case basis, for purposes that are identical to or consistent with those set out in the statement of purpose limitation concerning a minimum amount of data. Transfers may also be made for the protection of the vital interest of the data subject or of other persons, in particular as regards significant health risks or in any judicial proceedings or as otherwise required by law. Receiving agencies are obligated by the express terms of disclosure to use the data only for those purposes and may not transfer the data onwards without the agreement of the CBSA. No other foreign, federal, provincial or local authority has direct electronic access to PNR data through the CBSA databases. The CBSA will deny public disclosure of PNR on the basis of exemptions from the relevant provisions of the Access to Information Act and the Privacy Act.
(21) The CBSA does not receive sensitive data in the sense of Article 8 of Directive 95/46/EC.
(22) As regards the enforcement mechanisms to ensure compliance by the CBSA with these principles, the training and information of the CBSA staff is provided for, as well as sanctions with regard to individual staff members. The CBSA’s respect for privacy in general will be under the scrutiny of the independent Office of the Canadian Privacy Commissioner under the conditions set out in the Canadian Charter of Rights and Freedoms and the Privacy Act. The Privacy Commissioner may address complaints referred to it by the data protection authorities in Members States on behalf of residents of the Community, if the resident believes his or her complaint has not been satisfactorily dealt with by the CBSA. Compliance with the Commitments will be the subject of annual joint review to be conducted by the CBSA and a Commission-led team.
(23) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(24) The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered opinions on the level of protection provided by the Canadian authorities for passengers' data, which has guided the Commission throughout its negotiations with the CBSA. The Commission has taken note of these opinions in the preparation of this Decision .
(25) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:
For the purposes of Article 25(2) of Directive 95/46/EC, the Canadian Customs Border Services Agency (herinafter referred to as the CBSA) is considered to ensure an adequate level of protection for PNR data transferred from the Community concerning flights bound for Canada in accordance with the Commitments set out in the Annex.
This Decision concerns the adequacy of protection provided by the CBSA with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and shall not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to the CBSA in order to protect individuals with regard to the processing of their personal data in the following cases:
(a) where a competent Canadian authority has determined that the CBSA is in breach of the applicable standards of protection; or
(b) where there is a substantial likelihood that the standards of protection set out in the Annex are being infringed, there are reasonable grounds for believing that the CBSA is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the CBSA with notice and an opportunity to respond.
2. Suspension shall cease as soon as the standards of protection are assured and the competent authorities of the Member States concerned are notified thereof.
1. Member States shall inform the Commission without delay when measures are adopted pursuant to Article 3.
2. The Member States and the Commission shall inform each other of any changes in the standards of protection and of cases where the action of bodies responsible for ensuring compliance with the standards of protection by the CBSA as set out in the Annex fails to secure such compliance.
3. If the information collected pursuant to Article 3 and pursuant to paragraphs 1 and 2 of this Article provides evidence that the basic principles necessary for an adequate level of protection for natural persons are no longer being complied with, or that any body responsible for ensuring compliance with the standards of protection by the CBSA as set out in the Annex is not effectively fulfilling its role, the CBSA shall be informed and, if necessary, the procedure referred to in Article 31(2) of Directive 95/46/EC shall apply with a view to repealing or suspending this Decision.
The functioning of this Decision shall be monitored and any pertinent findings reported to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision that protection of personal data contained in the PNR of air passengers transferred to the CBSA is adequate within the meaning of Article 25 of Directive 95/46/EC.
Member States shall take all the measures necessary to comply with the Decision within four months of the date of its notification.
This Decision shall expire three years and six months after the date of its notification, unless extended in accordance with the procedure set out in Article 31(2) of Directive 95/46/EC.
This Decision is addressed to the Member States.
Done at Brussels, 6 September 2005.
For the Commission
 OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1).
 For the purposes of this Decision, the term "PNR" includes Advance Passenger Information (API) data as provided in section 4 of the Commitments of the CBSA.
 Passenger Information (Customs) Regulations and Regulation 269 of the Immigration and Refugee Protection Regulations.
 Opinion 3/2004 on the level of protection ensured in Canada for the transmission of Passenger Name Record and Advanced Passenger Information from airlines, adopted by the Working Party on 11 February 2004, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp88_en.pdfOpinion 1/2005 on the level of protection ensured in Canada for the transmission of Passenger Name Record and Advance Passenger Information from airlines, adopted by the Working Party on 19 January 2005, available at http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2005/wp103_en.pdf
COMMITMENTS BY THE CANADA BORDER SERVICE AGENCY IN RELATION TO THE APPLICATION OF ITS PNR PROGRAM
Legal authority to collect API and PNR information
1. All carriers are required, under Canadian law to provide the Canada Border Services Agency (CBSA) with Advance Passenger Information (API) and Passenger Name Record (PNR) information relating to all persons on board flights bound for Canada. The lawful authority of the CBSA to obtain and collect such information is found in section 107.1 of the Customs Act, and the Passenger Information (Customs) Regulations made thereunder, and in paragraph 148(1)(d) of the Immigration and Refugee Protection Act and Regulation 269 of the Immigration and Refugee Protection Regulations made thereunder.
Purpose for which API and PNR information is collected
2. API and PNR information will be collected by the CBSA only in respect of flights arriving in Canada. The CBSA will use API and PNR information collected from European and other carriers only to identify persons at risk to import goods related to, or persons who are inadmissible to Canada because of their potential relationship to, terrorism or terrorism-related crimes, or other serious crimes, including organized crime, that are transnational in nature.
3. API and PNR information will be used by the CBSA to target persons who will be subjected to closer questioning or examination on arrival in Canada, or who require further investigation, for one of the purposes described in section 2. No enforcement action will be taken by the CBSA or other Canadian law enforcement officials only by reason of the automated processing of API and PNR data.
API and PNR information collected
4. The list of API data elements that will be collected by the CBSA for the purposes set out in section 2 is set out in paragraphs 3(a) to (f) of the Passenger Information (Customs) Regulations made under the Customs Act.  The list of PNR data elements that will be collected by the CBSA for the purposes set out in section 2 is set out in Attachment A. For greater certainty, "sensitive data elements" within the meaning of Article 8.1 of Directive 95/46/EC (hereinafter referred to as "the Directive"), and all "open text" or "general remarks" fields, will not be included within these 25 data elements.
5. The CBSA will not require a carrier to collect PNR information that the carrier does not record for its own purposes, and will not require the carrier to collect any additional information for purposes of making it available to the CBSA. Therefore the CBSA recognizes that it will collect those data elements listed in Attachment A only to the extent that a carrier has chosen to place them in its automated reservation systems and departure control systems (DCS).
6. The CBSA will consult and agree with the European Commission regarding revision of the 25 required PNR data elements set out in Attachment A, prior to effecting any such revision,
(a) if the CBSA becomes aware of any additional PNR data element that may be available and is of the view that the element is required for the purposes set out in section 2; or
(b) if the CBSA at any time becomes aware that a particular PNR data element is no longer required for the purposes set out in section 2.
Method of accessing API and PNR information
7. The CBSA’s Passenger Information System (hereinafter referred to as "PAXIS") has been configured to receive API and PNR information pushed from a carrier.
Retention of, and access, to API and PNR information
8. Where the API and PNR information relates to a person who is not the subject of an investigation in Canada for a purpose described in section 2, it will be retained in the PAXIS system for a maximum of 3.5 years. During this period, the information will be retained in an increasingly de-personalized manner, as follows:
(a) From initial receipt to 72 hours, all available API and PNR information will be accessible only to a limited number of CBSA targetters and intelligence officers, who will use the information to identify those who require closer questioning or examination on arrival in Canada, for one of the purposes set out in section 2.
(b) After 72 hours to the end of two years from receipt, a person’s PNR record will be retained in the PAXIS system but accessible only by CBSA intelligence officers located at an international airport in Canada or at CBSA national headquarters in Ottawa. The name of the person to whom the information relates will be unavailable for viewing by these officials unless it is required in order to proceed with an investigation in Canada for one of the purposes described in section 2. The PNR record will be re-personalized only where the official reasonably believes that the name of the person is required in order to proceed with the investigation. During this period, the depersonalized information will be used by CBSA intelligence analysts for trend analysis and the development of future risk indicators related to the purposes set out in section 2.
(c) After two years from receipt, the PNR record will be retained in the PAXIS system for a further maximum period of 1.5 years, but all data elements which could serve to identify the person to whom the information relates will be available for viewing only if approved by the President of the CBSA for a purpose described in section 2. During this period, the depersonalized information will be used by CBSA intelligence analysts for trend analysis and the development of future risk indicators related to the purposes set out in section 2.
(d) API information will be stored separately from PNR information in the PAXIS system. It will be retained in the PAXIS system for a maximum of 3.5 years but during that period, API information relating to a person will not be used to gain access to PNR information about the same person, unless the PNR record is re-personalized in the circumstances described in paragraph b.
9. Where the API and PNR information relates to a person who is the subject of an investigation in Canada for a purpose described in section 2, it will be placed in an enforcement database of the CBSA. These databases contain only information with respect to persons who have been investigated or subjected to an enforcement action under CBSA legislation. Access to these databases is made available only to those CBSA officials whose duties require such access and is closely monitored. API and PNR information that is transferred to such an enforcement database will be retained in that system for no longer than is necessary, and in any case for a period of no more than six years, at which time it will be destroyed unless it is required to be retained for an additional period by virtue of the Privacy Act or the Access to Information Act, as explained in paragraph 10 b.
10. Where personal information is used by the CBSA for purposes of making a decision affecting the interests of the data subject to whom it relates, it must be retained by the CBSA for a period of two years from the date of such use in order that the data subject may access the information upon which such a decision has been made, unless the individual consents to its earlier disposal or where a request for access to the information has been received, until such time as the individual has had the opportunity to exercise all his rights under the Privacy Act or the Access to Information Act.
(a) In the case of information retained in the PAXIS database, this two-year requirement will be subsumed in the maximum 3.5 year period for which the information will be retained in that database.
(b) In the case of information retained in an enforcement database, API and PNR information could be retained where necessary for a period of no more than six years for use by the CBSA for the investigative purposes described in section nine, and then a further maximum period of two additional years, during which time it would be available for access by the data subject in accordance with the Privacy Act or the Access to Information Act, but unavailable for administrative use by the CBSA.
11. API and PNR information will, at the expiry of the retention periods described in sections 8 through 10, be destroyed in accordance with the provisions of the National Archives Act .
Disclosures of API and PNR information to other Canadian departments and agencies
12. All disclosures of API and PNR information by the CBSA are governed by the Privacy Act, the Access toInformation Act and the CBSA’s own legislation. Although the Privacy Act and the Access to Information Act grant a right of access to records unless an exemption or exclusion applies, these Acts do not otherwise require any mandatory disclosure of API and PNR information. A copy of the CBSA's administrative policy governing the disclosure, access to and use of API and PNR information, Memorandum D-1-16-3 entitled Interim Administrative Guidelines for the Disclosure, Access to and Use of Passenger Name Record (PNR) Data, (hereinafter referred to as the "CBSA's PNR disclosure policy") will be published and available for public access on the CBSA website. This policy, further described in section 37 of these Commitments, directs that API and PNR information could be shared with other Canadian government departments only for the purposes set out in section 2, unless the disclosure is made to comply with the subpoena or warrant issued, or an order made by, a court, person or body with jurisdiction in Canada to compel the production of the information or for the purposes of any judicial proceedings.
13. API and PNR information will not be disclosed in bulk. The CBSA will only release select API and PNR information on a case-by-case basis and only after assessing the relevance of the specific PNR information to be disclosed. Only those particular API and PNR elements which are clearly demonstrated as being required in the particular circumstances will be provided. In all cases, the minimum amount of information possible will be provided.
14. The CBSA will only disclose API and PNR information where the proposed recipients undertake to afford it the same protections which are afforded to the information by the CBSA. Canadian government recipients of PNR information are also bound by the requirements of the Privacy Act to the extent they are listed in the Schedule to this act. The Privacy Act applies to personal information which is information about an identifiable individual, recorded in any form, and under the control of a Canadian federal government department or agency subject to the Act. Such a department or agency is precluded from collecting any personal information unless it "relates directly to an operating program or activity of the institution".
15. The CBSA requires, as a matter of practice and as a condition precedent to disclosure, that Canadian federal or provincial law enforcement authorities undertake not to further disclose the information received, without the permission of the CBSA, unless required by law.
Disclosure of API and PNR information to other countries
16. The CBSA can share API and PNR information with the government of a foreign state, in accordance with an arrangement or agreement under subsection 8(2) of the Privacy Act and subsection 107(8) of the Customs Act.
17. Such arrangements or agreements could include a memorandum of understanding developed specifically for purposes of the CBSA’s PNR Program, or a treaty pursuant to which CBSA authorities are required to provide assistance and information. In either case, the information will only be shared for a purpose consistent with those set out in section 2, and only if the receiving country undertakes to afford the information with protections consistent with these Commitments. In all cases, the minimum amount of information possible will be provided to the other country.
18. API and PNR information retained in PAXIS will be shared only with a country that has received an adequacy finding under the Directive, or is covered by it.
19. API and PNR information retained in an enforcement database described in section 9 can be shared in accordance with treaty obligations under a Customs Mutual Assistance Agreement or a Mutual Legal Assistance Agreement. In this case, API and PNR elements will only be shared on a case by case basis and provided that the CBSA is in possession of evidence that directly links the request to the investigation or prevention of crimes referred to in section 2 and only to the extent that the data elements provided are strictly necessary to pursue the specific enquiry in question.
Disclosure of API and PNR information in the vital interest of the data subject
20. Notwithstanding anything in these Commitments to the contrary, the CBSA may disclose API and PNR information to relevant Canadian or other government departments and agencies, where such disclosure is necessary for the protection of the vital interests of the data subject or of other persons, in particular as regards significant health risks.
Notification to data subject
21. The CBSA will provide information to the traveling public regarding the API and PNR requirements and the issues associated with its use, including general information regarding the authority under which the data will be collected, the purpose for the collection, protection that will be afforded to the data, the manner and extent to which the data will be shared, the identity of responsible CBSA officials, procedures available for redress and contact information for persons with questions or concerns.
Legal review mechanisms of the CBSA’s PNR program
22. The PNR program may be subject to compliance reviews and investigations by the Privacy Commissioner of Canada and the Office of the Auditor General of Canada.
23. Canada’s independent data protection authority, the Privacy Commissioner of Canada, can investigate the compliance by government departments and agencies with the Privacy Act, and can monitor the extent to which the CBSA complies with these Commitments. Following accepted standard objectives and criteria, the Privacy Practices and Review Branch of the Office of the Privacy Commissioner may conduct compliance reviews and may also conduct investigations. The Privacy Commissioner of Canada may disclose information that, in her opinion, is necessary to carry out an investigation under the Act or establish the grounds for findings and recommendations contained in any report made under the Act.
24. The Office of the Auditor General of Canada conducts independent audits of Canadian federal government operations. These audits provide members of the Canadian Parliament and the public with objective information to help them examine the Government’s activities and hold it to account.
25. Final copies of the Office of the Privacy Commissioner and Office of the Auditor General reports are made available to the public through annual reports to Parliament and, at their discretion, are readily available on the Internet. The CBSA will provide the Commission with access to copies of any such reports that relate in any way to the PNR program.
Joint review of the CBSA’s PNR program
26. In addition to the above review processes which are provided for under Canadian law, the CBSA will participate on an annual basis or as appropriate, and as agreed with the Commission, in a joint review of the PNR program relating to transfers of API and PNR data to the CBSA.
27. The Canadian Charter of Rights and Freedoms, which is part of the Canadian Constitution, applies to all government actions, including legislation. Section 8 of the Charter provides the right to be secure against unreasonable search and seizure and protects a reasonable expectation of privacy. Section 24 of the Charter permits a person whose rights have been infringed to apply to a court of competent jurisdiction for such remedy as the court considers appropriate and just in the circumstances.
28. The right of a foreign national to access records under the control of a Canadian federal government department, by virtue of Extension Order Number 1 of the Access to Information Act (ATIA), is granted to anyone present in Canada. Subject to exemptions in the Act, a foreign national present in Canada or alternatively a person present in Canada with the consent of the foreign national not present in Canada, could make an ATIA request for records concerning the foreign national and be given access to such records, subject to specific and limited exemptions and exclusions in the Act.
29. Under the Privacy Act, the right to access personal information and request corrections or notations is extended by virtue of Extension Order Number 2, to anyone present in Canada. Therefore subject to exemptions in the Act, a foreign national may exercise these rights if he were present in Canada.
30. In addition, however, the government department who holds personal information about a person may administratively afford access, correction and notation rights to foreign nationals who are not present in Canada. The CBSA will extend these rights in respect of API and PNR information in its possession to EU citizens or other persons that are not present in Canada, provided that the disclosure is otherwise permitted by law.
31. The Privacy Commissioner may initiate a complaint if the Commissioner is "satisfied that there are reasonable grounds to investigate a matter under [the Privacy] Act" and has broad powers of investigation in respect of any complaint. Additionally, the Privacy Commissioner may address complaints referred to it by the Data Protection Authorities (DPAs) of any of the Member States of the European Union (EU) on behalf of an EU resident, to the extent such resident has authorized the DPA to act on his or her behalf and believes that his or her data protection complaint regarding API and PNR information has not been satisfactorily dealt with by CBSA as set out in paragraph 30 above. The Privacy Commissioner will report its conclusions and advise the DPA or DPAs concerned regarding actions taken, if any.
32. The Privacy Commissioner also has special powers to investigate the extent to which Canadian government departments and agencies are complying with the Privacy Act, with respect to the collection, retention, use, disclosure and disposal of personal information.
Security of Information
33. Access to the PAXIS system will only be provided only to a restricted number of CBSA targetters or intelligence officers located in passenger targeting units in Canadian regional offices and at the CBSA’s Headquarters in Ottawa, Canada. These officers will access the PAXIS system in secure work locations that are inaccessible to members of the public.
34. In order to access the PAXIS system, officers will be required to use two separate logins, using a system-generated user ID and password. The first login will provide access to the CBSA’s Local Area Network, while the second will provide access to the Integrated Customs System platform, which in turn provides access to the PAXIS application. Access to the CBSA network and any data contained in the PAXIS system will be strictly controlled and restricted to the selected user group, and every query and review of passenger data in the system will be audited. The audit record generated will contain the user name, the work location of the user, the date and time of access and the PNR file locator number for the information accessed. The CBSA will also restrict access to particular API and PNR data elements within the system on a "need to know" (user type/profile basis). These access controls will ensure that access to API and PNR information is provided only to the persons described in section 33, for the purposes set out in section 2.
35. Access, use and disclosure of API and PNR information is governed by the Privacy Act, the Access to Information Act as well as by section 107 of the Customs Act and the administrative policy described in section 37 of these Commitments, which reflect the protections and safeguards outlined in the present document. Section 160 of the Customs Act and internal codes of conduct provide for criminal and other sanctions in the event that these policies are not respected and, as noted above, the Privacy Commissioner is empowered under the Privacy Act to commence an investigation in respect of the disclosure of personal information.
36. The CBSA’s PNR disclosure policy sets out the procedures which must be followed by all CBSA employees who have access to API and PNR information. The policy of the CBSA is to protect the confidentiality of the information and to manage it in accordance with the authorities in Canadian legislation, as well as CBSA and Canadian Government policies related to the management and security of information, as described in section 38.
37. The CBSA’s PNR disclosure policy provides:
(a) that an official may disclose, allow access to or use API and PNR information only when authorized to do so by law and in accordance with the policy;
(b) that officials should take all appropriate means to ensure that only essential information is disclosed to third parties;
(c) that information will only be disclosed for a specific authorized purpose and limited to the minimum amount of information required for that purpose;
(d) that information will only be provided to or accessed by individuals with an operational requirement to see it; and
(e) that, subject to the Privacy Act, the Access to Information Act and the National Archives Act, any information disclosed will be destroyed or returned once it has been used, in accordance with CBSA and Treasury Board of Canada information management policies.
38. The CBSA’s PNR disclosure policy falls under the umbrella of several CBSA-wide policies for the protection and management of information collected under the various statutes administered by the CBSA. In addition all CBSA employees are bound by Government of Canada security policies in respect of the protection of electronic systems and data protection. 
39. All CBSA employees are familiar with these policies and the consequences of non-compliance, and adherence with them is a condition of their employment.
40. The Aeronautics Act allows Canadian air carriers operating flights from any destination, or any carriers operating flights departing from Canada, to provide a foreign state with information concerning persons on board such flights and bound for that state, where the laws of that state require the information to be provided.
41. In the event that the European Community, the European Union or any of its Member States decides to adopt an airline passenger identification system and passes legislation which would require all air carriers to provide European authorities with access to API and PNR data for persons whose current travel itinerary includes a flight to the European Union, section 4.83 of the Aeronautics Act would permit air carriers to comply with this requirement.
Review and termination of commitments
42. These Commitments will apply for a term of three years and six months (3.5 years), beginning on the date upon which an agreement enters into force between Canada and the European Community, authorizing the processing of API and PNR data by carriers for purposes of transferring such data to the CBSA, in accordance with the Directive. After these Commitments have been in effect for two years and six months (2.5 years), the CBSA will initiate discussions with the Commission with the goal of extending the Commitments and any supporting arrangements, upon mutually acceptable terms. If no mutually acceptable arrangements can be concluded prior to the expiration date of these Commitments, the Commitments will no longer apply to any data collected from that moment onwards. Data collected while these Commitments were in force will remain protected by the terms of these Commitments until any such data is deleted.
43. CBSA fulfils its Commitments via the application of existing Canadian law, or, where not already covered by Canadian legislation, in regulations formulated specifically for that purpose or through administrative processes.
 Paragraphs 3 (a) to (f) contain the following API data: (a) a person’s surname, first name and any middle names; (b) date of birth; (c) gender; (d) citizenship or nationality; (e) the type of travel document that identifies that person, the name of the country in which the travel document was issued and the number of the travel document; (f) the reservation record locator number, if any, and in the case of a person on charge of the commercial conveyance or any other crew member without a reservation record locator number, notification of their status as a crew member.
 This Act sets out the formalities that must be followed before government records are destroyed.
 Referenced policies include: the Government Security Policy published by the Treasury Board of Canada Secretariat on February 1, 2002 and the Operational Security Standard: Management of Information Technology Security (MITS) published by the Treasury Board of Canada Secretariat on May 31, 2004.
PNR DATA ELEMENTS REQUIRED BY CBSA FROM AIR CARRIERS
2. API data
3. PNR record locater code
4. Date of intended travel
5. Date of reservation
6. Date of ticket issuance
7. Travel agencies
8. Travel agent
9. Contact telephone information
10. Billing address
11. All forms of payment information
12. Frequent Flyer Information
13. Ticketing Field Information
14. Ticket number
15. Split/divided PNR
16. Go show information
17. No show history
18. All travel Itinerary Information
19. Standby Information
20. Other names on PNR
21. Order of check in
22. Bag tag numbers
23. Seat information
24. Seat number
25. One way tickets