52003DC0826

Communication from the Commission to the Council and the Parliament - Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach /* COM/2003/0826 final */


COMMUNICATION FROM THE COMMISSION TO THE COUNCIL AND THE PARLIAMENT - Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach

Table of Contents

1. Introduction and Background

2. Main Components of the Global EU Approach

3. Elements of the Global EU Approach in More Detail

3.1. Outcome of the EU/US talks on PNR data transfer

3.2. Information for Passengers

3.3. Development of "push" system with filters

3.4. The development of an EU position on the use of PNR data

3.5. The creation of a multilateral framework for PNR Data Transfer within the International Civil Aviation Organisation (ICAO)

4. Results of the Commission's analysis of the legal situation regarding the CRS Regulation

5. Conclusions

1. INTRODUCTION AND BACKGROUND

In the aftermath of the terrorist attacks of 11 September 2001, the United States passed legislation in November 2001, requiring that air carriers operating flights to, from or through the United States provide the United States' Customs with electronic access to the data contained in their automated reservation and departure control systems, known as Passenger Name Records (PNR). Whilst recognising the legitimate security interests involved, the Commission informed the US authorities as early as June 2002 that these requirements could conflict with Community and Member States' legislation on data protection [1] and with some provisions of the Regulation on computerised reservation systems (CRSs). [2] The US authorities postponed the entry into force of the new requirements, but finally refused to waive the imposition of penalties on non-complying airlines beyond 5 March 2003. Several major EU airlines have been providing access to their PNR since then.

[1] See in particular Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31.

[2] Council Regulation (EEC) No 2299/89 of 24 July 1989 on a code of conduct for computerised reservation systems, OJ L 220, 29.7.1989, p. 1, as last amended by Council Regulation (EC) No 323/1999 of 8 February 1999, OJ L 40, 13.2.1999, p. 1.

On 18 February 2003, the Commission and the US administration issued a joint statement, recalling our shared interest in combating terrorism, setting out initial data protection undertakings agreed by US Customs and recording the parties' undertaking to pursue talks with a view to allowing the Commission to make a decision in accordance with Article 25 (6) of the data protection Directive 95/46/EC, recognising the protection given to the transmitted data as adequate. The talks have thus aimed to bring the way the US uses and protects PNR data closer to EU standards.

In the meantime, other third countries, including Canada and Australia, have requested or are considering requesting access to PNR data. Some Member States are also examining the possibility of using PNR data for aviation and border security purposes.

In two Resolutions of 13 March 2003 [3] and of 9 October 2003 [4] the European Parliament invited the Commission to take a number of actions with regard to the transfer of PNR data to the US in order to ensure that European data protection concerns are being taken into account.

[3] P5_TA(2003)0097

[4] P5_TA(2003)0429

The Commission agrees with the European Parliament that a solution to the problems arising from third country and in particular US demands for PNR data is urgently required. It must be legally sound. It must ensure the protection of citizens' personal data and privacy, but also their physical security. It must stand four-square with the need to fight terrorism and international organised crime. It must end legal uncertainty for airlines - European and non-European. And it must facilitate legitimate travel. But the EU's approach cannot be limited to responding to the initiatives of others.

A number of Member States have also indicated their interest in effective arrangements to improve aviation and border security. And an EU approach should form the basis of an initiative to establish a multilateral solution, which is the only practical way to address international air travel issues.

This Communication sets out the elements of the global EU approach that the Commission considers necessary.

2. MAIN COMPONENTS OF THE GLOBAL EU APPROACH

A comprehensive and balanced approach to the full range of issues raised in particular by US legislation requiring the transfer of PNR, but also responding to the wider needs outlined above, needs to give due weight to all of the following considerations:

- the fight against terrorism and international crime,

- the right to privacy and the protection of fundamental civil rights,

- the need for airlines to be able to comply with diverse legal requirements at an acceptable cost,

- the broader EU-US relationship,

- the security and convenience of air travellers,

- border security concerns,

- the truly international, indeed world-wide, scope of these issues.

Any one-sided approach or any approach that fails to draw all these strands together will be unbalanced and unsustainable. At the same time, the search for a truly comprehensive solution must not delay or stand in the way of finding a legal solution to the problem of current PNR transfers to the US - not to mention growing pressure on those EU airlines not yet giving the US access to their PNR.

The Commission's multi-track approach thus consists of the following main components:

a. A legal framework for existing PNR transfers to the US. This will take the form of a Decision by the Commission under Article 25 paragraph 6 of the Data Protection Directive (95/46/EC) accompanied by a "light" bilateral international agreement.

b. Complete, accurate and timely information for passengers. A concerted effort - involving the Commission, airlines, travel agents, CRSs and data protection authorities, and possibly the authorities of the third countries concerned - has been set in hand to ensure that passengers are fully and accurately informed before purchasing their tickets about the uses made of their PNR data and give their consent to its transfer.

c. Replacing "pull" (direct access by US authorities to airlines' data bases) with a "push" method of transfer, combined with appropriate filters. The Commission's technical discussions with the industry are well advanced. The Commission will recommend the rapid implementation of a "push system" in a framework of an EU policy.

d. The development of an EU position on the use of travellers' data, including PNR, for aviation and border security.

e. The creation of a multilateral framework for PNR Data Transfer within the International Civil Aviation Organisation (ICAO).

3. ELEMENTS OF THE GLOBAL EU APPROACH IN MORE DETAIL

3.1. Outcome of the EU/US talks on PNR data transfer

In the joint statement of February 2003 the Commission and the US side undertook to work towards a solution for the transfer of PNR data that respected the law on both sides. The joint statement foresaw that the search for a solution would focus on obtaining information and improved commitments from the US that would allow the Commission to adopt a finding of "adequate protection" under Article 25 (6) of the data protection Directive.

In these talks, the Commission's main aim has thus been to obtain the best possible standards of protection for personal data transferred from the EU and to incorporate those in a suitable legal framework. At the same time, it has endeavoured to keep in mind the other policy objectives already mentioned (to co-operate with the US in the fight against terrorism and related crimes, to facilitate legitimate travel and to ensure fair and feasible operating conditions for EU airlines). It has also taken care not to prejudice the development of an EU policy towards the use of international travellers' data in the interests of EU aviation and border security, bearing in mind also that Member States may legislate to make derogations from certain data protection requirements if this is necessary for national security or law enforcement reasons, as provided for in Article 13 of the data protection Directive.

The Commission had asked the US authorities concerned to suspend the enforcement of their requirements until a secure legal framework had been established for such transfers. In the light of the U.S. refusal, the option of insisting on the enforcement of law on the EU side would have been politically justified, but it would not have served the above objectives. It would have undermined the influence of more moderate and co-operative counsels in Washington and substituted a trial of strength for the genuine leverage we have as co-operative partners. This approach has borne fruit. Since the start of the co-operative phase in these discussions (marked by the Joint Statement of 18 February 2003), significant progress has been made towards meeting all the above objectives.

In particular, the Commission has negotiated with the US Bureau of Customs and Border Protection (CBP) substantially improved data protection arrangements for PNR data transferred to the US. These arrangements form the basis for a legal framework in the form of a decision by the Commission exercising its powers under Article 25 paragraph 6 of Directive 95/46/EC combined with an international agreement authorising the airlines to treat the US requirements as legal requirements in the EU [5] and binding the US to grant reciprocity and ensure "due process" for EU citizens.

[5] In addition to the issue of "adequate protection" which arises under Article 25 of the Directive, legal issues arising under Articles 4, 6 and 7 of the Directive also need to be addressed. A decision making a finding of adequate protection is limited to doing just that. The proposed international agreement is therefore necessary to address the other legal issues.

Since the start of the talks in March 2003, the Commission has been able to secure the following Undertakings from the US:

- Clear limits on the amount of data to be transferred. These will be data concerning only flights to, from or through the US. Instead of all data in the PNR, the US request is now limited to a closed list of 34 items. As a general rule in practice, most individual PNRs consist of no more than 10 to 15 elements, and the US has provided undertakings that it does not require airlines to collect data where any of these 34 fields may be empty.

- All categories of sensitive data as defined by Article 8 paragraph 1 of the Data Protection Directive [6] will be deleted. The Commission has secured the necessary guarantees from the US that all personal data revealing racial or ethnic origin (e.g. dietary preferences), health, etc. will be filtered out and deleted.

[6] Article 8 of the Directive establishes additional protections for special categories of data. These are defined in Article 8 paragraph 1 as "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and ... data concerning health or sex life".

- The uses to which the data may be put have been made more precise and significantly narrower. The Commission's (and European Parliament's) insistent request that uses be limited to terrorism and crimes that are or may be linked to terrorism - to the exclusion of "domestic" crime - has finally been met.

- A significant improvement has been achieved on the length of data storage. From a proposed length of storage of initially 50 years, the US has agreed to cut that period to three and a half years. This is related to the expiry of the whole arrangement after three and a half years. The duration of the retention period is thus linked to the lifetime of the arrangement.

- Congress has required the establishment of a Chief Privacy Officer (CPO) in the Department of Homeland Security (DHS) who has to report annually to Congress and whose findings are binding on the department. The CPO has agreed to receive and handle in an expedited manner representations from Data Protection Authorities in the EU on behalf of citizens who consider that their complaints have not been satisfactorily resolved by DHS. EU citizens are thus given stronger assurance of getting fair treatment.

- The CBP has agreed to participate, with an EU team led by the Commission, in an annual joint review of US implementation of its Undertakings. This will provide an invaluable window on actual practice in the US and a means to verify US compliance in line with its Undertakings. The review process could also be the platform for future closer co-operation with the US on these matters.

The Department of Homeland Security was keen to see the Transportation Security Administration's CAPPS II (Computer Assisted Passenger Pre-Screening System) scheme covered by the agreed legal framework. The Commission has successfully resisted this pressure on the grounds that it can only take a position once internal US processes have been completed and once it is clear that Congress's privacy concerns regarding CAPPS II have been met. CAPPS II will thus be addressed only in a second round of talks.

Furthermore, the Commission has proposed and the US side has agreed that any legal framework should be time-limited and will only be renewed if both sides agree that it should be so. The agreed lifetime of the arrangement (adequacy finding plus "light" international agreement) is three and a half years. This creates the appropriate conditions for a thorough review, in the light of experience with its implementation and of developments in the meantime, which should start about a year before the arrangement expires. By then, the EU will have developed its own policy on the use of PNR for transportation and border security purposes, and the US debate on data privacy may also have evolved. Finally, a multilateral framework might also be in place by then.

The Commission will now launch the procedures necessary for the adoption of a decision under Article 25 paragraph 6 of the Directive and for the conclusion of an international agreement. In the light of the procedures laid down, the Commission aims to complete these processes in March 2004, though this timetable will only be realisable with the full co-operation of all concerned.

3.2. Information for Passengers

The Commission services have prepared, with input from the data protection authorities, [7] as well as from the US CBP, a text that is now being transmitted to the airlines, notably through IATA, as a model for the information that they and/or their travel agents should be providing to passengers before they buy tickets to fly to the US. The co-operation of the CRSs is also being sought to ensure maximum coverage of ticket sales, especially through travel agents.

[7] Although the comments of DPAs have been sought and many have been incorporated, the Article 29 Working Party declined to adopt or approve the text, on the grounds that the transfers of PNR to the US are in any case illegal and nothing should be done to blur that fact.

Full, correct and timely information is an important data protection requirement in general, and more particularly in cases where consent is necessary. Consent can only be considered valid if the individual has the necessary information. Jurisprudence and best practice also require that consent can only be relied on if the individual has a free choice.

In the present situation, the Article 29 Working Party took the view in its opinion 6/2002 of 24 October 2002 that consent should not be relied on and that the exception to the "adequate protection" requirement provided for in Article 26 (1) (a) of the Directive ("the data subject has given his consent unambiguously to the proposed transfer") did not therefore provide a sound legal solution. The Commission agrees that a legal solution relying entirely on consent would be a poor one from a data protection point of view, but believes that information and a conscious decision on the part of passengers are nevertheless an essential part of the overall package.

3.3. Development of "push" system with filters

The introduction of a filter-based "push" system is another key element of a global approach. Such systems would allow the data flows from the airlines or reservation systems to the US security authorities to be controlled in the EU and, once an agreement has been found on the data elements, limit the transfer to what is strictly necessary for security purposes. The Commission is of the opinion that the rapid development and introduction of filter and "push" technology is necessary, and the Parliament has also invited the Commission, in its Resolution of 9 October, to "take the necessary steps to facilitate the implementation of computer-based filter systems".

The Commission services have been engaged in a regular dialogue with airlines for several months on the implementation of such systems, as well as consulting with technical experts from a variety of organisations and IT firms. The airlines are open to the idea of implementing computer-based filter systems (the so-called "push" system). The Commission services have been made aware of a number of possible technological solutions including the Austrian proposal referred to in the European Parliament's Resolution.

The Commission's services held a second technical meeting with industry experts and various technology providers on 13 November. We learnt that these systems were technically feasible, but it is still unclear how they could best be implemented or supervised. It was also made clear at that meeting that implementation of a "push" system could not solve the problem alone. Filters would also need to be installed. These filters entail significant costs for the airlines, which means that a legal obligation would be desirable to ensure that all airlines are subject to the same requirements. Airlines have also indicated a preference for a centralised system.

It would be difficult to envisage obliging airlines, including US airlines, to adopt such a system, without creating a legal obligation for them to do so. There is currently no EU law or Community policy that obliges airlines to transfer PNR data in this way. A possible framework for the establishment of such a system would be a Community policy on PNR data collection for security and/or immigration purposes. In line with the timetable envisaged for the development of a policy framework in this context (see section 3.4), it should be possible to define the way forward for switching to "push" with filters by the middle of 2004.

3.4. The development of an EU position on the use of PNR data

The talks with third countries on the transfer of PNR data should be complemented and to the extent possible preceded by the development of an EU policy on the use of PNR and/or travellers' data more generally within the Union. Such a policy will have to strike a balance between the different interests involved, in particular between legitimate security concerns and the protection of fundamental rights, including privacy.

In this context, the "purpose limitation" language recently agreed with the US appears to be a sound basis for taking forward work on an EU approach, covering the fight against terrorism but also embracing organised crime with international implications. The list of data elements also seems broad enough to accommodate law enforcement needs in the EU. Nothing in the arrangements agreed with the US therefore seems to prejudice the development of an appropriate EU policy.

As pointed out at the end of section 3.3, there is also a possible link between a future EU policy on the use of PNR or other travellers' data for security and law enforcement purposes and the development of a "push" system with filters, especially if this were to be on a centralised basis. A centralised structure within the EU could provide the necessary guarantees as regards liability (accuracy of the data), security (technological means, filters) and supervision (e.g. a Joint Supervisory Board), as well as offering added value for similar initiatives conducted at national level within the EU.

Finally, any possible information exchange with the US authorities should be based on the principle of reciprocity in the transfer of data between the EU and the US, whilst at the same time considering the possibility for the collection and controlled transfer of PNR-data through a central European entity.

Preparation of an EU policy is still in its early stages. In order to launch the preparation of an EU position, the Commission organised on 9 October 2003 an experts meeting on PNR, bringing together Commission services and law enforcement and data protection authorities of the Member States. Further meetings with law enforcement authorities are scheduled to take place in the coming weeks and months. Discussions will focus on the pros and cons of a centralised point of contact for data exchange with third countries, the lists of data that may be considered relevant and necessary, the minimum data protection conditions required, the general assessment of risks and systems for criminal profiling.

It is intended to submit a proposal for a framework decision on data protection in law enforcement co-operation by the middle of 2004, aiming, inter alia, to establish a sound basis for the screening of commercial data for law enforcement purposes, while at the same time respecting data protection considerations under EU legislation.

Such a framework decision will form the basis for the establishment of an "information policy" for law enforcement authorities. This will become the backbone for a prevention policy in the field of organised crime and terrorism addressing in particular the safeguards of data processing systems and the reciprocity of data exchange.

3.5. The creation of a multilateral framework for PNR Data Transfer within the International Civil Aviation Organisation (ICAO)

The transfer of PNR data is a truly international, and not only a bilateral problem. Therefore, the Commission has taken the view that the best solution would be a multilateral one and that the ICAO would be the most appropriate framework to bring forward a multilateral initiative.

In September 2003, the Commission decided to accelerate work on developing an international arrangement for PNR data transfers within ICAO. The Commission services have prepared a working paper to this effect that will be submitted by the Community and its Member States to ICAO shortly.

Taking into account aviation security, border control and personal data protection requirements, and the proliferation of PNR data transfer initiatives among ICAO Member States, this working paper will address the following aspects:

- The scope of data that may be used for these purposes;

- The practices that may be employed for the collection and processing of such data;

- The technical implications in respect of the systems employed for the capture, processing, storage, and transfer of such data.

It will of course be necessary that the working paper does not prejudice the development of an EU policy in this area (see previous section) but is rather guided by it. This initiative will in any case require a consensus among all parties participating in ICAO and therefore take some time to be achieved.

4. ENFORCEMENT OF REGULATION 2299/89 BY THE COMMISSION

As regards the CRS Regulation, the Commission services have been reviewing the situation over a period of several months in order to assess precisely how the current system of data access functions from a technical point of view and to what extent the CRSs are involved in a way that falls within the scope of Regulation 2299/89 on a code of conduct for computerised reservation systems. That review, which culminated in a second meeting with industry on 13 November 2003, has revealed that the CRSs may be processing data as contractors on behalf of airlines rather than acting as CRSs for these purposes. It will be necessary to clarify this aspect further before taking a final view on the applicability of the Regulation.

However, since the Commission has received a complaint under Article 11 of the Regulation (initiation of procedures to terminate an infringement), the Commission is acting under Article 12 (empowering the Commission to obtain all necessary information from undertakings) and has sent letters to the CRSs requesting information on whether the system vendors are complying with the data protection provisions of the Regulation.

5. CONCLUSIONS

Given the complexity and the multi-dimensional nature of the issues involved, the Commission is pursuing a global approach with regard to the transfer of Passenger Name Record data, which brings together the different individual elements outlined above.

* It attaches prime importance to establishing rapidly a legally secure framework for PNR transfers to the US Department of Homeland Security (Bureau of Customs and Border Protection).

* On the basis of the results of the talks with the US administration and as part of the package of measures which form the global approach, the Commission proposes to deliver this legal framework in the form of an adequacy finding in accordance with Article 25 (6) of the data protection directive, accompanied by an international agreement with the US on the basis of Article 300 (3) first paragraph of the Treaty. The European Parliament will be consulted on both elements of this solution, in both cases subject to appropriate time limits.

* The Commission will also pursue its talks with other third countries to put in place, as quickly as possible, appropriate solutions to remove any legal incompatibilities.

* The Commission will pursue energetically its co-operation with airlines and their representative organisations, as well as with CRSs to ensure that passengers are fully and accurately informed before purchasing their tickets about the uses that are made of their PNR data and are thus able to make an informed choice. The Commission will strongly encourage operators to obtain systematically the consent of passengers to their data being transferred, to the extent practicable, but believes that it is necessary to establish a legal framework which does not rely solely on consent. The Commission recalls its right of initiative to propose the regulation of consent at the EU level if operators fail to implement effective solutions within a reasonable timeframe.

* The Commission reaffirms its strong support for the swift implementation of "push" technology accompanied by appropriate filters for the transmission of PNR data to third countries. It believes that a centralised or grouped approach has clear advantages over an airline by airline approach, in terms of both efficiency and costs. It will continue to explore possible options with the industry as a matter of priority. If necessary, it is prepared to take the appropriate initiatives to secure funding from within existing resources of the Community budget to support the development of such a system. The Commission aims to identify the way forward before mid-2004 at the latest. One option for consideration could be to implement a push system within the framework of an EU approach to the use of travellers' data for border and aviation security purposes (see below).

* The Commission will pursue as a matter of priority the discussions that have been started with Member States and other relevant parties, e.g. Europol, with a view to making a first proposal by the middle of 2004 outlining an EU approach to the use of travellers' data for border and aviation security and other law enforcement purposes. Such a policy framework will need to strike a balance between security concerns on the one hand and data protection and other civil liberties concerns on the other.

* The Commission is launching an international initiative with respect to PNR data transfers under the auspices of ICAO. A proposal to this effect is being transmitted to the Council.