9.2.2012   

EN

Official Journal of the European Union

C 35/16

1.

On 28 November 2011, the Commission adopted a proposal for a Council Decision on the conclusion of the Agreement between the United States of America and the European Union on the use and transfer of Passenger Name Records (PNR) to the United States Department of Homeland Security (3) (hereinafter: ‘the agreement’).

2.

On 9 November 2011, the EDPS was consulted informally on the draft proposal, in the context of a fast track procedure. On 11 November 2011, he issued a number of restricted comments. The aim of the present Opinion is to complement these comments in light of the present proposal and to make his views publicly available. This Opinion also builds on a number of earlier interventions by the EDPS and the Article 29 Working Party in relation to PNR.

3.

The agreement aims at providing a solid legal basis for the transfer of PNR data from the EU to the US. The transfer is currently based on the 2007 agreement (4) because the Parliament decided to postpone its vote on the consent until its data protection concerns were met. In particular, in its resolution of 5 May 2010 (5), the Parliament referred to the following requirements:

4.

The present agreement must be considered in the context of the global approach to PNR, which includes negotiations with other third countries (namely Australia (8) and Canada (9)), and a proposal for a PNR scheme at the EU level (10). It also falls within the scope of the current negotiations for an agreement between the EU and the US on the exchange of personal data in the framework of police and judicial cooperation in criminal matters (11). In a wider context, the agreement has been initialled a few weeks before the expected adoption of the proposals for the review of the general data protection framework (12).

5.

The EDPS welcomes this global approach aiming at providing a coherent legal framework for PNR agreements in line with EU legal requirements. However, he regrets that this timing does not allow in practice to ensure the consistency of these agreements with the new EU rules on data protection. He would also like to recall that the general agreement between the EU and the US on data exchanges should be applicable to the EU-US PNR Agreement.

6.

According to the EU Charter of Fundamental Rights, any limitation to fundamental rights and freedoms must be necessary, proportional and laid down by law. As repeatedly stated by the EDPS (13) and the Article 29 Working Party (14), the necessity and proportionality of the PNR schemes and of the bulk transfers of PNR data to third countries have so far not been demonstrated. The European Economic and Social Committee and the Fundamental Rights Agency also share this view (15). The specific comments below are without prejudice to this preliminary and fundamental observation.

7.

While this agreement includes some improvements in comparison with the 2007 agreement, and includes adequate safeguards on data security and oversight, none of the main concerns expressed in the above mentioned opinions nor the conditions required by the European Parliament to provide its consent appear to have been met (16).

8.

Article 4(1) of the agreement states that the US processes PNR data for the purposes of preventing, detecting, investigating and prosecuting (a) terrorist offences and related crimes and (b) crimes that are punishable by a sentence of imprisonment of three years of more and that are transnational in nature. Some of these concepts are further defined.

9.

Although these definitions are more precise than in the 2007 agreement, there are still some vague concepts and exceptions that could override the purpose limitation and undermine legal certainty. In particular:

10.

Annex I of the agreement contains 19 types of data that will be sent to the US. Most of them also comprise different categories of data and are identical to the data fields in the 2007 agreement, which were already considered disproportionate by the EDPS and the Article 29 Working Party (18).

11.

This refers in particular to the field ‘General remarks including OSI (19), SSI (20) and SSR (21) information’, which can reveal data related to religious beliefs (e.g. meal preferences) or to health (e.g. request for a wheelchair). Such sensitive data should be explicitly excluded from the list.

12.

While assessing the proportionality of the list, it should also be taken into account that due to advanced transmission (Article 15(3) of the agreement), these categories will refer not only to actual passengers but also to those individuals who do not finally fly (e.g. due to cancellations).

13.

In addition, the presence of open data fields could undermine legal certainty. Categories such as ‘all available contact information’, ‘all baggage information’ and ‘general remarks’ should be better defined.

14.

Therefore, the list should be narrowed. In line with the Article 29 Working Party's opinion (22), we consider that data should be limited to the following information: PNR record locator code, date of reservation, date(s) of intended travel, passenger name, other names on PNR, all travel itinerary, identifiers for free tickets, one-way tickets, ticketing field information, ATFQ (Automatic Ticket Fare Quote) data, ticket number, date of ticket issuance, no show history, number of bags, bag tag numbers, go show information, number of bags on each segment, voluntary/involuntary upgrades, historical changes to PNR data with regard to the aforementioned items.

15.

Article 6 of the agreement states that the DHS shall automatically filter and ‘mask out’ sensitive data. However, sensitive data will be stored at least 30 days and might be used in specific cases (Article 6(4)). The EDPS would stress that even after being ‘masked out’, these data will still be ‘sensitive’ and relate to identifiable natural persons.

16.

As already stated by the EDPS, the DHS should not process sensitive data related to EU citizens, even if they are ‘masked out’ upon reception. The EDPS recommends specifying in the text of the agreement that air carriers should not transfer sensitive data to the DHS.

17.

Article 8 states that PNR data will be retained for up to five years in an active database and then transferred to a dormant database and stored for up to 10 years. This maximum retention period of 15 years is clearly disproportionate, irrespective of whether the data are kept in ‘active’ or ‘dormant’ databases, as already underlined by the EDPS and the Article 29 Working Party.

18.

Article 8(1) specifies that the data will be ‘depersonalised and masked’ six months after their reception by the DHS. However, both ‘masked out’ data and data stored in a ‘dormant database’ are personal data as long as they are not anonymised. The data should therefore be anonymised (irreversibly) or deleted immediately after analysis or after a maximum of six months.

19.

The EDPS welcomes Article 15(1), which states that data will be transferred using the ‘push’ method. However, Article 15(5) requires carriers to ‘provide access’ to PNR data in exceptional circumstances. In order to definitively preclude the use of the ‘pull’ system, and in view of the concerns recently once again underlined by the Article 29 Working Party (23), we strongly advise that the agreement expressly prohibits the possibility for US officials to separately access the data via a ‘pull’ system.

20.

The number and periodicity of the transfers from air carriers to the DHS should be defined in the agreement. To enhance legal certainty, the conditions in which additional transfers would be allowed should also be more detailed.

21.

The EDPS welcomes Article 5 of the agreement on data security and integrity and, in particular, the obligation to notify the affected individuals of a privacy incident. However, the following elements of the data breach notification should be clarified:

22.

The EDPS supports the obligation to log or document all access and processing to PNR, as this will allow a verification of whether the DHS has made appropriate use of the PNR data and whether there has been any unauthorised access to the system.

23.

The EDPS welcomes the fact that compliance with the privacy safeguards in the agreement will be subject to independent supervision and oversight by Department Privacy Officers such as the DHS Chief Privacy Officer, as stated in Article 14(1). However, in order to ensure an effective exercise of data subjects’ rights, the EDPS and the national Data Protection Authorities should work with the DHS on the procedures and modalities of exercise of these rights (24). The EDPS would welcome a reference to this cooperation in the agreement.

24.

The EDPS strongly supports the right to redress ‘regardless of nationality, country of origin, or place of residence’ laid down in Article 14(1), second subparagraph. However, he regrets that Article 21 explicitly states that the agreement ‘shall not create or confer, under US law, any right or benefit on any person’. Even if a right to ‘judicial review’ is granted in the US under the agreement, such right may not be equivalent to the right to effective judicial redress in the EU, in particular in the light of the restriction stated in Article 21.

25.

Article 16 of the agreement prohibits the transfer of the data to domestic authorities that do not afford to PNR ‘equivalent or comparable’ safeguards to those set forth in this agreement. The EDPS welcomes this provision. The list of authorities that might receive PNR data should however be further specified. As regards international transfers, the agreement provides that they should only take place if the recipient's intended use is consistent with this agreement and adduces privacy safeguards ‘comparable’ to the ones provided in the agreement, except in emergency circumstances.

26.

With regard to the wording ‘comparable’ or ‘equivalent’ used in the agreement, the EDPS would like to emphasise that no domestic or international onward transfers by the DHS should take place unless the recipient adduces safeguards that are not less stringent than the ones established in this agreement. It should also be clarified in the agreement that the transfer of PNR data shall be done on a case-by-case basis, ensuring that only the necessary data will be transferred to the relevant recipients, and no exceptions should be allowed. In addition, the EDPS recommends that data transfers to third countries should be subject to prior judicial authorisation.

27.

Article 17(4) states that when data of a resident of an EU Member State are transferred to a third country, the competent authorities of the Member State concerned should be informed in cases where the DHS is aware of this situation. This condition should be deleted, as the DHS should always be aware of onward transfers to third countries.

28.

It is not clear what is the legal form chosen by the US for entering into this agreement and how this agreement will become legally binding in the US. This should be clarified.

29.

Article 20(2) addresses coherence with the possible EU PNR scheme. The EDPS notes that consultations on the adjustment of this agreement shall in particular examine ‘whether any future EU PNR system would apply less stringent data protection safeguards than those provided for in the present agreement’. In order to ensure consistency, any adjustment should also (and particularly) take account of stronger safeguards in any future PNR scheme.

30.

The agreement should also be reviewed in view of the new data protection framework and of the possible conclusion of a general agreement between the EU and the US on the exchange of personal data in the framework of police and judicial cooperation in criminal matters. A new provision similar to Article 20(2) could be added stating that ‘if and when a new data protection legal framework is adopted in the EU or a new agreement on the exchange of data between the EU and the US is concluded, the Parties shall consult each other to determine whether the present Agreement would need to be adjusted accordingly. Such consultations shall in particular examine whether any future modification of the EU data protection legal framework or any future EU-US data protection agreement would apply more stringent data protection safeguards than those provided for in the present agreement’.

31.

As regards the review of the agreement (Article 23), the EDPS considers that national Data Protection Authorities should be explicitly included in the review team. The review should also concentrate on assessment of the necessity and proportionality of the measures, on the effective exercise of data subjects’ rights, and include the verification of the way in which data subjects’ requests are being processed in practice, especially where no direct access is allowed. The frequency of the reviews should be specified.

32.

The EDPS welcomes the safeguards on data security and oversight foreseen in the agreement and the improvements in comparison with the 2007 agreement. However, many concerns remain especially as regards coherence of the global approach to PNR, purpose limitation, the categories of data to be transferred to the DHS, the processing of sensitive data, the retention period, the exceptions to the ‘push’ method, the rights of data subjects and onward transfers.

33.

These observations are without prejudice to the necessity and proportionality requirements for any legitimate PNR scheme and agreement providing for the bulk transfer of PNR data from the EU to third countries. As the European Parliament reaffirmed in its resolution of 5 May, ‘necessity and proportionality are key principles without which the fight against terrorism will never be effective’.