52014DC0458

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the joint review of the implementation of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service /* COM/2014/0458 final */


REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

on the joint review of the implementation of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service

The Agreement between the European Union (EU) and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service (ACBPS) entered into force on 1 June 2012.

The Agreement provides for a first joint review one year after its entry into force and regularly thereafter as jointly agreed. This joint review was carried out in Canberra on 29 and 30 August 2013. Its main focus was the implementation of the Agreement, with particular attention to the mechanism of masking out data as well as the transfers of EU citizens’ and residents’ PNR data to the authorities of third countries as set out in the relevant articles of the Agreement, and in accordance with the Joint Declaration of the EU and Australia on the Agreement.

The joint review was based on the methodology applied in previous PNR joint reviews with the United States (2005, 2013) and Canada (2008). The first part of this methodology consisted of a questionnaire sent by the European Commission to ACBPS prior to the joint review. ACBPS provided written replies to the questionnaire prior to the joint review. The second part consisted of a visit to the ACBPS Passenger Analysis Unit by the EU team. The third part consisted of a meeting between representatives of ACBPS, the Australian Department of Foreign Affairs and Trade, the Office of the Australian Information Commissioner, the Australian Privacy Commissioner and the EU team, discussing in detail the implementation of the Agreement.

Prior to the joint review, ACBPS provided the EU team with detailed documentation on the processing of PNR data by ACBPS, including a PNR control framework setting out a complete inventory of automated systems and manual controls for the processing of PNR data, other internal operational documents, a PNR privacy impact assessment, and recent audit reports by the Office of the Australian Privacy Commissioner.

The EU team found that Australia has fully implemented the Agreement in line with the conditions set out therein. Australia respects its obligations as regards the data protection safeguards under the Agreement, and processes PNR data in compliance with the  conditions set out in the Agreement. Australia does not process any sensitive data held in PNR data obtained under the Agreement, and it is actively seeking to further improve the automated identification and deletion of sensitive data. The very targeted way in which Australia assesses PNR data against risk indicators  minimises the access to personal data. The processing of PNR data under the Agreement is subject to a high level of independent oversight by the Office of the Australian Information Commissioner.

Australia is to be commended for the way it applies the PNRGOV “push” method. Although outside the scope of the Agreement, it is welcomed that Australia extended the application of the "push" method to all airlines not covered by the Agreement. Moreover, Australia is a forerunner in the development and promotion of the PNRGOV standard messaging format worldwide, seeking to achieve global standardisation for the transmission of PNR data in its engagement with individual airlines and in the framework of the World Customs Organisation (WCO), the International Civil Aviation Organization (ICAO) and the International Air Transport Association (IATA).

The two sides envisage to combine the next joint review of the Agreement with the joint evaluation of the Agreement in mid-2016.

As regards issues to be further addressed,  law enforcement cooperation based on the sharing of analytical information obtained from PNR data requires more attention. Australia is requested to enhance its efforts to ensure reciprocity and pro-actively share analytical information obtained from PNR data with Member States and, where appropriate, with Europol and Eurojust. At the same time, recipients of such information on the EU side should provide adequate feedback to ACBPS on the use of this information and the results achieved. Australia is also requested to set up a reporting mechanism that will enable Australia to inform Member States if PNR data received under the Agreement, or analytical information containing such data, is eventually shared with a third country. Moreover, Australia should continue to ensure that the safeguards set out in the Agreement are also extended to extracted PNR data that is shared with other areas of ACBPS or other Australian government authorities.

Notwithstanding Article 24(4) on a joint evaluation of the Agreement four years after its entry into force, a preliminary assessment of the question of whether PNR serves the purpose of supporting the fight against terrorism and other serious crimes that are transnational in nature showed that the processing of PNR data provided ACBPS with the possibility of carrying out effective pre-departure risk assessments of all passengers up to 72 hours before departure. ACBPS processes PNR data to assess passenger information against targeting rules that can include several risk indicators. In case the assessment with risk indicators points to a potential high-risk traveller, PNR data is further processed by an analyst in conjunction with other law enforcement information to determine whether a traveller poses a high risk, in order to assist in identifying those travellers that require an intervention upon arrival. The early identification of passengers who may pose a high risk enables ACBPS to prepare the necessary responses upon arrival and better target their interventions, while facilitating the travel of legitimate travellers due to minimal interventions. According to ACBPS, the analysis of PNR data in conjunction with other information plays a critical role in the ability of ACBPS to identify, ahead of arrival, high risk travellers in the context of combatting terrorism, drugs trafficking, identity fraud, trafficking in human beings and other serious transnational crimes. ACBPS provided examples of the use of PNR.

The Joint Review Report accompanying this Report consists of three Chapters. Chapter 1 provides an overview of the background to the review and the purpose and procedural aspects of the exercise. Chapter 2 presents the main findings of the joint review. This Chapter is supplemented by Annex A which contains the questionnaire and replies by ACBPS thereto. Finally, Chapter 3 presents the overall conclusions of the exercise. Annex B lists the composition of the EU and Australian teams that carried out the review exercise. The examples provided by ACBPS of the use of PNR data in Australia appear in Annex C.