EUR-Lex Access to European Union law
This document is an excerpt from the EUR-Lex website
Document 52019PC0420
Recommendation for a COUNCIL DECISION to authorise the opening of negotiations for an Agreement between the European Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime
Recommendation for a COUNCIL DECISION to authorise the opening of negotiations for an Agreement between the European Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime
Recommendation for a COUNCIL DECISION to authorise the opening of negotiations for an Agreement between the European Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime
COM/2019/420 final
EUROPEAN COMMISSION
Brussels, 27.9.2019
COM(2019) 420 final
Recommendation for a
COUNCIL DECISION
to authorise the opening of negotiations for an Agreement between the European Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime
EXPLANATORY MEMORANDUM
1.PURPOSE
The EU should open negotiations with Japan with the purpose of signing a bilateral Agreement laying down the framework and conditions under which air carriers will be authorised to transfer to Japan the Passenger Name Record (PNR) data of passengers flying between the EU and Japan in a manner that is compliant with the requirements of EU law.
2. CONTEXT OF THE PROPOSAL
PNR is a record of each passenger's travel requirements, which contains all information necessary to enable reservations to be processed by air carriers. As far as the present Recommendation is concerned, PNR data covers data collected and contained in the air carrier's automated reservation and departure control systems.
Within the EU, processing of PNR data constitutes an essential instrument in the common response to terrorism and serious crime and a building block of the Security Union. Identifying and tracing suspicious travel patterns by processing PNR to gather evidence and, where relevant, find perpetrators of serious crime and their associates and unravel criminal networks is proving essential to prevent, detect, investigate and prosecute terrorist and serious crime offences.
On 27 April 2016, the European Parliament and the Council adopted Directive (EU) 2016/681 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’) 1 . This Directive enables EU national authorities to gain direct access to crucial information held by airlines, in full regard of data protection rights. It provides all Member States with an important tool for preventing, detecting and investigating terrorism and serious crimes, including drugs and human trafficking and child sexual exploitation. The deadline for the Member States to transpose the PNR Directive into national law was 25 May 2018 2 .
At a global level, the United Nations Security Council Resolution 2396 adopted on 21 December 2017 requires UN Member States to “develop the capability to collect, process and analyse, in furtherance of ICAO standards and recommended practices, passenger name record (PNR) data and to ensure PNR data is used by and shared with all their competent national authorities, with full respect for human rights and fundamental freedoms”. The Resolution also urges ICAO ‘to work with its Member States to establish a standard for the collection, use, processing and protection of PNR data’ 3 . In March 2019, the ICAO Air Transport Committee (ATC) set up a Facilitation Panel Task Force to consider proposals for Standards and Recommended Practices (SARPs) on the collection, use, processing and protection of PNR data in line with United Nations Security Council resolution 2396 (2017). The Task Force is mandated to: a) review the existing PNR SARPs found in Chapter 9 of Annex 9 to the Chicago Convention; b) determine whether they need to be complemented by additional SARPs and/or guidance material, taking into account the Security Council’s decision and considerations; and c) as required, develop new provisions (Standards, Recommended Practices, and/or guidance materials) for the collection, use, processing and protection of PNR data.
The transfer of relevant personal data from the EU to a third country may take place only in compliance with the provisions on international transfers laid down in Chapter V of Regulation (EU) 2016/679 (‘the GDPR’) 4 .
There are currently two international agreements in force between the EU and third countries (namely Australia 5 and the United States 6 ) on the processing and transfer of PNR data. On 26 July 2017, the Court of Justice of the EU adopted an Opinion on the envisaged Agreement between the EU and Canada signed on 25 June 2014 7 . The Court decided that the agreement could not be concluded in its intended form because some of its provisions were incompatible with the fundamental rights to privacy and to personal data protection recognised by the EU. In particular, the Court laid down further legal requirements with regard to oversight by an independent authority, sensitive data, automated processing of PNR data, purposes for which PNR data may be processed, and the retention, use, disclosure and further transfer of PNR data. Further to the authorization received by the European Commission from the Council in December 2017, new PNR negotiations with Canada were launched in June 2018. At the 17th EU-Canada Summit in Montreal on 17-18 July 2019, the EU and Canada welcomed that they had concluded these negotiations. While Canada noted its requirement for legal review, the parties committed, subject to that review, to finalise the Agreement as soon as possible, acknowledging the vital role of this Agreement in enhancing security while ensuring privacy and the protection of personal data.
3.OBJECTIVES OF THE PROPOSAL
Japan is a close and strategic partner of the European Union in the fight against terrorism and other serious transnational crime. At the United Nations, the G20, the G7 and other multilateral fora, the European Union and Japan work closely together to improve the global security frameworks and to enhance the security of their citizens.
The EU-Japan Strategic Partnership Agreement signed in July 2018 strengthens the overall partnership and states that ‘Parties shall endeavour to use, to the extent consistent with their respective laws and regulations, available tools, such as passenger name records, to prevent and combat acts of terrorism and serious crimes, while respecting the right to privacy and the protection of personal data’. An EU-Japan PNR agreement would contribute to strengthening the proposed Partnership on Sustainable Connectivity and Quality Infrastructure between the European Union and Japan, notably by enhancing the security of air transport.
On 23 January 2019, the European Commission adopted an adequacy decision in relation to the transfer of personal data from the EU to Japan between commercial operators. 8 In this context, the European Commission also assessed the conditions and safeguards under which Japanese public authorities, including law enforcement, can access data held by those operators.
Japan has been clear in expressing its interest to the European Commission to enter into negotiations with the aim of concluding a PNR Agreement with the European Union. In particular, more recently, Japan indicated a pressing need to acquire PNR data from EU carriers in view of the 2020 Olympics in their country in order to address an anticipated increase of security risks.
According to the legislation of Japan (Customs Act and Immigration Control and Refugee Recognition Act), airlines are required to transmit Passenger Name Record (PNR) data to the Japan Customs and Tariff Bureau and Immigration Bureau. This legislation aims at enhancing the security of Japan by obtaining PNR data prior to a passenger’s arrival or departure and therefore significantly enhances the ability to conduct efficient and effective advance travel risk assessment of passengers.
Air carriers and their associations have also on several occasions requested the European Commission to ensure legal certainty for air carriers operating flights between the EU and Japan, considering their obligation to provide Japan with PNR data to the extent it is collected and contained in their automated reservation and departure control systems.
A solution is required that will provide a legal basis at EU level for the transfer of PNR data from the EU to Japan as a recognition of the necessity of PNR data in the fight against terrorism and other forms of serious transnational crime. At the same time, a future agreement should provide appropriate data protection safeguards within the meaning of Article 46(2)(a) of the General Data Protection Regulation, including a system of independent oversight. A future agreement should respect fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the Union, in particular the right to private and family life recognised in Article 7 of the Charter, the right to the protection of personal data recognised in Article 8 of the Charter and the right to effective remedy and fair trial recognised in Article 47 of the Charter.
The transfer of PNR data to Japan would be a means to further foster international law enforcement cooperation with the European Union, including through the provision by Japan of analytical information stemming from PNR data to the competent Member States authorities as well as Europol and/or to Eurojust within their respective mandates.
4.LEGAL ASPECTS OF THE PROPOSAL
This recommendation to open negotiations with Japan on a PNR Agreement takes into consideration the applicable EU legal framework on data protection and PNR, namely Regulation (EU) 2016/679, Directive (EU) 2016/680 9 and Directive (EU) 2016/681, as well as the Treaty and Charter of Fundamental Rights as interpreted in the relevant case law of the Court of Justice of the EU, in particular Opinion 1/15 of the Court.
The recommendation also takes into account the authorization received by the European Commission from the Council in December 2017 for the opening of negotiations of an Agreement between the EU and Canada for the transfers and use of PNR data.
This recommendation is in line with the legal requirements laid down in the Court’s Opinion 1/15. It is based on Article 218 of the Treaty of the Functioning of the EU. In line with Article 218 of the Treaty on the Functioning of the EU, the European Commission shall be nominated as the Union negotiator.
Recommendation for a
COUNCIL DECISION
to authorise the opening of negotiations for an Agreement between the European Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 218(3) and (4) thereof,
Having regard to the recommendation from the European Commission,
Whereas:
(1)Negotiations should be opened with a view to concluding an Agreement between the Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime.
(2)The Agreement should respect fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the Union, in particular the right to private and family life recognised in Article 7 of the Charter, the right to the protection of personal data recognised in Article 8 of the Charter and the right to effective remedy and fair trial recognised in Article 47 of the Charter. The Agreement should be applied in accordance with those rights and principles.
HAS ADOPTED THIS DECISION:
Article 1
The European Commission is hereby authorised to negotiate, on behalf of the Union, an Agreement between the Union and Japan on the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime.
Article 2
The negotiating directives are set out in the Annex.
Article 3
The negotiations shall be conducted in consultation with a special committee to be appointed by the Council.
Article 4
This Decision is addressed to the European Commission.
Done at Brussels,
For the Council
The President
EUROPEAN COMMISSION
Brussels, 27.9.2019
COM(2019) 420 final
ANNEX
to the
Recommendation
for a
COUNCIL DECISION
to authorise the opening of negotiations for an Agreement between the European Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime
ANNEX
Directives for the negotiation of an Agreement between the European Union and Japan for the transfer and use of Passenger Name Record (PNR) data to prevent and combat terrorism and other serious transnational crime
In the course of the negotiations the European Commission should aim to achieve the objectives set in detail below:
(1)The objective of the Agreement should be to provide the legal basis, conditions and safeguards for the transfer of PNR data to Japan.
(2)The Agreement should duly reflect the necessity and importance of the use of PNR data in preventing and combating terrorism and other serious transnational crime.
(3)To this end, the objective of this Agreement should be to regulate the transfer and use of PNR data for the sole purpose of preventing and combating terrorism and other serious transnational crime, with full respect of the protection of privacy, personal data and fundamental rights and freedoms of individuals under the conditions to be set out in the Agreement.
(4)The Agreement should also acknowledge the transfer of PNR data to Japan as fostering police and judicial cooperation which will be achieved through the transfer of analytical information flowing from PNR data. Therefore, the Agreement should ensure the transfer of analytical information flowing from competent authorities of Japan to police and judicial authorities of the Member States, as well as to Europol and Eurojust within their respective competences.
(5)To guarantee compliance with the purpose limitation principle, the Agreement should limit the processing of PNR data exclusively to the prevention, detection, investigation or prosecution of terrorism and other serious transnational crime as based on definitions laid down in relevant EU instruments.
(6)The Agreement should ensure full respect for fundamental rights and freedoms as enshrined in Article 6 of the Treaty on the EU, in particular the right to the protection of personal data as stipulated in Article 16 of the Treaty of the Functioning of the EU and Article 8 of the Charter of Fundamental Rights of the EU. It should also ensure full respect for the principles of necessity and proportionality regarding the right for private and family life and the protection of personal data as set out Article 7 and Article 8 of the Charter of Fundamental Rights of the EU as interpreted by the Court of Justice in its Opinion 1/15 on the envisaged EU-Canada PNR Agreement.
(7)The Agreement should provide for legal certainty, notably for air carriers, by providing a legal basis for them to transfer PNR data contained in their automated reservation and departure control systems.
(8)The Agreement should spell out clearly and precisely the necessary safeguards and controls with respect to the protection of personal data, fundamental rights and freedoms of individuals, irrespective of nationality and place of residence, in the context of the transfer of PNR data to Japan. These safeguards should ensure the following:
(a)The categories of PNR data to be transferred should be specified exhaustively and in a clear and precise manner, in line with international standards. Data transfers should be kept to the minimum necessary and should be proportionate to the specified purpose of the Agreement.
(b)Sensitive data within the meaning of EU law, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or concerning a person’s health or sexual life or orientation, should not be processed.
(c)The Agreement should include provisions on data security, especially allowing only a limited number of specially authorised individuals to have access to PNR data and providing for an obligation to notify without delay the European data protection supervisory authorities of breaches of data security affecting PNR data unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons as well as referring to effective and deterrent sanctions.
(d)The Agreement should contain provisions for the adequate and transparent information to passengers in relation to the processing of their PNR data, as well as the right of individual notification in case of use after arrival, access, and where appropriate, rectification and deletion.
(e)The Agreement should ensure the rights of effective administrative and judicial redress on a non-discriminatory basis regardless of nationality or place of residence for any person whose data are processed pursuant to the Agreement, in line with Article 47 of the Charter of Fundamental Rights of the EU.
(f)The Agreement should ensure that automated processing should be based on specific, objective, non-discriminatory and reliable, pre-established criteria and should not be used as the sole basis for any decisions with adverse legal effects or seriously affecting an individual. The databases against which PNR data are compared should be only those relevant for purposes covered by the Agreement and should be reliable and up to date.
(g)The use of PNR data by the Japanese competent authority beyond security and border control checks should be based on new circumstances and subject to substantive and procedural conditions based on objective criteria. In particular, such use should be subject to a prior review carried out either by a court or by an independent administrative body, except in cases of validly established urgency.
(h)The period of retention of the PNR data should be restricted and not be longer than necessary for the original objective pursued. The retention of PNR data after the air passengers’ departure from Japan should be in line with the requirements set in the case law of the Court of Justice. The Agreement should require that the data are deleted upon expiry of the retention period or rendered anonymous in such a manner that the individual concerned is no longer identifiable.
(i)The Agreement should ensure that further disclosure of PNR data to other government authorities within the same country or to other countries may only take place on a case-by-case basis and under certain conditions and safeguards. In particular, such disclosure may only take place if the recipient authority exercises functions related to the fight against terrorism or serious transnational crime and ensures the same protections as those set out in the Agreement. Onward transfers to competent authorities of other third countries should be limited to those countries with which the EU has an equivalent PNR Agreement or for which the EU has adopted an adequacy decision under EU data protection law covering the relevant authorities to which PNR data is intended to be transferred.
(9)The Agreement should ensure a system of oversight by an independent public authority responsible for data protection with effective powers of investigation, intervention and enforcement to exercise oversight over those public authorities that use PNR data. That authority should have powers to hear complaints from individuals, in particular concerning the processing of their PNR data. Public authorities that use PNR data should be accountable for complying with the rules on protection of personal data under this Agreement.
(10)The Agreement should require that the data be transferred exclusively on the basis of a 'push' system.
(11)The Agreement should ensure that the frequency and the timing of PNR data transmissions should not create an unreasonable burden on carriers and should be limited to that strictly necessary.
(12)The Agreement should ensure that air carriers are not required to collect additional data compared to what they already do or to collect certain types of data, but only to transmit what they already collect as part of their business.
(13)The Agreement should include provisions for regular joint review on all aspects of the implementation of the Agreement, including the reliability and topicality of pre-established models and criteria and databases and comprising a proportionality assessment of the retained data based on their value for the prevention and combat of terrorism and other serious transnational crime.
(14)The Agreement should provide for a dispute settlement mechanism with respect to its interpretation, application and implementation.
(15)The Agreement should be concluded for a period of 7 years and should include a provision whereby the Agreement maybe renewed for a similar period unless a Party terminates it.
(16)The Agreement should include a clause addressing its territorial application.
(17)The Agreement should be authentic in the Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish languages and should include a language clause to that effect.
