The EU Parliament is to deal with a new agreement on the exchange of passenger data with Canada. So far, PNR agreements exist only with the USA and Australia, but now the EU Commission also wants to negotiate with Japan. Others could follow after the International Civil Aviation Organization adopts new standards.
The member states of the European Union want to conclude a further agreement on the transmission and use of passenger data. A proposal to start negotiations with Japan was published by the EU Commission in September, and the EU interior ministers intend to adopt it at their next meeting in Brussels at the beginning of December. The EU Parliament will not be involved, the MEPs can only vote on the negotiated treaty.
Passenger Name Records (PNR) include all data that travellers leave behind when booking and checking in with an airline. They are stored by the companies and transmitted to the relevant authorities in the destination country when the aircraft is booked and a second time when it is boarded. The PNR data differ from information that airlines have to send when finishing check-in to the border police of destination countries. This includes Advance Passenger Information (API). PNR data are considerably more comprehensive, but unlike API data they do not contain any identification documents. Governments like the U.S. therefore insist on both data sets.
Completion planned before the Olympics
Japanese authorities should use PNR data to prevent and combat terrorism and cross-border serious crime. The new agreement is expected to enter into force before the Summer Olympics in Japan. It follows an arrangement reached at the EU-Japan Summit in 2015, which, however, was not finalised in writing until 2018 in a strategic partnership between the EU and Japan. At the beginning of this year, the EU also adopted a so-called adequacy decision under Article 45 of the General Data Protection Regulation, according to which personal data can “flow freely between the two economies”.
Two out of three EU agreements with third countries on the exchange of passenger data are currently in force. In 2011, the Commission concluded such contracts with the US and Australia. The European Court of Justice (ECJ) overturned a third such agreement with Canada two years ago. The judges criticised the lack of protection of fundamental rights and attached conditions for a new treaty.
Shortly afterwards, the Commission received the Council’s approval for renegotiations. At the recent EU-Canada summit in summer, the parties finally presented a new agreement, which is to be adopted by the parliaments after a legal review. An adequacy decision was also taken on Canada.
Evaluation of the agreements with the USA and Australia
At the same time as the Canada Agreement will be discussed in Parliament, the two existing agreements are assessed, as is usual for such agreements. The EU Commission is responsible for this evaluation; the delegation to the USA was also accompanied by authorities from Germany, Belgium and Hungary. Among other things, the officials visited the Passenger Information Units (PIUs). These departments are responsible for receiving and, if necessary, forwarding personal data to the relevant police authorities or secret services.
The PNR agreements are reciprocal. Since data from the USA is also processed in Europe, US authorities have inspected the Belgian and Dutch passenger data centres. A final evaluation of the mutual visits is expected next year.
No consistent implementation of the EU directive
It was not until 2016, five years after the conclusion of the agreements with the USA and Australia, that the EU adopted its own PNR directive. This means that passenger data on all flights to and from the Schengen area must be transmitted twice in advance. To this end, the Member States must conclude appropriate agreements with the airlines. The British Government participates in the directive, while the Danish Parliament decided against it.
The EU PNR system is decentralised and data is only stored in national databases. As is usual with directives, Member States have had two years to transpose them. 14 countries did not meet the deadline for setting up a PIU and the Commission opened infringement proceedings against them. All governments except Spain and Slovenia have now notified full implementation of the Directive.
The decentral PIU’s compare passenger data with relevant national databases. Some Member States also query the Schengen Information System (SIS), where European authorities could deposit, for example, arrest warrants, entry bans or secret searches. Legally, however, it is not possible to use the SIS everywhere, so that, for example, the French central office does not query the SIS.
Extension to land and sea transport postponed
Suspicious passengers shall be reported to central offices of other Member States or to Europol, where they shall also be cross-checked with databases maintained there. The transfer takes place via the so-called PISA system. This means that other central offices are asked with an anonymised query whether more information on the person concerned is available. If a hit is made, the full data records are then exchanged.
In recent months, EU interior ministers have discussed extending the PNR Directive to land and sea transport. The demand came mainly from Scandinavian countries, which record a high number of ferry entries and process passenger data there. The governments in France and Belgium supported a corresponding proposal by the Finnish Presidency, but had rail transport in mind.
The planned extension has now been postponed. At their December meeting, the EU interior ministers are to adopt conclusions emphasising the importance of passenger data in land and sea transport. However, it also reiterates the concerns of some Member States that they would like to continue to make it possible to buy tickets without being tied to a specific person. The Council therefore proposes a “thorough impact assessment”. However, the Commission should wait until the EU PNR Directive has been reviewed next year as foreseen.
EU Commission works on global standards
Some EU Member States are now demanding further agreements with third countries. Interested parties include, for example, South Korea and Israel, which, however, insist on reciprocity, which means they want to receive personal data from the EU before each landing of an aircraft on their territory.
The conclusion of such agreements could soon be simplified after the International Civil Aviation Organisation (ICAO) adopts a decision to set up national PNR systems in all of its all 193 Member States. It implements United Nations Security Council Resolution 2396, which calls on to “develop the capability to collect, process and analyse PNR data”.
ICAO should also establish a standard for the processing of passenger data. The organisation will define common formats and procedures. The EU Commission is actively involved in this process and has ensured that the Council has formulated its own position vis-à-vis ICAO as well as a proposal on international PNR standards.