Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes - Hoofdinhoud

Inhoudsopgave van deze pagina:

Delen

1. Tekst
2. Originele weergave

3. Meer informatie

• 1. 

  Articles 1 through 11 of the above Commission proposal were discussed at meetings of the Multidisciplinary group of 4 February and 25 and 26 March 2008 and at the meeting of the

Friends of the Presidency of 25 February 2008.

• 2. 

  DELETED entered a reservation on the proposal. The following delegations entered a general scrutiny reservation on the proposal: DELETED. In addition, a number of

delegations also entered a parliamentary scrutiny reservation: AT, CZ, DK, EE, FR, HU, IE,

LT, MT, NL, PL, PT, SE and UK. DELETED welcomed that the Commission had tabled a

proposal on the use of PNR data, as requested by the Council. DELETED however pointed

out that specific provisions of the Draft Framework decision still needed a thorough

examination in order to ensure that it would be compatible with all data protection and

constitutional requirements.

• 3. 

  The Presidency has redrafted Articles 1-10 in order to accommodate as much as possible as possible the comments made by delegations.

________________________

ANNEX

Proposal for a

COUNCIL FRAMEWORK DECISION

on the use of Passenger Name Record (PNR) for law enforcement purposes

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on European Union, and in particular Article 29, Article 30(1)(b) and

Article 34(2)(b) thereof,

1

Having regard to the proposal from the Commission , 2

Having regard to the opinion of the European Parliament , Whereas,

(1) The European Council adopted the Declaration on combating terrorism on 25 March 2004 3 inviting the Commission to bring forward, inter alia a proposal for a common EU approach

to the use of passengers data for law enforcement purposes.

(2) The Commission has been further called upon to bring forward a proposal for the use of 4 5

PNR in the Hague Programme and at the extraordinary Council meeting of 13 July 2005 .

1

OJ

2 OJ 3

Bulletin of the EU 3-2004. 4

The Hague Programme ­ Strengthening Freedom, Security and Justice in the European Union, paragraph 2.2 Terrorism. 5

Council Declaration on the EU response to the London bombings ­ point 6.

(3) It is one of the objectives of the European Union to offer a high level of security and protection within an area of freedom, security and justice; this requires that the prevention of

and fight against terrorist offences and organised crime, be carried out in an adequate

manner. The definitions of terrorist offences and organised crime are taken from Articles 1

1

to 4 of the Council Framework Decision 2002/475/JHA on combating terrorism and Article 2

2 of the Council Framework Decision (xx/xx) on the fight against organised crime respectively.

(4) The Council adopted Directive 2004/82/EC of 29 April 2004 on the obligation of air carriers 3

to communicate passenger data which aims at improving border controls and combating illegal immigration by the transmission of advance passenger data by air carriers to the

competent national authorities.

(5) Because of the information they contain, PNR data are appropriate to effectively prevent, 4

detect, investigate and prosecute terrorist offences and organised crime and thus to enhance internal security; the obligations imposed on air carriers by virtue of this Framework

Decision should be separate from those established by Directive 2004/82/EC.

(6) Air carriers already collect PNR data from their passengers for their own commercial purposes. This Framework Decision does not impose any obligation on air carriers to collect

any additional information from passengers or to retain any data or any obligation on

passengers to provide any data in addition to that already provided to air carriers on a

voluntary basis.

(7) To prevent, detect, investigate and prosecute terrorist offences and organised crime, it is essential that all Member States introduce provisions laying down obligations on air carriers

operating flights to or from the territory of one or more Member States of the European

Union; intra-EU flights should not be covered by this Framework Decision, except those

segments connecting two EU-airports which are part of an international flight.

1 OJ L 164, 22.6.2002, p. 3. 2

OJ 3

OJ L 261, 6.8.2004, p. 24. 4

Throughout the text, the term 'fight' has been replaced by the terms ' detect, investigate and prosecute'.

(8) The availability of PNR data to competent national authorities in accordance with the provisions of this Framework Decision is necessary for the purposes of preventing,

detecting, investigating and prosecuting terrorist offences and organised crime, the

regulation of such availability should be proportionate to the legitimate security goal

pursued.

(9) The retention period of PNR data by competent national authorities should be proportionate to the purposes for which they are sought; namely the prevention of and fight against

terrorist offences and organised crime. Because of the nature of the data and their uses, it is

important that the data are kept for a sufficiently long period as to fulfil the purpose of

developing risk indicators and establishing patterns of travel and behaviour. In order to

avoid a disproportionate use, it is important that after some years, the data is moved to an

inactive database and only accessible under very strict and more limited conditions. At the

same time this ensures that they are available if they are needed in specified exceptional

circumstances. It is also important to permit the extension of the period of retention of the

data where such are used in an ongoing criminal investigation or judicial procedure.

(10) [The Council Framework Decision (xx/xx) on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters should be applicable

to all the data processed in accordance with this Framework Decision. The rights of the data

subjects in relation to such processing, such as the right to information, the right of access,

the right of rectification, erasure and blocking, as well as the rights to compensation and

1

judicial remedies should be those provided under that Framework Decision] .

1

This text may have to be revised depending on the outcome of the discussions to be had on the data protection chapter of the Framework Decision.

(11) To ensure the effectiveness of the obligations on air carriers to make PNR data available, dissuasive, effective and proportionate sanctions, including financial penalties, should be

provided for by Member States against those air carriers failing to meet these obligations.

The Member States should take all necessary measures to enable air carriers to fulfil their

obligations under the Framework Decision. In case where there are repeated serious

infringements which might undermine the basic objectives of this Framework Decision,

these sanctions may include measures such as the immobilisation, seizure and confiscation

of the means of transport, or the temporary suspension or withdrawal of the operating

licence. Such sanctions should be imposed only in exceptional cases.

(12) It is necessary that competent national authorities are provided with PNR data which are collected by air carriers.

(13) As a result of the legal and technical differences between national provisions concerning information, including PNR, air carriers will be faced with different requirements regarding

the types of information to be transmitted, as well as the conditions under which this

information needs to be provided to competent national authorities.

(14) These differences may be prejudicial to the effective co-operation between the competent national authorities for the purposes of preventing, detecting, investigating and prosecuting

and fighting terrorist offences and organised crime.

(15) The Commission in its Communication of 16 December 2003 on `Transfer of air PNR data: 1

a global EU-approach" has outlined the core elements of an EU policy in this area; it further provided support to and contributed actively to the work undertaken in the

framework of the multilateral initiative of ICAO which resulted in the development of the

ICAO guidelines on PNR; such guidelines should be taken into account. Measures adopted

solely at national or even Union level, without taking into account international coordination

and cooperation, would have limited effects. The measures adopted by the Union in this

field should therefore be consistent with the work undertaken in international fora.

1

COM(2003) 826, 16.12.2003.

(16) There are two possible methods of data transfer currently available: the 'pull' method, under which the competent authorities from the State requiring the data can reach into ("access")

the air carrier's reservation system and extract ("pull") a copy of the required data and the

'push' method, under which air carriers transmit ("push") the required PNR data to the

authority requesting them. The 'push' method is considered to offer a higher degree of data

protection and should be mandatory for all carriers established in the Union. As regards third

country carriers, "push" should be the preferred method whenever it is technically,

economically and operational possible for third country carriers.

(17) PNR data required by a Member State should be transferred to a single representative unit (Passenger Information Unit) of the requesting Member State, as to ensure clarity to air

carriers.

(17a) Air carriers that operate international flights may designate an intermediary through which

they make the PNR data of passengers available, instead of making such data available

directly to Passenger Information Units. Where such intermediaries are designated, they

shall act on behalf of the air carrier from which they have been designated, and they shall be

considered as such air carrier's representative for the purposes of this Framework Decision.

The designation of such intermediary does not exonerate the air carrier from its obligations

under this Framework Decision.

(18) The contents of any lists of required PNR data to be obtained by the competent national authorities should reflect an appropriate balance between the legitimate requirements of

public authorities to prevent, detect, investigate and prosecute terrorist offences and

organised crime, thereby improving the internal security within the EU and the protection of

fundamental rights of citizens, notably privacy; such list should not contain any personal

data that could reveal racial or ethnic origin, political opinions, religious or philosophical

beliefs, trade-union membership or data concerning health or sex life of the individual

concerned; the PNR data contain details on the passenger's reservation and travel itinerary

which enable competent authorities to identify air passengers representing a risk for internal

security.

(19) In order to enhance the internal security of the European Union as a whole, each Member State should be responsible for assessing the potential threats related to terrorist offences and

organised crime. Guidance for common general criteria for such risk assessment should be

provided for by the Committee established by this Framework Decision.

(20) As a fundamental principle of data protection, it is important to ensure that no decision which produces an adverse legal effect to a person or seriously affects him shall be taken by

the competent authorities of the Member States only by reason of the automated processing

of PNR data or by reason of a person's race or ethnic origin, religious or philosophical

belief, political opinion or sexual orientation.

(21) Member States should share with other Member States the PNR data that they receive as necessary. Transfers of PNR data to third countries and adequacy findings should be

governed by the Council Framework Decision (xx/xx) on the Protection of Personal Data

Processed in the Framework of Police and Judicial Cooperation in Criminal Matters and

should be further subject to additional requirements relating to the purpose of the transfer,

Whenever the Union has concluded international agreements on such transfers, the

provisions of such agreements should be duly taken into account.

(21a) The Framework Decision rules on exchange of PNR data between the Passenger

Information Units of different Member States are without prejudice to the exchange of PNR

data between law enforcement or judicial authorities that have obtained PNR data from their

Passenger Information Unit in accordance with this Framework Decision. Such exchange of

PNR data between law enforcement or judicial authorities shall be governed by the rules on

international police and judicial co-operation.

(22) Member States should ensure that the transfer of the relevant PNR data from air carriers to the competent national authorities takes place using state of the art technological means to

guarantee, to the maximum extent possible, the security of the data transmitted.

(23) Since the objectives of this Framework Decision cannot be sufficiently achieved by the Member States acting alone, and can therefore, by reason of the scale and effects of the

action, be better achieved at the level of the European Union, the Council may adopt

measures in accordance with the principle of subsidiarity as set out in Article 5 of the EC

Treaty and referred to in Article 2 of the EU Treaty. In accordance with the principle of

proportionality, as set out in Article 5 of the EC Treaty, this Framework Decision does not

go beyond what is necessary to achieve those objectives.

(24) This Framework Decision respects the fundamental rights and observes the principles recognised, in particular by the Charter of Fundamental Rights of the European Union,

HAS ADOPTED THIS FRAMEWORK DECISION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Objectives

This Framework Decision provides for the making available by air carriers of PNR data of

passengers of international flights to the competent authorities of the Member States, for the

purpose of preventing detecting, investigating and prosecuting terrorist offences and organised

crime, as well as the processing of those data, including their collection, use and retention (...) by

these authorities and their exchange (...) between them.

Article 2

1

Definitions

For the purpose of this Framework Decision the following definitions shall apply:

(a) `air carrier' means an air transport undertaking with a valid operating licence or equivalent permitting it to carry out carriage by air of passengers, as stated in the operating licence;

(b) "international flight" means any flight scheduled to enter the territory of at least one Member State of the European Union originating in a third country or to depart from the territory of at

2

least one Member State of the European Union with a final destination in a third country ;

1

DELETED scrutiny reservation. 2

Two Member States (DELETED) pleaded in favour of the inclusion of intra-EU flights.

(c) `Passenger Name Record (PNR)' means a record of each passenger's travel requirements which contains all information necessary to enable reservations to be processed and controlled

by the booking and participating air carriers for each journey booked by or on behalf of any

person. Such a record may be contained in reservation systems, Departure Control Systems

(DCS), Global Distribution Systems (GDS) or equivalent systems, or is otherwise known by

1

the air carrier . In the context of this Framework Decision, PNR data shall mean the data elements described in the Annex and only to the extent that these are collected or otherwise

known by the air carriers;

2

(d) 'passenger' means any person, except members of the crew , carried or to be carried in an aircraft with the consent of the carrier;

(e) `reservation systems' means the air carrier's computerised inventory system, in which PNR data are collected from reservations made via computerised reservation systems as defined in

Regulation (EEC) No 2299/89 on a code of conduct for computerized reservation systems or

via direct booking channels like the air carriers' Internet websites, call centres or sales outlets;

(f) 'Push method' means the method under which air carriers transmit the required PNR data into the database of the authority requesting them;

(g) "Pull method" means the method under which the authority requiring the data can access the air carrier's reservation system, departure control system, Global Distribution System and

equivalent system and extract (...) the required data into their database;

3

(h) "terrorist offences" means the offences under national law, referred to in Articles 1 to 4 of the 4

Council Framework Decision 2002/475/JHA on combating terrorism ;

1

Suggested clarification of the type of data covered by the Framework Decision. 2

DELETED wanted to include crew members. 3

DELETED thought it was sufficient to mention Article 2 and it was not necessary to include Articles 2, 3 and 4.

4

OJ L 164, 22.6.2002, p. 3.

(i) "organised crime" means the offences under national law, referred to in Article 2 of the 1

Council Framework Decision (xx/xx) on the fight against organised crime . CHAPTER II

RESPONSIBILITIES OF THE MEMBER STATES

Article 3

2

Passenger Information Unit

• 1. 

  (....) Each Member State shall set up or designate a public authority, to act as its "Passenger Information Unit". The Passenger Information Unit may be designated from authorities of the

Member State which are responsible for the prevention, detection, investigation or

prosecution of terrorist offences and organised crime. It may also be separate branch of a

3

competent authority as defined in Article 4 . Each Member State shall notify its Passenger Information Unit to the Commission and the General Secretariat of the Council within twelve

months after this Framework Decision enters into force, and may at any time update its

notification. The Commission shall publish this information in the Official Journal of the

European Union.

1

Several Member States (DELETED) criticised this reference to organised crime for being too narrow and indicated that forms of serious crime should be included in the scope of the proposal instead of the only membership of a criminal organisation. In this perspective, inspiration might be drawn from the draft Council Decision establishing the European Police Office (EUROPOL), which in Article 4(2) refers to forms of serious crime listed in the Annex to that draft decision. That Annex in turn has the same list of offences as in Article 2 of the Framework Decision on the European arrest warrant. 2

DELETED scrutiny reservation. 3

Several delegations (DELETED) asked that the Framework Decision would allow the PIU to be a branch of the law enforcement authority competent for acting upon the PNR.

• 2. 

  The Passenger Information Unit shall be responsible for collecting the PNR data from the air carriers (...), according to Article 5 (...), in relation to international flights which arrive or

depart from the territory of the Member States which it serves. To the extent that the PNR

data of a passenger as collected, includes data additional to those included in the Annex or

special categories of personal data that would reveal the racial or ethnic origin, political

opinions, religious or philosophical beliefs, trade-union membership or data concerning health

or sex life of the person concerned, the Passenger Information Unit shall delete such data

1

immediately upon their receipt .

• 3. 

  The Passenger Information Unit shall further be responsible for analysing the PNR data and 2

for carrying out a risk assessment of the passengers in order to identify the persons requiring further examination by the competent authorities of the Member State, as referred to in Article

4 3 . Such analysis and risk assessment shall be aimed at preventing, detecting, investigating or prosecuting terrorist offences and organised crime, only for the following purposes:

­ to identify persons who are or may be involved in a terrorist or organised crime offence, as well as their associates;

­ to create and update risk indicators for the assessment of such persons;

­ to provide intelligence on travel patterns and other trends relating to terrorist offences and organised crime;

­ to be used in criminal investigations and prosecutions of terrorist offences and organised 4

crime .

1

DELETED scrutiny reservation on paragraph 2.DELETED scrutiny reservation on the need

for a general obligation to delete all sensitive data. DELETED were in favour of such general obligation. DELETED thought this should be left to the PIU. The Presidency intends to revert to this issue at a later stage in the context of a general discussion on the use of sensitive data.

2

DELETED indicated that it thought Member States should not be under an obligation to analyse the PNR data of all passengers.

3

Some delegations pleaded in favour of some degree of harmonisation with regard to the risk assessment:DELETED. 4

DELETED scrutiny reservation.

The criteria and guarantees in respect of such risk assessments will be provided for under

national law, which shall take due account of the recommendations for common general

criteria, methods and practices for the risk assessment adopted under the procedure of Articles

13, 14 and 15. No risk assessment criterion shall be based on a person's race or ethnic origin,

religious or philosophical belief, political opinion, trade union membership, health or sexual

orientation.

• 4. 

  The Passenger Information Unit of a Member State shall transmit the analytical information flowing from PNR data of individuals identified in accordance with paragraph 3 for potential

further examination to the relevant competent authorities of the same Member State, referred

1

to in Article 4, by electronic means or, in case of failure, by any other appropriate means . The Passenger Information Units shall not take any decision on the basis of a passenger's

PNR data which produces an adverse legal effect concerning a person or seriously affects

him.

5. (...)

• 6. 

  Two or more Member States may jointly set up or designate the same authority to serve as their Passenger Information Unit. Such Passenger Information Units shall be established in

one of the participating Member States and shall be considered the national Passenger

2

Information Unit of all such participating Member States . The participating Member States shall agree on the modalities of the operation of the Passenger Information Unit, the control of

the data and in particular on the applicable requirements on data security, data protection and

supervision, in accordance with the requirements laid down in this Framework decision.

1

DELETED indicated telex might be used. DELETED asked for the deletion of of alternative means. DELETED scrutiny reservation.

2

DELETED pleaded in favour of a supranational analysis of PNR data.

Article 4

Competent authorities

• 1. 

  Each Member State shall adopt a list of the competent authorities which shall be entitled to receive analytical information flowing from PNR data from the Passenger Information Units

in order to examine this information further .

• 2. 

  Competent authorities shall only include authorities of the Member States which are responsible for the prevention, detection, investigation or prosecution of terrorist offences and

organised crime.

• 3. 

  Each Member State shall notify the list of its competent authorities in a declaration to the Commission and the General Secretariat of the Council within twelve months after this

Framework Decision enters into force, and may at any time update its declaration. The

Commission shall publish the declarations in the Official Journal of the European Union.

• 4. 

  The PNR data of passengers may be processed by the competent authorities of the Member States only with the aim of preventing, detecting, investigating or prosecuting terrorist

offences and organised crime.

• 5. 

  The limitation set out in paragraph 4 shall not affect or interfere with national law enforcement or judicial powers in case other offences, or indications thereof, are detected in

the course of the processing described in paragraph 4 or in the course of enforcement action

further to such processing.

• 6. 

  The competent authorities of the Member States shall not take any decision which produces an adverse legal effect on a person or seriously affects him shall be taken on the basis of a

passenger's PNR data only by reason of an automated processing of PNR data or only on the

basis of a person's race or ethnic origin, religious or philosophical belief, political opinion,

trade union membership or health or sexual orientation.

Article 5

Obligation on air carriers

1

• 1. 

  Member States shall adopt the necessary measures to ensure that air carriers make available the PNR data of the passengers of international flights to the national Passenger Information

Unit of the Member State on whose territory the international flight referred to is entering,

departing or transiting, in accordance with the conditions specified in this Framework

Decision. In cases in which a transiting international flight includes a segment involving two

or more different Member States, air carriers should make available the PNR data of the

2

passengers to the Passenger Information Units of all the involved Member States .

• 2. 

  Air carriers shall make available to the Passenger Information Unit the PNR data specified in the Annex to the extent that they are collected or otherwise known by the air carrier. For the

purposes of this Framework Decision, PNR data shall be deemed to be collected or otherwise

known by the air carrier if it is collected and processed in the air carriers' reservation systems,

departure control systems, Global Distribution Systems (GDS) and equivalent systems, or is

requested in the course of business of the air carrier but not necessarily held in such a system.

1

DELETED reservation on paragraph 1. DELETED in particular queried the meaning of 'necessary measures'.

2

This addition was suggested by the Presidency in order to accommodate a remark that was made with regard to transit flight in the context of the discussion on Article 2(b).

• 3. 

  Air carriers shall make available such data by electronic means using the common protocols and encryption standards to be adopted according to the procedure of Articles 13, 14 and 15,

1

or, in case of technical failure, by any other appropriate means : (a) in advance, 24 hours before the scheduled flight departure and

2

(b) immediately after flight closure . In specific cases, when there is an indication that early access is necessary to assist in

3

responding to a specific and actual threat related to terrorist offences and organised crime, a 4

Passenger Information Unit may, in accordance with national law , require an air carrier to make available to it PNR data prior to 24 hours before the scheduled flight departure. [In

5

exercising this discretion, the Passenger Information Unit will act proportionally] .

• 4. 

  Air carriers using databases that are established in a Member State of the European Union shall take the necessary technical measures to ensure that the PNR data are transferred to the

Passenger Information Units (...) pursuant to Article 6, using the "push method".

1

Several delegations (DELETED) questioned the concept of 'appropriate means'. The Presidency has tried to clarify the electronic transmission mode that would as a rule apply. As the 'appropriate means' would be used only in case of a technical failure, it may not be necessary to further specify these 'appropriate means'. 2

Delegations discussed this two-step approach and the criterion of 24 hours. As all delegations agreed on the need to have a harmonised approached, but disagreed on the exact criterion, the Presidency invited delegations to reflect on the most adequate moment for transmitting PNR data. Some delegations asked that the second transmission be limited to those PNR data that have changed after the first transmission. The concept of 'flight closure' also needed to be clarified. EE linguistic reservation on the concept of flight closure. 3

Addition in order to ensure consistency with Article 7(4). DELETEDargued in favour of a lower threshold without need to demonstrate the actual nature of the threat. 4

Following an intervention by DELETED, the Presidency suggests this addition in order to clarify that the ad hoc powers of PIUs to request PNR data in specific cases are regulated by national law. This sentence merely acknowledges the possibility for national law to provide for such powers, in addition to the general EU obligation to transmit PNR data, set out at the beginning of paragraph 1. 5

DELETED asked what was meant by 'proportionally'. COM replied by stating that it was

meant to emphasise that such requests could only be made on an ad hoc basis. As, the proportionality principle is a general principle of law, the Presidency thinks that this could be left to Member States law and this sentence could maybe be deleted.

• 5. 

  [Air carriers using databases that are not established in a Member State of the European Union:

­ shall be required to use the "push method" to transfer the data to the Passenger Information Units (...);

­ where they do not possess the necessary technical architecture to use the "push method", shall be obliged to permit the Passenger Information Unit (...), to extract the data from

their databases using the "pull method".

In all cases, they must inform the Passenger Information Units (...) of all the Member

States whether they will use the "push" or the "pull" methods for making the data

1

available .]

• 6. 

  Member States shall ensure that air carriers inform passengers in accordance with Article 11c of this Framework Decision 2 .

Article 6

3

Intermediary

(...)

1

Several delegations (DELETED) questioned the subsidiary 'pull' alternative, which is offered to the air carriers with a database outside the EU. It was suggested that this might result in a competitive advantage for air carriers outside the European Union. The Presidency concluded that further reflection was required on the need/expediency to distinguish between EU and non-EU carriers, and on the criterion for such distinction. 2

At the request of several delegations (DELETED), the Presidency suggests to move this paragraph to the Data Protection Chapter. 3

At the suggestion of several delegations (DELETED), the Presidency proposes to delete this provision from the draft Framework Decision. As air carriers have the option to use intermediaries or not, these intermediaries simply exercise the obligations of air carriers, but obviously cannot exempt the air carriers from their obligations. Therefore it does not deem expedient to regulate their obligations separately. The Presidency suggests to insert a new recital (17a) to clarify that air carriers may transmit the PNR data through designated intermediaries.

Article 7

Exchange of Information

• 1. 

  Member States shall ensure that the analytical information flowing from PNR data of persons identified by a Passenger Information Unit in accordance with Article 3(3) shall be

transmitted by that Passenger Information Unit to the Passenger Information Units of other

Member States only in such cases and to the extent that such transmission is necessary in the

1

prevention, detection, investigation or prosecution of terrorist offences and organised crime . 2

The Passenger Information Units of the receiving Member States shall (...) transmit the PNR data to their relevant competent authorities (...).

1

Several delegations (DELETED) indicated they wanted the purpose limitation to be broadened. The Presidency suggests this question will be dealt with in the context of the general debate on the scope of the Framework Decision and also refers to the suggestion it has made with regard to the definition of organised crime in Article 2(i). 2

At the suggestion of DELETED, the Presidency has deleted the reference to the retention period. The Presidency shares the view that the retention period set out in Article 9 should apply only to raw PNR data held by the PIU and not to analysed PNR data which have been transmitted onwards for further use.

1

• 2. 

  The Passenger Information Unit or any of the (...) competent authorities of a Member State 2

shall have the right to request, either on an ad hoc or on a regular basis , the Passenger 3

Information Unit of any (...) Member State to provide it with specific PNR data which are kept in the latter's active database as per Article 9(1), and, where appropriate, analytical data

related to such specific PNR data. The request for such data may be based on any one or a

combination of data elements, as deemed appropriate by the requesting Unit or competent

authority for the prevention, detection, investigation or prosecution of terrorist offences and

organised crime. Passenger Information Units shall respond to such requests as soon as

4

practicable .

• 3. 

  When a PIU or a competent authorities of a Member State requests specific PNR data of another Member State which are kept in the dormant database as per Article 9(2), the request

shall be made to the Passenger Information Unit of that Member State. Such request shall be

5 6

made only in exceptional circumstances in response to a specific (...) threat related to the prevention, detection, investigation or prosecution of terrorist offences and organised crime.

Access to such data shall be limited to personnel of the competent authorities which will be

specifically authorised for this purpose.

1

DELETED objected to the possibility of the competent authorities of other Member States to

request directly a PIU from another Member State. It thought all communication should take place between PIUs. The Presidency invites other delegations to make known their view on this. The DELETED pleaded in favour of allowing the competent authorities of different Member States to exchange PNR data between each other. The Presidency thinks this is allowed under the international police or judicial co-operation and should not be addressed specifically in this provision. It suggests an additional recital 21a to clarify this.

2

The Commission representative clarified that this paragraph could also be used to make a regular, standing request to the PIU of another Member State for certain type of PNR data. 3

Presidency suggests to delete the word `other' so as to encompass the possibility for a competent authority to request PNR data from its own PIU. The presidency acknowledges that eventually this may be better regulated in a different provision. 4

DELETED suggestion so as not to render the obligation on the requested PIU too onerous. DELETED thought these requests should be governed by the Framework Decision of 18

December on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union. The Presidency thinks that the question whether the latter Framework Decision, including the strict time limits laid down therein, can be made applicable to the exchange of PNR data between PIUs merits further reflection.

5

At the request of DELETED, COM clarified that it was for the requesting Member State to assess the exceptional nature of such circumstances. 6

At the request of several delegations (DELETED) the word 'actual' was deleted. DELETED scrutiny reservation on deletion.

• 4. 

  In exceptional circumstances, when there is an indication that early access is necessary to 1

assist in responding to a specific and actual threat related to the prevention, detection, investigation or prosecution of terrorist offences and organised crime, the Passenger

Information Unit of a Member State or the designated competent authorities shall have the

right to request the Passenger Information Unit of another Member State to provide it with

PNR data of flights arriving or, departing from the latter's territory prior to 24 hours before

the scheduled flight departure.

Article 8

2

Transfer of Data to Third Countries

• 1. 

  (...) PNR data and analytical information flowing from PNR data may be provided by a [PIU/Member State] to law enforcement authorities of third countries only if the

[PIU/Member State 3 ] is satisfied that:

(a) the authorities of the third country shall use the data only for the purpose of preventing, 4

investigating, detecting or prosecuting of terrorist offences and organised crime ,

(b) the receiving authority in the third country is responsible for the prevention, investigation, detection or prosecution of terrorist offences and organised crime or the

execution of criminal penalties imposed for such offences,

(c) in case the PNR data were obtained from another Member State, that Member State has given its consent to transfer in compliance with its national law,

(d) the third country ensures an adequate level of protection for the intended data processing; and

1

DELETED thought the term "actual" should be deleted as it made the requirement too stringent.

2

DELETED scrutiny reservation. ES and FI linguistic reservation. 3

The Presidency thinks that there is a general question whether the data protection chapter ass well as Article 8 of the PNR Framework decision should apply solely to PNR data held by PIUs or also to PNR data transmitted to competent authorities. 4

The question of the purpose limitation should be dealt with in the context of the general debate regarding the scope of the PNR FD. The Presidency also refers to the suggestion it has made with regard to the definition of organised crime in Article 2(i).

(e) the third country shall not transfer the data to another third country without the express

1

consent of the Member State .

• 2. 

  In addition, such transmissions may only take place in accordance with the national law of the Member State concerned and any applicable international agreements.

Article 9

2

Period of data retention

• 1. 

  Member States shall ensure that the PNR data provided by the air carriers or the intermediaries to the Passenger Information Unit are kept in a database at the Passenger

Information Unit for a period of five years after their transfer to the Passenger Information

Unit of the first Member State on whose territory the international flight is entering, departing

or transiting.

• 2. 

  Upon the expiry of the period of five years of the transfer of the PNR data to the Passenger Information Unit referred to in paragraph 1, the data shall be kept for a further period of eight

3

years . During this period, the PNR data may be accessed, processed and used only with the approval of the Passenger Information Unit and only in exceptional circumstances in response

4

to a specific and actual threat or risk related to the prevention or combat of terrorist offences and organised crime. Access to such data shall be limited to personnel of the competent

authorities which will be specifically authorised for this purpose.

1

Further to the comments by several delegations (DELETED) the Presidency has endeavoured to make this provision more precise, by copying the relevant provisions from Article 14 of the draft Framework Decision on data protection. 2

DELETED scrutiny reservation. DELETED thought the time limits laid down in this

provision should be drafted as minimum standards, allowing Member States to provide longer retention periods under national law. The Presidency thinks this should be discussed in the context of the debate with the Parliament.

3

Some Member States thought this period was too long. The Presidency invited delegations to reflect on the appropriate time period required. The Presidency thinks this should be discussed in the context of the debate with the Parliament. 4

DELETED argued in favour of a lower threshold without need to demonstrate the actual nature of the threat.

• 3. 

  Member States shall ensure that the PNR data are deleted from the databases of their Passenger Information Unit upon the expiry of the period of eight years specified in paragraph

2.

1

• 4. 

  (...) . Article 10

2

Sanctions

Member States shall ensure, in conformity with their national law, that dissuasive effective and

proportionate sanctions, including financial penalties, are provided for against air carriers and

intermediaries which, with regard to PNR data collected by them, do not transmit all data required

under this Framework decision or do not do so in the require format or otherwise infringe the

3 4

national provisions adopted pursuant to this Framework Decision . (...)

____________________

1

COM clarified that the retention periods applied only to the PNR data held by PIUs, not to PNR data transferred to competent authorities. The Presidency agrees with the remark by several delegations (DELETED) that the retention of PNR data and their treatment should not be regulated in the PNR FD, but should be left to general data protection principles. Paragraph 4 has consequently been deleted. 2

DELETED scrutiny reservation. 3

DELETED thought that air carriers could at any rate not be sanctioned for incomplete or erroneous PNR data. The presidency has endeavoured to ally these concerns by amending the drafting.

4

DELETED questioned whether it was necessary to list sanctions. The Presidency has accordingly deleted this reference.

• 6 nov '07
  Gebruik van persoonsgegevens van passagiers (PNR-gegevens) voor wetshandhavingsdoeleinden
  
  
  
• 6 nov '07
  COM(2007)654 - Gebruik van persoonsgegevens van passagiers (PNR-gegevens) voor wetshandhavingsdoeleinden
  
  
  
• 16 dec '03
  COM(2003)826 - Doorgifte van passagiersgegevens (PNR-gegevens): een allesomvattende EU-aanpak
  
  
  
• 24 feb '03
  JAI(2003)4 - Verplichting voor vervoerders om passagiersgegevens door te geven
  
  
  
• 14 okt '88
  COM(1988)447 - Gedragsregels voor geautomatiseerde boekingssystemen