(Oct. 6, 2010) On September 21, 2010, the European Commission adopted a Communication on exchange of data on passenger name records (PNR) with third countries. It also contains recommendations for the adoption of new PNR agreements with the United States and Australia.
An increasingly large number of third countries are using PNR data in the fight against terrorism and other transnational crimes. Such data are used by law enforcement authorities to investigate crimes that have been committed or, based on risk analysis, are thought to be in the planning stage. In the absence of any uniform set of guidelines to cover such agreements with third countries, the Communication proposes a number of principles that future agreements must follow in order to ensure legal certainty (the meeting of legal requirements so that all stakeholders understand their rights and obligations) and to safeguard the personal data of European Union citizens. (Communication from the Commission, On the Global Approach to Transfers of Passenger Name Record (PNR) Data to Third Countries, COM(2010) 492 final (Sept. 21, 2010), http://ec.europa.eu/commission_2010-2014/malmstrom/archive/COMM_NATIVE_C
The principles that apply to transfers of data arise from EU legislation on privacy and personal data protection, as follows:
1. Protection of personal data. This principle encompasses the following obligations:
· PNR data should be used exclusively to fight terrorism and transnational crime;
· Passengers have the right to be informed about the exchange of PNR data, to view how their data is used, and to administrative and effective redress in case of misuse;
· PNR data to be exchanged must be limited to what is necessary for a stated purpose and listed in the agreement;
· Automatic processing of PNR data must not result in decisions affecting passengers. In order to avoid profiling, a human official must be involved in deciding whether or not a passenger is to be denied boarding;
· PNR data must be stored for a limited time;
· Access must be limited only to appropriate authorities; and
· An authority must be established to oversee those who handle PNR data.
2. Use of standards for monitoring the correct implementation of PNR agreement, through the appointment by third countries of monitoring officials; and
3. Reciprocity. Data collected about terrorism and other transnational crimes should be shared with EU authorities, EUROPOL, EUROJUST, and the EU Member States.
In addition, the Communication addresses the issue of modes of transfer of PNR. It suggests that the “PUSH” system for the transfer of data be used in order to ensure legal certainty and to keep the costs involved for the airlines at low levels. It also recommends that the frequency of data transfers prior to each flight should be limited. (Id.)