Today, the European Data Protection Supervisor (EDPS) issued an opinion on the European Commission's communication on the transfer of Passenger Name Record (PNR) data to third countries (*). The Communication sets out the EU external strategy on PNR and puts forward the general principles, including a set of data protection standards, that any PNR agreement with a third country should be based on.
The EDPS welcomes the horizontal approach followed by the Commission and strongly supports the objective of achieving a high and harmonised level of data protection applicable to all existing and foreseen PNR schemes. He however expresses major concerns as regards the necessity and legitimacy of some important aspects of the proposed schemes. He considers in particular that the proactive use of PNR data of all passengers for risk assessment purposes requires more explicit justification and safeguards.
Peter Hustinx, EDPS, says: "I welcome the horizontal approach presented by the Commission as an essential step in the direction of a comprehensive framework for the exchange of PNR data. However, to be admissible, the conditions for collection and processing of PNR data should be considerably restricted. I am particularly concerned about the use of PNR schemes for risk assessment or profiling."
The EDPS also underlines the need to ensure consistency between the various initiatives directly or indirectly related to the processing of PNR data, including the EU general framework for data protection currently under revision, the initiative to set up a PNR system for the EU, and the negotiations for an EU-US agreement on data sharing for law enforcement. As these developments are progressing in parallel, due account should be taken of the need for a consistent and harmonised approach on data protection.
As regards the content of proposed data protection standards, the EDPS calls for more precision with regards to the minimal safeguards applicable to all PNR agreements. Stricter conditions should apply in particular to the processing of sensitive data, the conditions of onwards transfers (i.e. transfers within the third countries to other government authorities), and the retention of data.
The EDPS also emphasises the need for any PNR agreement to explicitly provide for directly enforceable rights to concerned individuals. The effectiveness of enforcement procedures is an essential condition for the assessment of the adequacy of any agreement with data protection principles.
(*) Communication from the Commission of 21 September 2010 on the global approach to transfers of Passenger Name Record (PNR) data to third countries (COM(2010) 492 final)