EU/Canada Agreement: transfer and processing of passenger name record (PNR) data

2013/0250(NLE)

Opinion of the European Data Protection Supervisor on the proposals for Council decisions on the conclusion and the signature of the agreement between Canada and the European Union on the transfer and processing of passenger name record data.

On 19 July 2013, the European Commission adopted the proposals for Council decisions on the conclusion and the signature of the agreement between Canada and the European Union on the transfer and processing of passenger name record (PNR) data. The EDPS also had the opportunity to provide his advice before the adoption of the proposals.

Proportionality: the EDPS questions the necessity and proportionality of PNR schemes and of bulk transfers of PNR data to third countries. According to the jurisprudence, the reasons put forward by the public authority to justify any such restriction should not only be relevant and sufficient; it should also be demonstrated that other less intrusive methods are not available. To date, the EDPS has not seen convincing elements showing the necessity and proportionality of the massive and routine processing of data of non-suspicious passengers for law enforcement purposes, but he notes the data protection safeguards provided in the agreement.

Legal basis: the EDPS questions the necessity and proportionality of PNR schemes and of the bulk transfers of PNR data to third countries. He also questions the choice of the legal basis and recommends that the proposals be based on Article 16 of the TFEU, in conjunction with Article 218(5) and Article 218(6)(a) of the TFEU.

The EDPS is also concerned about the limited availability of independent administrative redress and full judicial redress for EU citizens not present in Canada and questions the appropriateness of an executive agreement to achieve them. He also recommends requiring confirmation that no other Canadian authority can directly access PNR data or request it from the carriers covered by the agreement.

Provisions of the PNR agreement with Canada: according to the EDPS, the agreement should:

·        completely exclude the processing of sensitive data,

·        provide for deletion or anonymisation of the data immediately after analysis and at most 30 days after reception and, in any case, reduce and justify the proposed retention period, which has been extended in comparison with the previous PNR agreement with Canada,

·        limit the categories of PNR data to be processed,

·        explicitly mention that overall oversight will be carried out by an independent authority,

·        further narrow down and clarify the concepts defining the purposes of the agreement,

·        clarify which types of ‘lawful’ discrimination would be possible,

·        provide for an obligation to notify data breaches to the European Commission and to data protection authorities,

·        complete the provisions on transparency,

·        extend the prohibition of deciding solely on the basis of automated processing to all decisions affecting passengers on the basis of the agreement,

·        specify to which authorities in Canada PNR data can be further transferred, add the requirement of prior judicial authorisation or of the existence of an immediate threat, and provide for an obligation to include adequate data protection safeguards in agreements or arrangements with other recipient countries or authorities and for their notification to the European Commission and to EU data protection authorities,

·        name the relevant authorities and lay down dissuasive sanctions for non-compliance with the agreement,

·        specify which mechanisms are available to persons not resident in Canada to seek judicial review under Canadian law,

·        clarify if the right to judicial review could be exercised even if the relevant decision or action has not been communicated to the individual concerned, in particular if provisions of the agreement other than those related to access and rectification/notation are infringed,

·        specify to which ‘other remedy which may include compensation’ the agreement refers,

·        specify the frequency of reviews of the implementation of the agreement and their content, and explicitly include EU data protection authorities in the EU review team.