EUROPEAN DATA PROTECTION SUPERVISOR

Similar documents
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

COMMISSION OF THE EUROPEAN COMMUNITIES

Recommendation for a COUNCIL DECISION

ARTICLE 29 Data Protection Working Party

EUROPEAN DATA PROTECTION SUPERVISOR

P6_TA-PROV(2007)0347 PNR Agreement

Opinion of the European Data Protection Supervisor

EUROPEAN PARLIAMENT. Committee on Civil Liberties, Justice and Home Affairs DRAFT RECOMMENDATION

SUMMARY OF THE IMPACT ASSESSMENT

COMMUNICATION FROM THE COMMISSION. On the global approach to transfers of Passenger Name Record (PNR) data to third countries

1. What sort of passenger information will be transferred to US authorities?

EXECUTIVE SUMMARY. 3 P a g e

Opinion 6/2015. A further step towards comprehensive EU data protection

LEGAL BASIS OBJECTIVES ACHIEVEMENTS

Having regard to the Treaty establishing the European Community, and in particular its Article 286,

ARTICLE 29 Data Protection Working Party

The European Union Agency for Fundamental Rights (FRA)

EDPS Opinion 7/2018. on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

PE-CONS 71/1/15 REV 1 EN

EDPS Opinion on the proposal for a recast of Brussels IIa Regulation

The EU Passenger Name Record System and Human Rights

Opinion. of the. European Union Agency for Fundamental Rights. on the. Proposal for a Directive on the use of

Opinion of the Joint Supervisory Body of Eurojust regarding data protection in the proposed new Eurojust legal framework

COMMISSION OF THE EUROPEAN COMMUNITIES COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT

(FRONTEX), COM(2010)61

PUBLIC. Brussels, 28 March 2011 (29.03) (OR. fr) COUNCIL OF THE EUROPEAN UNION. 8230/11 Interinstitutional File: 2011/0023 (COD) LIMITE

Opinion 3/2016. Opinion on the exchange of information on third country nationals as regards the European Criminal Records Information System (ECRIS)

Table of content What is data protection? Why was is necessary? Beginnings of Data Protection Development of International Data Protection Data Protec

Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit

Spring Conference of the European Data Protection Authorities, Cyprus May 2007 DECLARATION

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Opinion 07/2016. EDPS Opinion on the First reform package on the Common European Asylum System (Eurodac, EASO and Dublin regulations)

Counter-terrorism, De-Radicalisation and Foreign Fighters. Joint debate during the extraordinary meeting of the LIBE Committee. Giovanni Buttarelli

LEGAL BASIS OBJECTIVES ACHIEVEMENTS

ARTICLE 29 Data Protection Working Party

on the proposal for a Regulation of the European Parliament and of the Council concerning customs enforcement of intellectual property rights

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT 4

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a COUNCIL REGULATION

C 276/8 Official Journal of the European Union

Proposal for a COUNCIL DECISION

COMMISSION OF THE EUROPEAN COMMUNITIES. Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

OPINION OF THE EUROPOL, EUROJUST, SCHENGEN AND CUSTOMS JOINT SUPERVISORY AUTHORITIES

PARLIAMENT v COUNCIL AND COMMISSION. JUDGMENT OF THE COURT (Grand Chamber) 30 May 2006*

1. UNHCR s interest regarding human trafficking

Data protection and privacy aspects of cross-border access to electronic evidence

EU Data Protection Law - Current State and Future Perspectives

With the current terrorist threat facing European Union Member States, including the UK

EDPS - European Data Protection Supervisor. Public access to documents and data protection

Public access to documents containing personal data after the Bavarian Lager ruling

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Speech before LIBE Committee

Proposal for a COUNCIL DECISION

COMMISSION OF THE EUROPEAN COMMUNITIES COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

EDPS Newsletter NO 25 JULY 2010

Second Opinion of the Joint Supervisory Body of Eurojust about the data protection regime in the proposed Eurojust Regulation

Recommendation for a COUNCIL DECISION

3. The attention of Convention members is drawn in particular to the following amendments proposed by the Praesidium:

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Opinion 3/2017 EDPS Opinion on the Proposal for a European Travel Information and Authorisation System (ETIAS)

The legal framework and guidance on data protection under the. Cross-border ehealth Information Services (CBeHIS) T6.2 JAseHN draft v.2 (20.10.

ARTICLE 29 Data Protection Working Party

Ignoring Dissent and Legality

B. The transfer of personal information to states with equivalent protection of fundamental rights

ARTICLE 29 DATA PROTECTION WORKING PARTY

EUROPEAN DATA PROTECTION SUPERVISOR

10821/16 CDP/LM/vpl DGG 3 B

Brussels, 3 May 2006 (Case ) 1. Procedure

Council of the European Union Brussels, 2 December 2015 (OR. en)

EUROPEAN DATA PROTECTION SUPERVISOR

Proposal for a COUNCIL DECISION

EUROPEAN DATA PROTECTION SUPERVISOR

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

The Right to Data Protection and the Commissions Adequacy Decision

Opinion of the European Union Agency for Fundamental Rights on the proposed data protection reform package

Recommendation for a COUNCIL DECISION

Opinion of the Committee of the Regions on Public procurement package (2012/C 391/09)

10622/12 LL/mf 1 DG G 3 A

Proposal for a COUNCIL DECISION

Recommendation for a COUNCIL DECISION

LIMITE EN. Brussels, 30 September 2009 CONFERENCE ON ACCESSION TO THE EUROPEAN UNION CROATIA AD 13/09 LIMITE CONF-HR 8

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a COUNCIL DECISION

COUNCIL REGULATION (EC)

TRANSFERS OF PNR DATA FROM THE E.U. TO THE U.S.

EUROPEAN DATA PROTECTION SUPERVISOR

The Post-Legislative Powers of the Commission. Delegated and Implementing Acts

How to read the analysis?

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. amending Regulation (EU) 2016/399 as regards the use of the Entry/Exit System

Adopted on 23 June 2005

STATEMENT OF THE COUNCIL'S REASONS

COUNCIL OF THE EUROPEAN UNION. Brussels, 13 September 2011 (OR. en) 10093/11 Interinstitutional File: 2011/0126 (NLE)

Amended proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

GUIDE TO CONSULTATION OF THE EUROPEAN CENTRAL BANK BY NATIONAL AUTHORITIES REGARDING DRAFT LEGISLATIVE PROVISIONS

Having regard to the Treaty establishing the European Community, and in particular Article 235 thereof,

Proposal for a COUNCIL DECISION

Proposal for a COUNCIL DECISION

Introductory remarks on the analysis of subsidiarity and proportionality

Transcription:

C 218/6 EUROPEAN DATA PROTECTION SUPERVISOR Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision on the conclusion of an agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information (API)/Passenger Name Record (PNR) data (COM(2005) 200 final) (2005/C 218/06) THE EUROPEAN DATA PROTECTION SUPERVISOR, Having regard to the Treaty establishing the European Community, and in particular it's Article 286, Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Article 8, Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular it's Article 41, Having regard to the request for an opinion in accordance with Article 28(2) of Regulation (EC) No 45/2001 received on 26 May 2005 from the Commission, HAS ADOPTED THE FOLLOWING OPINION: 1. Introduction 1. The EDPS welcomes that he is consulted on the basis of Article 28(2) of Regulation (EC) No 45/2001. This confirms the viewpoint of the EDPS as laid down in his policy paper of 18 March 2005 ( The EDPS as an advisor to the Community Institutions on proposals for legislation and related documents ) that the advisory task extends to the conclusion of agreements between the EC and third countries and/or international organisations with regard to the processing of personal data. 2. In view of the mandatory character of Article 28(2) of Regulation (EC) No 45/2001, the present opinion should be mentioned in the preamble of the Council decision. 3. According to its recitals, the agreement at stake, between the European Community and Canada, has regard to a Commission decision, pursuant to Article 25(6) of Directive 95/46/EC, whereby the relevant Canadian competent authority is considered as providing an adequate level of protection for API/PNR data ( The Commission decision ). In the view of the EDPS, the Commission decision should have been sent for consultation as well, being part of the joint legal package.

C 218/7 4. This proposal is the second in a row, after the agreement of 17 May 2004 ( 1 ) between the European Community and the United States of America, of which the legality was contested by the Parliament under Article 230 of the EC-Treaty. In his intervention before the Court of Justice, the EDPS supported the conclusions of the Parliament to annul the agreement. 2. The essence of the agreement 5. This proposal for an agreement is of a similar nature to the agreement with the United States of America. It is linked to a decision of the Commission, pursuant to Article 25(6) of Directive 95/46/EC, the objective is to improve public security and the air carrier is obliged to transfer data to a third country. 6. In substance however, there are major differences, as has been noted in two opinions of the Article 29-Data Protection Working Party ( 2 ). The EDPS emphasises four essential differences that will play a role throughout this opinion. In the first place, the proposal foresees a push -system (and not a pull -system) which has as a consequence that the airlines in the European Community can control the transfer of the data to the Canadian authorities. In the second place, the commitments taken by the Canadian authorities are binding (Article 2(1) of the agreement), which contributes to a more balanced proposal, compared to the agreement with the United States of America. In the third place, the list of PNR-data to be transferred is more limited and does not comprise open categories of passenger data that could reveal sensitive information. Finally, the agreement profits from a much more developed legislative system of data protection, that offers protection to the data subject including supervision by an independent Data Commissioner. However, the Canadian legislation does not give a full protection to citizens of the European Union. The commitments taken by the Canadian authorities aim to find a solution for those citizens. 3. The implications on Directive 95/46/EC 7. In the system of Directive 95/46/EC, the transfer of data to a third country falls within the definition of processing of personal data (according to Article 2(b) of the Directive, any operation or set of operations which is performed upon personal data ) and, as a consequence, Chapter II of the Directive ( General rules on the lawfulness of the processing of personal data ) applies to the transfer. The meaning of Article 25 of the Directive in this context is to provide for an extra safeguard in case of transfer to a third country since, as from the moment of the transfer, the data are no longer within the jurisdiction of a Member State. 8. The proposal for an agreement with Canada, read in combination with the Commission decision, obliges the airlines to transfer data to Canada. It has to be established whether this obligation prevents them to fulfil the obligations imposed on them by the national legislation implementing Directive 95/46/EC, in particular Chapter II, and by doing so influences the effectiveness of the directive. 9. Article 5 of the proposal obliges European air carriers to process API/PNR data contained in their automated reservation systems and departure control systems as required by competent Canadian authorities pursuant to Canadian law. The proposal does not stipulate that Community law, and more specifically the rules on processing of personal data as foreseen in Chapter II of Directive 95/46/EC, apply. In the absence of such a provision, the air carriers may be obliged to process data, even if this processing would not be in full agreement with Chapter II of Directive 95/46/EC. They are only obliged to act in conformity with the substantial provisions of Canadian law. ( 1 ) Case C-317/04, pending before the Court. ( 2 ) This is an independent advisory group, composed of representatives of the data protection authorities of the Member States, the EDPS and the Commission, which was set up by Directive 95/46/EC. The EDPS refers to Opinion 3/2004 on the level of protection ensured in Canada for the transmission of Passenger Name Records and Advanced Passenger Information from airlines (11 February 2004) and Opinion 1/2005 on the level of protection ensured in Canada for the transmission of Passenger Name Record and Advance Passenger Information from airlines (19 January 2005).

C 218/8 10. Although, as has been said before and will be explained further on in this opinion, there exists in Canada a developed legislative system of data protection and there is no reason whatsoever to state that the Canadian legislation on data protection seriously harms the interests of the data subject within the European Community, there is no more reason to assume that the Canadian legislation fully complies with all the provisions of Chapter II of Directive 95/46/EC. Such an assumption can not be deduced from the agreement, nor from the explanatory memorandum. In addition the assumption is not conceivable since the Canadian authorities are not bound by any (future) interpretation of the directive given by the Court of Justice, nor can it be assured that ulterior changes of Canadian law (or new interpretations by the Canadian judiciary) comply with Community law. 11. On the basis of this analysis, the EDPS concludes that the agreement entails an amendment of Directive 95/46/EC. For this reason, and independently of possible, substantial harm to the data subject, the assent of the European Parliament should be obtained, according to Article 300(3) of the EC-Treaty. 12. In this respect, the EDPS considers that, in general, institutional questions fall outside of the scope of his mission. However, in this case the EDPS expresses his point of view on such a question, since the non respect of the prerogatives of the Parliament leads to an amendment of the Directive and, by doing so, influences the level of data protection within the territory of the European Community. 13. Alternatively, the agreement could be amended to assure that the processing of API/PNR-data by European airlines has to comply with Directive 95/46/EC. By adding a provision in that sense, the agreement would no longer entail an amendment of the directive. 4. On the substance of the agreement with Canada 4.1 Approval of the main elements of the proposal 14. Notwithstanding the procedural requirements for the adoption of the proposal, the EDPS has examined whether the proposed agreement in substance sufficiently protects the data subject, in particular his fundamental rights as meant in Article 6 of the EU-Treaty. 15. The EDPS notes the major differences of the proposal, compared to the agreement with the United States of America (see point 6, hereinabove). As a result, the shortcomings of the latter agreement do, on three major points, not apply to the present proposal, at least not to the same extent. 16. The EDPS furthermore notes that the Article 29-Data Protection Working Party, in its opinion of 19 January 2005, has approved of the main elements of the (proposed) Commission decision on the adequate level of protection offered by the Canadian Border Service Agency (CBSA). In its evaluation, the commitments by the CBSA (the annex of the Commission decision) play an important role. The EDPS subscribes to the findings of the Article 29-Data Protection Working Party, also taking into account that the independent Privacy Commissioner of Canada approves of the limitations to the access to API/PNR-data for governmental and law enforcement purposes ( 1 ). 17. To the EDPS it is highly important that the system of pushing API and PNR-data enables the European airline to control the processing and the transfer of the data. These activities fall thus within the jurisdiction of the Member States and Community law applies. 18. It is equally important that Article 2 of the proposal explicitly states that the Parties to the agreement have agreed that the API/PNR will be processed as outlined in the commitments. The commitments, as annexed to the Commission decision, are thus binding. ( 1 ) See the Commissioner's Statement of 9 April 2003 (http://www.privcom.gc.ca/keyissues/ki-qc/mc-ki-api_e.asp).

C 218/9 19. Finally, the EDPS emphasises the importance of the establishment of a Joint Committee that inter alia shall organise Joint Reviews. This allows the monitoring of the implementation of the legal instruments. This is all the more important since the legal instruments are new and since experiences with the implementation of these types of legal instruments are lacking. 20. In this context and in the light of the analysis foreseen in Par. 4.2 of the policy paper mentioned in point 1, the EDPS approves of the main elements of the proposal and limits his comments to some specific points, in particular: the number and nature of API/PNR-data, to be transferred; the purpose of the processing, which is not limited to the fight against terrorism, but also relates to any other serious transnational crime; Article 3 of the Agreement on access, correction and notation. 4.2 Number and nature of API/PNR-data 21. Annex II to the proposal does not contain sensitive data as meant in Article 8 of Directive 95/46/EC, nor does it contain open categories of passenger data that could, depending on the way these categories are completed on a form, reveal such sensitive data (such as dietary requirements revealing religious belief or medical data). 22. However, the list of PNR Data Elements to be collected (Annex II of the proposal) comprises data that could be relevant to the protection of fundamental rights of the passenger, in particular his privacy. The EDPS mentions category 10 (frequent flyer information), that could reveal facts about the behaviour of the passenger (although, not all the frequent flyer information is included) and category 23 (any collected APIS-information), which contains not only the name but also other information on the passport of the passenger. 23. The EDPS is not convinced that the insertion of these categories is necessary and proportional and suggests reconsidering the need to insert these categories in the Annex to the agreement. However, the fact that these categories are put on the list of data is in itself not serious enough to require renegotiating the agreement and should in the opinion of the EDPS not lead to an annulment of the agreement. 4.3 The purpose of the processing 24. As we have previously seen in legal instruments that require the processing of personal data in view of the fight against terrorism, the legislator has not limited the purpose of the processing to terrorism as such, but extended the purposes that allow processing to other serious crimes or, in some cases, even to law enforcement in general. 25. The present proposal mentions the combat of other serious crimes that are transnational in nature, including organised crime. According to the Commitments by the CBSA (section 12) the information could only be shared with other Canadian government departments for the same purposes. The information will only be shared with authorities of third countries for these purposes and in so far as an adequacy finding under Article 25 of Directive 95/46/EC applies, in the third country concerned. This purpose limitation does in itself not violate the provisions of the directive, nor its underlying principles. 4.4 Protection of the data subject 26. The agreement contains explicit provisions aimed to protect the interest of the data subject. The EDPS emphasises explicitly Article 3 of the agreement on access, correction and notation. Following this provision, the data subject residing within the territory of the European Union can exercise the rights of access, correction and notation under the same circumstances as Canadian residents.

C 218/10 27. Allowing these rights does, in itself, not provide the necessary protection to the data subject. It must be assured that the rights can effectively be exercised. 28. The scope and the substance of these rights are determined by Canadian law. In order to provide the necessary protection to the European data subject, the relevant legislation must be accessible to the individual concerned and its consequences for him must also be foreseeable. In order to fulfil this obligation, the Article 29-Data Protection Working Party suggested the inclusion of the relevant Canadian regulatory framework as an annex to the Commission decision. 29. This suggestion has not been followed, but the Commission decision and the commitments by the CBSA give an explanation of the relevant legal framework. The relevant sections of the commitments enable the air passengers to take note of their rights. 30. The EDPS notes that it is not only important that the air passenger residing in the European Community have access to the texts of the legal instruments, but equally important that they have an effective access to legal remedies. 31. In this respect, the EDPS endorses the procedure mentioned in Section 31 of the commitments. According to this procedure, the Privacy Commissioner of Canada may address complaints referred to it by the Data Protection Authorities of the Member States on behalf of residents of the European Union. According to the EDPS such as procedure might in practice even be more effective than a formal ius standi of European residents before Canadian Courts. 5. Conclusions 32. The EDPS concludes as follows: The present opinion should be mentioned in the preamble of the Council decision. He should have been consulted on the Commission decision, pursuant to Article 25(6) of Directive 95/46/EC, whereby the Canadian Border Service Agency is considered as providing an adequate level of protection for API/PNR data. According to Article 300(3) of the EC-Treaty, the assent of the European Parliament should be obtained. Alternatively, the agreement could be amended to assure that the processing of API/PNR-data by European airlines has to comply with Directive 95/46/EC. The EDPS approves to the main elements of the proposed agreement. Done at Brussels, 15 June 2005. Peter HUSTINX European Data Protection Supervisor

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback