Explanatory Memorandum to COM(2011)32 - Use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2011)32 - Use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and ... |
|---|---|
| source | COM(2011)32  |
| date | 02-02-2011 |
- Grounds for and objectives of the proposal
Over the last decade the EU and other parts of the world have seen an increase in serious and organised crime, such as trafficking in human beings[1] and drugs i. According to the Sourcebook of Crime and Criminal Justice Statistics, there were approximately 14 000 criminal offences per 100 000 population in the EU Member States in 2007 (excluding Italy and Portugal for which data were not made available), ranging from 14 465 offences in Sweden to 958 in Cyprus. Europol’s EU Organised Crime Threat Assessment 2009 (OCTA 2009), points out that most organised crime involves international travel, typically aimed at smuggling persons, drugs or other illicit goods into the EU.
At the same time, terrorists and terrorist organisations can be found both inside and outside the borders of the EU. The terrorist attacks in the United States in 2001, the aborted terrorist attack in August 2006 aimed at blowing up a number of aircraft on their way from the United Kingdom to the United States, and the attempted terrorist attack on board a flight from Amsterdam to Detroit in December 2009 showed the ability of terrorists to mount attacks, targeting international flights, in any country. While terrorism decreased in the EU during 2009, according to Europol’s EU Terrorism Situation and Trend Report 2010, the threat of terrorism remains real and serious. Most terrorist activities are transnational in character and involve international travel[3], inter alia to training camps outside the EU, calling for increased cooperation between law enforcement authorities.
Serious crime and terrorist offences cause severe harm to victims, inflict economic damage on a large scale and undermine the sense of security without which persons cannot exercise their freedom and individual rights effectively.
A study published in 2009 i for the International Labour Organisation estimated that the cost of coercion from underpayment of wages resulting from trafficking in human beings in 2007 in industrialised economies was $2 508 368 218, while the total for the world was $19 598 020 343.
The 2010 Annual report on the state of the drugs problem in Europe of the European Monitoring Centre for Drugs and Drug Addiction points to the global nature of the drugs problem and the growing and severe harm it entails. By undermining social development and feeding corruption and organised crime it represents a real threat for the European Union. Approximately 1 000 lives are lost in the EU annually due to cocaine-related deaths. The number of opioid users in Europe is cautiously estimated at 1.35 million. As regards the economic and social impacts of drugs, in 2008, 22 EU Member States reported a total expenditure relating to illicit drugs of EUR 4.2 billion.
Another study, from the UK Home Office i, measured the costs incurred in anticipation of crime, such as defensive expenditure, the costs as a consequence of crime, such as the physical and emotional impact on the victim and the value of any property stolen and the costs incurred in response to crime, including the costs to the criminal justice system. These costs were measured at £ 36 166 000 000 in 2003.
In the meantime, four out of five Europeans wish to see stronger action at EU level against organised crime and terrorism i.
As a response to the threat posed by serious crime and terrorism, and the abolition of internal border controls under the Schengen Convention, the EU adopted measures for the collection and exchange of personal data between law enforcement and other authorities. Although these measures have proven useful, they tend to focus on data relating to persons who are already suspected - i.e. persons who are 'known' to law enforcement authorities. The Schengen Information System (SIS) i the second-generation Schengen Information System (SIS II) i, the Visa Information System (VIS) i, and the anticipated Entry/Exit System are examples of such measures.
In its ‘Overview of information management in the area of freedom, security and justice’[10], the Commission provided an analysis of those measures and pointed to the need for increased cooperation between law enforcement authorities with respect to passengers on international flights to and from the Member States, including more systematic use of Passenger Name Record (PNR) data of such passengers for law enforcement purposes. The ‘Stockholm Programme — An open and secure Europe serving and protecting the citizens’[11] also calls on the Commission to present a proposal for the use of PNR data to prevent, detect, investigate and prosecute terrorism and serious crime.
PNR data is unverified information provided by passengers, and collected by and held in the carriers’ reservation and departure control systems for their own commercial purposes. It contains several different types of information, such as travel dates, travel itinerary, ticket information, contact details, the travel agent at which the flight was booked, means of payment used, seat number and baggage information.
Law enforcement authorities may use PNR data in several ways:
re-active: use in investigations, prosecutions, unravelling of networks after a crime has been committed. In order to allow law enforcement authorities to go back sufficiently in time, a commensurate period of retention of the data by law enforcement authorities is necessary;
real-time: use prior to the arrival or departure of passengers in order to prevent a crime, watch or arrest persons before a crime has been committed or because a crime has been or is being committed. In such cases PNR data are necessary for running against predetermined assessment criteria in order to identify previously ‘unknown’ suspects and for running against various databases of persons and objects sought;
pro-active: use of the data for analysis and creation of assessment criteria, which can then be used for a pre-arrival and pre-departure assessment of passengers. In order to carry out such an analysis of relevance for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, a commensurate period of retention of the data by law enforcement authorities is necessary.
More systematic collection, use and retention of PNR data with respect to international flights, subject to strict data protection guarantees, would strengthen the prevention, detection, investigation and prosecution of terrorist offences and serious crime and is, as further explained below, necessary to meet those threats to security and reduce the harm they cause.
The use of PNR data, however, is not currently regulated at EU level. Even though only a limited number of Member States have set up a PNR system to date, most Member States do use PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime in a non-systematic way or under general powers granted to the police or other authorities. Within the EU, the United Kingdom already has a PNR system, while France, Denmark, Belgium, Sweden and the Netherlands have either enacted relevant legislation or are currently testing using PNR data. Several other Member States are considering setting up PNR systems. Those national measures diverge in several respects, including the purpose of the system, the period of data retention, the structure of the system, the geographic scope and the modes of transport covered. It is also very likely that once the complete regulatory framework on the use of PNR data in those Member States is adopted, there will be divergent rules on data protection and on the measures ensuring the security of data transfers. As a result, up to 27 considerably diverging systems could be created. That would result in uneven levels of protection of personal data across the EU, security gaps, increased costs and legal uncertainty for air carriers and passengers alike.
The proposal therefore aims to harmonise Member States’ provisions on obligations for air carriers, operating flights between a third country and the territory of at least one Member State, to transmit PNR data to the competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. It does not require air carriers to collect any additional information from passengers or to retain any data, nor does it require passengers to provide any data in addition to that already being provided to air carriers.
It is necessary to impose those legal obligations on air carriers for the following reasons.
First, PNR data enable law enforcement authorities to identify persons who were previously 'unknown', i.e. persons previously unsuspected of involvement in serious crime and terrorism, but whom an analysis of the data suggests may be involved in such crime and who should therefore be subject to further examination by the competent authorities. Identifying such persons helps law enforcement authorities prevent and detect serious crimes including acts of terrorism. To achieve this, law enforcement authorities need to use PNR data both in real-time to run PNR against predetermined assessment criteria which indicate which previously ‘unknown’ persons require further examination and pro-actively for analysis and creation of assessment criteria.
For example, an analysis of PNR data may give indications on the most usual travel routes for trafficking people or drugs which can be made part of assessment criteria. By checking PNR data in real-time against such criteria, crimes may be prevented or detected. A concrete example given by a Member State is a case where PNR analysis uncovered a group of human traffickers always travelling on the same route. Using fake documents to check in for an internal flight, they would use authentic papers to simultaneously check in for another flight bound for a third country. Once in the airport lounge, they would board the internal flight. Without PNR it would have been impossible to unravel this human trafficking network.
The combined pro-active and real-time use of PNR data thus enable law enforcement authorities to address the threat of serious crime and terrorism from a different perspective than through the processing of other categories of personal data: as explained further below, the processing of personal data available to law enforcement authorities through existing and planned EU-level measures such as the Directive on Advance Passenger Information i, the Schengen Information System (SIS) and the second-generation Schengen Information System (SIS II) do not enable law enforcement authorities to identify unknown suspects in the way that the analysis of PNR data does.
Second, PNR data help law enforcement authorities prevent, detect, investigate and prosecute serious crimes, including acts of terrorism, after a crime has been committed. To achieve this, law enforcement authorities need to use PNR data in real-time to run the PNR data against various databases of known persons and objects sought. They also need to use PNR data in a re-active manner to construct evidence and, where relevant, to find associates of criminals and unravel criminal networks.
For example, the credit card information which is part of the PNR data may enable law enforcement authorities to identify and prove links between a person and a known criminal or criminal organisation. An example given by a Member State relates to large scale human and drug trafficking involving a Member State and third countries. Cartels were importing drugs to several destinations in Europe. They were using drugs swallowers who were themselves trafficked persons. They were identified on the basis of having bought the ticket with stolen credit cards on the basis of PNR. This lead to arrests in the Member State. On this basis, an assessment criterion was created which itself led to several additional arrests in other Member States and third countries.
Finally, the use of PNR data prior to arrival allows law enforcement authorities to conduct an assessment and perform a closer screening only of those persons who are most likely, based on objective assessment criteria and previous experience, to pose a threat to security. This facilitates the travel of all other passengers and reduces the risk of passengers being subjected to examination upon entry into the EU on the basis of unlawful criteria such as nationality or skin colour which may wrongly be associated with security risks by law enforcement authorities, including customs and border guards.
The proposed measures entail the collection and processing of PNR data by law enforcement authorities and therefore has an impact on the rights to privacy and data protection. In order to ensure compliance with the principle of proportionality, the proposal is therefore, as explained further below, carefully limited in scope and contains strict data protection guarantees.
The necessity of using PNR data, in a limited manner and subject to strict data protection guarantees, is supported by a number of factual elements, as reflected in the Impact Assessment accompanying this proposal. In the absence of harmonised provisions on the collection and processing of PNR data at EU level, detailed statistics on the extent to which such data help prevent, detect, investigate and prosecute serious crime and terrorism are not available. The necessity of using PNR data is however supported by information from third countries as well as Member States that already use such PNR data for law enforcement purposes.
The experience of those countries shows that the use of PNR data has led to critical progress in the fight against in particular drugs, human trafficking and terrorism, and a better understanding of the composition and operations of terrorist and other criminal networks. With respect to drugs, Member States have indicated that the majority of seizures are made due to the use of PNR data in real-time and pro-actively. Belgium reported that 95% of all drugs seizures in 2009 were exclusively or predominantly due to the processing of PNR data. Sweden reported that 65-75% of all drugs seizures in 2009 were exclusively or predominantly due to the processing of PNR data. This represented 278.9 kilos of cocaine and additional quantities of heroin and other drugs. The United Kingdom reported that during a period of 6 months in 2010, 212 kilos of cocaine and 20 kilos of heroine were seized exclusively or predominantly due to the processing of PNR data.
- General context
On 6 November 2007 the Commission adopted a proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes i (hereinafter ‘the 2007 proposal’). The proposal was extensively discussed in the Council working groups and the progress made in the discussions was endorsed by the Justice and Home Affairs Council in January, July and November 2008. The discussions on the proposal in the working groups allowed consensus to be reached on most of the provisions of the proposal i.
Upon entry into force of the Treaty on the Functioning of the European Union (TFEU) on 1 December 2009, the Commission proposal, not yet adopted by the Council, became obsolete. The current proposal replaces the 2007 proposal and is based on the provisions of the TFEU. It takes into account the recommendations of the European Parliament as stated in its Resolution of November 2008 i and it reflects the latest state of discussions in the Council working groups in 2009. It also takes into account the opinions of the European Data Protection Supervisor i, the Article 29 Working Party on Data Protection i and the Fundamental Rights Agency i.
- Existing provisions in the area of the proposal
PNR data are different from and should not be confused with Advance Passenger Information (API). API data are the biographical information taken from the machine-readable part of a passport and contain the name, place of birth and nationality of the person, the passport number and expiry date. Thus they are different and more limited in scope than PNR data.
In the EU, the use of API is regulated by the API Directive i. The Directive provides that API data should be made available to border control authorities, at the request of each Member State, for flights entering the territory of the EU for the purpose of improving border controls and combating irregular immigration. Even though their use for law enforcement purposes is permitted by the Directive, this is possible only if specific criteria are fulfilled. Thus, although API data are in some cases used by law enforcement authorities in order to identify suspects and persons sought, they are mainly used as an identity verification and border management tool. Moreover, API data do not enable law enforcement authorities to conduct an assessment of passengers, and therefore do not facilitate the detection of hitherto ‘unknown’ criminals or terrorists.
The Schengen Information System (SIS) seeks to maintain public security, including national security, within the Schengen area. SIS is a centralised information system comprising a national part in each participating state and a technical support function in France. Member States may issue alerts for persons wanted for arrest for extradition; aliens to be refused entry; missing persons; witnesses or those under judicial summons; persons and vehicles subject to additional checks; lost or stolen vehicles, documents and firearms; and suspect bank notes.
The Visa Information System (VIS) seeks to address both concerns: its purpose is to help implement a common visa policy by facilitating the examination of visa applications and external border checks while contributing to the prevention of threats to Member States’ internal security. It is a centralised information system which comprises a national part in each participating state and a technical support function in France. VIS will use a Biometric Matching System to ensure reliable fingerprint comparisons, and will be deployed at EU external borders to verify the identity of visa-holders. It will include data on visa applications, photographs, fingerprints, related decisions of visa authorities and links between related applications.
Therefore, as with API, the SIS and the VIS are mainly used as identity verification and border management tools and are only useful where the identity of the suspect is known. These instruments are neither useful for conducting assessment of persons nor for detecting unknown criminals or terrorists.
Agreements for the transfer of PNR data in the context of the fight against serious transnational crime and terrorism, limited to travel by air, have been signed between the EU and the United States, Canada and Australia. These require air carriers, collecting PNR data of passengers for their own commercial purposes, to transmit these data to the competent authorities of the United States, Canada and Australia. These three agreements are due to be renegotiated during 2011. Other countries, notably South Korea and Japan, have also requested to negotiate such agreements. The Commission has outlined the core elements of an EU policy in this area in its Communication of 21 September 2010 ‘On the global approach to transfers of Passenger Name Record (PNR) data to third countries’[20]. The current proposal is fully coherent with the policy set out in that Communication.
- Consistency with the EU’s other policies and objectives
The Schengen Information System (SIS) i the second-generation Schengen Information System (SIS II) i, the Visa Information System (VIS) i, and the anticipated Entry/Exit System and Registered Travellers Programme are EU measures that deal directly with actions taking place physically at the borders.
Even though PNR are passenger data linked to travel, they are mainly used as a criminal intelligence tool rather than as a border control tool. They are used in advance of a border crossing and not at the border crossing itself. The main aim of using PNR data is to fight terrorism and serious crime rather than to fight irregular immigration and facilitate border controls.
The proposal will neither change nor interfere with current EU rules on the way border controls are carried out or with the EU rules regulating entry and exit from the territory of the Union. The proposal will rather co-exist with and leave those rules intact.
- Impact on fundamental rights
The proposal is fully in line with the overall objective of creating a European area of freedom, security and justice. Because of the nature of the proposed provisions, this proposal was subject to in-depth scrutiny to ensure that its provisions are compatible with fundamental rights, and especially the right to protection of personal data enshrined in Article 8 of the Charter of Fundamental Rights of the EU, as reflected in the Impact Assessment accompanying this proposal. The proposal is also in line with Article 16 of the TFEU, which guarantees everyone the right to the protection of personal data.
The proposal is compatible with data protection principles and its provisions are in line with the Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters i (‘Framework Decision 2008/977/JHA’). This includes giving individuals the right of access, the right of rectification, erasure and blocking, as well as the right to compensation and judicial redress. Furthermore, and in order to comply with the proportionality principle, there are areas where the proposal will have stricter rules on data protection than Framework Decision 2008/977/JHA.
In particular, the scope of the proposal is strictly limited and law enforcement authorities are allowed to use PNR data only for the purpose of combating an exhaustive list of specified serious crimes, which in addition has to be subject to a prison sentence of at least three years in the Member State. Moreover, in order to ensure that the processing of data of innocent and unsuspected persons remains as limited as possible, some aspects of the scope of the proposal relating to the creation and application of assessment criteria were further limited to serious crimes that are also transnational in nature, i.e. are intrinsically linked to travelling and hence the type of the data being processed. The proposal allows retention of PNR data for period of time not exceeding 5 years, after which the data must be deleted. Moreover, the data must be anonymised after a very short period of 30 days since pro-active use of PNR data is possible on the basis of the anonymised data after this period of time. The collection and use of sensitive data directly or indirectly revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life, is prohibited. Moreover, the proposal provides that a decision taken by a Member State, producing adverse legal effects on a person or seriously affecting him/her, must not be taken on the basis of automated processing of PNR data only. Moreover such decision may under no circumstances be based on a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life. Furthermore, carriers must transmit PNR data exclusively by the so-called “push” method, meaning that the Member States will not have direct access to the carriers’ IT systems. PNR data may only be transferred by Member States to third countries in very limited circumstances and only on a case-by-case basis. In order to ensure efficiency and a high level of data protection, Member States are required to ensure that an independent national supervisory authority (data protection authority) is responsible for advising and monitoring how PNR data are processed. Member States are also required to establish a single designated unit (Passenger Information Unit) responsible for handling and protecting the data. All processing of PNR data must be logged or documented by this Passenger Information Unit for the purpose of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security of the data processing. Member States must also ensure that passengers are clearly and precisely informed about the collection of PNR data and their rights.
Therefore, in addition to being in line with existing data protection rules and principles, the proposal contains a number of safeguards to ensure full compliance with the proportionality principle and guarantee a high level of fundamental rights protection.
- Consultation of interested parties
Consultation methods, main sectors targeted and general profile of respondents
When preparing the 2007 proposal, the Commission consulted all stakeholders on the basis of a questionnaire in December 2006. The questionnaire was sent to all the Member States, the data protection authorities of the Member States, the European Data Protection Supervisor, the Association of European Airlines (AEA), the Air Transport Association of America (ATA), the International Air Carrier Association (IACA), the European Regions Airline Association (ERA) and the International Air Transport Association (IATA). The replies were summarised in the Impact Assessment which accompanied the 2007 proposal. Subsequently, the Commission invited the Member States to a meeting during which the representatives of the Member States had the opportunity to exchange views.
Following the adoption of the 2007 proposal, all stakeholders published their positions on it. The European Parliament adopted a resolution on the proposal on 20 November 2008 i. The Member States expressed their positions through the discussions in the Council working groups i. Opinions were also issued by the European Data Protection Supervisor i, the Article 29 Data Protection Working Party i and the Fundamental Rights Agency i.
The main criticism expressed in the Resolution of the European Parliament was that the need for the proposed actions had not been sufficiently demonstrated. Parliament questioned whether the proposal met the standard required for justifying an interference with the right to data protection. The Resolution expressed Parliament’s concern that the added value of the proposal in the light of other border initiatives had not been assessed. As regards data protection, Parliament called for a clear purpose limitation and emphasised that only specific authorities should have access to PNR data. Finally Parliament expressed concerns that the proposed method of automatically assessing PNR data using fact-based pre-determined assessment criteria was a very wide use of the data and stressed that such assessment should never result in ‘profiling’ on the basis of sensitive data.
The Article 29 Data Protection Working Party considered that the proposal was disproportionate and that it might violate the right to data protection. It called into question the data protection regime as Framework Decision 2008/977/JHA does not cover domestic processing of data. It considered that the demonstration of the need for the proposal was inadequate, that the data retention period (13 years) was disproportionate and that only the ‘push’ method of data transfer should be used.
The European Data Protection Supervisor questioned whether the necessity and proportionality of the proposal had been demonstrated since the proposal concerns the collection of data of innocent persons. He criticised the proposal as contributing towards a surveillance society and also called into question the data protection regime as domestic processing of data is not covered by Framework Decision 2008/977/JHA. The European Data Protection Supervisor specifically suggested better defining the authorities that would have access to PNR data and the conditions for transferring data to third countries.
The Fundamental Rights Agency was also of the opinion that the necessity and proportionality of the proposal had not been demonstrated and considered that there should be more guarantees in the proposal in order to avoid profiling on the basis of sensitive data.
Some airline associations, namely the International Air Transport Association (IATA) and the Association of European Airlines (AEA), also issued opinions on the proposal. These mainly criticised the decentralised structure of the proposal and stressed that centralised collection of the data would have financial advantages for the carriers. They also criticised the choice of the ‘push’ method and called for the choice of transfer method to be left to the carriers.
The consultation process has had a major impact on the legislative proposal. Even though several stakeholders were not convinced of the necessity of using PNR data, they all agreed that legislation at EU level is preferable to the development of diverging national PNR systems. The consultations also led to limitation of the purpose of using the data to the fight against terrorist offences and serious crime and limitation of the scope of the proposal to air transport. A strong data protection regime was chosen with a specific retention period and prohibition of the use of sensitive data, such as data revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life. The ‘push’ method was preferred, as well as strict limitations on onward transfers of data to third countries.
- Collection and use of expertise
There was no need for external expertise.
- Impact assessment
The Commission carried out the Impact Assessment listed in the Work Programme i.
Four main options were examined in the Impact Assessment, each containing two variables:
Policy Option A, refraining from addressing the issue at EU level and maintaining the status quo.
Policy Option B, addressing the structure of a system for collecting and processing PNR data, with option B.1: Decentralised collection and processing of data by Member States and option B.2: Centralised collection and processing of data at EU level.
Policy Option C, addressing limitation of the purpose of the proposed measures, with option C.1: Access for the prevention, detection, investigation and prosecution of terrorist offences and serious crime only and option C.2: Access for the prevention, detection, investigation and prosecution of terrorist offences and serious crime and other policy objectives.
Policy Option D, addressing the modes of transport to be covered by the proposed measures, with option D.1: Air carriers only and option D.2: Air, sea and rail carriers.
The options were assessed against the following criteria: security in the EU, protection of personal data, costs to public authorities, costs for carriers/competition in the internal market and encouraging a global approach.
The Impact Assessment concluded that a legislative proposal applicable to travel by air with decentralised collection of PNR data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and other serious crime was the best policy option (combination of B1, C1 and D1). This would enhance security in the EU, while limiting the impact on the protection of personal data to the minimum and keeping costs at an acceptable level.
Contents
- Summary of the proposed action
The proposal aims to harmonise Member States’ provisions on obligations for air carriers, operating flights between a third country and the territory of at least one Member State, to transmit PNR data to the competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. All processing of PNR data on the basis of this proposal will comply with the data protection rules laid down in Framework Decision 2008/977/JHA.
- Legal basis
The TFEU, and in particular Articles 82(1)(d) and 87(2)(a).
- Subsidiarity principle
Law enforcement authorities must be provided with effective tools with which to fight terrorism and serious crime. As most serious crimes and terrorist acts involve some international travel, authorities need to use PNR data to protect the internal security of the EU. Furthermore, investigations for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crimes carried out by the competent authorities of the Member States are largely dependent on international and cross-border cooperation.
Because of the free movement of persons in the Schengen area, it is necessary that all Member States collect, process and exchange PNR data, in order to avoid security gaps. By acting collectively and coherently, this measure will contribute to increasing the security of the EU.
Action at EU level will help to ensure harmonised provisions on safeguarding data protection in the Member States. The different systems of Member States that have already established similar mechanisms, or will do so in the future, may impact negatively on the air carriers as they may have to comply with several potentially diverging national requirements, for example regarding the types of information to be transmitted and the conditions under which this information needs to be provided to the Member States. These differences may also be prejudicial to effective cooperation between the Member States for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
Since the objectives of this proposal cannot be sufficiently achieved by the Member States, and can be better achieved at Union level, it can be concluded that the EU is both entitled to act and better placed to do so than the Member States acting independently. The proposal therefore complies with the subsidiarity principle as set out in Article 5 of the Treaty on European Union.
- Proportionality principle
The proposed systematic collection, analysis and retention of PNR data with respect to flights into the EU from third countries, subject to strict data protection guarantees, would strengthen the prevention, detection, investigation and prosecution of terrorist offences and serious crime and is necessary to meet those threats to security.
The scope of the proposal is limited to those elements that require a harmonised EU approach, including the definition of the ways in which PNR can be used by the Member States, the data elements that need to be collected, the purposes for which the information may be used, the communication of the data between the PNR units of the Member States, and the technical conditions for such communication.
The proposed action is a directive. The choice of a decentralised system means that the Member States can choose how they set up their PNR system, and can decide themselves on the technical aspects of it.
In accordance with the principle of proportionality, as set out in Article 5 of the Treaty on European Union, this proposal does not go beyond what is necessary and proportionate in order to achieve its objectives.
- Choice of instrument
Proposed instrument: a directive.
Other means would not be adequate for the following reason:
The aim of the measure is the approximation of Member States’ legislation, so that any instrument other than a directive would not be appropriate.
The proposal has no implication for the EU budget.
- Simulation, pilot phase and transitional period
There will be a transitional period for the proposal in the form of a two year implementation period. There will also be a transitional collection of PNR data, aiming to achieve collection of data on all flights within 6 years from the entry into force of the Directive.
- Territorial application
The proposed Directive will be addressed to the Member States. Application of the Directive to the United Kingdom, Ireland and Denmark will be determined in accordance with the provisions of Protocols Nos 21 and 22 annexed to the Treaty on the Functioning of the European Union.
- Review/revision/sunset clause
The proposal includes a clause providing for a review of the operation of the Directive four years after its transposition date and a special review of the potential extension of the scope of the Directive to cover PNR data of passengers on flights internal to the EU.