Chapter 7 Agreement between Australia and the European Union on the
Processing and Transfer of European Union Sourced Passenger Name Record Data
Background
7.1
Passenger name record (PNR) data is personal information collected by
airlines on passengers travelling by air. The information is used by the
Australian Customs Service to identify possible persons of interest in the
context of counterterrorism, drug trafficking, identity fraud, people smuggling,
and other serious crimes.[1]
7.2
The Australian Customs Service described the use of PNR data in the
following terms:
…On the one hand, we are able to identify persons of interest
and conduct associated analysis before that person arrives into the country.
Those people are then subject to intervention on arrival for questioning and
examination. On the other hand, our ability to undertake that work in turn
facilitates a freer flow of legitimate travellers through the entry and exit
regulatory processes.
Assessment, in this sense, is made on the basis of advance
passenger data, information and intelligence. The essential pieces of data I am
referring to are known as ‘advance passenger information’, or API, data, which
is provided to Customs by the Department of Immigration and Citizenship, and
‘passenger name record’, or PNR, data, which Customs obtains directly from
airlines. API data contains information about identity, passport details, visa
details and flight details. Passenger name record, or PNR, data includes
information about, for example, name and address, ticketing, check-in, seating,
form of payment, travel itinerary, requested preferences or other requests and
baggage.[2]
7.3
The Australian Customs Service started using PNR data in 1998, with
airlines providing PNR data to Customs on a voluntary basis.
7.4
In 2002, the Customs Act 1901 was amended to require airlines to
provide PNR data to the Australian Customs Service.[3]
7.5
The Australian Customs Service advised the Committee that PNR data had,
in the twelve months preceding the hearing, resulted in:
n the identification of
21 terrorism related matters;
n the identification of
78 drug traffickers;
n the identification of
25 people in possession of objectionable material; and
n 37 people being
denied entry to Australia because they were persons of interest in relation to
serious crime.[4]
7.6
Prior to the negotiation of the Agreement between Australia and the European Union on the Processing and Transfer of European Union Sourced
Passenger Name Record Data (the EU Passenger Name Record Data Agreement) the
Australian Customs Service had access to the passenger information systems of
31 airlines, representing 91% of passengers travelling to Australia.[5]
7.7
The EU Passenger Name Record Data Agreement will permit the transfer to
the Australian Customs Service of PNR data from airlines that process their PNR
data in the European Union.[6]
7.8
While the EU Passenger Name Record Data Agreement has not been notified
by Australia or the European Union to date, it has been provisionally
implemented since it was signed on 30 June 2008.[7]
In other words, airlines that process their PNR data in the European Union are
already providing that data to the Australian Customs Service.
Reasons for Australia to take treaty action
7.9
The EU Passenger Name Record Data Agreement is necessary to overcome a
conflict between the Customs Act 1901 and European Union data protection
laws.
7.10
The Customs Act 1901 requires airlines to provide PNR data for
all passengers before their arrival, while European Union data protection laws
prevent the transfer of personal information from the European Union to other
countries without a formal agreement that adequately protects that personal
information.[8]
7.11
Airlines that process PNR data in the European Union for passengers
travelling to Australia are therefore in breach of either Australian or European
Union law regardless of what they do.
7.12
Nine per cent of travellers to Australia arrive on airlines that process
PNR data in the European Union. However this is expected to increase to 30% of
travellers following a decision by Qantas Airways to transfer its PNR data
processing to Europe.[9]
7.13
The EU Passenger Name Record Data Agreement will require some changes to
PNR data administration. PNR data that is not sourced in the European Union is
accessed by interrogating airline databases. This is colloquially known as
‘pulling’ the data. European Union sourced PNR data will need to be provided
by the airlines to the Australian Customs Service, or ‘pushed’.[10]
Obligations
7.14
The EU Passenger Name Record Data Agreement obliges Australia to impose certain restrictions on the use and storage of European Union sourced
PNR data. The key obligations as highlighted by the NIA and treaty text are:
n restrictions on the
purposes for which European Union sourced PNR data and personal information
derived from it can be used;
n applying Australian
privacy and freedom of information laws to European Union sourced PNR data;
n restrictions on the
disclosure of European Union sourced PNR data amongst Australian Government
agencies;
n a requirement to
filter out sensitive European Union sourced PNR data such as racial or ethnic
origin;
n a requirement to
provide information to the public on Customs’ processing of PNR data;
n a limit of three
years on the retention of person records obtained through European Union sourced
PNR data, with a further two years’ limit on European Union sourced PNR data
that has had the personal identification removed;
n a comprehensive range
of physical and electronic security measures on European Union sourced PNR
data; and
n an obligation to
advise the European Union of the passage of any legislation that directly
affects the safeguards application to European Union sourced PNR data. [11]
Privacy matters
7.15
Because the European Union is the only jurisdiction with data protection
laws that prevent the transfer of PNR data, this is the only agreement Australia has had to negotiate of this sort.[12]
7.16
The Privacy Commissioner advised the Committee that she was involved in
the negotiation of the EU Passenger Name Record Data Agreement. From her
perspective:
…I am quite happy with the outcome that is being negotiated.
I really do think people’s personal information is going to be accorded the
appropriate privacy protections, and, most importantly, there are many
mechanisms in place to ensure that people are told about it, they have access to
that information and there are opportunities to have the processes reviewed. My
office is going to be undertaking two privacy audits a year of the way Customs
handles the passenger name records, and we think that is a really good outcome
because that will go to identifying any possible problems—we do not see any at
the moment—and helping improve outcomes for individuals within Australia.[13]
Costs
7.17
The EU Passenger Name Record Data Agreement will require the Australian
Customs Service to reconfigure its PNR system to ensure it can accept and
process ‘pushed’ PNR data from airlines that process their PNR data in the
European Union.
Consultation
7.18
The NIA indicates that the States and Territories have been notified of
the proposed Agreement through the Standing Committee on Treaties' (SCOT) Schedule of Treaty Action and no comment has been received to date. The
Agreement does not require State or Territory cooperation for its domestic
implementation.[14]
7.19
The Departments of Prime Minister and Cabinet;
Foreign Affairs and Trade; Immigration and Citizenship; and Infrastructure,
Transport Regional Development and Local Government; the Attorney General’s
Department; the Office of the Privacy Commissioner; and the Australian Security
and Intelligence Organisation were consulted in the negotiation of the
Agreement. All agencies cleared the text of the Agreement.[15]
Recommendation 10 |
|
|
The Committee supports the Agreement between Australia
and the European Union on the Processing and Transfer of European Union
Sourced Passenger Name Record Data and recommends that binding treaty
action be taken.
|