Chapter 3 Agreement between the European Union and Australia on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs and Border Protection Service done at Brussels on 29 September 2011

Chapter 3 Agreement between the European Union and Australia on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs and Border Protection Service done at Brussels on 29 September 2011

Introduction

3.1                   On 22 November 2011, the Agreement between the European Union and Australia on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs and Border Protection Service done at Brussels on 29 September 2011 was tabled in the Commonwealth Parliament.

3.2                   The proposed Agreement provides the legal basis required by the European Union (EU) under its data protection laws to allow the transfer of passenger name record (PNR) data to Australia.  PNR data is passenger information processed in the EU by air carriers, including passengers’ travel requirements, date of reservation, date of intended travel, name, contact details and payment information.  Negotiation of such an agreement with the EU is a pre-requisite for the release of EU held personal information to other jurisdictions, and reflects the high standard of protection for personal information held in the EU.[1]

Background

3.3                   The proposed Agreement will replace the existing (though provisional) Agreement between the European Union and Australia on the Processing and Transfer of European Union - Sourced Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs Service, done at Brussels on 30 June 2008 (the 2008 PNR Agreement).[2]

3.4                   The Agreement is an important element in the relationship and underlines the broad-based cooperation between Australia and the European Union (EU).[3]

3.5                   Access to PNR data forms an integral component of Customs and Border Protection’s border protection measures.  Analysis of this and other data plays a critical role in the identification of possible persons of interest in the context of combating terrorism, drug trafficking, identity fraud, people smuggling and other serious transnational crimes.[4]

3.6                   Providing security and border protection is a potentially fraught affair, as the requirement to screen people and goods is sometimes in conflict with speed and efficiency.  The Australian Customs and Border Protection Service explained:

The operating environment within which these risks are identified and managed is characterised by increasing complexity and volumes in trade and travel.  For example, almost 29 million people crossed the Australian border last financial year. It is also characterised by infrastructure constraints in airports and ports, short intervention time frames and an increasing sophistication of those who seek to circumvent the controls and risk treatments that are in place. Further, while there is a community expectation that the border will be protected, there is only a limited community tolerance for things like queues in airports which complicate the management of these risks. Given the range of risks to be managed, the nature of the operating environment and the increasing volume of travellers, almost all risk assessment must take place before the physical border and relies absolutely on the ability to access and assess data, information and intelligence about travellers and intended travel. [5]

Reasons for Australia to take the proposed treaty action

3.7                   Section 64AF of the Customs Act 1901 (Cth) mandates that airlines operating international passenger air services to and from Australia provide Customs and Border Protection with access to PNR data for all passengers prior to arrival.  As Australia’s primary border protection agency, Customs and Border Protection undertakes risk assessment and clearance of all passengers arriving in and departing from Australia.  Access to PNR data is vital for Customs and Border Protection to fulfil this border protection role. [6]

3.8                   EU data protection laws prohibit data transfers from the EU to other countries without a formal agreement that contains adequate safeguards for the protection of personal data.  An agreement with the EU is therefore necessary to enable PNR data to be transferred to Australian authorities.[7] 

3.9                   Without such an agreement, PNR data processed in the EU could not be provided to Customs and Border Protection without breaching EU law.  On the other hand, failure to furnish such information might expose an information gap that could be exploited by people wishing to enter Australia without detection.[8]

3.10               The proposed Agreement resolves this conflict by providing an appropriate legal framework and assurances that EU-sourced PNR data transferred to Australia will be processed in accordance with existing Australian data protection laws, striking a balance between national security and privacy protection considerations.[9]

3.11               The proposed Agreement applies to all PNR data processed in the EU, regardless of the flight’s point of departure.  PNR data processed in the EU currently represents about 30 per cent of total air passenger arrivals in Australia.  By July 2012, EU-sourced PNR data is forecast to increase to about 42% of total air passenger arrivals in Australia when Cathay Pacific and Singapore Airlines migrate their passenger data services to a data-processing company in Germany.[10]

3.12               The Australian Customs and Border Protection Service explained why the PNR data is important for the work they do not just in terms of security, but also in terms of facilitating the flow of passengers through increasingly busy airports:

Our ability to assess travellers prior to their arrival is vital not just for managing border risk but also for effective passenger facilitation. Based on this layered approach we are able to identify potential persons of interest and conduct associated analysis before that person arrives into Australia. Those persons are then subject to some form of intervention on arrival. This process in turn facilitates a freer flow of legitimate travellers through the entry and exit regulatory processes without unnecessary intervention. So, in essence, without an ability to engage in pre-arrival risk assessment, large numbers of travellers would be stopped at the border for questioning, search and so on, leading to a fairly chaotic airport experience.

Risk assessments are made on the basis of advanced passenger data, information and intelligence. The essential pieces of data that I am referring to are known as advanced passenger information or API data, which is provided to the Customs and Border Protection Service by the Department of Immigration and Citizenship, and passenger name record, or PNR, data, which we obtain directly from airlines. API data contains information about identity, passport details, visa details and flight details. PNR data is a much richer source of information and includes API data and also information about, for example, ticketing, check-in, seating, form of payment, the travel itinerary, requested preferences or requests and baggage information. [11]

Replacement of the 2008 PNR Agreement

3.13               The 2008 PNR Agreement has operated provisionally since it was signed on 30 June 2008.  Australia notified the EU in December 2008 that it had completed domestic procedures necessary to bring the 2008 Agreement into force.  However, the EU was still processing its procedures for entry into force (requiring all 27 member states to formally agree) when the Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, done at Lisbon on 13 December 2007 (the Lisbon Treaty), entered into force on 1 December 2009.  The Lisbon Treaty gave the European Parliament the power to vote on all EU treaties that had not yet entered into force, including the 2008 PNR Agreement, as well as PNR agreements with the US and Canada.[12]

3.14               In May 2010, the European Parliament passed a resolution which postponed voting on all the EU’s unratified PNR agreements, and called on the European Council to develop mandates for the EU to renegotiate these PNR agreements in accordance with proposed new benchmarks that emphasised privacy protection.  Negotiations on a revised PNR agreement with Australia (the proposed Agreement) commenced in January 2011.[13]

Obligations

3.15               Article 3 of the proposed Agreement restricts the purposes for which PNR data may be used to the proposed Agreement alone. [14]

3.16               EU obligations reflected in Articles 4 and 5 provide that:

(i)                 air carriers will not be prevented by EU law from complying with Australian law obliging them to provide PNR data to Customs and Border Protection; and

(ii)              compliance with the proposed Agreement by Customs and Border Protection will, under EU law, constitute an adequate level of protection for PNR data.[15]

3.17               The proposed Agreement also obliges Customs and Border Protection to provide analytical information obtained from PNR data to police or judicial authorities of EU Member States, Europol or Eurojust, either at their request for the purpose of preventing, detecting, investigating or prosecuting a terrorist offence or serious transnational crime, or in accordance with relevant law enforcement or other information-sharing agreements or arrangements between Australia and any member state of the EU, Europol or Eurojust.[16]

3.18               Chapter II of the proposed Agreement places certain obligations on Australia to safeguard the transfer and use of PNR data which is transferred from the EU to Customs and Border Protection including:

n  adequate protection of personal information in accordance with the Privacy Act 1988 (Cth) and relevant national laws;

n  secure physical and electronic security for storage of PNR data; and

n  ensuring an individual has the right to access, and to seek rectification of, his or her PNR data subject to reasonable legal limitations and ensuring an individual has the right to administrative and judicial redress should his or her rights under the proposed Agreement be violated.[17]

3.19               The security of people’s information is of high importance to both Australian and EU authorities.

the matter of PNR data and its use is extremely sensitive in Europe. These negotiations were complex, highly political and required great sensitivity to the need to balance effective border protection with the individual's right to privacy.  This challenge was met, and we are of the view, as were the competent European authorities—including, importantly, the European Parliament—that we came to an appropriate balance in the circumstances we are faced with and in the global security and criminal environment.[18]

Implementation

3.20               The safeguards Australia is required to ensure in respect of EU-sourced PNR data are similar to existing Australian law and Customs and Border Protection policies and procedures. 

3.21               Specifically, existing Australian legislation governing the privacy of data, including the Privacy Act 1988 (Cth), the Freedom of Information Act 1982 (Cth) and the Ombudsman Act 1976 (Cth) establish most of the protections Australia has agreed to provide under the proposed Agreement. 

3.22               Other obligations, such as the limits on disclosure of information by Customs and Border Protection to other agencies, can be implemented through existing legislative mechanisms in the Customs Administration Act 1985 (Cth) and existing Customs and Border Protection policies and procedures.  No new legislation is required to process PNR data in the manner required by the proposed Agreement.[19]

3.23               The PNR data has been of high importance to Australian law enforcement authorities.  The Australian Customs and Border Protection Service explained:

... during the 2011 calendar year PNR data alone contributed to two successful terrorism prosecutions and supported a further 10 terrorism investigations. It led to the identification and prosecution of 30 drug traffickers and the associated seizure of 110 kilograms of narcotics, saving the Australian community $72 million in downstream effects, based on the Australian Federal Police drug harm index. It also led to the investigation and prosecution of three persons in possession of child pornography, and supported the investigation of over 600 overseas child sex tourism matters. In addition, PNR led directly to the identification of 26 persons in relation to other serious crime, who were refused entry at the border. The ability to analyse PNR data also provides important information in circumstances where persons of interest or syndicates have been identified through other intelligence or assessment methods.[20]

Costs

3.24               In the 2010/11 Budget, Customs and Border Protection was allocated $23.7 million and the Department of Immigration and Citizenship was allocated $1.2m for PNR risk assessment.[21]

Conclusion

3.25               This agreement between Australia and the EU is of high importance in terms of strengthening Customs and Border Protection’s border protection measures.  Analysis of this and other data plays a critical role in the identification of possible persons of interest in the context of combating transnational crimes.

3.26               The Committee recognises the need for balance between providing information to government agencies and personal privacy.  The Agreement has been scrutinised in this area – most notably by the European Parliament - and the Committee is satisfied that a suitable balance has been found.

3.27               On this basis, the Committee supports the ratification of this treaty.

Recommendation 2

  The Committee supports the Agreement between the European Union and Australia on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs and Border Protection Service done at Brussels on 29 September 2011 and recommends that binding treaty action be taken.

 

Navigation: Previous Page | Contents | Next Page