Chapter 3 Agreement between the European Union and Australia on the
Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to
the Australian Customs and Border Protection Service done at Brussels on 29
September 2011
Introduction
3.1
On 22 November 2011, the Agreement between the European Union and
Australia on the Processing and Transfer of Passenger Name Record (PNR) Data by
Air Carriers to the Australian Customs and Border Protection Service done at
Brussels on 29 September 2011 was tabled in the Commonwealth Parliament.
3.2
The proposed Agreement provides the legal basis required by the European
Union (EU) under its data protection laws to allow the transfer of passenger
name record (PNR) data to Australia. PNR data is passenger information
processed in the EU by air carriers, including passengers’ travel requirements,
date of reservation, date of intended travel, name, contact details and payment
information. Negotiation of such an agreement with the EU is a pre-requisite
for the release of EU held personal information to other jurisdictions, and
reflects the high standard of protection for personal information held in the
EU.[1]
Background
3.3
The proposed Agreement will replace the existing (though provisional) Agreement
between the European Union and Australia on the Processing and Transfer of
European Union - Sourced Passenger Name Record (PNR) Data by Air Carriers to
the Australian Customs Service, done at Brussels on 30 June 2008
(the 2008 PNR Agreement).[2]
3.4
The Agreement is an important element in the relationship and underlines
the broad-based cooperation between Australia and the European Union (EU).[3]
3.5
Access to PNR data forms an integral component of Customs and Border
Protection’s border protection measures. Analysis of this and other data plays
a critical role in the identification of possible persons of interest in the
context of combating terrorism, drug trafficking, identity fraud, people
smuggling and other serious transnational crimes.[4]
3.6
Providing security and border protection is a potentially fraught
affair, as the requirement to screen people and goods is sometimes in conflict
with speed and efficiency. The Australian Customs and Border Protection
Service explained:
The operating environment within which these risks are
identified and managed is characterised by increasing complexity and volumes in
trade and travel. For example, almost 29 million people crossed the Australian
border last financial year. It is also characterised by infrastructure
constraints in airports and ports, short intervention time frames and an
increasing sophistication of those who seek to circumvent the controls and risk
treatments that are in place. Further, while there is a community expectation
that the border will be protected, there is only a limited community tolerance
for things like queues in airports which complicate the management of these
risks. Given the range of risks to be managed, the nature of the operating
environment and the increasing volume of travellers, almost all risk assessment
must take place before the physical border and relies absolutely on the ability
to access and assess data, information and intelligence about travellers and
intended travel. [5]
Reasons for Australia to take the proposed treaty action
3.7
Section 64AF of the Customs Act 1901 (Cth) mandates that airlines
operating international passenger air services to and from Australia provide
Customs and Border Protection with access to PNR data for all passengers prior
to arrival. As Australia’s primary border protection agency, Customs and
Border Protection undertakes risk assessment and clearance of all passengers
arriving in and departing from Australia. Access to PNR data is vital for
Customs and Border Protection to fulfil this border protection role. [6]
3.8
EU data protection laws prohibit data transfers from the EU to other
countries without a formal agreement that contains adequate safeguards for the
protection of personal data. An agreement with the EU is therefore necessary
to enable PNR data to be transferred to Australian authorities.[7]
3.9
Without such an agreement, PNR data processed in the EU could not be
provided to Customs and Border Protection without breaching EU law. On the
other hand, failure to furnish such information might expose an information gap
that could be exploited by people wishing to enter Australia without detection.[8]
3.10
The proposed Agreement resolves this conflict by providing an
appropriate legal framework and assurances that EU-sourced PNR data transferred
to Australia will be processed in accordance with existing Australian data
protection laws, striking a balance between national security and privacy
protection considerations.[9]
3.11
The proposed Agreement applies to all PNR data processed in the EU,
regardless of the flight’s point of departure. PNR data processed in the EU
currently represents about 30 per cent of total air passenger arrivals in
Australia. By July 2012, EU-sourced PNR data is forecast to increase to about
42% of total air passenger arrivals in Australia when Cathay Pacific and
Singapore Airlines migrate their passenger data services to a data-processing
company in Germany.[10]
3.12
The Australian Customs and Border Protection Service explained why the
PNR data is important for the work they do not just in terms of security, but
also in terms of facilitating the flow of passengers through increasingly busy
airports:
Our ability to assess travellers prior to their arrival is
vital not just for managing border risk but also for effective passenger
facilitation. Based on this layered approach we are able to identify potential
persons of interest and conduct associated analysis before that person arrives
into Australia. Those persons are then subject to some form of intervention on
arrival. This process in turn facilitates a freer flow of legitimate travellers
through the entry and exit regulatory processes without unnecessary
intervention. So, in essence, without an ability to engage in pre-arrival risk
assessment, large numbers of travellers would be stopped at the border for
questioning, search and so on, leading to a fairly chaotic airport experience.
Risk assessments are made on the basis of advanced passenger
data, information and intelligence. The essential pieces of data that I am
referring to are known as advanced passenger information or API data, which is
provided to the Customs and Border Protection Service by the Department of
Immigration and Citizenship, and passenger name record, or PNR, data, which we
obtain directly from airlines. API data contains information about identity,
passport details, visa details and flight details. PNR data is a much richer
source of information and includes API data and also information about, for
example, ticketing, check-in, seating, form of payment, the travel itinerary,
requested preferences or requests and baggage information. [11]
Replacement of the 2008 PNR Agreement
3.13
The 2008 PNR Agreement has operated provisionally since it was signed on
30 June 2008. Australia notified the EU in December 2008 that it had
completed domestic procedures necessary to bring the 2008 Agreement into
force. However, the EU was still processing its procedures for entry into
force (requiring all 27 member states to formally agree) when the Treaty of
Lisbon amending the Treaty on European Union and the Treaty establishing the
European Community, done at Lisbon on 13 December 2007 (the Lisbon Treaty),
entered into force on 1 December 2009. The Lisbon Treaty gave the European
Parliament the power to vote on all EU treaties that had not yet entered into
force, including the 2008 PNR Agreement, as well as PNR agreements with the US
and Canada.[12]
3.14
In May 2010, the European Parliament passed a resolution which postponed
voting on all the EU’s unratified PNR agreements, and called on the European
Council to develop mandates for the EU to renegotiate these PNR agreements in
accordance with proposed new benchmarks that emphasised privacy protection.
Negotiations on a revised PNR agreement with Australia (the proposed Agreement)
commenced in January 2011.[13]
Obligations
3.15
Article 3 of the proposed Agreement restricts the purposes for which PNR
data may be used to the proposed Agreement alone. [14]
3.16
EU obligations reflected in Articles 4 and 5 provide that:
(i)
air carriers will not be prevented by EU law from complying with
Australian law obliging them to provide PNR data to Customs and Border
Protection; and
(ii)
compliance with the proposed Agreement by Customs and Border Protection
will, under EU law, constitute an adequate level of protection for PNR data.[15]
3.17
The proposed Agreement also obliges Customs and Border Protection to
provide analytical information obtained from PNR data to police or judicial
authorities of EU Member States, Europol or Eurojust, either at their request
for the purpose of preventing, detecting, investigating or prosecuting a
terrorist offence or serious transnational crime, or in accordance with
relevant law enforcement or other information-sharing agreements or
arrangements between Australia and any member state of the EU, Europol or
Eurojust.[16]
3.18
Chapter II of the proposed Agreement places certain obligations on
Australia to safeguard the transfer and use of PNR data which is transferred
from the EU to Customs and Border Protection including:
n adequate
protection of personal information in accordance with the Privacy Act 1988
(Cth) and relevant national laws;
n secure
physical and electronic security for storage of PNR data; and
n ensuring
an individual has the right to access, and to seek rectification of, his or her
PNR data subject to reasonable legal limitations and ensuring an individual has
the right to administrative and judicial redress should his or her rights under
the proposed Agreement be violated.[17]
3.19
The security of people’s information is of high importance to both
Australian and EU authorities.
the matter of PNR data and its use is extremely sensitive in
Europe. These negotiations were complex, highly political and required great
sensitivity to the need to balance effective border protection with the
individual's right to privacy. This challenge was met, and we are of the view,
as were the competent European authorities—including, importantly, the European
Parliament—that we came to an appropriate balance in the circumstances we are
faced with and in the global security and criminal environment.[18]
Implementation
3.20
The safeguards Australia is required to ensure in respect of EU-sourced
PNR data are similar to existing Australian law and Customs and Border
Protection policies and procedures.
3.21
Specifically, existing Australian legislation governing the privacy of
data, including the Privacy Act 1988 (Cth), the Freedom of
Information Act 1982 (Cth) and the Ombudsman Act 1976 (Cth)
establish most of the protections Australia has agreed to provide under the
proposed Agreement.
3.22
Other obligations, such as the limits on disclosure of information by
Customs and Border Protection to other agencies, can be implemented through
existing legislative mechanisms in the Customs Administration Act 1985 (Cth)
and existing Customs and Border Protection policies and procedures. No new
legislation is required to process PNR data in the manner required by the
proposed Agreement.[19]
3.23
The PNR data has been of high importance to Australian law enforcement
authorities. The Australian Customs and Border Protection Service explained:
... during the 2011 calendar year PNR data alone contributed
to two successful terrorism prosecutions and supported a further 10 terrorism
investigations. It led to the identification and prosecution of 30 drug
traffickers and the associated seizure of 110 kilograms of narcotics, saving
the Australian community $72 million in downstream effects, based on the
Australian Federal Police drug harm index. It also led to the investigation and
prosecution of three persons in possession of child pornography, and supported
the investigation of over 600 overseas child sex tourism matters. In addition,
PNR led directly to the identification of 26 persons in relation to other
serious crime, who were refused entry at the border. The ability to analyse PNR
data also provides important information in circumstances where persons of
interest or syndicates have been identified through other intelligence or
assessment methods.[20]
Costs
3.24
In the 2010/11 Budget, Customs and Border Protection was allocated $23.7
million and the Department of Immigration and Citizenship was allocated $1.2m
for PNR risk assessment.[21]
Conclusion
3.25
This agreement between Australia and the EU is of high importance in
terms of strengthening Customs and Border Protection’s border protection
measures. Analysis of this and other data plays a critical role in the
identification of possible persons of interest in the context of combating
transnational crimes.
3.26
The Committee recognises the need for balance between providing
information to government agencies and personal privacy. The Agreement has
been scrutinised in this area – most notably by the European Parliament - and
the Committee is satisfied that a suitable balance has been found.
3.27
On this basis, the Committee supports the ratification of this treaty.