EUROPEAN COMMISSION

Brussels, 6.9.2023

COM(2023) 509 final

Recommendation for a

COUNCIL DECISION

authorising the opening of negotiations for an agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record data from the EU to the Swiss Confederation for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

EXPLANATORY MEMORANDUM

CONTEXT OF THE RECOMMENDATION

1 2 Strengthening international cooperation on law enforcement, including on information sharing, is essential to address the threats posed by terrorism and serious transnational crimes. The latest Serious Organised Crime Threat Assessment (SOCTA) report published by Europol  illustrates the international dimension of the activities of most serious crime organisations. Additionally, its latest Terrorism Situation and Trend Report (TE-SAT) stresses not only the direct links between transnational travel and the organization of terrorist activities and serious crime, but also the importance of effectively detecting, investigating and prosecuting other serious criminal offences for preventing and detecting terrorist offences.

Passenger name record (PNR) data is information provided by passengers, and collected by and held in the air carriers’ reservation and departure control systems for their own commercial purposes. The content of PNR data varies depending on the information given during the booking and check-in process and may include, for example, dates of travel and the complete travel itinerary of the passenger or group of passengers travelling together, contact details like address and phone number, payment information, seat number and baggage information.

The collection and analysis of PNR data can provide the authorities with important elements allowing them to detect suspicious travel patterns and identify associates of criminals and terrorists, in particular those previously unknown to law enforcement authorities. Accordingly, the processing of PNR data has become a widely used law enforcement tool, in the EU and beyond, to detect terrorism and other forms of serious crime, such as drug-related offences, human trafficking and child sexual exploitation, and to prevent such crime from being committed. It has also proven to constitute an important source of information to support the investigation and prosecution of cases where such illegal activities have been committed 3 .

While crucial for combating terrorism and serious crime, the transfer of PNR data to third countries as well as the processing by their authorities constitutes an interference with the protection of individuals’ rights with regard to their personal data. For this reason, it requires a legal basis under EU law and must be necessary, proportionate and subject to strict limitations and effective safeguards, as guaranteed by the Charter of Fundamental Rights of the EU, notably in its Articles 6, 7, 8, 21, 47 and 52. The achievement of these important objectives requires striking a fair balance between the legitimate objective to maintain public security and the right of everyone to enjoy the protection of their personal data and private life.

It is in this context that the Commission first sets out the broad lines of the EU's external PNR policy in a 2003 Communication 4 on the EU approach towards transfers of PNR data from the EU to third countries, which were reviewed in a Communication adopted in 2010 5 . There are currently three international agreements in force between the EU and third countries namely Australia 6 , the United States (2012) 7 and the United Kingdom (2020) 8 which cover the transfer and processing of PNR data from the EU. Following the Court’s Opinion of 2017 on the envisaged Agreement between the EU and Canada, 9 PNR negotiations notably with Canada are currently ongoing. 10

Meanwhile, in 2016, the European Parliament and the Council of the European Union adopted Directive (EU) 2016/681 on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (‘PNR Directive’) 11 . This Directive regulates the transfer and processing of PNR data in the European Union and lays down important safeguards for the protection of fundamental rights, in particular the rights to privacy and the protection of personal data. In June 2022, the Court of Justice of the EU confirmed the validity and compliance of this Directive with the Charter of Fundamental Rights of the EU and the Union Treaties, in its judgment in Case C-817/19 12 .

At international level, an increasing number of third countries have started developing their capabilities to collect PNR data from air carriers. This trend is further prompted by Resolutions adopted by United Nations Security Council (in 2017 and 2019), requiring all States to develop the capability to collect and use PNR data 13 , based on which Standards and Recommended Practices on PNR (SARPs) were adopted by the International Civil Aviation Organization (ICAO) in 2020, by means of Amendment 28 to Annex 9 to the Chicago Convention which became applicable in February 2021. 14  

The Union position, as established by Council Decision (EU) 2021/121, welcomes the ICAO SARPs on PNR as laying down ambitious safeguards on data protection and therewith allowing significant progress to be made at international level. At the same time, this Council Decision considered, by means of requiring Member States to register a difference, that the requirements resulting from Union law (including relevant case-law), are more exacting than certain ICAO Standards, and that transfers from the EU to third countries require a legal basis establishing clear and precise rules and safeguards in relation to the use of PNR data by competent authorities of a third country 15 .

In this context, while this Recommendation specifically concerns negotiations with Switzerland, it constitutes part of a broader effort of the Commission to pursue a consistent and effective approach regarding the transfer of PNR data to third countries, as announced in the Security Union Strategy 2020-2025 16 , building on the ICAO SARPs on PNR, and in line with the Union law and case-law. Such an approach was also requested by the Council with its Conclusions of June 2021 17 . Herewith, the Commission also seeks to respond to calls from air carriers to ensure more legal clarity and foreseeability on PNR transfers to third countries 18 .

To this end, the Commission considers that the demonstration of compliance with ICAO PNR Standards is an important element to take into account for entering into a PNR dialogue with any third country. Such subsequent PNR dialogue will then be aimed at establishing a legal basis enabling air carriers to transfer PNR data from the EU to the relevant competent authority of that country and ensuring that the use of PNR data received from the EU is subject to appropriate safeguards as required by Union law.

OBJECTIVES OF THE RECOMMENDATION

Switzerland and the EU Member States which are Contracting Parties to the Schengen Convention have a shared responsibility to ensure internal security within a common area without internal border controls, including by exchanging relevant information.

PNR data processing has demonstrated the potential to enhance the security of the Schengen area, by improving the prevention and detection of serious crime and terrorism at the external borders and by providing a risk-based data-driven approach for Member States to use within the Schengen area as a compensatory measure for the absence of internal border controls 19 .

In 2016, an EU-wide system amongst Member States was established by the PNR Directive, as an important tool to help improve the EU’s internal security. Switzerland is not bound by this Directive, as it is not a development of the Schengen acquis.

Based on preliminary exchanges at technical level, Switzerland informed of its plans to start operating a PNR system once the relevant national legislation will have entered into force. By then, Switzerland, would be capable to collect and process PNR data on flights landing or departing from its airports.

Under Union law, the transfer of any personal data from the Union to a third country may take place only if that country ensures a level of protection of personal data that is essentially equivalent to that guaranteed to those personal data within the Union. It should be noted that, while transposing its rules in its own domestic order on matters related to the implementation of the Schengen acquis, Switzerland is not bound by Directive (EU) 2016/680 20 , given that it is not a Member State of the EU.

In these circumstances, namely in the absence of appropriate safeguards in relation to the specific processing of PNR data, that are to be established by means of a valid legal basis as required by EU law, Switzerland may not lawfully receive and process PNR data on flights operated by air carriers between the Union and Switzerland. Hence, a solution is required to bridge this security gap existing in the Schengen area, and to enable the transfer of PNR data from the Union to Switzerland in recognition of the necessity to use PNR data as an essential tool in the fight against terrorism and other forms of serious crime.

With this in mind, the aim of concluding an agreement on PNR is to enable Switzerland to lawfully receive PNR data from the Union and to allow its designated competent authority to make use of such data in a manner that ensures, at the same time, the security of the individuals moving within a common area without internal borders controls as well as the protection of the personal data concerning those individuals.

In the last years, Switzerland has expressed its interest to receive PNR data on flights from the Union and to start negotiations with the aim of concluding a PNR Agreement with the Union. In this context, Switzerland has shared relevant information as regards it’s the process of adopting its domestic PNR law, notably on its planned adherence to the ICAO Standards on PNR.

For these reasons, the Commission considers it a priority to start negotiations with Switzerland, in parallel with Norway and Iceland, for a bilateral agreement which will allow the designated Swiss competent authority to receive and process PNR data from the Union, subject to appropriate safeguards. In addition, such an agreement would be a means to foster law enforcement cooperation through enhancing the possibilities to exchange PNR data between Swiss and EU Member States competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorism and serious crime.

LEGAL ASPECTS OF THE PROPOSAL

Recommendation for a

COUNCIL DECISION

authorising the opening of negotiations for an agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record data from the EU to the Swiss Confederation for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 218(3) and (4) thereof,

Having regard to the recommendation from the European Commission,

Whereas:

(1) Negotiations should be opened with a view to concluding an Agreement between the Union and the Swiss Confederation for the transfer of Passenger Name Record (PNR) data from the Union to the Swiss Confederation for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

(2) The Agreement should respect fundamental rights and observe the principles recognised by the Charter of Fundamental Rights of the Union, as interpreted by the Court of Justice of the European Union, in particular the right to private and family life recognised in Article 7 of the Charter, the right to the protection of personal data recognised in Article 8 of the Charter and the right to effective remedy and fair trial recognised in Article 47 of the Charter. The Agreement should be applied in accordance with those rights and principles and having due regard to the principle of proportionality in accordance with Article 52(1) of the Charter.

(3) The provisions of the Agreement should be in furtherance of the applicable international Standards on PNR, as contained in the International Convention on Civil Aviation, namely on its Annex 9 (Facilitation), Chapter 9 (Passenger Data Exchange System), Section D (Passenger Name Record (PNR) data) 25 .

HAS ADOPTED THIS DECISION:

Article 1

The European Commission is hereby authorised to open negotiations, on behalf of the Union, of an Agreement between the Union and the Swiss Confederation on the transfer of Passenger Name Record (PNR) data from the Union to the Swiss Confederation for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. 

Article 2

The negotiating directives are set out in the Annex.

Article 3

The negotiations shall be conducted in consultation with [name of special committee to be inserted by the Council].

Article 4

This Decision is addressed to the Commission.

Done at Brussels,

(1)     Serious and Organised Crime Threat Assessment (SOCTA) | Europol (europa.eu)

(2)     EU Terrorism Situation & Trend Report (TE-SAT) | Europol (europa.eu)

(3)    See also Report from the Commission to the European Parliament and the Council on the review of Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime; COM(2020) 305 final (24.07.2020).

(4)    COM(2003) 826 final (16.12.2003).

(5)    COM(2010) 492 final (21.09.2010).

(6)    OJ L 186, 14.7.2012, p. 4–16.

(7)    OJ L 215, 11.8.2012, p. 5–14.

(8)    OJ L 149, 30.4.2021, p. 710 – 735.

(9)    Opinion 1/15 of the Court (Grand Chamber) of 26 July 2017, EU:C:2017:592.

(10)    Council Decisions authorising the opening of negotiations of agreements on the transfer and use of PNR data between the EU and, respectively, Mexico (2015), Canada (2017), Japan (2020) have also been adopted.

(11)    Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132–149), ), hereinafter referred to as the ‘PNR Directive’ or ‘Directive (EU) 2016/681’.

(12)    Judgment of the Court (Grand Chamber) of 21 June 2022 “Ligue des droits humains ASBL v Conseil des ministres”, C-817/19, EU:C:2022:491. The judgement concerned a request for a preliminary ruling from the Cour Constitutionnelle of Belgium. .

(13)    UNSCR 2396 (2017): “The Security Council: [..] 12. Decides that Member States shall develop the capability to collect, process and analyse, in furtherance of ICAO standards and recommended practices, passenger name record (PNR) data and to ensure PNR data is used by and shared with all their competent national authorities, with full respect for human rights and fundamental freedoms for the purpose of preventing, detecting and investigating terrorist offenses and related travel, [..]”. See also UNSCR 2482 (2019).

(14)     Annex 9, Chapter 9, Section D to the International Convention on Civil Aviation (hereinafter referred to as the ‘Chicago Convention’).

(15)    Council Decision (EU) 2021/121 of 28 January 2021 on the position to be taken on behalf of the European Union in reply to the State Letter sent by the International Civil Aviation Organization as regards Amendment 28 to Section D of Chapter 9 of Annex 9 to the Convention on International Civil Aviation (OJ L 37, 3.2.2021, p.6-9).

(16)    Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy, , COM(2020) 605 final (24.7.2020): [..] as a mid-term action, the Commission will launch a review of the current approach on PNR data transfer to third countries.”,.

(17)    Council Conclusions of 7 June 2021 on the transfer of Passenger Name Record (PNR) data to third countries, in particular Australia and the United States, for the purpose of combating terrorism and serious crime, Council Document 9605/21 of 8 June 2021: “Calls on the Commission to pursue a consistent and effective approach regarding the transfer of PNR data to third countries for the purpose of combating terrorism and serious crime, building on the ICAO SARPs, and in line with the relevant requirements established under Union law.”

(18)    As noted by the air carriers, including in reply to the Roadmap consultation, they increasingly find themselves in a situation of “conflict of laws” between two different regulatory frameworks, available at <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12531-Air-travel-sharing-passenger-name-data-within-the-EU-and-beyond-assessment-_en>.

(19)

   Communication from the Commission to the European Parliament and the Council "A strategy towards a fully functioning and resilient Schengen area", COM(2021) 277 final (02.06.2021), page 13.

(20)    OJ L 119, 4.5.2016, p. 89–131.

(21)    See footnote 20.

(22)    See footnote 21.

(23)    See footnote 9.

(24)    See footnote 12.

(25)     Annex 9, Chapter 9, Section D to the International Convention on Civil Aviation .

EUROPEAN COMMISSION

Brussels, 6.9.2023

COM(2023) 509 final

ANNEX

to the

Recommendation for a COUNCIL DECISION

authorising the opening of negotiations for an agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record data from the EU to the Swiss Confederation for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

ANNEX

Directives for the negotiation for an agreement between the European Union and the Swiss Confederation on the transfer of Passenger Name Record data from the EU to the Swiss Confederation for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

The negotiations should aim to achieve the following general objectives:

(1)The Agreement reflects the necessity and importance of the processing of Passenger Name Record (PNR) data in combating serious crime and terorrism by enabling the lawful transfer of PNR data from the Union to Switzerland.

(2)In order to comply with relevant requirements of EU law, including the Charter of Fundamental Rights of the European Union and the relevant case law of the Court of Justice of the European Union, the Agreement provides a legal basis, conditions and safeguards for the transfer to and processing by Switzerland of PNR data, and ensures that an adequate level of personal data protection is provided.

(3)The Agreement encourages and facilitates cooperation between the Member States of the Union and Switzerland by establishing arrangements for timely, effective and efficient exchanges of PNR data and of the results of processing of PNR data.

The negotiations should aim to achieve the following on substance:

(4)The Agreement identifies the designated Swiss competent authority responsible for receiving from air carriers and further processing PNR data under the Agreement.

(5)The Agreement specifies exhaustively and in a clear manner the PNR data elements to be transferred, in line with international standards as well as with Annex I of Directive 2016/681. Data transfers are kept to the minimum necessary and are proportionate to the purpose specified in the Agreement.

(6)The Agreement ensures that PNR data is transferred exclusively on the basis of a 'push' system. The frequency and the timing of such transfers do not create an unreasonable burden on air carriers and are limited to what is strictly necessary, such as through the efficient use of common technical solutions where appropriate. 

(7)The Agreement ensures that air carriers are not required to collect and transfer any additional data compared to what they already collect as part of their business.

(8)(8)    The Agreement includes rules on data security, in particular on allowing only a limited number of specially authorised individuals from the designated Swiss competent authority to have direct access to PNR data, and on notifications of data security breaches to the responsible European data protection supervisory authorities. 

(9)The Agreement sets out the purposes of PNR data processing in an exhaustive manner, notably by establishing that PNR data is transferred and processed solely for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, based on definitions laid down in relevant EU law instruments.

(10)The Agreement provides that sensitive data within the meaning of Union law, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or concerning a person’s health or sexual life or orientation, are not processed under the Agreement.

(11)The Agreement sets out the specific modalities for the processing of PNR data received under the Agreement by the designated Swiss competent authority. It includes safeguards for the automated processing of PNR data to ensure it is based on non-discriminatory, specific, objective and reliable, pre-established criteria and that such automated processing is not used as a sole basis for any decisions with adverse legal effects or seriously affecting an individual. It also ensures that the databases against which PNR data are compared are only those relevant for purposes covered by the Agreement and are reliable and up to date.

(12)The Agreement provides that PNR data received under the Agreement is subject to periods of retention that are restricted and not longer than what is necessary for and proportionate to the objective pursued, that is, for purposes of preventing, detecting, investigating and prosecuting serious crime and terrorism offences. These retention periods ensure that, in line with the relevant case law of the Court of Justice of the European Union, PNR data can be retained under the Agreement only if an objective connection between the PNR data to be retained and the objective pursued is established. The Agreement requires that the PNR data is deleted upon expiry of the relevant retention periods or rendered anonymous in such a manner that the individuals concerned are no longer identifiable. The Agreement takes duly into account the free movement of persons between Switzerland and the Union.  

(13)The Agreement ensures that disclosure of PNR data by the designated Swiss competent authority to a closed list of other competent authorities of Switzerland or to competent authorities of other States, including Member States of the Union or other Schengen Associated Countries, may only take place on a case-by-case basis and under certain conditions and safeguards. In particular, such disclosure may only take place if the recipient authority exercises functions related to the fight against terrorism or serious crime and ensures the same protections as those set out in the Agreement. Onward transfers to competent authorities of other third countries are limited to those countries with which the Union has an equivalent PNR Agreement or for which the Union has adopted an adequacy decision under its personal data protection law covering the relevant authorities to which the PNR data is intended to be transferred.

(14)The Agreement ensures a system of oversight by an independent public authority responsible for personal data protection, with effective powers of investigation, intervention and enforcement, to exercise oversight over the designated competent authorities and other competent authorities that process PNR data under the Agreement. That independent public authority has powers to hear complaints from individuals, in particular concerning the processing of PNR data relating to them. 

(15)The Agreement ensures the rights of effective administrative and judicial redress on a non-discriminatory basis, regardless of nationality or place of residence, for any person in respect of whom PNR data relating to that person is processed under the Agreement, in line with Article 47 of the Charter of Fundamental Rights of the EU.

(16)The Agreement contains provisions to ensure adequate and transparent information to air passengers in relation to the transfer and further processing of PNR data relating to them, as well as the right of individual notification in case of disclosure of such PNR data, and, where appropriate, rectification and deletion, insofar as such notification does not jeopardise any ongoing investigations being carried out by the competent authorities using the PNR data.  

(17)The Agreement fosters police and judicial cooperation through the exchange of PNR data, or results of processing of PNR data, between the designated Swiss competent authority and the competent police and judicial authorities of Member States of the Union, as well as between the designated Swiss competent authority, on the one hand, and Europol or Eurojust within their respective competences, on the other hand.

(18)The Agreement includes provisions for regular joint review on all aspects of the implementation of the Agreement. It is concluded for a set period of time and includes a provision whereby the Agreement is renewed for similar periods unless a Party notifies its decision to terminate it. The Agreement provides for a dispute settlement mechanism with respect to its interpretation, application and implementation.

(19)The Agreement is equally authentic in the Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish languages and will include a language clause to that effect.