EU-Australia Passenger Name Record (PNR) Agreement

EU-Australia Passenger Name Record (PNR) Agreement

/


Public Statement

EU-Australia Passenger Name Record (PNR) Agreement

19 September 2011

Introduction

The APF has became aware that the EU-Australia Passenger Name Record (PNR) Agreement is being renegotiated.

But we have onily learnt this via our European colleagues. This is symptomatic of the general failure of either the Australian government or the Australian Privacy Commissioner to consult civil society or otherwise facilitate public debate about this important data exchange, which involves significant intrusion into the personal affairs of airline passengers entering and leaving Australia, without their express knowledge or consent.

APF first became aware of plans for the original Agreement because we had been following the debate over the EU-US PNR data exchange in the early 2000s.

Background

In April 2004, APF wrote to both the Australian Attorney-General (the relevant Minister) and to the EU Commission, expressing serious concerns about aspects of the original Agreement. We deplored the secrecy of the relevant documentation, and pointed out the severe limitations on the Privacy Commissioner’s monitoring and complaints handling roles (which were both a factor in the positive opinion of the EU Article 29 Working Party (Opinion 1/2004) and a condition of the EU’s eventual approval of the agreement. In our letter to the EU Commission, we described the Australian government’s assurances as part of the Agreement as misleading. See

We understand that the program may not have actually commenced until 2007-08.

The lack of transparency about the program continues to be a serious problem. General public information about the Agreement is confined to the following:

  • the EU Commission web site
  • some brief mentions of PNR in Australian Customs overall privacy statement at

Customs mentioned the Agreement as a highlight’ in its 2007-08 Annual Report :

“Two highlights for the year were ... and the signing of the AustraliaEU Passenger Name Record Agreement on 30 June 2008.

Customs uses Passenger Name Record data for pre-arrival assessment of passengers. Critically the agreement with the EU ensures Customs continued access to Qantas Passenger Name Record data after Qantas completes migration of this data to a company operating out of Germany.”

This seems to refer to only part of the data exchange under the Agreement.

Information Made Available Since 2008

Since 2008, the only public information in Australia about the operation of the Agreement has been brief mentions in the Privacy Commissioner’s Annual Reports of the audit activity, for which additional funding is provided to the Commissioner by Australian Customs (now Customs and Border Protection). The latest published AR (for 2009-2010) contains the following statement in the chapter on monitoring and enforcement activity (Chapter 2):

"The Office signed an agreement with the Australian Customs and Border Protection Service (Customs) in May 2008 to provide over the following four years ongoing privacy advice as well as undertake two audits a year of various aspects of Customs’ use of Passenger Name Record data. The Office receives annual funding of $110 187 from Customs to support the costs of this work."

A Table (3.12) listed four audits, and is followed by another brief statement:

“The completed and ongoing audits of Customs PNR data provide a comprehensive review of the way Customs handles this data. The completed audits revealed that Customs was generally compliant in terms of its handling of personal information involved in PNR processes. However, the auditors made a number of suggestions to Customs about best privacy practice improvements.

Customs held concerns regarding the publication of the final report, citing operational security issues. Therefore, the Office agreed to publish an abridged version of the final report on its website.”

It is not clear which of the two completed reports in the table this last sentence refers to, but in any case we cannot find any PNR audit reports on the website at

There is nothing in the policy chapter of AR 2009-10 (Chapter 1) where you would expect to find discussion of any advice that the Privacy Commissioner may have given on the review of the Agreement.

The 2008-09 Annual Report recorded the same explanation of the program and two audits in progress, with no other commentary.

Conclusions

The APF’s initial criticism of the Agreement was well founded, in that the Australian government and Privacy Commissioner have failed to provide evidence that the safeguards and assurances given to the EU in 2008 are working effectively. The subsequent failure to consult on the review of the Agreement compounds the problem.

We submit that unless the Australian government and/or Privacy Commissioner are willing to commit publicly to a much greater level of transparency about PNR record transfer under the Agreement, the EU should not agree to renew it.

Top View