Tag Archives: Personal data

Data protection in the electronic communications sector

Document or Initiative

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [See amending acts].

Summary

Directive 2002/58/EC forms part of the “Telecoms Package”, a new legislative framework designed to regulate the electronic communications sector and amend the existing regulations governing the telecommunications sector. The “Telecoms Package” includes four other Directives on the general framework, access and interconnection, authorisation and licensing and the universal service. The “Telecoms Package” was amended in December 2009 by the two Directives “Better law-making” and “Citizens’ rights”, as well as by the establishment of a body of European regulators for electronic communications (BEREC).

This Directive principally concerns the processing of personal data relating to the delivery of communications services.

Processing security

The provider of an electronic communications service must protect the security of its services by:

  • ensuring personal data is accessed by authorised persons only;
  • protecting personal data from being destroyed, lost or accidentally altered;
  • ensuring the implementation of a security policy on the processing of personal data.

In the case of an infringement of personal data, the service provider must inform the person concerned, as well as the National Regulatory Authority (NRA).

Confidentiality of communications

The Directive reiterates the basic principle that Member States must, through national legislation, ensure the confidentiality of communications made over a public electronic communications network. They must in particular prohibit listening in to, tapping and storage of communications by persons other than users without the consent of the users concerned. The subscriber or user who stores their information must first be informed of the purposes of the processing of their data. They have the option to withdraw their consent to the processing of traffic data.

Data retention

The Directive determines that traffic data and location data must be erased or made anonymous when they are no longer required for the conveyance of a communication or for billing, except if the subscriber has given their consent for another use. On the sensitive issue of data retention, the Directive stipulates that Member States may withdraw the protection of data only to allow criminal investigations or to safeguard national security, defence and public security. Such action may be taken only where it constitutes a “necessary, appropriate and proportionate measure within a democratic society”.

In order to ensure the availability of communication data for the purpose of investigation, detection and prosecution of criminal offences, the Directive lays down provisions for the retention of data.

Unsolicited communications (“spamming”)

The Directive takes an “opt-in” approach to unsolicited commercial electronic communications, i.e. users must have given their prior consent before such communications are addressed to them. This opt-in system also covers SMS text messages and other electronic messages received on any fixed or mobile terminal. However, exceptions are provided.

Cookies

The Directive states that users must give their consent before information is stored on their terminal equipment or before access to such information is obtained. In order to do this, users must receive clear and comprehensive information about the purpose of the storage or access. These provisions protect the private life of users from malicious software, such as viruses or spyware, but also apply to cookies.

Cookies are hidden information exchanged between an Internet user and a web server, and are stored in a file on the user’s hard disk. Their original purpose was to retain information between sessions. They are also a useful and much decried tool for monitoring a net surfer’s activity.

The Directive encourages the use of methods that are as user-friendly as possible, including effective technical tools.

Public directories

European citizens must give prior consent in order for their telephone numbers (landline or mobile), e-mail addresses and postal addresses to appear in public directories.

Controls

Member States must implement a system of penalties, including legal sanctions in the case of infringements to the provisions of this Directive, and ensure that the national competent authorities have at their disposal the necessary powers and resources to monitor and control compliance with the national provisions adopted during the transposition of this Directive.

References

Act | Entry into force | Deadline for transposition in the Member States | Official Journal
Directive 2002/58/EC | 30.07.2002 | 31.10.2003 | OJ L 201 of 31.07.2002

Amending act(s) | Entry into force | Deadline for transposition in the Member States | Official Journal
Directive 2006/24/EC | 3.5.2006 | 15.9.2007 | OJ L 105 of 13.04.2006
Directive 2009/136/EC | 19.12.2009 | 25.5.2011 | OJ L 337 of 18.12.2009

Related Acts

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281/31 of 23.11.95].
This Directive is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU.

Regulation 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [Official Journal L 8 of 12.01.2001]
This Regulation aims to protect personal data within EU institutions and bodies. The text provides for rules to ensure a high level of protection for personal data processed by the Community institutions and bodies and the creation of an independent supervisory body to monitor the application of these rules.

Cooperation in criminal matters: protection of personal data

Document or Initiative

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

Summary

This framework decision aims to protect the fundamental rights and freedoms of natural persons when their personal data are processed for the purposes of preventing, investigating, detecting or prosecuting a criminal offence or of executing a criminal penalty. It concerns personal data that are processed in part or entirely by automatic means, as well as personal data forming part of a filing system that are processed by non-automatic means.

Data processing

The competent authorities of Member States may collect personal data only for specified, explicit and legitimate purposes. The processing of these data is permitted only for the purposes for which they were collected. Processing for other purposes is allowed only under certain circumstances or when certain appropriate safeguards are in place.

In principle, personal data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or concerns his/her health or sex life may not be processed. Their processing may be allowed only if it is absolutely necessary and if appropriate safeguards have been established.

Inaccurate personal data must be rectified and updated or completed if possible. Once the data are no longer needed for the purposes they were collected, they must be erased, made anonymous or, in certain cases, blocked. The need to store personal data must be reviewed regularly, with time limits set for their erasure.

The competent authorities of Member States must verify that the personal data to be transmitted or made available are accurate, up to date and complete. In order to be able to verify that the processing of data is lawful and to ensure the integrity and security of the data, their transmissions must be logged or documented.

Data transmission

Personal data received from another Member State are to be processed only for the purposes for which they were transmitted. In certain cases however, they may be processed for other purposes, for example for the prevention, investigation, detection or prosecution of other criminal offences, the execution of other criminal penalties or the prevention of threats to public security. The receiving Member State must respect any specific restrictions to the exchanges of data provided for in the law of the transmitting Member State.

Under certain circumstances, the receiving Member State may transfer personal data to third countries or to international bodies. To this end, the Member State that first made the data available must provide its consent. Only in urgent cases may data be transferred without prior consent. Personal data may also be transferred to private parties in Member States for exclusive purposes, provided that the competent authority of the Member State from where the data was received has given its consent.

Rights of data subjects

The data subject is to be kept informed of any collection or processing of personal data relating to him/her. However, when data have been transmitted from one Member State to another, the first may demand that the second does not divulge any information to the subject.

The data subject may request to receive a confirmation on whether data concerning him/her have been transmitted, who the recipients are, what data are being processed, as well as a confirmation that the necessary verifications of that data have been made. In certain cases, Member States may restrict the subject’s access to information. Any decision restricting access must be given in writing to the data subject, together with the factual and legal reasons thereof. The data subject must also be given advice on his/her right to appeal such a decision.

The data subject may demand that personal data relating to him/her be rectified, erased or blocked. Any refusal to that end must be given in writing, along with information on the right to lodge a complaint or seek a judicial remedy.

Any person may demand compensation for the damages s/he has suffered due to an unlawful processing of personal data or any other act that is not compatible with this framework decision. In case a data subject’s rights are breached, s/he has the right to a judicial remedy.

Safeguarding data processing

The competent authorities must take the necessary security measures to protect personal data against any unlawful form of processing. This includes accidental loss, alteration and unauthorised disclosure of, as well as access to, personal data. In particular, specific measures need to be taken with regard to the automated processing of data.

National supervisory authorities in Member States monitor and advise on the application of this framework decision. To that end, they are granted investigative powers, effective powers of intervention, as well as the power to pursue legal proceedings. For any infringements of the provisions of this framework decision, Member States must establish effective, proportionate and dissuasive penalties.

References

Act | Entry into force | Deadline for transposition in the Member States | Official Journal
Framework Decision 2008/977/JHA | 19.1.2009 | 27.11.2010 | OJ L 350 of 30.12.2008

Deployment of Intelligent Transport Systems in Europe

Document or Initiative

Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport.

Summary

This directive is applicable to Intelligent Transport Systems (ITS) applications and services in the European Union (EU) road transport sector and to their interfaces with other modes of transport. ITS are systems in which information and communication technologies are applied in the field of road transport, including infrastructure, vehicles and users, and in traffic management and mobility management.

The following are identified as priority areas for the development and use of specifications and standards:

  • optimal use of road, traffic and travel data;
  • continuity of traffic and freight management ITS services;
  • ITS road safety and security applications;
  • linking the vehicle with the transport infrastructure.

Within these priority areas, there are six priority actions:

  • the provision of EU-wide multimodal travel information services;
  • the provision of EU-wide real-time traffic information services;
  • data and procedures for the provision, where possible, of road safety related minimum universal traffic information free of charge to users;
  • the harmonised provision for an interoperable EU eCall;
  • the provision of information services for safe and secure parking places for trucks and commercial vehicles;
  • the provision of reservation services for safe and secure parking places for trucks and commercial vehicles.

On deployment of ITS applications and services, EU countries must take the necessary action to ensure that the specifications adopted by the Commission are applied. Individual EU countries do, however, retain the right to decide on deployment of such applications and services on their own territory.

The Commission is responsible for first adopting the necessary specifications to ensure the compatibility, interoperability and continuity for the deployment and operational use of ITS for the above priority actions. Following this, the Commission shall then adopt specifications for the deployment and operational use of ITS for other actions in the priority areas. The specifications will, where appropriate, include the conditions under which EU countries may establish additional rules for the provision of ITS services on all or part of their territory, provided that these rules do not impede interoperability of the services. In addition to the specifications, the Commission may adopt guidelines and other non-binding measures to facilitate the cooperation of EU countries regarding the priority areas.

Rules on privacy, security and re-use of information

EU countries must ensure that the processing of personal data in the context of the operation of ITS applications and services is undertaken in accordance with EU rules on fundamental rights and freedoms of individuals, and that the provisions on consent are adhered to. In particular, personal data must be protected against misuse, including unlawful access, alteration or loss. To this end, personal data should only be processed where necessary and, where appropriate, the use of anonymous data should be encouraged for the performance of the ITS applications and services.

Delegated acts

With regard to specifications, the Commission may also adopt separate delegated acts for each of the priority actions. The European Parliament and the Council have the right to either revoke this delegation of powers, or object to a delegated act. If there is an objection to a delegated act, the act will not enter into force.

European ITS Advisory Group

The Commission shall establish a European ITS Advisory Group to provide advice on business and technical aspects of the deployment and use of ITS in the EU. The group shall be composed of high level representatives from relevant ITS service providers, associations of users, transport and facilities operators, manufacturing industry, social partners, professional associations, local authorities and other relevant fora.

References

Act | Entry into force | Deadline for transposition in the Member States | Official Journal
Directive 2010/40/EU | 26.8.2010 | 27.2.2012 | OJ L 207 of 6.8.2010

Agreement on the processing and transfer of passenger name record data by air carriers to the United States Department of Homeland Security

Document or Initiative

Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement)

Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement).

Summary

The purpose of sharing passenger name record (PNR) data is to combat terrorism and organised crime, protect people’s vital interests and prevent the flight of individuals from warrants or custody issued against them.

This Decision consists of the Agreement, the accompanying letter from the United States Department of Homeland Security (DHS) and the letter of the European Union (EU) in reply. Applicable for seven years, it requires airlines to transfer data to DHS concerning passengers transported to or from the United States. In return, DHS undertakes to guarantee a high level of protection. The Decision advocates the application of security measures on data transfers and calls on the parties to respect the fundamental rights and freedoms of passengers.

Type of passenger name record (PNR) data collected

DHS obtains PNR data from the air carriers, flight tickets and travel documents. The data collected concern:

  • APIS information (name, civil status, date of birth, nationality, country of residence, etc.);
  • the journey (date of reservation/issue of ticket, travel date, itinerary, baggage, seat number, travel status of passenger, travel agency used);
  • the flight ticket (free tickets, upgrades, ticket issue, price, number, form of payment used and billing);
  • PNR (record locator code, names on PNR, split/divided PNR information and all historical changes made to PNR);
  • all available contact information;
  • OSI (Other Service Information), SSI and SSR (Special Services) data.

“Sensitive” PNR data

Sensitive PNR data relate to ethnic origin, philosophical, political or religious beliefs, trade union membership and the health and sex life of the individual. Once this information has been received, DHS employs an automatic system to filter the sensitive codes and terms. DHS undertakes not to use this information and to delete it promptly.

However, where lives are in danger and the passenger has supplied such information, DHS is authorised to use it, provided that it maintains a log of access to these data and deletes them within thirty days. It is required to inform the European Commission (within 48 hours) that it has accessed these data.

PNR data protection and transmission

The letter from DHS accompanying the Agreement explains how DHS collects, uses and stores PNR data. It treats the information as sensitive and confidential. DHS may transmit it to the US authorities responsible for law enforcement, public security or counterterrorism and to countries capable of ensuring data protection, but only for the same purposes as those for which DHS received the data (mainly to combat terrorism and organised crime).

If the air carriers have a system complying with DHS technical requirements, they will transmit the data to DHS via a ‘push’ system. On the other hand, they will transmit the data via a ‘pull’ system if the carrier has not implemented such a system. It is for the carriers to initiate the transition to a ‘push’ system.

DHS receives PNR data 72 hours before the scheduled departure. It may ask to receive them earlier if necessary. It nevertheless undertakes to make this type of request judiciously and with proportionality.

DHS retains the data in an analytical database for 7 years, after which time the data are stored for a further 8 years, but in dormant, non-operational status. They may be accessed only with approval of a senior DHS official. The two parties will reach agreement to determine when PNR data must be destroyed. Only those related to a specific investigation in progress may be retained.

Right of access and right of inspection

DHS extends the American Privacy Act provisions to PNR in its possession. Administrative, civil and penal sanctions are therefore provided for in the event of failure to respect privacy and unauthorised disclosure.

The EU, US and the aviation industry cooperate so that passengers are informed about how the governments may use the information concerning them. DHS informs and replies to questions from the public on PNR data through publications in the Federal Register and standard notices made available and published on its website.

DHS undertakes not to disclose PNR data to the public (apart from the persons concerned).

Cooperation and reciprocity

DHS transmits analytical data flowing from PNR data to the European police and judicial authorities concerned, Europol and Eurojust. The European authorities do the same to the US authorities.

Both parties ensure that their systems work effectively. The Secretary of Homeland Security (DHS) and the Commissioner for Justice, Freedom and Security (EU) periodically review the application of this decision.

Background

The transfer to the US authorities of PNR data held by European airlines has been the subject of successive agreements. The most recent is dated 19 October 2006 and expired on 31 July 2007. For this reason, the Council decided (on 22 February 2007) to authorise the Presidency to open negotiations, which gave rise to the present Agreement.

This Agreement is applicable as of the date of signature. It enters into force on the first day of the month after the date on which the parties have notified one another that they have completed their internal procedures.

References

Act | Entry into force – Date of expiry | Deadline for transposition in the Member States | Official Journal
Decision 2007/551/CFSP/JHA | 23.7.2007 | - | OJ L 204 of 4.8.2007

Related Acts

Council Decision 2006/729/CFSP/JHA of 16 October 2006 on the signing of an Agreement between the EU and the USA on the processing and transfer of passenger name record (PNR) data by air carriers to the DHS – Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the DHS [Official Journal L 298 of 27.10.2006].

Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the DHS, Bureau of Customs and Border Protection – Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the DHS, Bureau of Customs and Border Protection [Official Journal L 183 of 20.5.2004].

Agreement between the European Union and the United States on the transfer of financial messaging data

Document or Initiative

Council Decision 2010/412/EU of 13 July 2010 on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program.

Summary

For the purpose of preventing, investigating, detecting or prosecuting terrorism or terrorist financing, this agreement between the European Union (EU) and the United States of America (U.S.) provides for the transfer of:

  • financial payment messages that refer to financial transfers and related data, which are stored in the EU by international financial payment messaging service providers (designated providers), to the U.S. Treasury Department;
  • relevant information acquired from the U.S. Treasury Department’s Terrorist Finance Tracking Program (TFTP) to EU countries’ law enforcement, public security or counter terrorism authorities, or to Europol or Eurojust.

To obtain the necessary data stored in the EU, the U.S. Treasury Department makes a request, and sends any supplemental documents, to a designated provider on U.S. territory. At the same time, it provides a copy of these documents to Europol, which verifies the compliance of the request with the requirements of the agreement and notifies the designated provider accordingly. Once the compliance of the request is confirmed, it will have binding legal effect and the designated provider is required to transfer the requested data to the U.S. Treasury Department.

The U.S. Treasury Department must ensure that certain safeguards, particularly in relation to the protection of personal data, are applied when the provided data is processed. The data may only be processed for the purpose of preventing, investigating, detecting or prosecuting terrorism or terrorist financing. It must be secured from unauthorised access, disclosure and loss, as well as from any unauthorised form of processing. A search of the provided data may only be initiated where there is pre-existing information or evidence indicating that the subject of the search might be connected to terrorism or its financing. All searches and the reasons thereof must be recorded.

The U.S. Treasury Department must delete non-extracted data:

  • no longer necessary for the fight against terrorism, based on (at least) an annual evaluation;
  • transmitted without having been requested;
  • by 20 July 2012 at the latest, if it was received before 20 July 2007;
  • no later than five years after receipt, if it was received after 20 July 2007.

Extracted data may be retained for only as long as is necessary to fulfil the purpose for which it was requested. The agreement also defines safeguards to limit the onward transfers of extracted data.

The U.S. Treasury Department must make information obtained through the TFTP that may contribute to the EU’s actions against terrorism available to the relevant authorities of the EU countries concerned and, as appropriate, to Europol and Eurojust. If any follow-on information is deemed as necessary to the U.S.’s fight against terrorism, it must be similarly conveyed back. To facilitate these exchanges of information, a Europol liaison officer may be delegated to the U.S. Treasury Department.

A relevant EU country authority, Europol or Eurojust may provide the U.S. Treasury Department with a request to search data acquired through the TFTP and to transfer relevant information if there is reason to believe that a person or entity is connected to terrorism or its financing as defined by the framework decision on combating terrorism and the directive on the prevention of the use of the financial system for money laundering.

During the term of the agreement, the Commission will examine the options available for establishing an EU system equivalent to the U.S. TFTP. Once the European system is established, there will be a need to review and possibly modify this agreement and ensure the complementarity of the two systems.

Independent overseers will monitor compliance with the limitations and safeguards of the agreement. They have the authority to review, query and block searches of provided data, as well as to request additional justifications on the connection to terrorism. One of these overseers will be appointed by the Commission.

Via the national data protection authority, a person has the right to request confirmation that his/her personal data has been processed in compliance with data protection rights. Disclosure of this information may be refused or restricted if necessary for the fight against terrorism or the protection of public or national security. In such cases, a written explanation will be given to the person, together with information on the possibility to seek administrative and judicial redress in the U.S. A person also has the right to request the rectification, erasure or blocking of inaccurate or wrongly processed personal data. To maintain the accuracy of information received or transmitted under this agreement, the data may be supplemented, deleted or corrected by each party. The U.S. Treasury Department provides information on the TFTP on a public website, including on the right of redress.

This agreement enters into force on 1 August 2010 and will remain in force for a period of five years. Afterwards, it will be automatically extended for subsequent periods of one year, unless one of the parties gives notice of its intention not to extend it.

References

Act | Entry into force | Deadline for transposition in the Member States | Official Journal
Decision 2010/412/EU | 13.7.2010 | - | OJ L 195, 27.7.2010

Integration of biometric features in passports and travel documents

Document or Initiative

Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States [See amending act(s)].

Summary

In the view of the Council, the integration of biometrics in passports and travel documents will improve document security and prevent falsification of documents. The use of bogus or false identities could best be prevented through a more reliable check on the person who presents a document to establish that s/he is the person to whom the document had been issued. Therefore, under this regulation, biometric identifiers will be introduced by Member States with a view to harmonising national legislation.

Passports and travel documents will include a high-security storage medium for memorising computerised data that will have sufficient capacity to guarantee the integrity, authenticity and confidentiality of that data. The storage medium will contain a facial image and two fingerprints taken flat. These data, which will be in interoperable formats, will be secured.

Passports and travel documents will have to be issued as individual documents in accordance with international requirements. However, as regards the requirements for taking fingerprints of children between six and twelve years of age, the Commission will conduct a study and possibly propose initiatives on the requirements for children before 26 June 2012.

Children under the age of 12 years (provisional age limit), and persons for whom fingerprinting is physically impossible, will be exempt from fingerprinting. Only qualified and duly authorised staff of national authorities who are responsible for issuing passports and travel documents may take biometric identifiers.

In accordance with international standards, the Commission will establish additional technical specifications, such as:

  • additional security features, notably with a view to combating counterfeiting and falsification;
  • the storage medium and its security;
  • common quality requirements for the facial image and the fingerprints.

Where appropriate, these additional specifications will not be published and will be made available only to the bodies responsible for printing and to persons duly authorised by a Member State or the Commission.

The biometric features in passports and travel documents will be used only for verifying the authenticity of the document and the identity of the holder, who will have the right to verify the personal data contained in the passport or travel document and, where appropriate, to ask for rectification or erasure. The collection and storage of biometric data will be exclusively for the purpose of issuing passports and travel documents.

Each Member State will designate one body for printing passports and travel documents. The Commission and the other Member States will be informed of the name of that body. Member States may at any time decide to confer that task on another body.

Under the provisions of the Schengen acquis, Denmark, the United Kingdom and Ireland do not take part in this regulation and so are not bound by it. Denmark, however, may decide within a period of six months after the Council has adopted this regulation whether it will implement it in its national law. Iceland, Norway, Switzerland and Liechtenstein, although not part of the EU, will be involved in implementing the regulation.

The regulation will enter into force in the Member States:

  • as regards the facial image: at the latest 18 months after adoption of the additional technical specifications;
  • as regards fingerprints: at the latest 36 months after adoption of the additional technical specifications.

However, the implementation of the regulation will in no way affect the validity of passports and travel documents already issued. Moreover, this regulation concerns only passports and travel documents. It does not apply to identity cards and temporary documents with a validity of 12 months or less under any circumstances.

Background

On 17 October 2000, the Council adopted a resolution introducing minimum security standards for passports. It now takes the view that this resolution should be upgraded in order to provide enhanced protection for passports and travel documents against falsification.

The Thessaloniki European Council on 19 and 20 June 2003 confirmed the need to take common measures on biometric identifiers and data for documents for third-country nationals, European Union citizens’ passports and information systems.

In addition, the introduction of biometrics in passports and travel documents reflects the need for Member States participating in the United States Visa Waiver Program to align themselves with the relevant US legislation, so that their nationals may enter US territory without a visa.

References

| Act | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Regulation (EC) No 2252/2004 | 18.1.2005 | - | OJ L 385 of 29.12.2004 |

| Amending act(s) | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Regulation (EC) No 444/2009 | 26.6.2009 | - | OJ L 142 of 6.6.2009 |

Related Acts

Commission Decision of 28 June 2006 laying down the technical specifications on the standards for security features and biometrics in passports and travel documents issued by Member States [C(2006) 2909 final – Not published in the Official Journal].

This decision supplements Regulation (EC) 2252/2004 by providing technical specifications relating to storage and protection of fingerprints to be integrated into passports and travel documents issued by Member States. It contains an annex addressing the following points:

  • primary biometric – face;
  • secondary biometric – fingerprints;
  • storage media;
  • electronic passport chip layout;
  • data security and integrity issues;
  • conformity assessment.

Exchange of information to combat counterfeit travel documents

Outline of the Community (European Union) legislation about Exchange of information to combat counterfeit travel documents

Document or Initiative

Council Decision of 27 March 2000 on the improved exchange of information to combat counterfeit travel documents [Official Journal L 81 of 01.04.2000]

Summary

The decision makes provision for the use of a reporting system for detecting counterfeit travel documents. This system should make it easier to:

  • Detect counterfeit travel documents on inspection;
  • Search for stolen travel documents.

The central unit of each Member State will without delay exchange information on counterfeit and stolen travel documents with the central unit of each other Member State by using the standard form attached to the Council decision. It will also notify the General Secretariat of the Council.

The exchange of information will not include personal details.

A questionnaire attached to the Council decision (Annex II) will be used for the purposes of the uniform collection of information which may be required for subsequent criminal proceedings relating to counterfeit travel documents. Data will be communicated in accordance with national law and international conventions.

References

| Act | Entry into force | Deadline for transposition in the Member States | Official Journal |
|---|---|---|---|
| Decision of 27 March, 2000 | 01.07.2000 | - | Official Journal L 81 of 01.04.2000 |

Detecting forged documents

Outline of the Community (European Union) legislation about Detecting forged documents

To ensure uniform levels of skills and equipment for the detection of false documents at points of entry into the European Union.

2) Union Measures

Council Recommendation 98/C 189/02 of 28 May 1998 on the provision of forgery detection equipment at ports of entry to the European Union.

Council Recommendation 99/C 140/01 of 29 April 1999 on the provision for the detection of false or falsified documents in the visa departments of representations abroad and in the offices of domestic authorities dealing with the issue or extension of visas.

3) Contents

The first Recommendation concerns the steps to be taken by Member State governments to ensure uniform levels of equipment at points of entry.

The factors determining the equipment at points of entry are:

  • the volume of passenger traffic;
  • current levels of abuse;
  • the availability of reference material;
  • the presence of border control officers and the standard of training provided.

This Recommendation cites three levels of provision (minimum, intermediate and upper) based on the qualifications of staff, the quality of the equipment required and the reference documents available.

The second Recommendation concerns the equipment of visa departments to detect false or falsified documents. Depending on the number of visa applications and the scale of the problems encountered, the Council recommends, resources permitting, that the Member States use certain technologies, train staff and increase staffing.

Cooperation could be established between consulates to share equipment where possible and train staff from more than one Member State at the same time.

Annexed to the Recommendation is a list of the provision in human and material resources recommended by the Council in the light of the situation (low, intermediate or high risk of falsification and counterfeiting).

4) Deadline For Implementation Of The Legislation In The Member States

Not applicable

5) Date Of Entry Into Force (If Different From The Previous Date)

Not applicable

6) References

Official Journal C 189 of 17.06.1998
Official Journal C 140 of 20.05.1999

7) Follow-Up Work

8) Implementing Measures

A global approach to PNR data transfers

Outline of the Community (European Union) legislation about A global approach to PNR data transfers

Document or Initiative

Communication from the Commission of 21 September 2010 on the global approach to transfers of Passenger Name Record (PNR) data to third countries [COM(2010) 492 final – Not published in the Official Journal].

Summary

The European Union (EU) has adopted new measures against the threats of terrorism and organised crime, which are presented in the Commission’s communication on information management in the area of freedom, security and justice. These measures include the use of Passenger Name Record (PNR) data* for law enforcement purposes. PNR data is used increasingly, which also raises concerns regarding personal data protection. Due to these challenges, the Commission has reconsidered its global approach to PNR data transfers to non-EU countries. Consequently, this communication sets out general criteria for future bilateral PNR agreements, with a view to contributing towards the fight against terrorism and transnational serious crime, while guaranteeing respect for fundamental rights and ensuring coherence between the various PNR agreements.

Passenger Name Record (PNR) data

PNR data are principally used as a criminal intelligence tool with a view to:

  • assessing passenger risks and identifying “unknown” persons;
  • providing law enforcement authorities with data prior to the arrival or departure of a flight in order to allow for more time for any follow-up actions;
  • identifying the persons to whom specific addresses and credit cards linked to criminal offences belong;
  • identifying associates of suspects.

PNR data are used in investigations and prosecutions. They are also used to prevent crimes and to arrest persons when a crime has been committed, as well as to create travel and behaviour assessments to facilitate crime prevention.

However, under EU data protection laws, carriers may not transmit PNR data to non-EU countries, unless these countries provide an adequate level of protection for personal data. For this reason, the EU signed international PNR agreements with the United States, Canada and Australia. However, these agreements were negotiated on a case-by-case basis, as a result of which their provisions on rules for carriers and data protection are not coherent. As the number of such agreements is likely to increase in the near future, there is a need to set out general standards, content and criteria for them.

Global approach on PNR

Through the global approach on PNR, greater coherence should be achieved between non-EU countries’ data protection guarantees and between air carriers’ data transmission modalities.

A large number of persons and their personal data are affected by the collection and transfer of PNR data to non-EU countries. Since these countries’ data protection regimes may differ from that of the EU, it is essential that they ensure adequate legal protection for the transferred PNR data. Consequently, non-EU countries should apply the following basic principles for the protection of personal data:

  • the use of the data should be limited to the purpose of the transfer;
  • only the minimum necessary data should be exchanged;
  • sensitive data should only be used under exceptional circumstances;
  • appropriate measures must be taken to protect the security, confidentiality and integrity of the data;
  • the authorities using PNR data should be accountable to and supervised by an independent public authority;
  • individuals should be notified of the processing of their personal data;
  • individuals should be given access to their PNR data and the possibility to request rectification or deletion of that data;
  • the right to administrative and judicial redress should be provided for anyone whose privacy has been infringed;
  • the automated processing of personal data should not be used as the sole basis for any decisions that have negative effects on an individual;
  • the data retention period should be limited to the purpose of the transfer;
  • the onward transfers of data to other government authorities or to other non-EU countries should be restricted.

The rules governing the transmission of data to non-EU countries by carriers should be streamlined to increase legal certainty and minimise the financial burden on these carriers. At least the following modalities of transmission should be standardised:

  • method of transmission, which should be based on the “push” system;
  • frequency of transmission, which should be limited;
  • collection of additional data, which should not be obligatory.

Furthermore, PNR agreements with non-EU countries should be concluded for fixed periods of time and be reviewable. Mechanisms should be put in place for monitoring their implementation, as well as for resolving any disputes regarding their interpretation and application. It is also essential to ensure reciprocity between EU and non-EU countries, in particular as regards the transfers of analytical information stemming from PNR data.

Finally, in the long term, if more countries start using PNR data, the EU should examine the possibility of setting out standards at the international level for transmitting and using such data, and consequently of replacing its bilateral PNR agreements with a multilateral one.

Key terms used in the act
  • PNR data: unverified information provided by passengers and collected by carriers for enabling reservations and carrying out the check-in process. It is a record of each passenger’s travel requirements held in carriers’ reservation and departure control systems. It contains several different types of information, for example travel dates and itinerary, ticket information, contact details, travel agent, payment information, seat number and baggage information.

Personal data protection: a new strategy

Outline of the Community (European Union) legislation about Personal data protection: a new strategy

Document or Initiative

Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions of 4 November 2010 – A comprehensive approach on personal data protection in the European Union [COM(2010) 609 final – Not published in the Official Journal].

Summary

Personal data comprises all information relating to an identified or identifiable person, either directly or indirectly.

This Communication proposes a new strategy for protecting personal data. It aims to revise the current legislative framework, specifically the Directive relating to the protection of personal data and the Directive relating to data protection in the electronic communications sector. As part of this revision, the Communication sets several objectives.

Objective 1: strengthening individuals’ rights

The right to personal data protection is a principle that follows from the Charter of Fundamental Rights of the European Union (EU). In order to protect this right, the European Commission wishes to develop a legal framework which takes into account the rapid growth of new technologies and social networks, in particular.

The Commission is considering introducing a general principle of transparent processing of personal data. To this end, it plans to draw up one or more EU standard forms of privacy information notices, and to implement a general obligation to notify personal data breaches.

It is also essential that individuals can exercise better control over their data, particularly when sending them online. To this end, the Commission wishes to improve the modalities for:

  • the right of access;
  • rectification;
  • erasure or blocking of data;
  • the ‘right to be forgotten’.

Objective 2: enhancing the internal market

There are currently divergences in how the Member States apply the Directive on the protection of personal data. The Commission therefore wishes to enhance the harmonisation of data protection rules at EU level.

Furthermore, still within the context of enhancing the internal market, the Commission also intends to reduce the administrative burden that data protection represents for enterprises. It therefore plans to harmonise the current notification system and to draw up a uniform EU-wide registration form. At the same time, certain modalities related to data processing must be more clearly defined through:

  • the appointment of an independent Data Protection Officer;
  • a data protection impact assessment;
  • promoting the use of Privacy Enhancing Technologies (PETs).

Objective 3: revising the data protection rules in the area of police and judicial cooperation

In the Stockholm Programme the Commission highlighted the need to have a comprehensive protection scheme. Currently, Framework Decision 2008/977/JHA establishes cooperation in criminal matters relating to personal data protection which applies only to the exchange of data between EU countries. The Commission is considering extending, in the future, the application of these rules to data exchanged at national level.

Objective 4: developing international data protection

Personal data from third countries can circulate through Member States if the Commission considers that the level of data protection guaranteed by a third country is adequate. However, the criteria which enable the level of protection to be determined have not yet been clearly defined. The current procedures for international data transfers therefore need to be defined, as do the legal instruments applicable in this field.

Furthermore, the Commission wishes to harmonise the clauses relating to personal data protection contained in the international agreements concluded by the EU with third countries. In this regard, the Commission plans to enhance its cooperation with third countries and follow up the development of international technical standards.

Objective 5: strengthening the institutional arrangement

The Commission wishes to strengthen the role and powers of the authorities responsible for data protection. They should benefit from the status of ‘complete independence’. It is also crucial that they improve their cooperation and coordination.

Furthermore, the Article 29 Working Party shall also contribute towards improving the activities of the national authorities by ensuring a more consistent application of the European data protection rules.

Context

A review of the current legal framework for data protection was launched during a conference in May 2009, followed by a public consultation. Following the consultation, the Commission shall present new legislative proposals in 2011.

This summary is for information only. It is not designed to interpret or replace the reference document, which remains the only binding legal text.