REPORT on the proposal for a Council decision on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information (API)/Passenger Name Record (PNR) data

4.7.2005 - (COM(2005)0200 – C6‑0184/2005 – 2005/0095(CNS)) - *

Committee on Civil Liberties, Justice and Home Affairs
Rapporteur: Sophia in 't Veld

Procedure : 2005/0095(CNS)
Document stages in plenary
Document selected :  
Texts tabled :
Debates :
Texts adopted :


on the proposal for a Council decision on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information (API)/Passenger Name Record (PNR) data

(COM(2005)0200 – C6‑0184/2005 – 2005/0095(CNS))

(Consultation procedure)

The European Parliament,

–   having regard to the proposal for a Council decision (COM(2005)0200)[1],

–   having regard to the (draft) Commission Decision on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the Canada Border Services Agency, and to the Commitments by the Canada Border Service Agency , annexed to the same Commission Decision,

–   having regard to Article 95 in conjunction with the first sentence of the first subparagraph of Article 300 (2) of the EC Treaty,

–   having regard to Article 300(3), first subparagraph, of the EC Treaty, pursuant to which the Council consulted Parliament (C6-0184/2005),

–   having regard to the Opinion of the Committee on Legal Affairs on the proposed legal basis,

–   having regard to Rules 51, 83(7) and 35 of its Rules of Procedure,

–   having regard to the report of the committee on Civil Liberties, Justice and Home Affairs (A6-0226/2005),

A. whereas, from a procedural point of view:

-  the approach adopted by the Commission and Council gives rise to the same reservations as those expressed by Parliament in the PNR/USA case (Case C-317/04), despite the fact that, from a substantive point of view, the negotiations with the Canadian authorities strike an acceptable balance between the need for freedom and the need for security in a third country,

-  an international agreement should contain all the essential elements binding the contracting parties and whereas, in this specific case, both the guarantees required by the Commission 'adequacy finding' decision and the corresponding commitments by the Canadian authorities should have formed part of the agreement itself,

-  the European Parliament has already challenged before the Court of Justice of the European Communities in Case C‑317/04 the same 'three tiers' procedure in a similar case because the procedure is not transparent and is not in conformity with the rule of law and the procedure by which Parliament gives its assent to international agreements. Pending the judgment of the Court, it would have been more appropriate for the Commission to have submitted its proposal, and the Council to act, in accordance with the procedure normally used for negotiating international agreements to be signed by the Community,

1.  Does not approve the conclusion of the agreement;

2.  Instructs its President to call on the Council not to conclude the agreement until the Court of Justice has delivered its judgment in Case C-317/04, pursuant to Article 300(6) of the EC Treaty, on the compatibility of a similar agreement with the provisions of that Treaty;

3.  Instructs its President to forward its position to the Council and Commission, and the governments and parliaments of the Member States and Canada.

  • [1]  Not yet published in OJ.



1. It has to be recalled that :

a) - According to general, non binding global standards ([1]) API data (Full name, date or birth, gender, passport number, country of citizenship, country of passport issuance) are the passenger data sent by airlines in advance of their arrival at their destination in order to facilitate border control in the interest of the travelling public and of border security. To facilitate the collection of these data, the information usually consists of data found in the Machine Readable Zone (MRZ) of ICAO Document 9303 and is transmitted electronically according to a format suggested by the UN ([2]). In the absence of compulsory global rules, airlines are to comply with national legislation, which can entail economic and logistical problems. In the European Community the collection of API data is regulated by the Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data ([3]).

b) - The Passenger Name Records (PNRs) are an even more variable set of data treated by each airline (usually via a Computerized Reservation Systems (CRS) and Global Distribution Systems (GDS)([4]) for managing the transport contract with each passenger. While some passenger data systems contain a limited amount of information, others contain extensive data on individuals, including the details of past travel, car and hotel reservation plans, phone numbers, e-mail addresses, residential and business addresses, and credit card information. These differences are dependent on the choice and service provided by the airline itself and by the way the contract is established (via internet or via a transport agency).

c) - In the aftermath of September 11, the US and subsequently New Zealand, Canada and Australia, decided to use PNR data (even if not structured and comparable) as a useful tool for (a) checking as soon as possible the identity of the passenger against a “watch list” or the “no-fly” list established by the security services of these countries and (b) do a first automated “security assessment by matching the same PNR data and, possibly, other data collected on commercial (non travel) databases such as credit card databases ([5]) to verify if the “profile” of a particular passenger may require a further control by the security services at the borders (or even before take off). This approach to PNR data was also considered by the Commission in its Communication to the European Parliament and the Council of 16 December 2003 (COM (2003) 826 final, "Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach")

In 2003 and 2004 the European Parliament adopted a number of resolutions which expressed serious concerns with regard to the PNR strategy. In particular, the EP stressed that PNR data is far from being effective in the fight against terrorism, that it could open the way for a mass surveillance system and that there was a serious risk of violating the data protection principles enshrined in Article 286 of the TEC, in the Directive 95/46/EC and in the Article 8 of the European Convention on Human Rights and Article 7 and 8 of the Charter of Fundamental Rights of the European Union. The EP invited the Commission to refrain from developing a similar strategy inside the Union and stressed that the transfer of PNR data to third countries could only be authorised as an exceptional measure and if the data were of a non sensitive nature (17 categories on 34 as suggested by the WG art. 29)([6]).

The proposed EC/Canada agreement

2. As outlined in the Draft agreement, Canada has adopted legislation authorising the Canadian Border Services Agency (CBSA) to collect API and PNR data from airlines and has introduced from February 2005 a system of fiscal penalties in case of non-compliance with the Canadian legislation. The penalties were suspended for European airlines during the negotiation on the agreement (from March 2005 to now) but will in principle be applied from 1 July 2005. Your rapporteur should like the Commission to clarify the exact situation as regards the application of penalties and to seek guarantees from the Canadian authorities not to apply penalties pending the conclusion of the agreement.

Lack of transparency and simplicity

3. It is very regrettable to note that, as in the case of the previous agreement with the USA on the same subject, the European Parliament has been consulted by the Council at the very last moment on a highly complex and sensitive topic. Moreover, the Council fixed the July plenary session as a mandatory deadline according to Article 300, paragraph 3, first subparagraph, second and third sentences of the TEC.

It should also be noted that the EP is effectively asked to take its decision without all the appropriate information, because the Council consultation is lacking some essential elements: (a) the Commission Decision declaring that the data are adequately protected by the Canadian authorities and (b) the text of the Commitments taken by the Canadian Authorities, which is the specific legal framework on which the Commission Decision and the Agreement are founded. Moreover, the agreement makes reference to possible onward transfers where the recipients are also subject to rules affording an adequate level of protection. However, given the European Parliament's position and the pending court case inter alia on the issue of adequate protection, it would be indispensable to know if and under which conditions onward transfer to third countries, including the US, is allowed.

4. Moreover, in the negotiations with Canada, the Commission and the Council have followed the same opaque “three tier” approach that was applied for the USA PNR agreement: Instead of a proper international agreement clarifying all the main obligations of the contracting parties, the rights and the obligations of the passengers, of airlines and the duties of the public authorities, a “light international agreement” has been submitted which:

· obliges the airlines to push the data to the Canadian authorities as if it was an obligation established by the Article 7 and Article 13 of Dir. 95/46/CE (which refers to security needs of the Member States and not of a third country)

· amends (or at least derogates ) indirectly the obligations foreseen in the Chapter II of Directive 95/46/EC and consequently (as indicated by the European Data Protection Supervisor) should be adopted by the Parliament under the assent procedure and not the simple consultation.

· enforces, indirectly, an administrative Decision of the Commission which defines the conditions under which the protection ensured by the Canadian authorities could be considered “adequate”.

· refers (always indirectly via a reference to an annex of the Commission Decision) to the Commitments taken by the Canadian authorities and which is the actual legal framework that will govern the transferred data.

· recognises the right of the Canadian authorities to modify their legislation without previous consent of the counterpart of the agreement and which reserves only the right to withdraw from the agreement in case of persistent violation of the agreement itself.

Such legislative technique does not respect the general principle of transparency and the rule of law on which the EU is founded (Article 6.1 TEU), particularly when fundamental rights of citizens are at stake. Furthermore, as with the agreement with the US, the European Parliament is only consulted on the international agreement, while it could rightfully be argued that Parliament should have full assent. This fact could indeed be challenged according to Art. 230 of the EC Treaty as far as the parliamentary prerogatives is concerned, as the draft agreement amends Directive 95/46 and therefore should be adopted according to Art 300 p.3 with the assent of the EP.

These concerns have been raised in the case which at the moment is under the scrutiny of the Court of justice (Case C-317/04), and these concerns should have been taken into account by the Commission and by the Council. Out of respect for European citizens, our Canadian counterparts and, inter-institutionally for the European Parliament, the negotiations should have followed a more democratic and transparent route.

The improvements of the EC/Canada agreement versus the EC/USA case

5. This situation is even more disconcerting as the EP could in principle positively evaluate the substance of the agreement reached with the Canadian authorities, as it answers to the main concerns the European Parliament raised in the US/EC case. The main positive improvements, which are indeed also noted by the European Data Supervisor and by the Article 29 Data Protection Working Party ([7]) are that:

· Canada, unlike the USA, has a legislative system of data protection which is the essential condition required by Article 8 of the European Charter and Article 8 of the ECHR according to which limitations to privacy are only admissible if they “…are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime,…”. Furthermore the Canadian system offers legal protection to the data subject including supervision by an independent Data Commissioner (which is comparable to the European model resulting from Directive 95/46 and Article 286 of the EC Treaty). The Canadian Privacy Act provides individuals with the rights of access, rectification and opposition with regard to any personal information relating to them, under the control of a Canadian supervisory authority. However, the Privacy Act currently requires that individuals be present in Canada in order to avail themselves of these rights.

· the Canadian “commitments” (cited in a generic way in the Article 2 (1) of the agreement and detailed in the annex of the Commission Decision – art. 29, 30 and 31) create rights of access, rectification and opposition to EU citizens who are not present in Canada for the passenger and bind the Canada administration instead of being simple administrative declarations, as is the case for the US undertakings.

· the PNR-data required are more limited and more focused than those required by the US namely without "open categories" of passenger data (these categories could create confusion or could be misleading with regard to sensitive aspects of the behaviour of the passenger and of the persons accompanying him/her). Moreover, CBSA does not require airlines to collect PNR information that they do not record for their own purposes, and does not require airlines to collect any additional information for purposes of making it available to the CBSA.

· Canada accepts a 'push'-system even if Canada can already 'pull' data from the airlines reservation and departure control systems via the Société Internationale de Télécommunications Aéronautique (SITA) network. Section 7 of the Commitments clearly states that the Canadian Passenger Information System PAXIS has been configured to receive API and PNR data pushed from airlines. This meets the European Parliaments' concerns raised in the US/EU agreement (by which the US authorities collect the data directly from the airlines reservation systems on EU territory without any filters).

· The purposes and data retention period are more limited and more specific than in the US case. From the initial receipt and up to 72 hours, all available API and PNR information will be accessible only to a limited number of CBSA targeters and intelligence officers, the Canadian data protection authority and the MS authorities could control the flow of the data.

The EP dilemma : reject the agreement or accept it under conditions ?

6. The rapporteur is faced with a dilemma of either:

a) rejecting the agreement as it appears subject to the same weaknesses from a legal, procedural and formal point of view, which justified referral to the Court of Justice in the USA case (and by this way remain consistent with his previous position)


b) accepting the agreement under certain conditions :

- that the agreement should be revised (if necessary) after the Decision of the Court

- that in this case the assent procedure should be recognised to the EP.

- that the EU come forward with a global approach

7. Bearing in mind that the legal framework of the EC/Canada agreement is from a content point of view substantially better than the EC/USA agreement and that these improvements have been recognised by the Article 29 WG and by the EDPS, your rapporteur proposes:

- to annex the Canadian Commitments to the agreement

- to indicate clearly who are the counterparts from the Canadian and Community side (actually a joint committee can decide to change at any moment the counterparts.). Article 6, paragraph 3, introduces the possibility for the Joint Committee “to agree modifications to Annex 1 to the Agreement” ([8]); such decisional power to change the “data controller” create an “institutional framework” inside the agreement and would justify, under a second profile, the assent of the EP. Therefore, such modifications – which may produce considerable effects in terms of liability for the processing of personal data – must be carried out in accordance with standard negotiation mechanisms, and no simplified approach could be a sound legal solution. Any amendment and/or addition is therefore to be regarded as an amendment to the Agreement itself and the related measures.

- to annex to the agreement, for information purposes the “adequacy finding” Decision adopted by the Commission

- to indicate that with regard to API data, airlines need to respect the rules established by the Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data ([9]).

- to approve the agreement by an assent procedure, but to declare in the same legislative resolution that such an assent does not intend to affect the position taken by the Parliament in the USA/PNR case and that the future Decision from the Court will be applied mutatis mutandis.

  • [1]  WTCO, IATA and ICAO are currently discussing a revised API guidelines revision see:
  • [2]  In 2002, a standard Electronic Data Interchange (EDI) message set was approved for use by the United Nations/Electronic Data Interchange for Administration, Commerce, and Trade (UN/EDIFACT). The International Air Transport Association (IATA) and the World Customs Organization (WCO) adopted the Passenger List (PAXLST) message set for use by all scheduled air carriers for the transmission of passenger and crew data to border control authorities.
    The requirements :
  • [3]  In OJ L 261 of August 6, 2004
  • [4]  Of the four main CRS the European one is Amadeus . CRS are under the direct supervision of the ECC according to regulation
  • [5]  In the USA, there are essentially no legal restrictions on the ability of the government to mine commercial databases, as long as the practice is announced in a Privacy Act notice.
  • [6]  These categories of data were: API/PNR record locator code, date of reservation, date(s) of intended travel, passenger name, other names on API/PNR, all travel itinerary, identifiers for free tickets, one-way tickets, ticketing field information, ATFQ (Automatic Ticket Fare Quote) data, ticket number, date of ticket issuance, no show history, number of bags, bag tag numbers, go show information, number of bags on each segment, voluntary/involuntary upgrades, historical changes to API/PNR data with regard to the aforementioned items.
  • [7]  Opinion 3/2004 :
  • [8]  A further element of transparency is the declaration Ad Article 6, paragraph 3 The Commission understands that the position of the Community in the Joint Committee relating to modifications to Annex I of the Agreement will be decided on by the Council, acting by a qualified majority on a proposal from the Commission.
  • [9]  In OJ L 261 of August 6, 2004

OPINION of the Committee on Legal Affairs ON THE PROPOSED LEGAL BASIS (4.7.2005)

for the Committee on Civil Liberties, Justice and Home Affairs

Legal basis for the proposal for a Council decision on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information (API)/Passenger Name Record (PNR) data

(COM(2005)0200 – C6‑0184/2005 – 2005/0095(CNS))[1]

Dear Mr President,

By letter of 1.07.2005 you requested the Committee on Legal Affairs, pursuant to Rule 35(2) of the Rules of Procedure, to assess the validity and the appropriateness of the legal basis for the Commission proposal referred to above.

The proposed legal basis for the Council decision is founded on Articles 95 and 300(2) of the EC Treaty.

The rapporteur for the Committee on Civil Liberties, Justice and Home Affairs, Mrs Int'veld, aims to modify that legal basis by substituting Article 300(2) of the EC Treaty with Article 300(3) of that Treaty, meaning that the assent of the European Parliament would be required.

The Committee considered the aforementioned matter at its meeting on 4 July 2005.

It is clear from the established case law of the Court of Justice of the European Communities (CJEC) that the legal basis cannot be chosen at the discretion of the Community legislature, but must rest on objective factors amenable to judicial control. These factors include, in particular, the objective and the content of the legal act[2].

The proposal calls on the Council to authorise the conclusion of an agreement with Canada on the processing and transfer of advance passenger information (API) and passenger name record (PNR) data for air travel between the EU and Canada. The Council of the European Union has adopted a set of negotiation directives and authorised the Commission to negotiate an agreement with Canada on 7 March 2005.

In the aftermath of 11 September 2001, Canada adopted legislation authorising the Canadian Border Services Agency (CBSA) to obtain and collect API and PNR data pertaining to anyone boarding an aircraft to Canada. Between March 2003 and September 2004, the CBSA gradually introduced the obligation to supply PNR data for all persons travelling by air to Canada, and in February 2005 it introduced a system of fiscal penalties in the event of non‑compliance with the Canadian legislation. The EU was temporarily exempted from this obligation until 1 July 2005 in order to enable the negotiation of an international agreement with Canada.

An examination of the text shows that the draft agreement imposes on airline companies obligations different from those laid down in Title II of Directive 95/46/EEC, while on the other hand granting the EC-Canada Joint Committee discretionary powers as regards the modification of essential elements of the agreement, such as the choice of administrations responsible for its implementation in Canada and the Community.

With regard to Parliament's prerogatives, it seems that the proposed agreement should, therefore, pursuant to the second subparagraph of Article 300(3) of the EC Treaty, be subject to the assent of the European Parliament.

Lastly, it should be pointed out that the very same observations have been made in the proceedings instituted by the European Parliament before the Court of Justice (case still in progress) concerning the agreement between the European Community and the United States.

On the basis of the above considerations and on a proposal from the draftsman, Mr Medina Ortega, the Committee on Legal Affairs decided unanimously[3], at its meeting on 4 July 2005, to approve the tabling of an amendment modifying the legal basis by substituting Article 300(2) of the EC Treaty with Article 300(3) of the EC Treaty, meaning therefore that the assent of the European Parliament would be required.

Yours sincerely.

Giuseppe Gargani

  • [1]  Not yet published in OJ
  • [2]  See in particular CJEC, Case C-42/97, Parliament versus the Council, paragraph 36.
  • [3]  The following were present for the vote: Rainer Wieland (acting chairman), Manuel Medina Ortega (draftsman and substitute for Andrzej Jan Szejna), Alexander Nuno Alvaro (substitute for Antonio Di Pietro), Maria Berger, Jean-Marie Cavada (substitute for Viktória Mohácsi under Rule 178(2)), Jean-Paul Gauzès (substitute for Giuseppe Gargani), Kurt Lechner, Klaus-Heiner Lehne, Evelin Lichtenberger (substitute for Monica Frassoni), Antonio López-Istúriz White, Antonio Masip Hidalgo, Marie Panayotopoulos-Cassiotou (substitute for Hans-Peter Mayer), Michel Rocard, Francesco Enrico Speroni, Diana Wallis, Jaroslav Zvěřina and Tadeusz Zwiefka.



Proposal for a Council decision on the conclusion of an Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information (API)/Passenger Name Record (PNR) data


COM(2005)0200 – C6‑0184/2005 – 2005/0095(CNS)

Legal basis

Article 300(3) first subparagraph, EC

Basis in Rules of Procedure

Rules 51, 83(7) and 35

Date of consulting Parliament


Committee responsible
  Date announced in plenary


Committee(s) asked for opinion(s)
  Date announced in plenary






Not delivering opinion(s)
  Date of decision






Enhanced cooperation
  Date announced in plenary






  Date appointed

Sophia in 't Veld


Previous rapporteur(s)



Simplified procedure
  Date of decision


Legal basis disputed
  Date of JURI opinion






Financial endowment amended
  Date of BUDG opinion




European Economic and Social Committee consulted
  Date of decision in plenary


Committee of the Regions consulted
  Date of decision in plenary


Discussed in committee






Date adopted


Result of final vote







Members present for the final vote

Alexander Nuno Alvaro, Edit Bauer, Johannes Blokland, Kathalijne Maria Buitenweg, Michael Cashman, Giusto Catania, Charlotte Cederschiöld, Carlos Coelho, Fausto Correia, Rosa Díez González, Antoine Duquesne, Lilli Gruber, Ewa Klamt, Barbara Kudrycka, Stavros Lambrinidis, Romano Maria La Russa, Henrik Lax, Sarah Ludford, Edith Mastenbroek, Claude Moraes, Martine Roure, Inger Segelström, Ioannis Varvitsiotis, Stefano Zappalà, Tatjana Ždanoka

Substitutes present for the final vote

Gérard Deprez, Ignasi Guardans Cambó, Sophia in 't Veld, Jean Lambert, Antonio Masip Hidalgo, Bill Newton Dunn, Marie-Line Reynaud, Agnes Schierhuber

Substitutes under Rule 178(2) present for the final vote

Catherine Guy-Quint, Pasqualina Napoletano

Date tabled – A6