FACILITATION PANEL (FALP) · REPORT OF THE FACILITATION PANEL’S PASSENGER NAME RECORD TASK FORCE...


Page 1: FACILITATION PANEL (FALP) · REPORT OF THE FACILITATION PANEL’S PASSENGER NAME RECORD TASK FORCE (PNR-TF) REPORT FOR THE FACILITATION PANEL Presented by Mr Nuno Bellem (Rapporteur)

FACILITATION PANEL (FALP)

ELEVENTH MEETING

Montréal, 13-16 January 2020

Agenda Item 3: PNR Task Force: Recommendations for PNR SARPs

REPORT OF THE FACILITATION PANEL’S PASSENGER NAME

RECORD TASK FORCE (PNR-TF)

(Presented by the Rapporteur, PNR-TF)

1. INTRODUCTION

1.1 This Information Paper contains, in the Attachment, the report of the PNR Task Force’s

face-to-face meeting, held at ICAO Headquarters, Montréal, from 3 to 6 December 2019.

— — — — — — —

International Civil Aviation Organization

INFORMATION PAPER

FALP/11-IP/1 24/12/19

ATTACHMENT TO FALP/11-IP/1

REPORT OF THE FACILITATION PANEL’S

PASSENGER NAME RECORD TASK FORCE

(PNR-TF)

REPORT FOR THE FACILITATION PANEL

Presented by Mr Nuno Bellem (Rapporteur) on behalf of the ICAO PNR-TF

January 2020

I have the honour to submit the final report of the PNR Task Force

which was established on 21 March 2019.

The contents of this report have been agreed by all the ICAO PNR-TF.

International Civil Aviation

Organization

1. Introduction

1.2 On 23 January 2019, the Air Transport Committee (ATC) agreed that a Facilitation Panel

(FALP) Working Group be established to consider proposals for Standards and Recommended Practices

(SARPs) for inclusion in Annex 9 — Facilitation, on the collection, use, processing and protection of

passenger name records (PNR) data in line with United Nations Security Council resolution 2396 (2017)

(referred to in, inter alia, AT-WP/2161 and AT-SD/216-1). Subsequently, on 21 March 2019, the Terms

of Reference (ToRs) for a PNR Task Force (PNR-TF), as well as the membership of the Task Force, were

approved. Canada’s FALP Member, Mr. Nuno Bellem, undertook the role of the PNR-TF rapporteur.

1.3 The PNR-TF undertook its work via emails, teleconferences and face-to-face meetings.

The first face-to-face meeting was held in Cairo, Egypt, from 18-20 August 2019. At this meeting the

Task Force developed a number of draft Standards and Recommended Practices (SARPs) on Passenger

Name Record (PNR) for inclusion in Annex 9 - Facilitation. The report of this meeting was presented to

the ATC in October 2019, on the basis of AT-WP/2177, with a request that the Committee endorse the

draft SARPs submitted by the PNR-TF.

1.4 The ATC considered the report, noting that although the proposals do improve on the

collection and use of PNR data, they do not advance on topics such as compliance and conflicts

resolution. Concerns were also expressed regarding transparency and customers’ rights as well as

timelines on PNR data retention period.

1.5 The ATC requested that the PNR-TF meet in December 2019, to review the draft SARPs

from the Cairo meeting and the three proposals that were made but were not reviewed due to a lack of

time at the Cairo meeting, and to consider a legal analysis by the ICAO Legal Affairs and External

Relations Bureau on the three proposals.

2. The PNR Task Force face-to-face meeting (Montréal, December 3-6, 2019)

2.1 Based on ATC’s decision (AT-SD 218/1, paragraph 8, refers), the PNR-TF met at ICAO

Headquarters, Montréal, from 3-6 December 2019. The meeting was attended by 23 members and

advisers nominated by 8 Member States, 1 observer to the TF from a Member State and 8 observers

nominated by 4 international organizations (Appendix B, refers). Mr. Nuno Bellem (Canada), the

PNR-TF Rapporteur, acted as Chairman, with the support of the ICAO Secretariat.

2.2 The meeting adopted the agenda as shown hereunder:

1. Opening remarks and welcome - Chairperson, ATC

2. Remarks - Rapporteur

3. Overview of ATC’s consideration of WP/2177, Report of the FAL Panel’s PNR-TF

Secretariat

4. Review of Annex 9 PNR SARPs agreed at Cairo meeting (in light of ATC’s comments) –

PNR-TF

— Discussion on the number of SARPs

— Separation of “Core” v. “Operational” SARPs

5. Review of Annex 9 PNR SARPs submitted but not discussed at Cairo meeting

— Input of ICAO’s Legal Bureau – Secretariat

— Discussion – PNRTF

6. Analysis and explanation of recommended Provisions – PNR-TF

7. Impact Assessment & Guidance on Implementation – PNR-TF

8. Doc 9944: Status and update – PNR-TF

9. PNR-TF draft Report – PNR-TF

10. Next Steps and Timelines – Secretariat

11. Any Other Business

12. Closing

2.3 Following the opening of the meeting by the ATC Chairperson, the ICAO Secretariat

reviewed the Agenda, and provided an update of the ATC’s comments made at the 218th Session

(AT-SD 218/1, refers), including a legal analysis by the ICAO's Legal Affairs and External Relations

Bureau (LEB), on PNR SARPs on compliance and conflicts resolution. The PNR-TF expressed its

appreciation for the update and the legal analysis by LEB.

2.4 On the matter of the scope and number of proposed SARPs, the consensus of the PNR-TF

was that the number of SARPs should be as many as necessary to deal with this important and highly

technical matter, and opposed the idea to attempt to split SARPs into any kind of ‘core’ and ‘operational’

provisions, including reducing the number. A member expressed the view that multiple SARPs are

needed to effectively address the requirements of UN Security Council resolution 2396 (2017) that refers

to the collection, use, processing and protection of PNR data. In order to establish an effective

international legal framework for PNR data transfer, data privacy and protection of human rights, a

variety of provisions are needed.

2.5 In an effort to streamline the proposed SARPs, the PNR-TF, by consensus, amalgamated

the previously agreed on SARPs (AT-WP/2177, Appendix A, refers) into groupings that aligned well

together. During the amalgamation, some proposals were revised for clarity and some merged, based on

commonality and relevance. These were discussed by the Task Force and general consensus was reached

on the proposed SARPs, as presented in Appendix A.

2.6 The discussions were held in a fluid manner and as such, the Agenda items were not

followed in the chronological order as presented to the PNR-TF. The PNR-TF deemed it more important to

develop generally accepted SARPs that allow for the transmission of PNR data between States, than

follow the chronological order of the Agenda. As such, the majority of the PNR-TF’s discussions over the

four days revolved around the issue of what would happen in the case where one State requires a higher

level of PNR data conditions, such as, for data protection, and how to ensure compliance by a State, prior

to providing PNR data to another State.

2.7 Notwithstanding the legal analysis by LEB and discussions with the Secretariat,

emphasizing that the Chicago Convention (the Convention) permits States to have differences in

Standards and negotiate such higher requirements with other States, given the existing regimes of PNR

data requirements, it was determined that it would be important that Annex 9 include Standards to explain

how differences between States’ requirements could be dealt with and to lay out the process for

resolution, where two States have differing requirements.

2.8 PNR-TF members also expressed their concerns with how to ensure compliance by other

States and how ICAO may assist in ensuring compliance, e.g. by auditing the PNR- related SARPs.

Explanations by the Secretariat (LEB and the Facilitation and Aviation Security Audit Sections) were

provided. The Secretariat reminded that ICAO already has existing mechanisms in place, through the

USAP audits and the Compliance Checklist of the Electronic Filing of Differences (EFOD) system that

allows States to file differences, as well as the dispute settlement mechanism established in Chapter XVIII

of the Chicago Convention.

2.9 The PNR-TF urged the Secretariat to consider how to make information on differences to

PNR-related SARPs more publicly available and to ensure that ICAO would audit such provisions. The

Secretariat explained that currently a State is deemed to comply if it does not file a difference. In addition

to the EFOD and compliance checklist, compliance verification with Annex 9 security-related Standards

can be achieved through the USAP, though determinations would need to be made as to which Standards

may and should be audited. The Secretariat reminded PNR-TF members that the development of a new

process for sharing the Universal Security Audit – Continuous Monitoring Approach (USAP-CMA) audit

results on PNR-related SARPs was outside the scope of the PNR-TF and explained that information on

USAP audit results belong to the audited States and only the audited States may share their audit results

with other States through agreement(s).

3 Proposed Amendments to Annex 9

3.1 The PNR-TF recommends that Annex 9 be amended as follows:

Chapter 9: Passenger Data Exchange Systems

D. Passenger Name Record (PNR) data

9.23 Each Contracting State requiring Passenger Name Record (PNR) data shall:

(a) develop a capability to collect, use, process and protect Passenger Name Record (PNR) data

supported by appropriate legal framework (such as, inter alia, legislation, regulation or decree),

and be consistent with all Standards contained in Section D, Chapter 9, Annex 9;

(b) align its PNR data requirements and its handling of such data with the guidelines contained in

ICAO Doc 9944, Guidelines on Passenger Name Record (PNR) Data, and in PNRGOV message

implementation guidance materials published and updated by the WCO and endorsed by ICAO

and IATA: and

9.23.1 Contracting States requiring the transfer of PNR data shall

(c) adopt and implement the EDIFACT-based PNRGOV message as the primary method for

airline-to-government PNR data transferal to ensure global interoperability.

Note 1.— The UN Security Council, in Resolution 2396 (2017) at paragraph 12, decided that

Member States shall develop the capability to collect, process and analyse, in furtherance of

ICAO standards and recommended practices, passenger name record (PNR) data, and to ensure

PNR data is used by and shared with all their competent national authorities, with full respect for

human rights and fundamental freedoms, for the purpose of preventing, detecting, and

investigating terrorist offenses and related travel.

Note 2.1— The PNRGOV message is a standard electronic message endorsed jointly by

WCO/ICAO/IATA. Depending on the specific aircraft operator’s Reservation and Departure

Control Systems, specific data elements which have been collected and stored by the aircraft

operator for their own operational and commercial purposes and can be efficiently transmitted

via this standardized message structure.

Note 2.— This provision is not intended to replace or supersede any messages exchanged

between aircraft operators and customs administrations to support local airport operations.

Note 3.— In addition to the mandatory EDIFACT-based PNRGOV message, Contracting States

may also, optionally, consider implementation of the XML PNRGOV message format as a

supplemental method of PNR data transfer, thereby allowing those aircraft operators with XML

capability a choice of format for the transmission of PNR data.

Analysis of 9.23:

This proposed new Standard amalgamates previously proposed Standards and follows the language in

UNSCR 2396 and would make mandatory, at least, the development of a State’s capability to collect, use,

process and protect PNR data. The Standard also requires States to introduce a legal basis supporting its PNR

data transfer requirement.

The PNR-TF discussed the use of the term "develop a capability" versus other terms such as "develop a PNR

program" or "establish a capability/program". However, the consensus of the PNR-TF was to use the wording

"develop a capability" to remain consistent with the UN Security Council Resolution and given the use of a

(passenger data) single window for data collection is an Annex 9 Standard.

The PNR-TF made the suggestion to include reference to "legal framework" throughout the chapter to allow

for various systems, which may exist in different States.

9.24 Recommended Practice.― Contracting States shall, with full respect for human rights and

fundamental freedoms: requiring PNR data should consider the data privacy impact of PNR data

collection and electronic transfer, within their own national systems and also in other States. Where

necessary, Contracting States requiring PNR data and those States restricting such data exchange should

engage in early cooperation to align legal requirements.

(a) clearly identify in their legal framework the PNR data to be used in their operations;

(b) clearly set the purposes for which PNR data may be used by the authorities which should be no

wider than what is necessary in view of the aims to be achieved, in particular for law

enforcement and border security purposes to fight terrorism and serious crime; and

(c) limit the disclosure of PNR data to other authorities in the same State or in other Contracting

States that exercise functions related to the purpose for which PNR data are processed, in

particular law enforcement and border security purposes, and ensure comparable protections as

those afforded by the disclosing authority.

Analysis of 9.24:

The proposed Standard sets purpose limitations for PNR data in a framework embedded in the rule of law

respecting human rights and fundamental freedoms.

This proposed Standard streamlines an exhaustive list which was previously included under proposal

9.30, developed during the first meeting in Cairo. A proposal was made to include reference that any

requirements should relate to "the aims relating to entry, clearance, immigration, passports, customs, and

quarantine". This new proposal permits individual States to determine the scope of PNR data use, as

defined in their legal framework.

All references to "border integrity" within this chapter of Annex 9 were changed to "border security" as

this was deemed to be a well-recognized and acceptably broad term. Furthermore, the consensus was that

"border security" provides adaptability to each State’s legal regime.

The proposed text under section c) was deemed as important to include in order to permit, but limit, the

transfer of PNR data from one State to another.

9.25 Contracting States shall:

(a) prevent unauthorised access, disclosure and use of PNR data and their legal framework shall

provide penalties for misuse, unauthorised access, and unauthorised disclosure;

(b) ensure the safeguards applied to their collection, use, processing and protection of PNR data

apply to all individuals without unlawful discrimination;

(c) be open and transparent about the collection, use, processing and protection of PNR data and

related privacy standards employed;

(d) take measures to ensure that aircraft operators inform their customers about the transfer of PNR

data;

(e) provide for appropriate administrative or judicial redress mechanisms to enable individuals to

seek a remedy for the unlawful processing of their PNR data by public authorities; and

(f) provide for appropriate mechanisms, established by their legal and administrative framework, for

individuals to request access to their PNR data and request corrections or notations, if necessary.

9.26 Recommended Practice.― Subject to necessary and proportionate restrictions, Contracting

States should notify individuals of the processing of their PNR data and inform them about the rights and

means of redress afforded to them as defined in their legal and administrative framework.

Analysis of 9.25 and 9.26:

The proposed Standards reflect that States shall incorporate several data privacy and protection

measures related to PNR data, and that such measures are communicated with the public in an open

and transparent manner.

Concerns were raised that States could take action against individuals or groups who have access to

PNR data as part of their duties. Concerns were also raised that aircraft operators are permitted to

discard PNR data that they may have received as they see fit, so recourse by a customer to the

aircraft carrier may not be permitted. However, the consensus was that this Standard requires States

to define clearly in their legal framework who has access to PNR data, and that measures must be in

place to penalize the misuse of such data.

Discussions were also held on how a State could ensure that airlines inform passengers, however, the

consensus was that this was an important matter, which should, as a rule, be implemented by States.

Furthermore, the consensus was that the wording was sufficiently broad to permit individual States

to define how they would 'ensure' such communication.

9.27 Contracting States shall:

(a) base the automated processing of PNR data on objective, precise and reliable criteria that

effectively indicate the existence of a risk, without leading to unlawful discrimination; and

(b) not make decisions that produce significant adverse actions affecting the legal interests of

individuals based solely on the automated processing of PNR data.

Analysis of 9.27:

The purpose of this proposed Standard is to highlight that any action taken on an individual that produces

"significant adverse actions affecting the legal interests of individuals" must be based on more than a

simple automated review of someone's PNR data. This was deemed as important to ensure some sort of

'secondary' or more thorough PNR review prior to taking actions that would cause such adverse actions.

This Standard was also deemed appropriately vague to permit States to define what "objective, precise and

reliable" means, as well as "significant adverse actions".

9.28 Contracting States shall designate one (or more) competent domestic authority(ies) as defined in

their legal framework with the power to conduct independent oversight of the protection of PNR data and

determine whether PNR data are being collected, used, processed and protected with full respect for

human rights and fundamental freedoms.

Analysis of 9.28:

The purpose of this Standard is to ensure that each State develops, in accordance with its legal

framework, a mechanism (competent authority) to ensure the protection of PNR data. While the PNR-TF

debated the importance of having an 'independent' body, it was determined that what was required was

that the conduct of such a body should be independent.

This decision was made as individual States will have varying mechanisms in place to carry out these

functions.

9.29 Contracting States shall:

(a) not require aircraft operators to collect PNR data that is not required as part of their normal

business operating procedures nor to filter the data prior to transmission; and

(b) not use PNR data revealing an individual’s racial or ethnic origin, political opinions, religious or

philosophical beliefs, trade union membership or data concerning their health, sexual life or

sexual orientation other than in exceptional circumstances to protect the vital interests of the data

subject or of another natural person. In circumstances where such information is transferred,

Contracting States shall delete such data as soon as practicable.

Analysis of 9.29:

This Standard sets out that PNR data is essentially data that is collected by an aircraft operator as part of

their normal operations, and that States should not require operators to collect data that they would not

otherwise normally collect. One PNR-TF member submitted that aircraft operators should not be imposed

with additional obligations on other aspects, such as accuracy and data completeness, as data quality is

not applicable to PNR data.

9.30 Contracting States shall:

(a) retain PNR data for a set period as defined in their national laws and policies which shall be that

period necessary and proportionate for the purposes for which the PNR data is used;

(b) depersonalize retained PNR data, which enable direct identification of the data subject, through

masking out of personal data elements no later than two years after the transfer of PNR data,

except when used in connection with an identifiable ongoing case, threat or risk related to the

purposes identified in 9.23b;

(c) only repersonalize (unmask) PNR data when used in connection with an identifiable case, threat

or risk for the purposes identified in 9.23b; and

(d) delete or anonymize PNR data at the end of the retention period.

Note 1. – Depersonalization of PNR data is the masking of information which enables direct

identification of an individual, without hindering law enforcement use of PNR data, whereas PNR

data anonymization is the permanent removal of identity information of a person from the PNR

record.

9.31 Recommended Practice.― Contracting States should retain PNR data for a maximum period of

five years after the transfer of PNR data, except when required in the course of an investigation,

prosecution, or court proceeding.

9.32 Recommended Practice.― Contracting States should depersonalize PNR data within six months of

the transfer of PNR data.

Analysis of 9.30, 9.31 and 9.32:

The proposed SARPs define how and for how long data shall and should be retained and depersonalised.

While the preference of the PNR-TF was to include a specific timeline in (a) for when PNR data should

be retained, it was agreed that a consensus could not be reached on what that time should be. As a result,

this proposal was developed and the PNR-TF agreed that specific timelines would best be included in the

recommended practice or guidance materials.

While the same arguments were also made for (c) on depersonalization, the consensus was that for this

specific element, a period of two years could be agreed upon and included in the Standard.

9.33 Contracting States shall:

(a) as a rule acquire PNR data using the 'push' method in order to protect the personal data that is

contained in the operators' systems and that operators remain in control of their systems;

(b) seek, to the greatest extent possible, to limit the operational and administrative burdens on aircraft

operators, while enhancing passenger facilitation;

(c) not impose fines and penalties on aircraft operators for any unavoidable errors caused by a

systems failure which may have resulted in the transmission of no, or corrupted, PNR data; and

(d) minimize the number of times the same PNR data is transmitted for a specific flight.

Note 1.— In exceptional circumstances and when a PNR ‘push’ transfer method is not feasible, such

as when an aircraft makes an emergency landing, alternative means of PNR data acquisition can be

used by a Contracting State in order to maintain operational continuity.

Analysis of 9.33:

Although some PNR-TF members felt that using the term 'as a rule' was not necessary given that this

provision is a Standard, the consensus was that this was important to include in order to provide flexibility

for States to receive PNR data using other methods.

A proposal was also made to include limiting financial burdens in (b), however, the consensus was that

limiting the operational and administrative burdens was sufficiently broad and that specifying financial

burdens may be overly prescriptive for an ICAO Standard.

9.34 Contracting States shall:

(a) not inhibit or prevent the transfer of PNR data by an aircraft operator or other relevant party, nor

sanction, impose penalties or create unreasonable obstacles on aircraft operators or other relevant

parties that transfer PNR data to another Contracting State provided that Contracting States’

PNR data system is compliant with the Standards contained in Section D, Chapter 9 of Annex 9;

and

(b) retain the ability to introduce or maintain higher levels of protection of PNR data, in accordance

with their legal and administrative framework;

(c) in line with the above, retain the ability to negotiate additional arrangements with other

Contracting States in particular to: promote collective security; achieve higher levels of

protection of PNR data, including on data retention; or establish more detailed provisions

relating to the transfer of PNR data, provided those measures do not otherwise conflict with the

Standards contained in Section D, Chapter 9 of Annex 9; and

(d) in any instance where Contracting States have determined they must inhibit, prevent or otherwise

obstruct the transfer of PNR data or must penalize an aircraft operator, they will do so with

transparency and with the intent of resolving the situation which caused that determination.

Note 1.— Under 9.33a, Contracting States are expected to allow other Contracting States

compliant with the PNR Standards to receive PNR data, at least provisionally, while engaging in

consultations or negotiations, as necessary. In these instances, Contracting States are expected

to demonstrate, to any requesting Contracting State, their compliance with these Standards and

under 9.33b and 9.33c take into consideration any additional measures requested by another

Contracting State. A demonstration of compliance with the PNR Standards, upon request, should

take place as soon as possible, and, among other things, could occur based on bilateral

consultations and/or the information in the ICAO online compliance checklist for Annex 9 –

Facilitation contained in the Electronic Filing of Differences (EFOD) system. Further,

Contracting States are expected to work through this process in good faith and in a timely

manner. Under 9.33d, when a Contracting State assesses that another Contracting State is

non-compliant with these PNR Standards, the Contracting State making that assessment may inhibit

the transfer of PNR data to another Contracting State.

Note 2.— When entering information in the ICAO online compliance checklist for Annex 9 –

Facilitation contained in the EFOD system, Contracting States are able to utilize the National Air

Transport Facilitation Committee (NATFC).

9.35 Recommended Practice.― Contracting States establishing a PNR program, or making significant

changes to an existing program, pursuant to these SARPs should proactively notify other Contracting

States maintaining air travel between them prior to receiving data, including whether they are complying

with these SARPs, to encourage or facilitate rapid consultation where appropriate.

9.36 Recommended Practice.— While attempting to resolve PNR data transfer disputes Contracting

States should not penalize aircraft operators.

Analysis of 9.34, 9.35 and 9.36:

As referred to in paragraphs 2.6 to 2.9 of this report, the bulk of the work of the PNR-TF revolved around

the resolution of the issues captured in these SARPs. The PNR-TF felt that these SARPs made significant

progress in resolving a complex issue and identifying a common approach that can be implemented

without most Contracting States having to file differences to these Standards.

However, some PNR-TF members are still concerned that a mechanism needs to be in place to provide

clarity as to whether a State is indeed compliant with PNR SARPs and able to receive PNR data. Some

PNR-TF members also raised concerns that these SARPs may unilaterally permit a State to enforce a

higher standard than those contained in Annex 9. Finally, concerns were raised that this separate higher

Standard would further complicate matters for the industry in terms of being aware of when PNR data

may or may not be shared with an individual State.

— — — — — — — —

4 Next steps and corresponding milestones

4.1 Regarding the impact assessment and guidance on implementation referred to in the

PNR-TF’s ToRs, it was agreed that it would be more beneficial to prepare the impact assessment and

consider any guidance on implementation after the Secretariat disseminates the relevant State letter and

receives comments from Member States, in order to better inform the ATC during its 220th Session.

4.2 The PNR-TF report is presented to FALP/11 for information. The Secretariat will present

the Report of the FALP/11 meeting, including the recommendations of FALP, to the Air Transport

Committee (ATC) during its 219th Session, on 7 February 2020.

4.3 Following the ATC’s consideration of the recommendations for new/revised SARPs for

PNR, it is planned that a State letter be disseminated, requesting comments from States and relevant

international organizations on the FALP/11’s proposals for amendment to Annex 9. A final review of the

proposals, including comments received, along with the Secretariat’s comments, will be undertaken by

the ATC, to be followed by the Council’s consideration of the SARPs, for possible adoption, during the

220th Session (May/June 2020).

— — — — — — — —

APPENDIX A1

PROPOSALS FOR AMENDMENT TO ANNEX 9

Amend Annex 9 as follows:

CHAPTER 9. PASSENGER DATA EXCHANGE SYSTEMS

. . . . . .

D. Passenger Name Record (PNR) Data

9.23 Each Contracting State requiring Passenger Name Record (PNR) data shall:

(a) develop a capability to collect, use, process and protect Passenger Name Record (PNR) data

supported by appropriate legal framework (such as, inter alia, legislation, regulation or decree), and

be consistent with all Standards contained in Section D, Chapter 9, Annex 9;

(b) align its PNR data requirements and its handling of such data with the guidelines contained in

ICAO Doc 9944, Guidelines on Passenger Name Record (PNR) Data, and in PNRGOV message

implementation guidance materials published and updated by the WCO and endorsed by ICAO and

IATA.; and 9.23.1 Contracting States requiring the transfer of PNR data shall

(c) adopt and implement the EDIFACT-based PNRGOV message as the primary method for airline-

to-government PNR data transferal to ensure global interoperability.

Note 1.— UN Security Council, in Resolution 2396 (2017) at paragraph 12, decided that Member

States shall develop the capability to collect, process and analyse, in furtherance of ICAO standards

and recommended practices, passenger name record (PNR) data, and to ensure PNR data is used by

and shared with all their competent national authorities, with full respect for human rights and

fundamental freedoms, for the purpose of preventing, detecting, and investigating terrorist offenses

and related travel.

Note 21.— The PNRGOV message is a standard electronic message endorsed jointly by

WCO/ICAO/IATA. Depending on the specific aircraft operator’s Reservation and Departure Control

Systems, specific data elements which have been collected and stored by the aircraft operator for

their own operational and commercial purposes and can be efficiently transmitted via this

standardized message structure.

Note 2.— This provision is not intended to replace or supersede any messages exchanged between

aircraft operators and customs administrations to support local airport operations.

Note 3.— In addition to the mandatory EDIFACT-based PNRGOV message, Contracting States may

also, optionally, consider implementation of the XML PNRGOV message format as a supplemental

method of PNR data transfer, thereby allowing those aircraft operators with XML capability a

choice of format for the transmission of PNR data.

9.24 Recommended Practice.― Contracting States shall, with full respect for human rights and fundamental freedoms: requiring PNR data should consider the data privacy impact of PNR data collection and electronic transfer, within their own national systems and also in other States. Where necessary, Contracting States requiring PNR data and those States restricting such data exchange should engage in early cooperation to align legal requirements.

(a) clearly identify in their legal framework the PNR data to be used in their operations;

1 Please note that the text presented in FALP/11-WP/2 is the authoritative version.


(b) clearly set the purposes for which PNR data may be used by the authorities which should be no

wider than what is necessary in view of the aims to be achieved, in particular for law enforcement

and border security purposes to fight terrorism and serious crime; and

(c) limit the disclosure of PNR data to other authorities in the same State or in other Contracting

States that exercise functions related to the purpose for which PNR data are processed, in particular

law enforcement and border security purposes, and ensure comparable protections as those afforded

by the disclosing authority.

9.25 Contracting States shall:

(a) prevent unauthorised access, disclosure and use of PNR data and their legal framework shall

provide penalties for misuse, unauthorised access, and unauthorised disclosure;

(b) ensure the safeguards applied to their collection, use, processing and protection of PNR data

apply to all individuals without unlawful discrimination;

(c) be open and transparent about the collection, use, processing and protection of PNR data and

related privacy standards employed;

(d) take measures to ensure that aircraft operators inform their customers about the transfer of PNR

data;

(e) provide for appropriate administrative or judicial redress mechanisms to enable individuals to

seek a remedy for the unlawful processing of their PNR data by public authorities; and

(f) provide for appropriate mechanisms, established by their legal and administrative framework, for

individuals to request access to their PNR data and request corrections or notations, if necessary.

9.26 Recommended Practice.― Subject to necessary and proportionate restrictions, Contracting States

should notify individuals of the processing of their PNR data and inform them about the rights and means

of redress afforded to them as defined in their legal and administrative framework.

9.27 Contracting States shall:

(a) base the automated processing of PNR data on objective, precise and reliable criteria that

effectively indicate the existence of a risk, without leading to unlawful discrimination; and

(b) not make decisions that produce significant adverse actions affecting the legal interests of

individuals based solely on the automated processing of PNR data.

9.28 Contracting States shall designate one (or more) competent domestic authority(ies) as defined in

their legal framework with the power to conduct independent oversight of the protection of PNR data and

determine whether PNR data are being collected, used, processed and protected with full respect for

human rights and fundamental freedoms.

9.29 Contracting States shall:

(a) not require aircraft operators to collect PNR data that is not required as part of their normal

business operating procedures nor to filter the data prior to transmission; and

(b) not use PNR data revealing an individual’s racial or ethnic origin, political opinions, religious or

philosophical beliefs, trade union membership or data concerning their health, sexual life or sexual

orientation other than in exceptional circumstances to protect the vital interests of the data subject or


of another natural person. In circumstances where such information is transferred, Contracting States

shall delete such data as soon as practicable.

9.30 Contracting States shall:

(a) retain PNR data for a set period as defined in their national laws and policies which shall be that

period necessary and proportionate for the purposes for which the PNR data is used;

(b) depersonalise retained PNR data, which enable direct identification of the data subject, through

masking out of personal data elements no later than two years after the transfer of PNR data, except

when used in connection with an identifiable ongoing case, threat or risk related to the purposes

identified in 9.24b;

(c) only depersonalise (unmask) PNR data when used in connection with an identifiable case, threat

or risk for the purposes identified in 9.24b; and

(d) delete or anonymise PNR data at the end of the retention period.

Note. – Depersonalization of PNR data is the masking of information which enables direct

identification of an individual, without hindering law enforcement use of PNR data, whereas PNR

data anonymization is the permanent removal of identity information of a person from the PNR

record.

9.31 Recommended Practice.― Contracting States should retain PNR data for a maximum period of

five years after the transfer of PNR data, except when required in the course of an investigation,

prosecution, or court proceeding.

9.32 Recommended Practice.― Contracting States should depersonalise PNR data within six months of

the transfer of PNR data.

9.33 Contracting States shall:

(a) as a rule acquire PNR data using the 'push' method in order to protect the personal data that is

contained in the operators' systems and that operators remain in control of their systems;

(b) seek, to the greatest extent possible, to limit the operational and administrative burdens on

aircraft operators, while enhancing passenger facilitation;

(c) not impose fines and penalties on aircraft operators for any unavoidable errors caused by a

systems failure which may have resulted in the transmission of no, or corrupted, PNR data; and

(d) minimise the number of times the same PNR data is transmitted for a specific flight.

Note.— In exceptional circumstances and when a PNR ‘push’ transfer method is not feasible, such as

when an aircraft makes an emergency landing, alternative means of PNR data acquisition can be

used by a Contracting State in order to maintain operational continuity.

9.34 Contracting States shall:

(a) not inhibit or prevent the transfer of PNR data by an aircraft operator or other relevant party, nor

sanction, impose penalties or create unreasonable obstacles on aircraft operators or other relevant

parties that transfer PNR data to another Contracting State provided that Contracting States’ PNR

data system is compliant with the Standards contained in Section D, Chapter 9 of Annex 9; and

(b) retain the ability to introduce or maintain higher levels of protection of PNR data, in accordance

with their legal and administrative framework;


(c) in line with the above, retain the ability to negotiate additional arrangements with other

Contracting States in particular to: promote collective security; achieve higher levels of

protection of PNR data, including on data retention; or establish more detailed provisions

relating to the transfer of PNR data, provided those measures do not otherwise conflict with the

Standards contained in Section D, Chapter 9 of Annex 9; and

(d) in any instance where Contracting States have determined they must inhibit, prevent or otherwise

obstruct the transfer of PNR data or must penalize an aircraft operator, they will do so with

transparency and with the intent of resolving the situation which caused that determination.

Note 1.— Under 9.34a, Contracting States are expected to allow other Contracting States compliant

with the PNR Standards to receive PNR data, at least provisionally, while engaging in consultations

or negotiations, as necessary. In these instances, Contracting States are expected to demonstrate, to

any requesting Contracting State, their compliance with these Standards and under 9.34b and 9.34c

take into consideration any additional measures requested by another Contracting State. A

demonstration of compliance with the PNR Standards, upon request, should take place as soon as

possible, and, among other things, could occur based on bilateral consultations and/or the

information in the ICAO online compliance checklist for Annex 9 – Facilitation contained in the

Electronic Filing of Differences (EFOD) system. Further, Contracting States are expected to work

through this process in good faith and in a timely manner. Under 9.34d, when a Contracting State

assesses that another Contracting State is non-compliant with these PNR Standards, the Contracting

State making that assessment may inhibit the transfer of PNR data to another Contracting State.

Note 2.— When entering information in the ICAO online compliance checklist for Annex 9 –

Facilitation contained in the EFOD system, Contracting States are able to utilize the National Air

Transport Facilitation Committee (NATFC).

9.35 Recommended Practice.― Contracting States establishing a PNR program, or making significant

changes to an existing program, pursuant to these SARPs should proactively notify other Contracting

States maintaining air travel between them prior to receiving data, including whether they are complying

with these SARPs, to encourage or facilitate rapid consultation where appropriate.

9.36 Recommended Practice.— While attempting to resolve PNR data transfer disputes Contracting

States should not penalize aircraft operators.

— — — — — — — —


APPENDIX B

LIST OF PARTICIPANTS – PNR-TF MEETING MONTREAL

3-6 December 2019

State Name of Nominated Expert Designation Contact Details

Brazil Mr. Helder Gonzales Member [email protected]

Mr. Julio César Baida Filho Alternate Point-of-Contact [email protected]

Canada Mr. Nuno Bellem Member / Point-of-contact; Rapporteur of PNR-TF [email protected]

Mr. Jacob van Dusen Advisor [email protected]

Ms. Alyssa Herage Advisor [email protected]

Mr. Sebastien Anes Advisor

Mr. Cameron MacIntosh Advisor [email protected]

France Mr. Patrick Lansman Member / Point-of-contact; FALP Member [email protected]

Mr. Lecoq Bertrand Advisor [email protected]

Germany Mr. Stefan Diabo Member / Point-of-contact [email protected]

Ms. Anne Rochow Advisor

Qatar Mr. Ali Alathbi Member / Point-of-contact [email protected]

Saudi Arabia Mr. Mohamed H. Al Ahmadi Advisor [email protected]

Mr. Fahad Khalid Alghamdi Advisor [email protected]

Mr. Waleed Awadallah Alotaibi Advisor [email protected]

United Kingdom Mr. Simon Watkin Member / Point-of-contact [email protected]

Mr. Steven Waterman Advisor [email protected]

United States Mr. Mike Scardaville Advisor [email protected]

Mr. Andrew Williams Advisor [email protected]

Ms. Emily Rohde Advisor

Mr. Alex Kisselburg Advisor

Ms. Karen Zareski Advisor

Mr. Eric Yatar Advisor


OBSERVER

Spain Ms. Diana Simón Polo Observer [email protected]

European Union Ms. Jolande Prinssen Member / Point-of-contact [email protected]

Mr. Rob Rozenburg Observer [email protected]

IATA Ms. Celine Canu Member / Point-of-contact [email protected]

Mr. Dominique Antonini Observer [email protected]

Ms. Karine Boulet-Gaudreault Observer [email protected]

Mr. Ilker Duzgoren Observer [email protected]

UNOCT Mr. Christophe Hypolite Observer [email protected]

WCO Mr. Tejo Kusuma Observer [email protected]

—END—