EU Legislative Proposals: Discussion

Before we begin, I ask members and witnesses to turn off their mobile telephones, as they interfere with the sound system. Putting them on silent mode is not sufficient. Apologies have been received from Deputy Anne Ferris and Senator Katherine Zappone.

The purpose of the meeting is to consider two motions that have been laid before the Dáil and Seanad: COM (2013) 258, proposal for a Council decision on the conclusion of an agreement between Canada and the European Union on the transfer and processing of passenger name record data; and COM (2013) 259, proposal for a Council decision on the signature of an agreement between Canada and the European Union on the transfer and processing of passenger name record data. Briefing information has been circulated to members. I thank the Minister of State at the Department of Justice and Equality, Deputy Kathleen Lynch, and her officials for agreeing to assist us in our consideration of these matters. We will begin with an opening statement by the Minister of State, to be followed by a question and answer session. We look forward to the Minister of State enlightening us on these matters.

They are very simple proposals which I am sure will meet the approval of everybody.

That is good to know.

I thank the Chairman for allocating time today to consider these two EU motions dealing with the proposed agreement between Canada and the EU on the transfer and processing of passenger name record, PNR, data. Two motions are required because the agreement itself is the subject of two separate proposals for Council decisions. This simply reflects the EU procedure for establishing such agreements, whereby the Council of Ministers and the European Parliament are co-legislators. It requires that the Council of Ministers must first adopt a decision to sign the agreement. The agreement is then sent to the European Parliament for its consent and, if that consent is given, the Council of Ministers subsequently adopts a decision to conclude the agreement.

The motions before the committee today are necessary to enable Ireland to participate in this measure. They propose that Ireland should exercise the option provided by Protocol 21 to the treaty on the functioning of the EU - that is to say, the Lisbon treaty - to participate in the adoption and application of an EU-Canada PNR agreement. The prior approval of both Houses of the Oireachtas is required, in accordance with the provisions of Article 29.4.7 of the Constitution, to enable Ireland to exercise that option. In line with the provisions of Protocol 21 to the Lisbon treaty, Ireland has three months to signal its participation in any given measure. In the case of this proposed agreement, the State must signal its participation by 26 November.

The Government has approved the proposal of the Minister for Justice and Equality that Ireland should take part in this measure. It is our view that measures such as these are to be welcomed and deserve our support. They can provide important support to police and law enforcement authorities in the fight against transnational serious crime and terrorism.

The proposal replaces the current EU-Canada PNR agreement which was concluded in 2005 and has been in operation since then. Following the entry into force of the Lisbon treaty, the European Parliament requested a renegotiation of this and the PNR agreements then in place with the United States and Australia. Members will be aware that revised agreements with those two countries have been established and put in place, and were considered by the committee under the same Protocol 21 in advance of Ireland's participation in them. Subsequent to the European Parliament's request for a renegotiation of the agreement with Canada, the Council of Ministers authorised the European Commission to conduct negotiations on behalf of the EU. It presented a draft agreement with Canada to the Council in May of this year. It is intended to seek approval to sign the proposed agreement at the meeting of the Council of Justice and Home Affairs Ministers in December. However, the deadline for opting into the agreement remains 26 November.

The proposed agreement provides that air carriers operating flights between the EU and Canada will provide to the Canada Border Services Agency certain PNR data for passengers flying to or from Canada. PNR data comprise information relating to passengers' travel reservations that is collected and held by air carriers as part of their reservations systems. The proposed agreement will require the airlines to continue to provide a portion of this information to the Canadian authorities for the purposes of combating terrorism and serious transnational crime. In practical terms, the proposed agreement will have no new or additional impacts for EU air carriers as the PNR data is already being provided under the 2005 agreement. However, unlike that agreement, the new proposal encompasses comprehensive data protection provisions and safeguards to be built in as part of the agreement itself. Under the 2005 agreement, on the other hand, data protection measures did not form part of the agreement. Rather, they were included as a set of commitments by the Canada Border Services Agency in regard to the application of the PNR agreement.

As I said, the proposed provisions represent an important tool in the fight against serious crime and terrorism. However, I am conscious of the need to ensure the rights of citizens are not subject to unnecessary or disproportionate intrusion, notwithstanding the importance of protecting both individuals and society against harm. It is essential to strike the right balance in measures such as these, especially with regard to privacy and the protection of personal data. Accordingly, the agreement contains a number of important and specifically tailored safeguards in respect of the use of PNR data. In particular, the purpose of processing the data is strictly limited to preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crimes. We can all agree that detecting terrorists, people traffickers and other serious criminals is worthy of support.

Furthermore, the agreement sets out clearly a series of provisions relating to the arrangements for the handling and security of the PNR data and for data protection.

I draw particular attention to the provisions which establish that an individual will have the right to access his or her own data, to have incorrect data corrected and to seek judicial redress, including compensation, for any violation of his or her rights under the proposed agreement.

The retention period relating to PNR data will be limited to five years in total. However, it is important to note that this data will be depersonalised by the masking out of passenger names after an initial period of only 30 days. Furthermore, the full depersonalisation of the data, that is, the masking out of all other identifying information, will take place after two years. Compliance with these rules will be subject to independent oversight by the Privacy Commissioner of Canada - the equivalent of our Data Protection Commissioner - in addition to the Recourse Directorate of the Canada Border Services Agency.

There are additional controls included in the proposed agreement to deal with the processing of sensitive data, that is, personal data revealing race, ethnicity, religious beliefs, political opinion, etc. The processing of this data is limited to very exceptional cases and subject to strict additional conditions and safeguards, including approval by the president of the Canada Border Services Agency and the deletion of the sensitive personal data after a maximum period of 15 days. The European Union is satisfied that the data protection provisions in force in Canada are sufficiently robust to protect EU citizens.

As stated, Ireland has until 26 November to decide whether to opt in to the adoption and application of the proposed agreement. This proposal is one of a number of measures being taken at EU level in the justice and home affairs field which arise from commitments set out in the 2009 Stockholm programme. The Government is determined that Ireland will have a full, active and constructive engagement in bringing forward the European justice agenda.

A number of countries, including the United Kingdom, the United States, Australia, Canada, Sweden and Spain, have been collecting PNR data for some years in order to help tackle transnational and serious crimes and terrorism. The use of PNR data has proved to be a very valuable tool in a range of investigations, particularly those targeting drug smugglers, human trafficking and terrorists. It is, as members will appreciate, difficult to provide details of the operational methods that police and law enforcement investigators might use, particularly when dealing with sensitive investigations. However, I will give the committee a flavour of the value of PNR in contributing to investigations. For example, the UK authorities targeted and successfully prosecuted a Chinese gang of people traffickers who had been bringing illegal immigrants into that jurisdiction and Ireland through other EU states. The use of PNR data was a key tool in the investigation in identifying the people who were being trafficked and linking them with the trafficking facilitators. I have no doubt that the committee will agree that human trafficking is a particularly reprehensible crime, a serious abuse of human rights and an affront to human dignity. It is often characterised as the modern equivalent of the slave trade. It is also often linked with the sexual exploitation of women. We should never tolerate human trafficking and must use all the tools and resources at our disposal to prevent and combat it, to protect the victims and prosecute the perpetrators.

PNR data were also used by investigators in the case of David Headley who was convicted for his involvement in the atrocious terrorist attacks in Mumbai, India, in November 2008, in which 164 innocent people lost their lives. By using details of the suspect’s first name, his partial travel itinerary and a possible travel window and entering this intelligence into the PNR database, David Headley’s full name, address and passport number were obtained. He was subsequently arrested and pleaded guilty to terrorism-related charges.

We can be in no doubt either about the pernicious nature of the international drugs trade. The supply and use of illegal drugs have a profound destructive impact on individuals' lives, as well as on entire communities. Drug trafficking is a highly lucrative internationalised crime that has a very local impact. As public representatives, we have all witnessed the impact of drugs in communities throughout the country. We must seek to ensure that those who are working to disrupt this criminal activity can take advantage of the relevant tools such as PNR to put the people involved out of business. Members will also be conscious of the potential value to police services of PNR data in contributing to the investigation of people who travel to overseas locations, often in the Far East, in order to have sex with under-age children. This is a particularly depraved form of "tourism" and we can be very sure the victims are not willing participants in what is an organised trade.

Given the potential law enforcement value of PNR data, particularly with regard to investigations into drug smuggling, human trafficking and international terrorism, the Government has no doubt that it is important that Ireland should opt-in in to the proposed agreement. Our participation in the measure is also a clear demonstration of our continued support and solidarity with our EU and international partners in the fight against these transnational criminal activities.

I have great pleasure in commending the motions to the committee.

I thank the Minister of State for her presentation which was fairly straightforward and easy to understand. Deputy Pádraig Mac Lochlainn is the first member indicating a desire to contribute.

Every public representative will agree that we must support the policing and intelligence services in combating serious criminality of the type outlined by the Minister of State. She has also highlighted the need to balance the rights of citizens in order to ensure we assist in the ongoing war against serious criminality. Said criminality does not recognise borders, particularly in the context of its impact on victims. In the context of human and civil rights, is the Minister of State satisfied with what is contained in the agreement? It appears that the original agreement will be strengthened by the new version. Is the Minister of State satisfied with the protections provided for citizens? In the past the European Commission's legal service had concerns about the categories of offences on which information was required to be given. For example, a person who might have been convicted of an offence which was not that serious could have had his or her details passed on. Will the Minister of State clarify the position on the types of offences involved?

I am also seeking reassurance on data protection issues, particularly in the context of the information revealed by Edward Snowden during the past year. Of course, the policing and intelligence services should be given what they need in order to combat crime, but we must also ensure they do not have too much power and that a Big Brother-type scenario is not created. Will the Minister of State provide reassurance on the position in this regard.

We all share the Deputy's concerns and there is certainly a need to ensure a proper balance is struck. However, we must also consider how we can combat human trafficking and the drugs trade. People who are trafficked often do not know the language spoken in the country to which they have been brought; they can be extremely scared and their documentation will have been taken from them. It is difficult to obtain a fix on how to combat serious crime, but the agreement will prove to be a major tool in that regard because the relevant experts will be able to use it to monitor the continual comings and goings of individuals and groups. We will never be able to completely eliminate serious crime, but the agreement will increase our chances of detecting it.

Let us ignore what happened during the past year and concentrate on that which has occurred in recent days in the context of people's personal information being stolen by those who are clearly not going to use it for any legitimate purpose. It is welcome that the European Union has decided to renegotiate this agreement in order to ensure it will be more robust, which is extremely important.

The fact that people will be able to access the relevant information themselves is also very important, as is the fact that a data protection officer in the country in which the information is being stored will have responsibility for ensuring it is kept safe. The only remit of data protection officers in any jurisdiction is to ensure data relating to individuals are both protected and used for the correct purpose.

I am completely assured of that. It is a good thing that we are coming back to this issue today and that we are building a regime of data protection. The world has changed in that in 2005 I am not certain that we were as conscious of breaches of data protection as we are now, but we are very conscious of them now. The robust mechanisms that have been built into this agreement will serve us well. However, I share the Deputy's concerns. We always need to be conscious that the details of an individual that are on the system for legitimate purposes could find their way into a space where they not should be. The fact that individuals will have access to their records and there is a provision built into the system that, in the event that something should happen, they will have a recourse to action should give us some degree of comfort.

Deputy Finian McGrath indicated that he wanted to contribute.

I welcome the Minister of State to the committee. I share her view on value of the system of investigations into violent activity, criminal activity, drugs crimes, human trafficking and the exploitation of under-aged children. However, I have a concern about an issue, which has arisen again recently, namely, the trust between the security services in different countries. I saw a programme on BBC1 last night which showed that the PSNI had a major lack of trust and confidence in the intelligence service in the North. That is in a divided community where they are trying build to trust in the relationship between the police force and the local community, and the Nationalist community in particular. I have a concern about elements of security services in Europe and other countries having PNR data, and many people share that concern.

I do not know if the Minister of State is familiar with Anne Cadwallader's book, Lethal Allies, which deals with the issue of collusion, an issue the joint committee covered at the time of the investigation into the Dublin and Monaghan bombings. There was an issue of trust and confidence involved there. The reason I raise this issue is that there are elements within the security forces about which many of us have concerns; their track record in terms of people's rights has let us down. Does the Minister of State have those concerns? She hinted at this when she said that when one has this type of information, it must be treated respectfully and there can be no violation of human rights. The reality is that some people have major concerns about some of the data in respect of individuals that is being shared. There is a lack of confidence and trust in certain aspects of security services.

It is always healthy to be a little sceptical of State agencies when they have the capacity to deprive one of one's liberty. It is good for all of us to have that approach and we should question matters. The BBC programme to which the Deputy referred was about a time when things were very different. I was here for the inquiry into the Dublin and Monaghan bombings. Anyone who sat at the table and looked at the pieces we saw was very clear that we were living in an entirely different space. In terms of transnational crimes, terrorism, drug trafficking, human trafficking and all such crimes, when one is negotiating an agreement with other countries, the only thing one can do is ensure that what is in that agreement is robust and one must then assume that the country which it is with will follow the law in their own land. I believe we can be assured of that. If that does happen, as I have said it to Deputy MacLochlainn, there are various of mechanisms in place to ensure people have access to their records and that they have a means of redress.

This agreement is purely between the EU and Canada only. It does not refer to any other country. Under this agreement the airlines will have to pass on passengers' names and details to the Canadian border authorities. I went to Canada about 15 years ago and the Canadian mounted police were at the airport when I arrived in Toronto. I never got as thorough a check in my life as I did then. They told me that my passport photograph was not a good likeness and that I had deteriorated since the time it had been taken. The Canadian authorities are quite thorough in their checks. Is there a particular reason that it is only Canada that is doing this?

No, it is doing that already. This is not something new. This agreement has been in place since 2005 but we are now building in a more robust mechanism to protect people's data. We have an agreement with Spain, Australia and the USA and the EU is negotiating agreements with different countries. This one, which we have to opt into by 26 November, is with Canada, but this is not about our relationship with Canada in isolation. It is about the EU's relationship with other countries.

I thank the Minister of State and her officials for attending. I do not believe anyone could argue with the intention of the motions. We would all agree that the type of information sharing is critical for law enforcement across borders. How easy would it be for people to examine the data that is on system and to check whether it is correct or incorrect? How user friendly will it be for the citizen to establish who has data and what are the data? If there is anything wrong with their details, how would a person go about getting them changed? It should be user friendly to ensure that people do not have to deal with a weight of bureaucracy to obtain their rights.

I am just checking that for the Deputy. It will be on the printed material one normally completes on these flights. The provision states that candidates shall ensure that any individual may access the PNR data . I assume that the only way they can ensure that is by informing the person by way of written documentation. It states that candidates shall ensure that a compliance authority, within a reasonable time, shall provide the individual with a copy of his or her PNR data and if the individual makes a written request for his or her PNR data, there will be a reply in writing to any request. It further states that Canada shall ensure that the Canadian compliance authority makes the following available on its website: a list of the legislation authorising the collection of PNR data; the reason for the collection of the PNR data; the manner of protecting the PNR data; and the manner and extent to which the data may be disclosed. There is a website, and there is also information on the transit cards we all complete from time to time. It will be made clear where that can be accessed but if the request is made, the data must be supplied to the individual and if they are incorrect, it is the data protection officer in charge of that particular section who will alter the information online if the individual requests it.

The protections in terms of depersonalising the information are very important. There may be other issues connected to groups travelling and so on but they may not concern the individual on whom they have the data but it is important that this can be dealt with separately.

What exactly is included in the passenger name record, PNR, data in these instances?

I should have included that in my contribution. It includes a PNR locator code, date of reservation-issue of ticket - it is a code with which everyone is issued - dates of intended travel, name, and available frequent flier and benefits information. If someone is on the frequent flier list, one's name could end up on this. It also includes numbers of travellers, and I spoke earlier in terms of a group of people.

It includes all available contact information, including originator information; all available payment billing information not included; other transaction details linked to a credit card or account and not connected to the travel transaction; travel itinerary for specific passenger name record, PNR; travel agency code share information - again, all of those details are numbered; split or divided information; travel status of passenger, including confirmation and check-in status; ticketing information, including ticket number, one-way tickets, automated ticket fare quote, all baggage information; seat information, including seat number; general remarks including other supplementary information, OSI, special services information, SSI, and special service request, SSR, information; any advance passenger information, API, data collected for reservation purposes; and all historical changes to PNR data listed in numbers.

Any of us who have done this knows it is not always necessary that the airline would collect all of this information. It is only the information that the airline collects. We do not expect that the airline would be obliged to collect all of the information outlined. Usually, it is a case of name, address, postal code if one has one and country of birth. In some countries the information might be requested internally more than externally. The information available will simply be what the airline collects as a matter of course.

Airlines collect a lot of information. We have seen recent reports of serious data protection breaches. We all know what I am talking about in that regard. In the case of a data protection breach in this context, are there mechanisms in place so that citizens can be informed or forewarned? What are they? How will someone be told if there is a data protection breach?

I can only speak from personal experience. I have never been asked for a credit card number on a transit card. Such information is not usually collected which is a protection in itself. If there is a breach then it is incumbent on the holders of the information to inform people. That said, there is a depersonalisation after 30 days and all of the sensitive information which it might have been considered necessary to keep is gone after two years and all of the information is gone after five years. Such a flushing out of the system will probably ensure that there would not be a great deal of information held at any one time. It is incumbent on the holders to inform people where the information is still held.

If all members are satisfied with that, I thank the Minister of State. We have now completed our consideration of the motion. I thank the Minister of State and her officials for their attendance before the committee today.

Thank you, Chairman.