European Union (Future Relationship) Act 2020

Schedule 2: Passenger name records data

PART 1: AMENDMENTS TO THE PNR REGULATIONS

316. Paragraph 1 outlines that the Passenger Name Record and Miscellaneous Amendments Regulations 2018 (S.I. 598/2018) ("the PNR Regulations") are amended as follows.
317. Paragraph 2 amends existing, and adds new definitions in regulation 2 of the PNR Regulations.
318. Sub-paragraph (2) inserts new definitions to align with those in the TCA.
319. Sub-paragraph (3) deletes three definitions which are no longer needed as a result of the amendments made.
320. Sub-paragraphs (4) to (8) amend existing definitions to ensure they work with the rest of the regulations as amended and to align them with the definitions used in the TCA.
321. Sub-paragraph (9) provides further clarity on the definition of the term "protecting the vital interests of persons", specifying that it includes protecting persons who are, or may be, at risk of death or serious injury and from significant threats against public health.
322. Paragraph 3 amends regulation 3 of the PNR Regulations which concerns the designation of the Passenger Information Unit ("PIU"). The PIU is responsible for collecting, storing, processing and exchanging PNR data under the Regulations.
323. Sub-paragraphs (2) and (3) provide that the PIU is able to cooperate with the PIUs of the EU Member States, Europol and Eurojust and competent authorities in third countries.
324. Sub-paragraph (5) provides that the Secretary of State may amend by regulations (subject to the negative resolution procedure) the designation of the PIU, and may do so by designating different authorities for different purposes or in relation to different parts of the UK. The Secretary of State may also make supplementary, incidental, consequential, transitional, transitory or saving provisions in connection with the designation.
325. Paragraph 4 inserts a new regulation 4A, which requires that the Secretary of State designate by direction an independent authority, to carry out specific functions under the PNR Regulations. It also provides for specific requirements in respect of the nature of that independent authority, in particular, that it acts independently of any person processing PNR data and has sufficient expertise and knowledge to carry out its functions.
326. Paragraph 5 amends regulation 5 to extend the provisions of the PNR Regulations to PNR data provided to the PIU by a PIU of an EU Member State or a third country competent authority.
327. Paragraph 6 amends regulation 6 and the purposes for which the PIU may process PNR data and aligns them with the description of processing activities in the Agreement. In particular it provides that the PIU can also process PNR data to protect the vital interests of persons, as well as to prevent, detect, investigate and prosecute terrorist offences and serious crime (sub-paragraph (4)); the conditions under which the PIU can transfer PNR data to law enforcement authorities and can process PNR data against pre-established criteria and databases (sub-paragraphs (4) and (5)); and prevents the PIU from taking decisions which have an adverse impact in an individual based only on automated processing or on the basis of a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation (sub-paragraph (6)).
328. Paragraph 7 amends regulation 7 to provide that a UK competent authority cannot further share PNR data received from the UK PIU without the permission of the PIU.
329. Paragraph 8 inserts new regulation 10, which prescribes the conditions under which the PIU may make a request for PNR data to the PIU of an EU Member State or the authorities of a third country.
330. Paragraph 9 amends regulation 11 in relation to requests for PNR data made by UK competent authorities to the PIUs of EU Member States or third country competent authorities.
331. Paragraph 10 inserts new regulations 11A and 11B, which implement the obligation in the TCA on the PIU to cooperate with the EU Member State PIUs, Europol and Eurojust. The PIU is able to cooperate and share PNR data on a proactive basis and upon request where necessary for the purposes described in regulation 6(3)(a).
332. Paragraph 11 amends regulation 12 in relation to the transfer of PNR data by the PIU to third countries to align it with new regulations 11 and 11A.
     1. Sub-paragraphs (3) to (5) amend the conditions attached to the onward transfer of non-EU PNR data, as the onward transfers of EU PNR data will be subject to different conditions.
     2. Sub-paragraph (6) outlines the additional conditions attached to the onward transfer of EU PNR data by the PIU to third countries. In particular, such transfers can only take place, subject to some exceptions, where the third country has been found to ensure an adequate level of data protection by the European Commission or it has concluded an agreement with the EU that provides for an equivalent level of protection to the TCA.
333. Paragraph 12 amends regulation to the retention and depersonalisation of PNR data to implement the requirements of the TCA in relation to EU PNR.
     1. Sub-paragraph (2) provides that the rules on data retention and depersonalisation also apply to PNR data transferred to the PIU from an EU Member State PIU.
     2. Sub-paragraph (3) differentiates the data retention period for non-EU PNR and EU PNR data. Non-EU PNR data must be retained for five years and permanently deleted at the end of that period. The retention of EU PNR is subject to new requirements; it must be permanently deleted no later than five years after the date of transfer if it is not subject to the deletion requirements in new regulation 13B.
     3. Sub-paragraph (6) provides that where data that is older than six months is masked (where certain elements that could identify a person are prevented from being viewed), that subsequent access to that data be limited to a small number of specifically authorised persons.
     4. Sub-paragraph (8) ensures that where PNR data is transferred to a UK competent authority and is used in the context of a specific case it can retain it for as long as is necessary for that case.
334. Paragraph 13 inserts new regulation 13A, which specifies additional conditions in relation to the use and transfer of EU PNR data in accordance with the requirements of the TCA. Therefore, these are different from the conditions attached to non-EU PNR.
     1. Regulation 13A(1) to (5) outlines the conditions under which EU PNR data can be used or transferred by the PIU: for the purposes of security and border control checks, for developing or verifying the accuracy of pre-determined criteria, in urgent cases; or otherwise with the permission of the independent authority.
     2. Regulation 13A(6) to (9) provides that where a person’s EU PNR data is used, that person should be notified of that use except where such a notification would be likely to jeopardise investigations.
335. Paragraph 14 inserts new regulation 13B, which specifies additional conditions in relation to the retention and deletion of EU PNR data in accordance with the requirements of the TCA. Therefore, these are different from the conditions attached to non-EU PNR.
     1. Regulation 13B(1) defines a subcategory of EU PNR data, namely "restricted EU PNR data" that is comprised of data that relates to a person who is not a UK national nor resident in the UK.
     2. Regulation 13B(2) to (4) provides that the PNR data of an individual who has departed the UK is subject to deletion when that person leaves the UK, except where on the basis of objective evidence a risk assessment identifies that the retention of that PNR data is necessary for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime.
     3. Regulation 13B(5) requires that the approach taken to the retention of EU PNR data on the basis of objective evidence by the PIU is reviewed annually by the designated independent authority.
     4. Regulation 13B(6) defines "UK national" for the purposes of this regulation.
336. Paragraph 15 amends regulation 14 to provide that the PIU must not process, and must permanently delete, any special categories of personal data that it receives.
337. Paragraph 16 amends regulation 16, which extends the application of other data protection enactments to Part 3 of the Regulations, to provide that nothing in Part 3 has the effect of disapplying the provisions of any other enactment so far as they relate to the protection of the public against threats to public health.

PART 2: INTERIM PERIOD

338. Paragraph 17 provides for the application of additional safeguards in relation to the retention and deletion of EU PNR data that is subject to deletion for an interim period. The TCA provides for this whilst the UK makes the technical adjustments necessary to transform its PNR processing systems into systems able to delete PNR data in accordance with the TCA.
     1. Sub-paragraphs (1) and (2) provide that until the commencement of paragraph 14, new regulation 13AA is inserted into the PNR Regulations which provides for this interim period.
     2. Regulation 13AA (1) to (3) replicate the provisions in regulation 13A (1) to (3) that prescribes which EU PNR data is subject to deletion and when.
     3. Regulation 13AA (4) and (5) provides that during the interim period, PNR data that is subject to deletion should be accessible only to a limited number of authorised persons, can only be accessed by them for the purpose of determining whether it is subject to deletion, and that such data should be deleted as soon as possible once the UK’s PNR systems are technically capable of doing so.
     4. Regulation 13AA (6) to (9) provides that any requests to use PNR data that is subject to deletion should be refused and outlines the specific details required to be recorded in respect of the request and its refusal.
     5. Regulation 13AA (10) and (11) outline the nature of the authorised persons responsible for accessing PNR data that is subject to deletion and that the number of authorised persons should be limited.
     6. Regulation 13AA(12) defines "UK national" for the purposes of this regulation.
     7. Sub-paragraph (4) to (6) provide for additional modifications to the PNR Regulations in order to ensure the PNR Regulations continue to operate effectively during the interim period when regulation 13AA is in force.

PART 3: POWER TO AMEND PNR REGULATIONS FOR SEA AND RAIL TRAVEL

339. Paragraph 18 provides that the Secretary of State may by regulations make provision, including by amending the PNR Regulations, for the implementation of a new agreement between the UK and the EU or an EU Member State. Such an agreement must modify the TCA by extending its provision to PNR data provided by sea and rail operators, or make provision in respect of such PNR data that correspond to the provisions of the TCA.