Original Language Title: Délibération n° 2014-308 du 17 juillet 2014 portant avis sur un projet de décret relatif à la création d'un traitement de données à caractère personnel dénommé « système API-PNR France » pris pour l'application de l'article L. 232-7 du ...

JORF No. 0225 of 28 September 2014, text No. 51



Deliberation No. 2014-308 of 17 July 2014 giving an opinion on a draft decree on the creation of a personal data processing operation called the "API-PNR France system", adopted for the application of Article L. 232-7 of the Internal Security Code and laying down the procedures for the transmission of passenger data by air carriers to the service with national competence "Passenger Information Unit" (request for opinion No. 14014804)

NOR: CNIX1422897X ELI: Not available


The Commission nationale de l'informatique et des libertés (CNIL),
Having been seized by the Minister of the Interior of a request for an opinion on a draft decree establishing the processing of personal data known as the "API-PNR France system" for the application of Article L. 232-7 of the Internal Security Code and laying down the procedures for the transmission of passenger data by air carriers to the service with national competence "Passenger Information Unit";
Having regard to Convention 108 of the Council of Europe for the protection of individuals with regard to automatic processing of personal data;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
Having regard to Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data;
Having regard to the Code of Criminal Procedure, in particular Articles 695-23 and 706-23;
Having regard to the Internal Security Code, in particular Article L. 232-7;
Having regard to Law No. 78-17 of 6 January 1978 as amended on information technology, files and civil liberties, in particular Article 26;
Having regard to Law No. 2013-1168 of 18 December 2013 on military programming for the years 2014 to 2019 and laying down various provisions concerning defence and national security;
Having regard to Decree No. 2005-1309 of 20 October 2005 as amended, adopted for the application of Law No. 78-17 of 6 January 1978 on information technology, files and civil liberties;
After hearing Mr Jean-François CARREZ, Commissioner, in his report, and Mr Jean-Alexandre SILVY, Government Commissioner, in his observations,
Issues the following opinion:
The Minister of the Interior has requested the Commission's opinion on a draft decree establishing the processing of personal data known as the "API-PNR France system" and laying down the procedures for the transmission of passenger data by air carriers to the service with national competence "Passenger Information Unit".
This draft decree is adopted pursuant to Article L. 232-7 of the Internal Security Code, created by Law No. 2013-1168 of 18 December 2013 cited above, on which the Commission gave its opinion in its deliberation No. 2013-219 of 18 July 2013.
Article L. 232-7 of the Internal Security Code permits the implementation of automated processing of personal data for the prevention and detection of acts of terrorism, of the offences referred to in Article 695-23 of the Code of Criminal Procedure and of attacks on the fundamental interests of the Nation, for the gathering of evidence of these offences and for the identification of their perpetrators.
That article provides that a decree in the Council of State, adopted after the opinion of the Commission nationale de l'informatique et des libertés, shall determine its conditions of application. That is the purpose of this draft decree. Given the purposes pursued by the intended processing, the provisions of Article 26 of the amended Law of 6 January 1978 also apply; they make the creation of such processing subject to a regulatory act adopted after a reasoned and published opinion of the Commission.
On the creation of new experimental processing of API and PNR data:
At the outset, the Commission notes that the "API-PNR France system" will cover all airlines and all passengers on flights to and from the national territory, with the exception of flights between two points in metropolitan France. Nearly 100 million people a year are thus affected by the planned processing.
Moreover, the implementation of this system requires the collection of a very large volume of data, namely the reservation data ("Passenger Name Record", PNR) and the check-in and boarding data ("Advance Passenger Information", API) of all air passengers. These data are initially collected by air carriers, most of them private companies, for purely commercial purposes, and their accuracy, completeness and currency are of uncertain reliability.
In addition, the proposed processing will make it possible to cross-check the collected data against other judicial and administrative police files relating to wanted or monitored persons or objects. It will also allow new ways of exploiting these data to be tested. It will thus be possible to determine whether a person or an object, given the characteristics of its movements, presents a particular risk in relation to the purposes listed in Article L. 232-7 of the Internal Security Code and must therefore be subject to specific measures. The exploitation of API and PNR data will allow individuals to be targeted through various pre-established criteria and ranked on a risk scale by means of a scoring tool.
Finally, these capabilities will be offered to a very large number of services, both those with judicial or administrative police powers and all the specialised intelligence services.
Given the scale of this processing, in terms of the number of data subjects, the volume of data collected, the large number of persons likely to have access to the data and the new conditions under which the data will be exploited, the Commission considers that the proposed processing is likely to interfere particularly seriously with the right to privacy and to the protection of personal data.
Such interference can only be accepted if it proves strictly necessary for the purpose pursued and is accompanied by sufficient guarantees as to compliance with the fundamental principles of the right to the protection of personal data. The Commission considers that appropriate legal and technical measures must be provided in order to ensure a high level of data protection.
In this regard, it notes that the specific legislative provisions introduced by the Law of 18 December 2013 cited above, together with the regulatory provisions of this decree, constitute a first guarantee framing the risks of interference with privacy and data protection. It also notes that additional guarantees have been provided by the Ministry of the Interior as regards the arrangements for data collection and processing (no processing of so-called sensitive data, masking of data after two years, recipients limited according to their missions, secure technical environment), the arrangements for data exploitation (selection of certain FPR records for screening) and the security and traceability measures implemented.
Moreover, the experimental nature of the proposed processing, expressly provided for by the legislator, does not in any way prejudge whether the "API-PNR France" system will be made permanent.
While the Commission takes note of these guarantees, it is necessary to ensure that they are effective and appropriate. This experiment must therefore be rigorously evaluated before any decision is taken on maintaining the processing. The Commission requests that an evaluation report on the scheme be sent to it and that the draft decree expressly provide for this. It considers that this evaluation report should focus in particular on verifying the effectiveness of the guarantees provided and should therefore, at a minimum, contain:


- figures on the number of data collected, the number of persons concerned, the number of requests received by the Passenger Information Unit, etc.;
- figures on the number of requests to lift the masking applied to the data concerned and the number of unmaskings actually carried out;
- figures on the requests for direct viewing made by the competent services;
- a description of the conditions of the technical and operational implementation of the processing;
- a precise description of the various interconnections of the "API-PNR France" system with other processing operations and the arrangements for implementing them;
- general conclusions on the operation of the processing and any difficulties encountered, both legal and technical.


In any event, in view of the particularly serious risks to privacy and to compliance with the fundamental principles of personal data protection, the Commission will pay particular attention to the actual conditions under which this processing is implemented and will not hesitate, where appropriate, to use the supervisory powers conferred on it by Article 44 of the Law of 6 January 1978 as amended.
On the purposes of the processing:
The draft decree refers to the purposes set out in Article L. 232-7 of the Internal Security Code, namely the prevention and detection of acts of terrorism, of the offences referred to in Article 695-23 of the Code of Criminal Procedure and of attacks on the fundamental interests of the Nation.
The purpose of the draft decree is to allow the collection of the API and PNR data of air passengers to meet the needs of the operational services of the national police, the national gendarmerie and customs, as well as of the specialised intelligence services (Directorate-General for Internal Security, Directorate-General for External Security, Directorate for the Protection and Security of Defence, Directorate of Military Intelligence, the national service TRACFIN and the National Directorate of Intelligence and Customs Investigations).
The Commission notes that this scheme covers both administrative and judicial purposes and that the offences allowing the processing to be consulted are very numerous. While it is not for the Commission to rule on this point, since these purposes have been laid down by the legislator, it stresses the importance of putting in place appropriate safeguards to preserve rights and freedoms.
In the light of these elements, the Commission considers that the purposes pursued are specified, explicit and legitimate, in accordance with Article 6-2° of the Law of 6 January 1978 as amended.
On the data processed and their exploitation:
Article L. 232-7-II of the Internal Security Code authorises the processing of check-in data relating to passengers on flights to and from the national territory, with the exception of flights between two points in metropolitan France, referred to in Article L. 232-4 of the same Code, as well as passenger data recorded in the reservation systems of air carriers.
Article R. 232-14 of that Code, as provided for by the draft decree, specifies the categories of personal data and information recorded in the intended processing.
The Commission notes at the outset that no sensitive data within the meaning of Article 8 of the amended Law of 6 January 1978 will be collected as part of the proposed processing, in accordance with the provisions of Article L. 232-7-I of the Internal Security Code. It takes note of the filtering measures put in place to ensure that such data are not integrated into the API/PNR processing should they nevertheless be transmitted by air carriers. These measures rely on a "blacklist" of the data fields identified as sensitive. The list, which will be updated whenever the reference data on which it is based evolves, identifies the fields liable to contain such data, and the system automatically filters all collected data against it, so that these fields are never accessible.
Given the sensitivity of this information and the legal prohibition on processing it within the proposed system, the effectiveness of the guarantees implemented will have to be ensured. The evaluation report should therefore address this point.
The first category of data collected is the reservation data (PNR) provided by travellers at the commercial booking stage. These are mainly data relating to the identity of air passengers (nationality, surname, first name, date of birth), the itinerary, the number and names of the other passengers included in the Passenger Name Record and other information about the passenger (seat number, baggage information, means of payment, etc.).
The second category of data collected is the check-in and boarding data (API) held in the information systems of airlines or airport operators. The list set out in draft Article R. 232-14 of the Internal Security Code corresponds to that provided for in Article 3(2) of Directive 2004/82/EC of 29 April 2004, which establishes the minimum set of data that carriers must transmit to the competent authorities.
These are mainly data relating to the identity of air passengers (nationality, surname, first name, date of birth, sex), to the travel document used (type, number), to the flight taken (flight number, border crossing point, code of transport, date of flight, times and points of departure and arrival, points of embarkation and disembarkation, total number of persons carried) and other information about the passenger (status on board, seat number, PNR locator, number, weight and identification of baggage).
All these data are transmitted by the airlines to the Passenger Information Unit (IPU), which is responsible for collecting, exploiting and transmitting them to the requesting services. This inter-ministerial service with national competence will be attached to the Minister responsible for customs and will be the subject of a specific decree.
The services concerned have a twofold interest in collecting such a large number of data: on the one hand, to check whether a person or, where applicable, an object about to be checked in on a flight departing from or arriving in the territory is wanted and, on the other hand, to determine whether a passenger, in view of his or her travel habits, presents a particular risk in relation to the purposes listed in Article L. 232-7 of the Internal Security Code.
First, the proposed system must allow the Unit, on each receipt of API and PNR data, to compare them automatically and systematically with certain files relating to wanted or monitored persons or objects (FPR, FOVeS, SIS II, SILCF and the Interpol ASF-SLTD database). This screening function runs automatically when new data flows arrive from the airlines. The purpose of these interconnections is to determine whether persons or objects recorded in these files appear on a flight covered by the processing.
The Commission notes that various guarantees have been provided for this use of the data recorded in the processing. The Ministry has selected only those FPR records that are consistent with the threshold of seriousness of the offences expressly laid down by Article L. 232-7 of the Internal Security Code as a condition for processing API and PNR data. Passengers' API and PNR data will therefore not be screened against all FPR records, but only against those compatible with that condition. In the event of a positive match ("hit"), the result is provided both to the service that entered the record in the FPR and to the general police service at the airport used by the passenger, together with a copy of the search or surveillance record concerned. The Commission takes note that the other files with which the API/PNR system will be cross-checked will undergo the same selection work. In addition, the records of these files are not stored in the "API-PNR" system: only the existence or absence of a hit (record number, record type and action to be taken) at the dates and times considered is recorded in the processing, as the draft decree expressly provides.
Finally, in order to improve the reliability of the system and to protect privacy and the right to the protection of personal data as far as possible, the Ministry is implementing software for managing homonyms, with a decision-support tool (a scoring tool) allowing the IPU to resolve doubts by ranking individuals according to the score obtained, thereby reducing the risk of false positives. A whitelist of the identities of persons wrongly checked is also maintained, to reduce malfunctions due to homonyms and to indicate that such a person is not the subject of a search.
Second, the exploitation of API and PNR data will lead to the implementation of various techniques for targeting individuals (precision targeting, customised targeting, mass targeting, multi-criteria searches and direct viewing). These methods of exploitation will be implemented only on the specific request of a competent authority, will be based on objective criteria and will not all be available to all the services mentioned in the draft decree.
These functions make it possible, among other things, to define a level of risk on the basis of objective criteria and then to apply it to one or more persons in order to detect behaviour deemed "at risk" in the light of the purposes laid down in Article L. 232-7 of the Internal Security Code. They also allow one or more persons or objects to be flagged on the basis of elements gathered by the requesting services. Finally, under certain conditions, they allow agents of the Directorates-General for External and Internal Security alone to view the collected data directly.
Pursuant to Article 10 of the Law of 6 January 1978, the Commission recalls that no decision producing legal effects in respect of a person may be taken solely on the basis of automated processing of data intended to define that person's profile. It must therefore be ensured that the profiling produced by these decision-support tools does not automatically lead to a decision being taken against the persons concerned by the processing.
In this regard, the Commission notes that human, manual checks are carried out by the Unit when it receives a request and then by the recipients, who decide on the action to be taken and may, where appropriate, carry out any additional checks they consider necessary. Furthermore, the replies provided to these services will not systematically lead to a specific action being taken.
It therefore considers that the data processed are adequate, relevant and not excessive in relation to the purposes for which they are collected, in accordance with Article 6-3° of the Law of 6 January 1978 as amended.
On the duration of data retention:
Article L. 232-7 of the Internal Security Code provides that the data may be retained for a maximum of five years. The draft decree complies with this duration, which is also consistent with the duration laid down in the draft European directive on the use of PNR data.
Thus, Article R. 232-16 of the same Code, as provided for by the draft decree, states that the personal data and information recorded in the processing are retained for five years from their receipt in the system. The Commission points out, however, that these data may in no case be retained for that period unless the proposed system is made permanent and the legislative provisions extended; failing that, they will have to be destroyed.
Data liable to reveal the identity of passengers are subject to an additional guarantee: a masking process applied on expiry of a period of two years from their collection. Thus, should these data appear in the results of a request, they will be visible neither to the IPU nor to the services that made the request. To access them, a reasoned request must be made to the IPU, whose director must expressly authorise the lifting of the masking.
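As an added illustration (not code from the API-PNR France system or from the Ministry), the following Python sketch implements the two data-minimisation controls this opinion describes: the blacklist that strips fields identified as sensitive at ingestion (see the section on the data processed above) and the masking of identity data two years after receipt, lifted only on a reasoned request authorised by the IPU director, with every view written to an audit trace that is itself subject to a retention period. The field names, the director role label and the sample records are assumptions made for the example.

```python
# Added illustration; not the API-PNR France system's code. Field names, the
# role label and the sample records below are hypothetical.
from copy import deepcopy
from datetime import datetime, timedelta, timezone

# Hypothetical blacklist: fields that the reference data says may carry sensitive
# data (a meal code can reveal religion, a medical assistance code reveals health).
SENSITIVE_FIELDS = frozenset({"ssr_meal", "ssr_medical", "osi_remarks"})
# Fields liable to reveal a passenger's identity; masked two years after receipt.
IDENTITY_FIELDS = frozenset({"surname", "given_names", "date_of_birth", "document_number"})
MASKING_DELAY = timedelta(days=2 * 365)
LOG_RETENTION = timedelta(days=5 * 365)
MASK = "***"
DIRECTOR_ROLE = "IPU_DIRECTOR"  # hypothetical role label


def filter_sensitive(obj, blacklist=SENSITIVE_FIELDS):
    """Return a copy of obj with every blacklisted field dropped, at any depth.
    Run at ingestion, before storage, so these fields never enter the system."""
    if isinstance(obj, dict):
        return {k: filter_sensitive(v, blacklist) for k, v in obj.items() if k not in blacklist}
    if isinstance(obj, list):
        return [filter_sensitive(v, blacklist) for v in obj]
    return obj


def check_unmask_authorisation(auth):
    """Raise PermissionError unless auth is a reasoned request approved by the director."""
    if not auth.get("reason", "").strip():
        raise PermissionError("unmasking requires a reasoned request")
    if auth.get("approved_by_role") != DIRECTOR_ROLE:
        raise PermissionError("unmasking must be authorised by the IPU director")


def view_record(record, now, requester, log, unmask_auth=None):
    """Return what `requester` may see of `record` at time `now`.

    Identity fields are replaced by MASK once the record is older than
    MASKING_DELAY, unless a valid unmasking authorisation is supplied.
    Every successful view, masked or not, is appended to `log` (the audit trace).
    """
    received = datetime.fromisoformat(record["received_at"])
    masked = now - received >= MASKING_DELAY
    if masked and unmask_auth is not None:
        check_unmask_authorisation(unmask_auth)  # raises on an invalid request
        masked = False
    out = deepcopy(record)  # never mutate the stored record
    if masked:
        for field in IDENTITY_FIELDS.intersection(out):
            out[field] = MASK
    log.append({
        "at": now.isoformat(),
        "requester": requester,
        "record": record["pnr_locator"],
        "action": "view_masked" if masked else "view",
        "reason": (unmask_auth or {}).get("reason"),
    })
    return out


def purge_log(log, now):
    """Return only the trace entries still within the five-year retention period."""
    return [e for e in log if now - datetime.fromisoformat(e["at"]) < LOG_RETENTION]


# Constructed sample records (not real passenger data).
SAMPLE_RECORDS = [
    {"pnr_locator": "ABC123", "received_at": "2012-03-01T10:00:00+00:00",
     "surname": "DOE", "given_names": "JANE", "date_of_birth": "1980-05-04",
     "ssr_meal": "KSML",
     "segments": [{"flight": "XX123", "osi_remarks": "wheelchair requested"}]},
    {"pnr_locator": "DEF456", "received_at": "2014-06-01T08:30:00+00:00",
     "surname": "ROE", "given_names": "RICHARD", "date_of_birth": "1975-11-30",
     "segments": [{"flight": "XX456"}]},
]


def run_demo():
    """Exercise the controls on the sample records and return the results."""
    now = datetime(2014, 7, 17, tzinfo=timezone.utc)
    store = [filter_sensitive(r) for r in SAMPLE_RECORDS]  # ingestion filter
    log = []
    masked_old = view_record(store[0], now, "service_A", log)   # > 2 years old
    clear_new = view_record(store[1], now, "service_A", log)    # recent record
    try:  # an unreasoned request must not lift the masking
        view_record(store[0], now, "service_A", log, unmask_auth={"reason": ""})
        refused = False
    except PermissionError:
        refused = True
    auth = {"reason": "hit on flight XX123, identity check needed",
            "approved_by_role": DIRECTOR_ROLE}
    unmasked = view_record(store[0], now, "service_A", log, unmask_auth=auth)
    return {"store": store, "masked_old": masked_old, "clear_new": clear_new,
            "refused_without_authorisation": refused, "unmasked": unmasked,
            "log": log, "log_retained": len(purge_log(log, now))}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The filter runs on the structure, not on values, which is what a field blacklist can do: it removes the fields that may carry sensitive data wherever they appear, but it cannot detect sensitive content typed into a field that the reference data does not flag, which is why the opinion asks the evaluation report to check the effectiveness of this guarantee.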
In view of these elements, the Commission considers that the data collected are retained for a period not exceeding that necessary for the purposes for which they are collected and processed, in accordance with Article 6-5° of the Law of 6 January 1978 as amended.
On the recipients of the data:
Article R. 232-15 of the Internal Security Code, as provided for by the draft decree, lists the categories of persons entitled to make requests to the IPU and to receive the corresponding replies. They are categorised according to the distinct purposes laid down in Article L. 232-7 of that Code and include, in particular, the specialised intelligence services, the services with judicial competence, the services with administrative competence and the services competent in airport matters.
First, the Commission notes that only staff assigned to the IPU will have direct access to the personal data, as the draft decree expressly states. The number of persons with direct access to the data is therefore small. Moreover, the checks carried out by this Unit when exploiting the data (resolution of doubts through manual checks, waiting period, whitelist) are an important filter reducing the risk of interference with privacy and with the protection of personal data.
Nevertheless, the Commission notes that specially authorised officers of the Directorates-General for Internal and External Security alone will be able to view the data collected in the "API-PNR France" system directly, and only in the event of a serious threat, of proven urgency and for the sole purpose of preventing acts of terrorism and attacks on the fundamental interests of the Nation, as the draft decree expressly provides.
Second, depending on the grounds of the request, a distinction is drawn between agents of the services entitled to make requests to the IPU and to receive the corresponding replies, and those who may not make any request but are entitled to receive certain data for an operational purpose (intervention at airports).
In practice, requests by agents of the services concerned will be made through a virtual workspace, after prior authentication with their agent card. This workspace will contain the results made available by the IPU as well as a number of activity indicators.
In addition, the type of request that may be made is specific to each service and determines the data exploitation procedures to which the officers have access.
In this regard, the Commission notes that the headquarters of the Central Directorate of the Judicial Police and of the Regional Directorate of the Judicial Police of Paris may be required to make requests for the prevention and detection of acts of terrorism, the gathering of evidence of such acts and the identification of their perpetrators. On this point, the Ministry has specified that such requests are conditional on the existence of special circumstances linked to emergency or crisis situations. The Commission invites the Ministry to state this expressly in the draft decree.
Finally, it takes note that there is no plan to establish specific international exchanges of the data collected that would go beyond the instruments and agreements already in force in the field of police and customs cooperation, and that the IPUs of the Member States of the European Union will not be networked.
The Commission considers that the purposes of the processing justify that all the recipients listed by the draft decree may have access to the data collected within the scope of their respective missions and authorisations, and that the detailed rules on their access to the data constitute an additional guarantee in view of the large number of recipients.
On the information of data subjects:
Article L. 232-7 of the Internal Security Code expressly requires air carriers to inform the persons concerned.
In order to comply with the requirements of Article 6-1° of the amended Law of 6 January 1978 on the lawful and fair collection of data, the Ministry must therefore ensure that the persons concerned are informed by the air carriers. Passengers must thus be effectively informed of the collection and processing of their data in a language they understand. In addition, the Commission recalls that this information must be clear, complete and instructive, since it determines the exercise of the rights of the persons concerned by the processing.
The Commission notes that, beyond the information provided by the air carriers, information will also be provided by the Government through a public website, covering the transmission of API and PNR data to the IPU, the purposes for which these data are exploited, the retention period and the procedures for exercising the rights of data subjects.
This will provide an additional guarantee ensuring, on the one hand, the protection of the personal data of the persons concerned by the processing and, on the other hand, the legitimacy of the implementation of the proposed system. Given the pressing need to ensure that the persons concerned by the processing are informed, the Commission will pay particular attention to the actual arrangements for providing this information.
On the rights of access, rectification and objection:
The right of objection provided for in Article 38 of the Law of 6 January 1978 as amended does not apply to the proposed processing. In view of the purposes of the processing, this point calls for no particular comment from the Commission.
The draft decree provides for a mixed regime for the right of access to the data recorded in the processing. Thus, for the "known" or "unknown" status in the FPR, SIS II, FOVeS, SILCF and the Interpol database, these rights are exercised indirectly, through the Commission nationale de l'informatique et des libertés, in accordance with Article 41 of the Law of 6 January 1978 as amended.
Pursuant to the last paragraph of the same Article, the rights of access and rectification for the other data recorded in the "API-PNR France" system are exercised directly with the Director of the IPU or his or her deputy.
While the Commission can only welcome this additional guarantee, it nevertheless recalls that all the elements mentioned in Article 39 of the amended Law of 6 January 1978, and in particular Article 39-I-5° (information making it possible to understand the logic underlying the processing), must be communicated to any person who so requests.
On data security and the traceability of actions:
The security measures described and provided for by the controller comply with the security obligation laid down in Article 34 of the amended Law of 6 January 1978.
In particular, the Ministry has implemented automatic backup of every file received and loaded into the database. These backups are signed and timestamped. An acknowledgement of receipt is sent to the airline that issued the file; it allows the integrity of the information received by the Ministry to be verified using a user-friendly verification tool that the Ministry provides. The confidentiality of the backups is ensured primarily by physical security measures.
Mechanisms and procedures are provided for the prevention, detection and analysis of, and response to, incidents.
All data flows are encrypted and use mutual authentication mechanisms, with the exception of a fallback channel that allows suppliers to send their data.
Network segmentation, role-based profiles and systematic, detailed traceability mechanisms covering every action, including those of administrators, limit the risk of access beyond what an agent needs to know. The system is administered by two teams of administrators reporting to separate hierarchies, which facilitates mutual control. Anomaly detection triggers an alert.
Authorised recipients and agents are authenticated by agent card, which provides strong authentication, while suppliers are authenticated by a hardware certificate on the one hand and by an identifier and password delivered through two separate channels on the other.
Mechanisms and procedures are implemented to ensure that no residual information remains on equipment that is decommissioned.
As regards traceability, the Commission notes that future Article R. 232-17 of the Internal Security Code, as provided for by the draft decree, requires systematic and detailed logging of all operations (consultation, creation and modification) on the processing; the logs are retained for five years.
Finally, the Commission nevertheless recalls that the security obligation laid down in Article 34 of the amended Law of 6 January 1978, which falls on the controller, requires the security measures to be updated on the basis of a regular reassessment of the risks. In particular, it stresses the importance of periodically re-evaluating the measures relating to the tools used in the proposed processing, which rely on criteria that must be changed over time to keep pace with changes in criminal behaviour.


The President,

I. Falque-Pierrotin

