European Union (Future Relationship) Act 2020

PART 1Amendments to the PNR regulations

1The PNR regulations are amended as follows.

2(1)Regulation 2 (interpretation) is amended as follows.

(2)Insert the following definitions at the appropriate places in paragraph (1)—

• ““the Agreement” means the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part, as it has effect on the relevant day (as amended or supplemented from time to time on or before its coming into force);”;”;

• ““air carrier” means the owner or agent of an aircraft operating passenger services to or from the United Kingdom;”;

• ““the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);”;

• ““designated independent authority” means the person for the time being designated under regulation 4A by a direction given by the Secretary of State;”;

• ““EU PIU” means an authority based in a member State which has been notified to the United Kingdom under the Agreement as the passenger information unit for that member State;”;

• ““EU PNR data” means PNR data—

  (a)

  relating to an aircraft arriving, or expected to arrive, in the United Kingdom from or by way of a member State,

  (b)

  relating to an aircraft leaving, or expected to leave, the United Kingdom to travel to or by way of a member State,

  (c)

  stored in a member State by an air carrier,

  (d)

  stored by an air carrier incorporated in a member State, or

  (e)

  received by the PIU from an EU PIU;”;

• ““EU PNR information” means EU PNR data, the result of processing EU PNR data or analytical information containing EU PNR data;”;

• ““Eurojust” means the European Union Agency for Criminal Justice Cooperation as established by Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust) and replacing and repealing Council Decision 2002/187/JHA (as it has effect in EU law as amended from time to time);”;

• ““European Commission” means the Commission of the European Union;”;

• ““Europol” means the European Union Agency for Law Enforcement Cooperation as established by Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (as it has effect in EU law as amended from time to time);”;

• ““PNR information” means PNR data, the result of processing PNR data or analytical information containing PNR data;”;

• ““relevant day”, in relation to the Agreement or any aspect of it, means—

  (a)

  so far as the Agreement or aspect concerned is provisionally applied before it comes into force, the time and day from which the provisional application applies, and

  (b)

  so far as the Agreement or aspect concerned is not provisionally applied before it comes into force, the time and day when it comes into force;”;

• ““third country competent authority” means an authority based in a third country that is competent for—

  (a)

  the prevention, detection, investigation or prosecution of terrorist offences or serious crime, or

  (b)

  protecting the vital interests of persons;”.

(3)Omit the following definitions—

• “data subject”;

• “non-UK competent authority”;

• “the Passenger Name Record Directive”.

(4)In the definition of “processing”—

(a)for “PNR data” substitute “PNR information”;

(b)for “that data” substitute “that information”.

(5)For the definition of “serious crime” substitute—

• ““serious crime” means conduct which constitutes an offence in any part of the United Kingdom for which the maximum term of imprisonment (in the case of a person aged 21 or over) is at least 3 years (or would constitute such an offence in any part of the United Kingdom if committed there);”.

(6)In the definition of “third country”—

(a)before “the United Kingdom” insert “—

(b)at the end insert “, or

(7)For the definition of “terrorist offences” substitute—

• ““terrorist offences” means the offences listed in Annex LAW-7 to the Agreement;”.

(8)In the definition of “UK competent authority”—

(a)after “competent for” insert “—

(b)at the end insert “, or

(9)After paragraph (1) insert—

“(1A)References in these Regulations to protecting the vital interests of persons include protecting persons—

(a)who are, or may be, at risk of death or serious injury, or

(b)from significant threats to public health.”

3(1)Regulation 3 (designation of passenger information unit) is amended as follows.

(2)In paragraph (2)(c)—

(a)for “PNR data or the result of processing that data” substitute “PNR information”;

(b)at the end insert “, Europol or Eurojust”.

(3)After paragraph (2)(c) insert—

“(ca)where appropriate, exchanging PNR information with an EU PIU;”.

(4)In paragraph (2)(d)—

(a)for “PNR data and the result of processing that data” substitute “PNR information”;

(b)for “non-UK” substitute “third country”.

(5)After paragraph (2) insert—

“(3)The Secretary of State may by regulations amend paragraph (1) so as to designate a different authority as the PIU.

(4)The power in paragraph (3) is exercisable by statutory instrument and includes power—

(a)to designate different authorities for different purposes or in relation to different areas;

(b)to make supplementary, incidental, consequential, transitional, transitory or saving provision.

(5)Where regulations under paragraph (3) designate more than one authority as the PIU, the provision that may be made by virtue of paragraph (4)(b) includes, in particular, provision amending these Regulations to make provision for the transfer of PNR information from one authority so designated to another.

(6)A statutory instrument containing regulations under paragraph (3) is subject to annulment in pursuance of a resolution of either House of Parliament.”

4After regulation 4 insert—

“4ADesignated independent authority

(1)The Secretary of State must by direction designate a person as the designated independent authority in relation to the PIU.

(2)The person for the time being designated must be a person in relation to whom the Secretary of State is satisfied that the requirements of paragraph (3) are met.

(3)Those requirements are that the person—

(a)does not carry out relevant PNR data processing,

(b)acts independently of any person carrying out relevant PNR data processing, and

(c)has sufficient expertise and knowledge and has had appropriate training to exercise the functions of the designated independent authority under these Regulations.

(4)In paragraph (3), relevant PNR data processing is processing of PNR data otherwise than in exercise of the functions of the designated independent authority under these Regulations.

(5)The PIU must make EU PNR data available to the designated independent authority for the purposes of the authority’s functions under these Regulations.

(6)The designated independent authority may process EU PNR data for the purposes of exercising the authority’s functions under these Regulations.”

5(1)Regulation 5 (scope) is amended as follows.

(2)The existing text becomes paragraph (1).

(3)After that paragraph insert—

“(2)This Part also applies in respect of PNR information provided to the PIU by an EU PIU or a third country competent authority.”

6(1)Regulation 6 (processing of PNR data by the PIU) is amended as follows.

(2)In paragraph (1)—

(a)for “5” substitute “5(1)”;

(b)omit “personal”;

(c)omit “immediately”.

(3)In paragraph (2), at the end insert “, subject to regulation 4A (6)”.

(4)For paragraphs (3) and (4) substitute—

“(3)The purposes are—

(a)preventing, detecting, investigating and prosecuting terrorist offences or serious crime, and

(b)protecting the vital interests of persons.

(4)Where the PIU compares PNR data against a database, the PIU must ensure that the database is—

(a)reliable and up to date, and

(b)used for a purpose described in paragraph (3).”

(5)In paragraph (5)—

(a)at the beginning insert “Where the PIU processes PNR data against pre-determined criteria,”;

(b)omit “referred to in paragraph (4)(b)”;

(c)in sub-paragraph (a), at the beginning insert “reliable,”.

(6)After paragraph (5) insert—

“(5A)The PIU must not take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person—

(a)only by reason of the automated processing of PNR data, or

(b)on the basis of any of the matters described in paragraph (5)(c) in relation to that person.”

(7)Omit paragraphs (6) to (8).

(8)In paragraph (9)—

(a)for “PNR data or the result of processing that data” substitute “PNR information”;

(b)for the words from “otherwise” to the end substitute “except where it does so on a case by case basis where it is satisfied that—

“(a)it is necessary to transfer that PNR information for a purpose described in paragraph (3); and

(b)the UK competent authority has arrangements in place for the protection of personal data that are equivalent to the arrangements for the protection of personal data required of the PIU under these Regulations.”

7(1)Regulation 7 (processing of PNR data by a UK competent authority) is amended as follows.

(2)In paragraph (1)(a)—

(a)for “PNR data or the result of processing that data” substitute “PNR information”;

(b)for the words from “the prevention” to “crime” substitute “a purpose described in regulation 6(3)”.

(3)In paragraph (2)—

(a)after “functions” insert “—

(a)”;

(b)at the end insert “, or

(b)in relation to public health.”

(4)After paragraph (2) insert—

“(3)Where the PIU transfers PNR information under regulation 6(9), the UK competent authority must not transfer the PNR information to another person without the consent of the PIU.”

8Before regulation 11 insert—

“10Requests for PNR data made by the PIU

(1)Any request made by the PIU to an EU PIU for PNR information must be—

(a)made only for the purpose described in regulation 6(3)(a),

(b)made in respect of a specific case, and

(c)duly reasoned.

(2)Any request made by the PIU to a third country competent authority for PNR information must be—

(a)made only for a purpose described in regulation 6(3),

(b)made in respect of a specific case, and

(c)duly reasoned.”

9(1)Regulation 11 (requests for PNR data made by a UK competent authority) is amended as follows.

(2)In the heading omit “to a non-UK competent authority”.

(3)In paragraph (1)—

(a)for “PNR data” substitute “PNR information”;

(b)for “a non-UK competent authority” substitute “an EU PIU or a third country competent authority”;

(c)omit “UK’s”.

(4)In paragraph (2)—

(a)for “PNR data” substitute “PNR information”;

(b)for “non-UK” substitute “third country”.

10After regulation 11 insert—

“11ATransfers of PNR data to an EU PIU

(1)The PIU must transfer PNR information to an EU PIU in a specific case, as soon as possible, where—

(a)the EU PIU has made a duly reasoned request for the PNR information, and

(b)the PIU is satisfied that it is necessary to transfer that PNR information for the purpose described in regulation 6(3)(a).

(2)The PIU must transfer analytical information containing PNR data to an EU PIU in a specific case, as soon as possible, where the PIU considers that it is necessary to transfer that analytical information for the purpose described in regulation 6(3)(a).

11BTransfers of PNR data to Europol and Eurojust

(1)The PIU must transfer PNR information to Europol or Eurojust in a specific case, as soon as possible, where—

(a)Europol or Eurojust has made a duly reasoned request for the PNR information, and

(b)the PIU is satisfied that it is necessary to transfer that PNR information for the purpose described in regulation 6(3)(a).

(2)The PIU must transfer analytical information containing PNR data to Europol or Eurojust in a specific case, as soon as possible, where the PIU considers that it is necessary to transfer that analytical information for the purpose described in regulation 6(3)(a).”

11(1)Regulation 12 (transfers of PNR data to third country competent authorities) is amended as follows.

(2)In the heading—

(a)after “PNR” insert “data”;

(b)for “non-UK” substitute “third country”.

(3)For paragraph (1) substitute—

“(1)Paragraphs (1A) to (2A) apply to PNR information that is not EU PNR information.

(1A)The PIU must not transfer that PNR information to a third country competent authority except where it does so on a case by case basis where paragraph (2) or (2A) applies.”

(4)In paragraph (2)—

(a)for “The first condition is that” substitute “This paragraph applies where”;

(b)in sub-paragraph (b) for the words from “the prevention” to “crime” substitute “a purpose described in regulation 6(3)”;

(c)for “the data” substitute “the information”;

(d)in sub-paragraph (c) for “non-UK”, in both places it occurs, substitute “third country”.

(5)In paragraph (2A)—

(a)for “The second condition is that” substitute “This paragraph applies where”;

(b)omit sub-paragraph (a);

(c)for the words from “the prevention” to the end substitute “a purpose described in regulation 6(3)”.

(6)After paragraph (2A) insert—

“(2B)The PIU must not transfer EU PNR information to a third country competent authority except where it does so on a case by case basis where—

(a)paragraph (2C) applies and the PIU is satisfied that it is necessary to transfer the EU PNR information for a purpose described in regulation 6(3), or

(b)paragraph (2D) applies.

(2C)This paragraph applies where—

(a)there is an agreement in force between the third country and the EU that provides for a level of protection of personal data that is equivalent to the level of protection required under the Agreement, or

(b)the European Commission has decided that the third country ensures an adequate level of protection of personal data, and that decision has not been repealed or suspended, or amended in a way that demonstrates that the Commission no longer considers there to be an adequate level of protection of personal data.

(2D)This paragraph applies where—

(a)the PIU considers that it is necessary to transfer the EU PNR information—

(i)for the prevention or investigation of an immediate and serious threat to public security, or

(ii)to protect the vital interests of persons, and

(b)the third country competent authority provides a written confirmation to the PIU that the EU PNR information will be subject to a level of protection that is equivalent to the level of protection under these Regulations and the data protection legislation.

(2E)Where the PIU transfers EU PNR information that it received from an EU PIU to a third country competent authority under this regulation, the PIU must notify that EU PIU as soon as possible.

(2F)Where, under this regulation, the PIU transfers to a third country competent authority EU PNR data that originated in a member State, and was provided by an air carrier, the PIU must notify the EU PIU for that member State as soon as possible.”

(7)In paragraph (3)(a) for the words from “the purposes” to “case” substitute “a purpose described in regulation 6(3)”.

(8)In paragraph (4)—

(a)for “PNR data” substitute “PNR information”;

(b)for “non-UK” substitute “third country”.

12(1)Regulation 13 (period of data retention and depersonalisation) is amended as follows.

(2)For paragraph (1) substitute—

“(1)Paragraphs (1A) and (1B) apply to PNR data transferred to the PIU—

(a)by air carriers pursuant to a requirement imposed under—

(i)paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, or

(ii)section 32(2) of the Immigration, Asylum and Nationality Act 2006, or

(b)by an EU PIU.”

(3)After paragraph (1) insert—

“(1A)In the case of EU PNR data, the PIU must permanently delete the data before the end of the period of five years beginning with the date of the transfer, subject to regulation 13B if the data is restricted EU PNR data within the meaning of that regulation.

(1B)In any other case, the PIU must—

(a)retain the PNR data for a period of five years beginning with the date of the transfer, and

(b)permanently delete that data upon expiry of that period.

(1C)Paragraphs (1A) and (1B) do not affect the power of the PIU to retain PNR data where it is used in the context of specific cases for a purpose described in regulation 6(3).”

(4)In paragraph (2)—

(a)after “air carrier” insert “or an EU PIU”;

(b)in sub-paragraph (e) omit “and”;

(c)after sub-paragraph (f) insert—

“(g)Other Service Information (OSI), and

(h)System Service Information (SSI) and System Service Request information (SSR).”

(5)In paragraph (3) for “passenger” substitute “person”.

(6)After paragraph (3) insert—

“(3A)The PIU must ensure that unmasked PNR data is only accessible by persons specifically authorised by the PIU to access such data and must limit the number of persons authorised to the minimum number practicable.”

(7)In paragraph (4)(a) for “the purpose referred to in regulation 6(3)(b)” substitute “a purpose described in regulation 6(3)”.

(8)In paragraph (6) for “upon expiry of the period referred to in paragraph (1)” substitute “when that data is no longer required in the context of the specific case for which it was transferred to the UK competent authority”.

(9)Omit paragraphs (7) to (10).

13After regulation 13 insert—

“13AUse and transfer of EU PNR data by the PIU: further provision

(1)The PIU may not use or transfer EU PNR data unless paragraph (2), (3), (4) or (5) applies.

(2)This paragraph applies where the PIU processes the EU PNR data for the purposes of security and border control checks.

(3)This paragraph applies if the designated independent authority has given consent for the use or transfer of the EU PNR data.

(4)This paragraph applies if the PIU considers that the use or transfer of the EU PNR data is necessary in an urgent case.

(5)This paragraph applies if the PIU considers that the use of the EU PNR data is necessary for the purpose of developing, or verifying the accuracy of, the pre-determined criteria referred to in regulation 6(5).

(6)Where the PIU—

(a)uses EU PNR data as mentioned in paragraph (3) or (4), or

(b)transfers EU PNR data to an EU PIU, Europol, Eurojust or a third country competent authority,

the PIU must notify the person to whom the data relates, so far as it is reasonably practicable to do so.

(7)Where the PIU transfers EU PNR data to a UK competent authority, the UK competent authority must notify the person to whom the data relates, so far as it is reasonably practicable to do so.

(8)A notification under paragraph (6) or (7) must—

(a)be in writing,

(b)be made within a reasonable period, and

(c)provide information about the procedures available for seeking redress of any grievance relating to the use or transfer.

(9)A notification need not be made under paragraph (6) or (7) during any period when the PIU or the UK competent authority (as the case may be) considers that notifying the person would, or would be likely to, prejudice any ongoing investigations.

(10)Nothing in paragraphs (2) to (5) affects the operation of regulation 6(2).”

14Before regulation 14 insert—

“13BRestricted EU PNR data: further provision

(1)For the purposes of this regulation, EU PNR data is “restricted EU PNR data” if it relates to a person arriving in the United Kingdom who—

(a)is not a UK national, and

(b)resides outside the United Kingdom.

(2)For the purposes of this regulation, restricted EU PNR data relating to a person is subject to deletion if—

(a)the PIU, acting as such, knows that the person has left the United Kingdom, or

(b)the period for which the person is permitted to stay in the United Kingdom has expired.

(3)But restricted EU PNR data is not subject to deletion—

(a)if, on the basis of a risk assessment based on objectively established criteria, the PIU considers that retention of the restricted EU PNR data is necessary for the purpose described in regulation 6(3)(a), or

(b)where the restricted EU PNR data is used in the context of specific cases for a purpose described in regulation 6(3).

(4)The PIU must permanently delete restricted EU PNR data that is subject to deletion as soon as possible.

(5)The PIU must ensure that the operation of paragraph (3)(a) is reviewed annually by the designated independent authority.

(6)In this regulation, “UK national” means—

(a)a British citizen,

(b)a person who is a British subject by virtue of Part 4 of the British Nationality Act 1981 and who has a right of abode in the United Kingdom, or

(c)a person who is a British overseas territories citizen by virtue of a connection to Gibraltar.”

15(1)Regulation 14 (protection of personal data) is amended as follows.

(2)After paragraph (1) insert—

“(1A)The PIU must permanently delete any PNR data referred to in paragraph (1).”

(3)In paragraph (3)(c) for “non-UK competent authorities” substitute “EU PIUs, Europol or Eurojust”.

16(1)Regulation 16 (application of other data protection enactments) is amended as follows.

(2)In paragraph (2)—

(a)after “purposes of” insert “—

(a)”;

(b)at the end insert “, or

(b)the protection of the public against threats to public health.”