Accords internationaux

Avis sur la proposition de règlement instaurant un code de conduite pour l'utilisation de systèmes informatisés de réservation, JO C 233, 11.09.2008, p. 1

The EDPS issued an opinion on the proposal for a Regulation on a Code of conduct for computerised reservation systems (CRSs).

The objective of the proposal is to update the provisions of the Code of Conduct for Computerized Reservation Systems that was established in 1989 by Regulation 2299/89. The Code would need simplification in order to reinforce competition - while maintaining basic safeguards, and ensuring the provision of neutral information to consumers.
A specific article on data protection has been developed in the proposal with a view to complementing the provisions of Directive 95/46/EC which continues to apply as a lex generalis.

The EDPS welcomes the inclusion of such principles in the proposal. He stresses that these provisions could nevertheless be usefully complemented by additional safeguards on three points:

• ensuring the fully informed consent of data subjects for the processing of sensitive data;
• providing for security measures taking into account the different services offered by CRSs;
• protecting marketing information relating to individuals from access by third parties.

With regard to the scope of application of the proposal, the criteria that make the proposal applicable to CRSs established in third countries raise the question of its practical enforcement, taking into account the complexity of the CRS network.

It is deemed as essential to put the CRS question in this global context and to be aware of the implications of having a large amount of personal data, some of them sensitive, processed in a global network practically accessible to third state authorities.

The EDPS considers it as decisive that effective compliance is ensured by competent authorities for enforcement (i.e. the Commission), as foreseen in the proposal, as well as data protection authorities.

Avis sur le projet de décision-cadre du Conseil relative à l'utilisation des données des dossiers passagers (Passenger Name Record - PNR) à des fins répressives, JO C 110, 01.05.2008, p. 1

• legitimacy of the processing: the proposal does not provide for sufficient elements of justification to support and demonstrate the legitimacy of the processing of data;
• applicable legal framework: a significant lack of legal certainty is noted as regards the regime applicable to the different actors involved in the matter;
• the identity of data recipients: the draft Decision does not provide for any specification concerning the identity of the recipients of personal data collected by airlines companies;
• transfer of data to third countries: it is imperative that conditions of transfer of PNR data to third countries be coherent and subject to a harmonised level of protection. 

Finally,  the EDPS advises not to adopt the draft Decision before the new Lisbon Treaty's entry into force, so that it can follow the co-decision procedure foreseen by the new Treaty and the European Parliament is fully involved.