Canada Gazette

Initially introduced in the Customs Action Plan 2000-2004, the Passenger Information (Customs) Regulations and section 269 of the Immigration and Refugee Protection Regulations brought into force the Advance Passenger Information/Passenger Name Record (API/PNR Program). Obtaining passenger information in advance of the arrival of a commercial conveyance provides officials of the Canada Border Services Agency (CBSA) with time to assess the risk of individual travellers and identify those who may pose a risk to the safety and security of Canada prior to their arrival. Certain information collected under the API/PNR Program is "personal information" within the meaning of the Privacy Act and is protected under the Canadian Charter of Rights and Freedoms (Charter).

The Immigration and Refugee Protection Act and the Customs Act provide the legal authorities to collect API/PNR data. Under paragraph 148(1)(d) of the Immigration and Refugee Protection Act, commercial transport companies are obligated to provide prescribed information on departure of the commercial vehicle before arriving in Canada. This information is prescribed in section 269 of the Immigration and Refugee Protection Regulations.

Section 107.1 of the Customs Act provides the authority for the Passenger Information (Customs) Regulations, which came into force on July 2, 2003, retroactive to October 4, 2002. Under these Regulations, all commercial carriers are required to provide the CBSA with information relating to all persons on board commercial conveyances bound for Canada. These Regulations specify the information that is to be provided.

Since the implementation of the API/PNR Program, world events necessitated the introduction of measures to enhance public safety. One of these measures was the passing of the Public Safety Act, 2002. This Act amended the Immigration and Refugee Protection Act by adding section 150.1 which provides for regulations to govern the collection, retention, disposal, and disclosure of information collected under the Act.

These regulations may be made for any matter related to the disclosure of information for the purposes of national security, the defence of Canada, or the conduct of international affairs. In addition, the regulations may outline conditions under which the collection, retention, disposal and disclosure may be made. This provision came into force on June 28, 2004.

The Protection of Passenger Information Regulations are made under section 150.1 of the Immigration and Refugee Protection Act. These Regulations are made to govern the management and retention of the information collected by the CBSA under the API/PNR Program. It is essential to clarify that these Regulations do not expand the information collected but restrict the handling of the information gathered by the CBSA under this program.

Advance passenger information includes a person's name, date of birth, gender, citizenship or nationality and travel document type, country of issuance, the number on the travel document, and their reservation record locator number. Passenger name record data includes details such as a person's travel itinerary, address and check-in information. This information is sensitive and is protected under the Privacy Act.

Commercial air carriers departing foreign countries are subject to the laws of the outbound country and to Canadian law when the flights are bound for Canada. In certain countries, carriers are precluded from providing passenger information unless there are adequate protections in place for handling the information. One such example is commercial carriers who process information within the European Union (EU), as they are subject to EU laws governing the protection of personal information.

The Protection of Passenger Information Regulations are being made under the Immigration and Refugee Protection Act to further strengthen the protection that the CBSA will provide to this information.

— govern the management of the handling and retention of the information that is collected by airlines which operate flights carrying persons bound for Canada;

— ensure that the CBSA only collects API/PNR Program information in respect of flights arriving in Canada;

— ensure that the CBSA will use API/PNR Program information collected from airlines only to identify persons who are inadmissible to Canada because of their potential relationship to terrorism or terrorism-related crimes or other serious crimes, including organized crime, that are transnational in nature;

— restrict the use of information that has been depersonalized, that is, information where the name has been blocked after 72 hours to prevent identification of the individual;

— restrict the use of information that has been unblocked, under the authority of the President of the CBSA, where it is necessary in the interests of national security or a threat to the health and safety of the public;

— ensure the retention for purposes of the Privacy Act or the Access to Information Act, which provide for access by the person to whom the information relates; and

— govern the disclosure of API/PNR Program information to other Canadian departments and to governments of foreign states.

The objective of the API/PNR Program is to identify persons who may pose a risk to the safety and security of Canada prior to arrival. Airlines which operate flights bound for Canada are required to provide passenger information to the CBSA in accordance with section 107.1 of the Customs Act and paragraph 148(1)(d) of the Immigration and Refugee Protection Regulations. However, to the extent that passenger information is processed in the EU, airlines are precluded from providing this information to a third country, unless that country has adequate protections in place for the information.

The rules, which govern the transfer of personal data outside the EU, are applied through a detailed investigation by the European Commission of the privacy regimes of the third country. As a result, the commercial carriers that process data within the EU (i.e. European carriers) are restricted from providing access to its reservation systems data to the CBSA without first ensuring that the data will be provided with an adequate level of protection.

Canadian officials have been negotiating an agreement with the European Commission to allow commercial carriers impacted by the data protection directive to provide passenger information to the CBSA. This will consist of three components: the agreement between Canada and the European Union, the CBSA's commitments regarding the access, use and disclosure of the passenger information and the Regulations.

A step in this process is to obtain a positive "adequacy finding" by the EU's Article 29 Data Protection Working Party. The "adequacy finding" is a decision on the level of protection the CBSA affords to the personal data. In rendering its decision, the Working Party reviews the CBSA's commitments in respect of the manner in which the CBSA administers its API/PNR Program. The position of the European Commission is that the series of commitments being appended to the agreement must be legally binding on the CBSA before it will sign the agreement and permit the airlines to provide the data to the CBSA.

Many of the commitments have already been satisfied by the current requirements of the Privacy Act, in respect of the retention and disclosure of personal information. There are remaining commitments relating to the collection, retention and disclosure of information that must, in some way, be legally binding on the CBSA before the EU will sign the agreement being negotiated.

All carriers bound for Canada must be subject to the same requirements and meet their legal requirements in that country as well as those of Canada. To provide any carrier with an exemption would dilute the effectiveness of the API/PNR Program while conferring a competitive advantage of lower operating costs to those carriers exempted. This is due to the fact that there is a cost to the airlines in providing the passenger data to the CBSA.

As a result, there is no alternative to these Regulations. Commercial carriers are legally obligated to provide API/PNR data to the CBSA. Without the agreement with the EU, the carriers will be contravening another country's laws.

These Regulations will ensure that the information provided to the CBSA for its API/PNR Program will be managed and retained under specified rules. These Regulations are an integral component of the agreement with the EU and will enable the CBSA to have access to the information collected by the airlines in the EU carrying passengers bound for Canada. The CBSA having access to passenger data in advance of travellers' arrival in Canada allows for a more efficient and comprehensive risk assessment process. This pre-arrival processing of travellers for risk assessment purposes can facilitate traveller processing by the CBSA upon their arrival in Canada.

The API/PNR Program information will be used to identify those travellers that may require closer questioning or examination on arrival in Canada. This is for the purpose of identifying whether the person may be inadmissible to Canada because of a potential relationship to terrorism or terrorism-related crimes or other serious crimes, including organized crime, that are transnational in nature. The API/PNR data will also be used for longer-term trend analysis and the development of risk factors.

There are no significant additional costs associated with these Regulations as Treasury Board funding has already been secured for the development of the API/PNR Program.

During the implementation of the API/PNR Program, there were consultations with stakeholders. The CBSA discussed concerns surrounding the protection of passenger information with the Privacy Commissioner of Canada in order to ensure that the API/PNR Program is consistent with the Charter. In response to concerns raised by the Privacy Commissioner, the CBSA implemented a number of administrative safeguards to protect the privacy of individuals.

Given that the Office of the Privacy Commissioner has previously indicated that it would prefer that the CBSA's administrative practices in managing this information be reflected in domestic legislation, and given that the legislative authority to do so is in the Immigration and Refugee Protection Act, it is now appropriate to do so.

The Regulations do not amend or alter the data that is to be provided or the means of providing the data, nor do they alter the API/PNR Program. Consultations with the airlines were not necessary as these stakeholders will not be affected by these Regulations.

These Regulations do not alter the existing compliance mechanisms under the provisions of the Passenger Information (Customs) Regulations enforced by the CBSA. The CBSA has committed to only accepting PNR data that is filtered and pushed from commercial carriers impacted by the data protection directive. As such, the carriers are responsible to provide the CBSA with the PNR data elements it requires.

The existing resources of the CBSA are adequate to ensure compliance with the terms of the Regulations.

Andrea Spry, Director, Risk Assessment Systems Division, Innovation, Science and Technology Branch, Canada Border Services Agency, 191 Laurier Avenue W, 7th Floor, Ottawa, Ontario K1A 0L5, (613) 946-1672 (telephone), (613) 952-8420 (facsimile), Andrea.Spry@cbsa-asfc.gc.ca (electronic mail).

Notice is hereby given that the Governor in Council, pursuant to subsection 5(1) and to section 150.1 (see footnote a) of the Immigration and Refugee Protection Act (see footnote b), proposes to make the annexed Protection of Passenger Information Regulations.

Interested persons may make representations with respect to the proposed Regulations within 15 days after the date of publication of this notice. All such representations must cite the Canada Gazette, Part I, and the date of publication of this notice, and be addressed to the Manager, Legislative Affairs, Canada Border Services Agency, Killeany Place, 4th Floor, Room 4023, 150 Isabella Street, Ottawa, Ontario K1A 0L8.

Persons making representations should identify any of those representations, the disclosure of which should be refused under the Access to Information Act, in particular under sections 19 and 20 of that Act, and should indicate the reasons why and the period during which the representations should not be disclosed. They should also identify any representations for which there is consent to disclosure for the purposes of that Act.

"advance passenger information" means, in respect of a person, information referred to in paragraphs 269(1)(a) to (f) of the Immigration and Refugee Protection Regulations that is provided to an officer in respect of that person. (information préalable sur les voyageurs)

"enforcement database" means an Agency database that contains information in respect of persons who have been investigated under or have been the subject of an enforcement action under an Act of Parliament administered or enforced by the Agency. (base de données sur le contrôle d'application)

"intelligence official" means an official who is employed by the Agency and is responsible for carrying out intelligence activities that relate to operations of the Agency conducted at an international airport in Canada or at the headquarters of the Agency for the purposes of the Act. (agent du renseignement)

"passenger name record information" means, in respect of a person, the passenger reservation information referred to in subsection 269(2) of the Immigration and Refugee Protection Regulations that is provided to an officer in respect of that person or in respect of which access is provided to an officer. (renseignements sur le dossier passager)

"PAXIS system" means the Passenger Information System of the Agency. (système SIPAX)

2. The Agency shall not, for the purposes of the Act, retain, provide access to or disclose advance passenger information (referred to in these Regulations as "API information") or passenger name record information (referred to in these Regulations as "PNR information") other than in accordance with these Regulations.

3. API information and PNR information may be retained by the Agency for the purpose of identifying persons who are or may be involved with or connected to terrorism or terrorism-related crimes or other serious crimes, including organized crime, that are transnational in nature.

4. API information and PNR information retained for the purpose referred to in section 3 must be stored in the PAXIS system and must be stored there separately from each other.

5. (1) API information may be retained in the PAXIS system for a maximum period of three years and six months after it is received and access to the information may be provided during that period to

(i) for the purpose referred to in section 3, or

(ii) for the purposes of conducting trend analysis or developing future risk indicators in relation to the purpose referred to in section 3; and

(b) officials employed by the Agency who are responsible for selecting persons for enhanced questioning on their arrival with a view to identifying persons described in section 3.

(2) Access to API information may not be used by an intelligence official to gain access to PNR information about the same person

(a) during the first two years of the period of three years and six months referred to in subsection (1), unless the intelligence official confirms that such access is necessary in order to proceed with an investigation for the purpose referred to in section 3; and

(b) during the period of one year and six months after the two-year period referred to in paragraph (a), unless such access by the intelligence official for that purpose is approved by the President of the Agency.

6. PNR information may be retained in the PAXIS system for a maximum period of three years and six months after it is received, during which period access to the information must be restricted in accordance with section 7.

7. (1) Access to PNR information that is stored in the PAXIS system may be provided during the first 72 hours of the period of two years after it is received to

(a) intelligence officials, if they require that information for the purpose referred to in section 3; and

(b) officials employed by the Agency who are responsible for selecting persons for enhanced questioning on their arrival with a view to identifying persons described in section 3.

(2) During the portion of the two-year period referred to in subsection (1) that is after the first 72 hours,

(a) access to the name of the person to whom the PNR information relates may be provided to an intelligence official if the official confirms that they require the name in order to proceed with an investigation for the purpose referred to in section 3; and

(b) access to the PNR information in respect of that person, other than their name, may be provided to an intelligence official for the purposes of conducting trend analysis or developing future risk indicators in relation to the purpose referred to in section 3.

(3) If access to the name of the person to whom the PNR information relates is provided to an intelligence official in the circumstances referred to in paragraph (2)(a), any of the PNR information in respect of that person, including their name, that may be required for the investigation referred to in that paragraph may then be copied from the PAXIS system, in which case the copy must be retained in an enforcement database in accordance with section 8.

(4) During the period of one year and six months following the two-year period referred to in subsection (1),

(a) access to the data elements contained in the PNR information that could serve to identify the person to whom the information relates may be provided to an intelligence official for the purpose referred to in section 3 if such access is approved by the President of the Agency; and

(b) access to the PNR information, other than the data elements referred to in paragraph (a), may be provided to an intelligence official for the purposes of conducting trend analysis or developing future risk indicators in relation to the purpose referred to in section 3.

(5) If access to the data elements contained in the PNR information is provided to an intelligence official in the circumstances referred to in paragraph (4)(a), any of those data elements that may be required for the purpose referred to in that paragraph may then be copied from the PAXIS system, in which case the copy must be retained in an enforcement database in accordance with section 8.

8. (1) Subject to subsection (2), where PNR information is copied from the PAXIS system and the copy retained in an enforcement database in the circumstances described in subsection 7(3) or (5), as applicable,

(a) the information may be retained in the enforcement database for not longer than the time that it continues to be required for the purpose for which it was copied, up to a maximum period of six years after the time it was first received; and

(b) during that period, access to the information may be provided only to intelligence officials whose duties require such access for the purpose referred to in section 3.

(2) Where API information or PNR information is required, by the Access to Information Act or the Privacy Act, to be retained in an enforcement database for a period longer than the six-year period referred to in paragraph (1)(a), access to that information may be provided during that longer period only for the purpose for which it is retained under the Access to Information Act or the Privacy Act, as applicable.

9. API information and PNR information retained by the Agency in the PAXIS system may be disclosed by the Agency to any Canadian government department for the purposes of the Act if

(i) relates to terrorism or crimes referred to in section 3, or

(ii) relates to an objective set out in section 3 of the Act and is required

(A) in order to comply with a subpoena or warrant issued by, or an order made by, a court, person or body with jurisdiction in Canada to compel the production of the information, or

(B) for the purposes of any judicial proceedings in Canada;

(b) that department has undertaken to provide the information with the same type of protection as that provided by the Agency and not to further disclose the information without the permission of the Agency, unless required by law to do so; and

(c) only the data elements contained in the information that are necessary for the purpose for which it is being disclosed are provided.

10. (1) In this section, "adequacy finding" means a decision adopted by the European Commission pursuant to Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.

(2) API information and PNR information retained by the Agency in the PAXIS system may be disclosed to the government of a foreign state for the purpose referred to in section 3 if

(a) the foreign state is a member of the European Union or that government has received an adequacy finding or is covered by one; and

(b) the Agency discloses to that government only the minimum data elements contained in the information that are necessary for that purpose.

11. API information and PNR information retained by the Agency in an enforcement database may be disclosed on request to the government of a foreign state under an international agreement or arrangement if

(a) the Agency is in possession of evidence that directly links the request to the investigation or prevention of terrorism or crimes referred to in section 3;

(b) that government undertakes to provide the information with the same type of protection as that provided by the Agency; and

(c) only those data elements contained in the information that are necessary for the purpose for which the information is requested are disclosed.

12. These Regulations come into force on the day on which they are registered.