«The proposed EU passenger name records (PNR) directive Revived in the new security context SUMMARY After the Paris attacks of January 2015, the fight ...»
The proposed EU passenger name
records (PNR) directive
Revived in the new security context
After the Paris attacks of January 2015, the fight against terrorism and the
phenomenon of foreign fighters is now higher than ever on the EU agenda, with a
series of new measures being discussed, and existing ones refocused. In this context,
the EU Passenger Name Record (PNR) proposal is once again in the spotlight.
The current proposal dates back to 2011, but was rejected by the European Parliament's LIBE Committee in April 2013. However, given the new security context, and following numerous calls from EU Member States, the European Parliament committed to work towards the finalisation of an EU PNR directive by the end of 2015.
Nevertheless, not everybody is convinced by the efficacy of the proposed measure, and many stakeholders question its necessity and proportionality, whilst highlighting the different fundamental-rights risks inherent in any PNR scheme. It is also argued that legislators should take into account the impact of the recent annulment of the Data Retention Directive by the Court of Justice of the EU.
Privacy and civil liberties activists warn against the measure's intrusive nature, and see it as another step on the road to a surveillance society. On the other hand, air carriers advocate swift adoption of an EU PNR directive, providing harmonised legislation at EU level, rather than a set of diverging national rules. Indeed, more and more Member States are developing PNR data-collection systems, and the European Commission has made EU funding available for this purpose.
In this briefing:
Context The proposal for an EU PNR directive Fundamental rights issues Business and interest groups on the proposal National PNR systems Further reading EPRS | European Parliamentary Research Service Author: Piotr Bąkowski and Sofija Voronova Members' Research Service EN PE 554.215 The proposed EU PNR directive EPRS Context The 'new old' project Since the Paris attacks of January 2015, counter-terrorism issues have reached the summit of the political agenda, both in the Member States most concerned and at EU level. Creating an EU-wide system which would make Passenger Name Records (PNR) data transfer to law enforcement agencies possible is among the main measures under debate.
The idea is not new: the possibility of having an EU-wide PNR scheme has been discussed since 2007, when the Co
Members' Research Service Page 2 of 9 The proposed EU PNR directive EPRS Proactively i.e. for analysis and creation of criteria to be used for assessment of passengers prior to arrival or departure.
As to the transfer of the data to competent authorities, it may be done by:
The 'push' method, whereby the airline passes the data to the national authority, or
• The 'pull' method, whereby the authority obtains access to the airline reservation system to retrieve the data.
What is at stake?
The PNR proposal has resurfaced in the context of the widely perceived urgency to address the terrorist threat which − it is argued − has acquired a new dimension.
Historically, EU counterterrorism action has come in 'waves' following major crises including 9/11, the 2004 Madrid attacks and the 2005 London bombings. The postCharlie Hebdo situation is also seen as a possible trigger for enhanced EU involvement in the fight against terrorism, as illustrated by the EU's counter-terrorism coordinator, Gilles de Kerchove, using the oft-repeated advice: 'never let a serious crisis go to waste'.3 Yet voices can be heard warning against hasty adoption of instruments with farreaching consequences for fundamental rights of EU citizens − albeit perhaps to a lesser extent than in 2011, when the Commission's proposal was published. It is argued that, in the past, rapid and emergency-led policy responses took precedence over quality and democratically accountable decision-making, and that, once again, measures are being adopted without proper assessment of their necessity.4 As the EU PNR debate evolves, the idea of having some form of EU-wide PNR scheme seems to be gaining ground. Its limits are, however, yet to be defined, given the number of unresolved questions about the system’s implications for fundamental rights and, most notably, its proportionality and necessity.
The proposal for an EU PNR directive The key elements The proposal provides for the transfer, by air carriers, of PNR data from international flights (inbound and outbound flights between the territory of a Member State and a third country). It also covers further processing and retention of such data. The Commission proposed assessment of the feasibility and necessity of including internal flights in the scope of the Directive within two years following the transposition date.
Under the proposed Directive, air carriers are not required to retain data, and passengers do not have to provide additional information to that already requested from them as part of the reservation or check-in process. So-called Passenger Information Units (PIUs) would be set up by each Member State. The data would be transferred by airlines to these units exclusively by the 'push' method, to avoid Member States having direct access to carriers' IT systems. PIUs would collect, store, and analyse data, and transfer the result of their data processing to the competent authorities.
The data would have to be anonymised 30 days after their collection. This means that all elements enabling the identification of the passenger would be masked, and made available only on specific authorisation. Data could be retained beyond the 30-day limit, for no more than five years. The collection and use of sensitive data directly or indirectly revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life, would be prohibited.
Members' Research Service Page 3 of 9 The proposed EU PNR directive EPRS Moreover, any decision taken by a Member State producing adverse legal effects on a person, or seriously affecting him or her, could not be taken solely on the basis of automated processing of PNR data.
A PIU or − in the case of urgency − also a competent authority of another Member State could request the transfer of data from the PIU storing it. Data could also be transferred to third countries, but only in very limited circumstances and on a case-by-case basis.
Member States would have to ensure the monitoring of PNR data processing by an independent national supervisory authority (data protection authority).
Co-legislator positions The Council In April 2012, the Justice and Home Affairs Council agreed on a general approach to the
proposal. Two main elements differ from the Commission's original proposal:
A possibility (not an obligation) for Member States to collect PNR data from selected intra-EU flights, and Anonymising data after two years, instead of 30 days.
The European Parliament In April 2013, the proposal was rejected by the LIBE Committee by a narrow majority (30 votes to 25). The major points debated at the time included the necessity and proportionality of the Directive, its scope (the list of offences covered and possible inclusion of internal flights), as well as the length of the data retention period.
In its Resolution of February 2015 on anti-terrorism measures, the EP committed to working towards the finalisation of the Directive by the end of 2015. It urged the Commission to set out the possible impact of the EU’s Court of Justice Data Retention judgment on the PNR proposal. Moreover, it encouraged the Council to make progress on the Data Protection Package, so that trilogues on both the EU PNR Directive and the Data Protection Package could take place in parallel.
The revised draft report by Timothy Kirkhope (ECR, UK), published in late
February 2015, elaborates on the above elements. The changes proposed include:
Narrowing the scope to cover terrorism and serious 'transnational' crime instead of 'serious crime', Inclusion of intra-EU flights, Permanent deletion of sensitive data within 30 days from the last receipt of PNR containing such data, Reducing access to PNR data from five to four years for serious crime, and Making references to the Data Retention Judgment and to the current EU data protection rules.
Fundamental rights issues Fundamental rights at stake The proposed EU PNR scheme departs from the widely accepted form of using personal data for law enforcement purposes whereby data transfer is requested – normally on the basis of a court order – for a specific person, suspected of a specific crime, or at least representing a specific threat. The PNR scheme enables, on the contrary, proactive systematic checks on large sets of data concerning all passengers. These may be used for profiling, based on pre-determined general criteria (e.g. nationality), possibly resulting in individuals being refused boarding. Moreover, it provides for a wide Members' Research Service Page 4 of 9 The proposed EU PNR directive EPRS dissemination and lengthy retention of personal data. The system thus defined raises
questions as to its impact on fundamental rights including:
The right to privacy (Article 7 of the EU Charter of Fundamental Rights).
The right to data protection (Article 8 of the Charter), especially in the context of the ongoing reform of the EU data protection framework. The controversies relate inter alia to the lengthy period of data retention, the incomplete nature of anonymisation of data, allowing for its easy retrieval, and the transfer of data to third countries.
The right to non-discrimination, with indirect discrimination being more likely than direct discrimination, given the prohibition on processing sensitive data under the proposed Directive. One possible remaining risk of direct discrimination is that of transfer of such data contained in the field 'general remarks', covering a whole variety of personal characteristics.5 The right to free movement: According to the EU Free Movement Directive Member States may restrict the freedom of movement of EU citizens on grounds of public policy or public security. However, such restrictions need to comply with the principle of proportionality and be based exclusively on the personal conduct of the individual concerned representing a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society. A risk of the breach of this right is highlighted in regard to the extension of the EU PNR scheme to intra-EU flights.
Fundamental rights issues are at the core of the EU PNR debate. This is illustrated not only in the 2013 EP resolution, but also by the opinions on the Commission's proposal presented by other institutional stakeholders, including the European Data Protection Supervisor, the Article 29 Data Protection Working Party, the Fundamental Rights Agency, and the European Economic and Social Committee.
Necessity and proportionality The necessity of the EU PNR system – i.e. the question of whether such scheme is indeed indispensable to effectively address serious crime and terrorism – is widely debated. Evidence of the effectiveness of existing PNR systems is crucial to proving the necessity of having a system at EU level. There seems to be no agreement, however, as to whether PNR systems − and mass surveillance tools in general − are actually eﬃcient.
Whereas the Commission admits that relevant detailed statistics are not available, it points to information from individual countries, and argues that the PNR data has led to 'critical progress' in the fight against terrorism, illegal drugs and human trafficking. The Commission supports this statement with figures related to drug seizures in Belgium, Sweden and the UK. Nevertheless, it has been criticised for inconsistencies in, and the anecdotal nature of, the evidence presented.6 Some examples of successful use of PNR have also been provided by the UK, based on experience with the country’s e-Borders system.7 Moreover, it is held that such scheme can only be considered necessary if the existing measures – which at the EU level include the API Directive, the Schengen Information System and the Visa Information System – have been evaluated as insufficient. Yet such an evaluation has not been undertaken, and less intrusive alternative tools have not been proposed.
Members' Research Service Page 5 of 9 The proposed EU PNR directive EPRS Article 52 of the EU Charter of Fundamental Rights requires that any limitation to rights and freedoms recognised by the Charter respect the principle of proportionality. This requirement may be difficult to fulfil, considering the large scope of the proposed Directive (all passengers on all international, and possibly also intra-EU, flights, as well as the variety of crime categories covered). 'Article 29' Data Protection Working Party (DPWP) argues that measures impinging on the protection of the rights and freedoms of travellers are only proportionate when introduced temporarily and for a specific threat, which is not the case for this proposal. Systematic matching of all passengers on all flights against pre-determined criteria appears therefore to be particularly problematic.8 The impact of the Data Retention judgment Recently, proportionality and necessity issues have been debated in the context of the 2014 judgment of the Court of Justice of the EU (CJEU) invalidating the 2008 Data Retention Directive (Digital Rights Ireland; joined Cases C-293/12 and C-594/12). The Court formulated a series of requirements, arguably valid for all security measures interfering with the protection of personal data, especially if they provide for data retention. Whereas the Commission − urged by the Parliament − has expressed its views on the implications of this judgment for the PNR proposal, some commentators doubt whether these will be fully addressed.9 Business and interest groups on the proposal Civil society On the civil society side, critical voices are heard on the EU PNR proposal, which is often considered an intrusive measure and a further step towards a surveillance society.10 Various stakeholders active in the field of civil liberties and fundamental rights have commented extensively on the Commission's draft.