EU Surveillance society – the passenger data scandal

The 2007 European Commission proposal for a Council Framework Decision establishing a European system for the exchange of Passenger Name Records for law enforcement purposes, was, at the time, criticised by the Article 29 Data Protection Working Party and by the European Data Protection Supervisor for providing inadequate procedural safeguards and data protection arrangements. Several provisions proved to be very controversial during the negotiations at the Council working groups, such as a harmonised data retention period and the treatment of sensitive personal data. The Council decided to suspend negotiations on the proposal until the entry into force of the Lisbon Treaty.

On 2 February, the European Commission adopted a proposal, replacing the 2007 one, for a directive on the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. The present proposal represents an improvement compared to the original one. But, there are still several issues, which should be carefully addressed. Nevertheless, one could wonder if such measures are really needed which justify the collection of data of innocent persons. And it costs billions of pounds to implement and operate such measures.

Whereas the original proposal would have been decided by unanimity, and the UK would have been able to avoid any provisions which were not acceptable, the new proposal is subject to the ordinary legislative procedure and QMV. The UK has an opt out from measures in the area of freedom, security and justice. However, once it has decided to opt-into a legislative proposal there is no right to opt-out even if the outcome of the negotiations is not acceptable and it is subject to the ECJ and the European Commission enforcement powers.

Nevertheless, the Government is very likely to opt into the present proposal. Damian Green MP, last December, in a House of Commons debate said “The UK, in common with many other EU Member States and third countries, places considerable value on the collection and analysis of passenger name record (PNR) data (…) for the purposes of combating terrorism and organised crime.” In fact, he said “In line with this view the Government continue to press for an EU PNR directive that includes provision for intra- EU flights.”

Presently, the UK is the only country, among the EU Member States, to have a fully functioning PNR system. However, if the draft proposal is adopted, the UK would have to adjust its national system to comply with the draft Directive. The Commission noted that although, presently, only the UK has a PNR system, several Member States are considering setting up one. Hence, in order to avoid having different national PNR legislations, the Commission has decided to create a “EU wide system.” The Commission proposes, therefore, common rules for Member States to establish their national PNR systems.

PNR data is collected and held by airlines and travel agents for their own commercial purposes, and consists of information provided by passengers during the reservation and booking of the tickets, such as travel dates, travel itinerary, ticket information, contact details, means of payment used, credit card details, seat number. The Commission proposed that all air carriers operating international flights coming or leaving the EU provide PNR data to the Member States’ competent authorities.

The proposal is, therefore, limited to the processing of PNR data to flights into and out of the EU, to and from third countries. However, the Coalition Government, like the former Labour Government, has been lobbying for a wider PNR system that would apply to flights between EU Member States. According to the Commission the costs of including PNR data relating to intra-Community flights in the EU instrument would be much higher. The Commission has agreed to review the issue whether is necessary to include internal flights in the scope of this Directive once the PNR system had been in operation for a few years.

It seems that the Directive, if adopted, would not affect Member States’ possibility to provide, under their domestic law, for a system of collection and handling of PNR data for different purposes and transportation. Moreover, the processing of PNR data on intra-EU flights would not be restricted by the instrument, but it must be “subject to compliance with relevant data protection provisions, provided that such domestic law respects the Union acquis.”

The PNR data would be collected and processed for “the prevention, detection, investigation and prosecution of terrorist offences, serious crime and serious transnational crime’, and it could be share with all member sates law enforcement authorities. “Terrorist offences” are to be defined by reference to the Council Framework Decision 2002/475/JHA on combating terrorism, serious crime and serious transnational crime are defined by reference to the list in the Council Framework Decision 2002/584/JHA on the European Arrest Warrant. The scope of the draft directive is considerably broad as it encompasses the processing of PNR data for all of the crimes listed in Article 2 of the Framework Decision on the European Arrest Warrant.

Each Member State will have to designate a competent authority, the Passenger Information Unit (PIU) that will be the data recipient. The PIU would be responsible for collecting PNR data from the air carriers, storing and analysing it and transferring the result of the analysis to the Member States competent authorities for the prevention, detection, investigation or prosecution of terrorist offences and serious crime.

The Commission on the previous proposal specified two methods for the air carriers transmit the PNR, the “push method” where the data is transferred into the PIUs’ database, or the PIU will be allowed to extract a copy of the required data from the carriers database by the “pull method.” The majority of Member States rejected the idea of having a centralised system of PNR at EU level, preferring, therefore, the establishment of databases at national level. The Commission has now proposed a decentralised collection of PNR data. Hence, air carriers would be required to transfer the PNR data to the database of the PIU of the Member State on the territory of which the international flight will land or will depart. The air carries would have to transfer the PNR 24 to 48 hours before the flight departure and “immediately after” flight boarding closure. If there is a specific threat related to terrorist offences or serious crime they may be required by the PIU to make the date available earlier. Member states would be required to provide for dissuasive, effective and proportionate penalties, including financial penalties, against air carriers that fail to meet their obligations regarding the transfer of PNR data.

There would be a systematic transmission of PNR data for all flights, rather than selected flights that present the greatest risk.

The PIU would process PNR data to carry out a risk assessment of the passengers before their scheduled arrival or departure from a Member State, in order to identify any persons who may be involved in a terrorist offence, or serious crime and who require further examination by the Member States’s law enforcement authorities.

The assessment criteria shall be set by the PIUs, in cooperation with the competent authorities. National law will therefore, rule the risk assessment criteria. The Passenger Information Units, in carrying out such assessment, might compare PNR data against different databases, including international, national or “national mirrors of Union databases.”

Member States must ensure that any positive match which results from an automated processing is reviewed by non-automated means in order to verify whether the competent authority needs to take action. Member States must share with each other the alerts created from the processing of PNR data. The PIUs would deal not only with data gathered on their Member State but also from other Member States. Hence, the result of processing of PNR data, with regard to persons identified by a Passenger Information Unit, must be transmitted to PIUs of otherMember States, if such transfer is considered to be necessary for the prevention, detection, investigation or prosecution of terrorist offences or serious crime. Then, such PNR data or the result of the processing of PNR data would be transmitted to the receiving Member States relevant competent authorities.

In the other hand, PIUs are allowed to request each other PNR data and the result of the processing of PNR data that are kept in their databases for a period of 30 days as well as anonymised PNR data and the result of the processing of PNR data that are kept in their databases for a period of five years. PIUS may also request access to specific PNR data, not masked out, kept by the PIU of another Member State in case of a specific threat or a specific investigation or prosecution related to terrorist offences or serious crime.

The competent authorities of a Member State, in cases where it is necessary for the prevention of an immediate and serious threat to public security, may request directly to the PIU of another Member State to provide it with PNR data that are kept in its database. Such requests shall be responded to as a matter of priority. Furthermore, if there is a specific and actual threat related to terrorist offences or serious crime, the PIU of a Member State is entitled to request the PIU of anotherMember State to provide it with PNR data of flights landing in or departing from its territory at any time.

Sensitive data such as “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning the health or sex life of the individual” was excluded from the draft proposal. Under the Commission’ proposal sensitive data shall never be transferred by air carriers, but if it can be found in PNR, the Passenger Information Unit shall delete it immediately.

Member States shall transpose the directive into national law two years after its entry into force.Member States would be required to ensure two years after this date, that the PNR data of at least 30% of all international flights into and out of the EU is collected and until two years after this period, Member States shall ensure that the PNR data from at least 60% of all into and out of the EU flights is collected. Hence, Member States would be required to ensure that within six years of the entry into force of the directive, the PNR data from all flights is collected. During the negotiations of the previous proposal the Member States could not agree on 100% collection of PNR data, nevertheless the Commission has proposed the same ambitious schedule. Such targets should not be decided by Brussels, but by the Member States.

The proposal is subject to the ordinary legislative procedure, hence it remains to be seen what will come out of the negotiations with the European Parliament.