In July 2015, the European Parliament’s Civil Liberties Commission backed plans to collect EU passenger data under the Passenger Name Record (PNR) system.
The final version of the directive follows a series of extensive amendments to its text and aims to tackle the “constantly evolving” nature of terrorism and transnational crime.
PNR data is information routinely collected by airlines for commercial purposes and covers nineteen fields of information provided by passengers at the time of booking, such as travel dates and itinerary, ticket information, contact details, means of payment used and baggage information. Under the new proposal, airlines and non-carrier economic operators, such as travel agencies and tour operators, would be requested to disclose to authorities their PNR data for all passengers travelling on international flights to or from the territory of the EU.
The first PNR initiative dates back to 2001, when the US started seeking new measures to fight terrorism following September 11. After extensive international talks about its use, a legislative proposal was published in February 2011, with the view to provide a legal framework for PNR information “for the prevention, detection, investigation and prosecution of terrorist offences and serious crime”.
To better understand passenger behaviour, Helsinki Airport, operated by Finavia, has incorporated location-based technologies.
Until recently, the proposal was repeatedly challenged, postponed and rejected by the European Parliament, with MEPs divided on PNR’s justification and compliance with fundamental human rights, particularly data protection and the right to privacy.
However, in the aftermath of the Paris terrorist attack on satirical magazine Charlie Hebdo, the proposal resurfaced, now with renewed support from MEPs. After a four-day plenary session, on 11 February 2015 the European Parliament passed a resolution on anti-terrorism measures, committing itself “to work towards the finalisation of an EU PNR Directive by the end of the year”.
Talks intensified during the following months and a new draft report on the proposal for a PNR directive was published by civil liberties committee rapporteur Timothy Kirkhope. It contained 47 amendments made to the original 2011 text, most notable of which included narrowing the scope to cover terror offences and serious “transnational” crime, a limited data retention period of 30 days (with five years for terrorism offences) and the provision of high-security measures in handling the information.
On July 15, draft EU rules were backed in Parliament, as MEPs agreed on a framework to use PNR data by member states, Europol and other authorised institutions for the prevention of terrorism.
The decision marked the biggest success PNR legislation has had so far. According to a European Parliament press release, Kirkhope praised the move, saying “PNR is not a ‘silver bullet’ but it can be an invaluable weapon in the armoury.”
Conflicting funding patterns
The strongest reasoning in favour of PNR argues that a blanket data collection system is preferable to “a patchwork” of different surveillance systems scattered amongst Member States. The argument was reiterated by Kirkhope after the directive’s July parliamentary triumph: “Without this EU system in place a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe.”
Oliver Smith, consultant solicitor at Keystone Law sees the advantage in harmonising national PNR regulation: “[PNR] is meant to tackle serious crime and terrorism, but some countries might have a different view about what a serious crime is to another country. So that may be a problem. In that sense, I think there would be advantages in implementing a unified system.”
However, the distribution of funds towards PNR implementation has so far proved incompatible with this rationale: in 2013, two years before a tangible legislative decision had been made; a total of €50m was made available by the European Commission and distributed among 14 EU countries towards developing their national PNR schemes.
Independent watchdog Statewatch, which routinely monitors anti-terrorist legislation and includes a dedicated PNR observatory, highlights that the funding pattern has helped create “considerably diverging systems”.
“Given the absence of EU rules on PNR systems, ‘considerably diverging systems’ may be exactly what the Commission is funding,” the watchdog says. “Despite the apparently schizophrenic nature of this activity, it seems likely to work in the favour of EU PNR advocates – the more national PNR systems that are in place, the greater the impetus for a harmonised EU framework to govern them, in order to overcome ‘uneven levels of protection of personal data… security gaps… and legal uncertainty'”.
At present, PNR continues to be funded by a portion of the €6m home affairs funding programme to 2020, according to the Commission’s figures, compiled by Statewatch.
Talks reveal privacy and mass surveillance fears
The collection of passenger data for surveillance measures is not new; systems such as the Advance Passenger Information (API), the Schengen Information System (SIS) and the second-generation Schengen Information System (SIS II) already provide a web of basic data on air travellers to EU watchdogs.
A stand-out feature of the PNR system is that it allows authorities to identify previously ‘unknown’ suspects. The draft report describes these as “persons previously unsuspected of involvement in serious crime and terrorism, but whom an analysis of the data suggests may be involved in such crime and who should therefore be subject to further examination by the competent authorities”. An important specification within the document highlights that the use of PNR data should be limited to crimes “intrinsically linked to travelling, hence the type of the data being processed.”
The information obtained would be used in a reactive, real time or pro-active way, including for investigations, prosecution, crime prevention and arrest, but also for “analysis and the creation of (new) assessment criteria” in identifying specific persons travelling. Any processing of the data prohibits the use of any discriminatory features, such as a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership or activities.
Introducing sophisticated and automated screening systems also means capturing data.
An operational guide published by the European Union Agency for Fundamental Rights (FRA), titled “Twelve fundamental rights considerations for law enforcement when processing Passenger Name Record (PNR) data” ensures that these and other limitations are strictly abided by.
But despite these specifications, critics have highlighted that PNR is needlessly intrusive. During a joint debate of the LIBE Committee European Parliament in January, European Data Protection Supervisor Giovanni Buttarelli questioned the reasoning behind PNR, saying that the “EU needs to justify why any massive, non-targeted and indiscriminate collection of data of individuals is really needed. It is clear that we cannot protect freedom of expression by undermining the right to privacy.”
Similarly, chairwoman of the 29 Data Protection Working Party, Isabelle Falque-Pierrotin, raised the same concerns in a letter to Claude Moraes, chairman of the LIBE Committee of the European Parliament, in which she wrote: “[…] considering the extent and indiscriminate nature of EU PNR data processing for the fight against terrorism and serious crime, the WP 29 believes that it is likely to seriously undermine the rights as set out in … the Charter of Fundamental Rights in the European Union.”
In a report titled Passenger Name Records, data mining & data protection: the need for strong safeguards, Emeritus Professor of International Law at London Metropolitan University Douwe Korff went further to describe PNR as “a new symptom of a much wider disease”. Korff argues that PNR is part of wider bulk data collection programmes such as “Total Information Awareness” and “New Collection Posture” in the US, linked to Edward Snowden’s surveillance revelations.
Korff’s report also quotes a study undertaken by the Max Planck Institute in 2012 at the request of the European Commission, which reportedly found that “there are no indications that compulsory suspicionless (e-communications) data retention has in the last years led to the prevention of any terrorist attack.”
The FRA, Buttarelli, Falque-Pierrotin and other figures have publicly called for hard evidence to support the case for PNR, including statistics and clear data compiled to prove its efficiency.
PNR’s advancement to be decided soon
The proposal’s July 2015 approval gave the rapporteur a mandate to start negotiations with the EU Council of Ministers to agree on the draft directive. Three-way talks, or trialogues, between Parliament, Council and Commission negotiators are expected to start in September.
Meanwhile, a leaked European Commission note from January specifies that fourteen Member States are currently setting up national PNR systems, while “a growing number of Member States are expected to have PNR laws in place in early 2016 when most PNR projects co-funded by the EU under a targeted call will finish.”