After the terrorist attacks at the beginning of this year, ranging from the Charlie Hebdo attack to the most recent train shooting in Northern France, the EU has decided, in response, to revive the debate on adoption of the draft PNR Directive.
The Passenger Name Record (PNR) is unverified data provided by passengers, collected and held by air carriers. The data incudes: names; travel dates; itineraries; seats; baggage; contact details and means of payment.
EU officials believe that PNR data could be used for the prevention, detection, investigation and prosecution of terrorists.
The EU has already signed agreements allowing EU carriers to transfer PNR data to the United States, Australia and Canada.
Considering that many EU countries have already developed their own systems for holding PNR data, European Parliament Civil Liberties (LIBE) Committee rapporteur Timothy Kirkhope believes that ‘with one EU-‐wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-‐called “foreign fighters” has made this system even more essential’.
The current Proposal is an amended version of a proposal presented in 2011.37 The ‘old’ proposal had been rejected by the LIBE Committee because it was considered too invasive. 38 The same Committee approved on 15 July 2015 the amended version of the proposal.
The new PNR rules would apply only for flights outside the EU and would concern air carriers and non-‐carriers such as travel agencies and tour operators. Internal flights between EU Member States are, for the moment, off the table, but some MEPs consider that the idea should be introduced in future discussions.
In the ‘new’ version some provisions have been added, requiring Member States to share the PNR data with each other and with Europol.39
The safeguards inserted in the new proposal include the following requirements:
- Member States' Passenger Information Units (PIUs) would be entitled to process PNR data only for limited purposes, such as identifying a passenger who may be involved in a terrorist offence or serious transnational crime and who requires further examination;
- PIUs would have to appoint a data protection officer to monitor data processing and safeguards and act as a single contact point for passengers with PNR data concerns;
- All processing of PNR data would have to be logged or documented;
- Passengers would have to be clearly and precisely informed about the collection of PNR data and their rights; and
- Stricter conditions would govern any transfer of data to third countries.
Furthermore, having regard to the recent judgment of the Court of Justice,40 in relation to the impact of the proportionality principle, two different limitation periods – five years for terrorism and four years for serious transnational crimes – have been introduced for accessing the data. The full information should be retained for the first 30-‐day period, after that it should be ‘masked out’ for the remaining period.41
After the four-‐five year period, the PNR data should be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the member state concerned).
Despite these new amendments some doubts remain about the impact of PNR data retention on fundamental rights, such as:
- The right to privacy;42
- The right to data protection, especially in the context of the on-‐going reform of the EU data protection framework. 43 The controversies relate -‐ inter alia -‐ to the lengthy period of data retention, the incomplete nature of anonymisation of data, allowing for its easy retrieval, and the transfer of data to third countries;
- The right of non-‐discrimination, with indirect discrimination being more likely than direct discrimination, given the prohibition on processing sensitive data under the proposed Directive;
- The right to free movement. According to the EU Free Movement Directive, 44 Member States may restrict the freedom of movement of EU citizens on grounds of public policy or public security. However, such restrictions need to comply with the principle of proportionality and be based exclusively on the personal conduct of the individual concerned representing a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society. A risk of the breach of this right is highlighted in regard to the possible extension of the EU PNR scheme to intra-‐EU flights.
The European Data Protection Supervisor, Mr Giovanni Buttarelli, has criticised the proposal stating that it is too invasive and is unlikely to stop terrorism.
The trilogue on this matter should begin in September.45 In a resolution voted on 11 February 2015, the EU Parliament has in fact committed itself ‘to work towards the finalisation of an EU PNR directive by the end of the year’.
The difficult balance between national security and citizens’ privacy is a frequent problem that our modern society must face. It is not only the EU that attempts to fight terrorism and crime. The EU Member States are trying to find acceptable solutions in order to protect their citizens.
For instance, the French Senate passed, on 24 June 2015, a new statute allowing the French authorities to monitor and intercept citizens’ communications. On 23 July 2015, the Constitutional Court approved that new law, finding only a few articles contrary to constitutional principles.
Manuel Valls, the French Prime Minister, believes that ‘from now on, France has a security framework against terrorism that respects liberties. It’s decisive progress’.
In France, for wireless phone taps, hidden cameras and microphones there will be no need of a warrant or any type court approval. The new law has now provided for the mandatory consultation of the National Commission for the Control of Intelligence. The recommendations of this Authority are not binding.
The LIBE Committee has raised concerns about the compatibility of some of the French provisions with the EU Treaties.
Mr Buttarelli was also critical of the French law saying that ‘mass surveillance is against values and has no legitimacy in the EU’. He also added that ‘as people become more monitored and more profiled, they risk discrimination in terms of access to services’.