The EU Passenger Name Record (PNR) Directive has had a turbulent ride: it was first proposed in 2011 and rejected in 2013 by the Civil Liberties Committee, and discussions were suspended a year later. It was then revived in the aftermath of the Paris and Copenhagen terrorist attacks at the start of 2015 in a bid to address increasing safety and security concerns in Europe. Furthermore, a rise in the number of Europeans travelling to Syria and Iraq to join the Islamic State terrorist group ISIS has increased the pressure on the European Parliament to act. All of this has unfolded alongside the discussions and negotiations which have been taking place over the past four years or so to put a new data protection framework of more general application in place for the EU as a whole.
Background of European Directives and Implementing National Regulations
EU directives, unlike regulations, are not directly applicable in EU Member States. For a directive to become effective, Member States must enact it into their national law, which must then be interpreted in a manner consistent with the relevant directive. Directives set a time limit by which the national law should be in place and, at the end of the national transposition process, Member State governments are required to inform the European Commission as to how they have implemented the directive in question. The European Commission, for its part, verifies on a monthly basis the measures taken by the Member States to incorporate EU directives into their law. Failure by a Member State to notify, or late or poor implementation, may incur financial penalties under the EU Treaties.
PNR data is, in short, unverified data about passengers provided by passengers travelling on a particular mode of transport, and can include a variety of information, such as recent travel history, credit card information, ultimate destination, travel dates, travel itinerary, ticket information, contact details, the travel agent at which the trip was booked, means of payment used, seat number, baggage information, travel routes, computer IP-addresses, and hotel bookings. PNR data is collected by and held in the relevant carriers’ reservation and departure control systems for their own commercial purposes.
The data required is stated in the relevant legislation and is required to be submitted before passengers board the relevant mode of transport. In the context of the PNR Directive, this data is to be collected and used by Member States and Europol to fight terrorism and serious transnational crime and must be used exclusively to prevent, detect, investigate and prosecute these types of crimes.
Draft EU rules on the sharing and protecting of PNR data of passengers flying to or from the EU with a starting point or an end destination outside the EU were approved by the Civil Liberties Committee on 15 July 2015.
Civil Liberties Committee rapporteur Timothy Kirkhope, a British MEP and supporter of the proposed directive on PNR data, has stated that:
“Without this EU system in place a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called ‘foreign fighters’ has made this system even more essential.”
Rules only apply to flights to and from the EU
The draft PNR rules only apply to air carriers and non-carriers such as travel agencies and tour operators operating international flights to or from the EU. Despite Mr. Kirkhope’s efforts to extend the PNR rules to include intra-European flights, in their current form the rules do not apply to intra-EU flights. Some Member States within the EU (including the UK) already collect data similar to that proposed under the draft EU rules and, in this regard, those air carriers operating within those countries already collecting such data are likely to be less affected by the introduction of the proposed PNR Directive.
What data can be collected and retained
The draft PNR Directive contemplates the collection and processing of the PNR data by a Passenger Information Unit (PIU) for the Member State where the flight arrives or departs. There are safeguards set out within the draft EU rules which are outlined below. The PNR data collected by the PIU would then be used for the prevention and detection of terrorism and serious organised crimes.
The use of sensitive personal data (revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual orientation), or the transfer of PNR data to private parties, is, at this stage, not included in the draft PNR Directive.
All PNR data collected by a PIU would be retained by it for an initial period of 30 days. After the 30-day period has elapsed, any information which could serve to identify a passenger would need to be redacted, and the anonymised data can then be held for a further five-year period. Beyond this five-year period, PNR data would have to be permanently deleted, unless it is being used for specific criminal investigations or prosecutions (which would then be regulated by the national law of the Member State concerned).
Use of data – Risk Assessment
PNR data may, under the provisions of the draft PNR Directive, be used in three ways for risk assessment purposes:
- for pro-active purposes to establish general, objective assessment criteria for which passengers should be subject to additional checks before or upon arrival;
- for real-time purposes to check the PNR data against such objective assessment criteria prior to the arrival or departure of passengers and against databases of persons and objects sought, to prevent crimes being committed; and/or
- for re-active purposes after a crime has been committed to facilitate the investigation, prosecution, and unravelling of criminal networks.
Despite the undoubtedly good intentions of the PNR Directive, many industry experts believe it to be far from the finished ‘article’. A series of international agreements have been concluded and re-negotiated over the years between the EU and third countries – the US, Canada, and Australia – under which those countries are permitted to collect and retain PNR data of EU passengers travelling to and from those countries. Such agreements, in particular the one between the US and the EU, have been widely criticised by privacy groups and data protection regulators, and the agreement with Canada is the subject of a legal referral as to its validity by the European Parliament to the European Court. Concerns have been raised about, amongst other things, the practice of bulk transfers, the length of the retention period, as well as the lack of legal safeguards regarding the purposes for which the data may in practice be processed by third country authorities.
EU data privacy chief Giovanni Buttarelli has said that a new law intended to gather detailed information on air passengers is too invasive and is unlikely to stop terrorism, and he believes that it makes more sense to target specific categories of flights, passengers, and countries. Furthermore, civil liberties groups have concerns about the data of all passengers being stored for up to five years on a centralised, searchable database and that this may well run the risk of contradicting EU data retention laws, particularly with regard to the violation of privacy. In this regard, it is worth noting that this year saw the European Court strike down a data retention directive as being out of line with European law because data on individuals was held for periods longer than those acceptable by European standards.
Data protection safeguards
Safeguards inserted by MEPs into the draft text of the PNR Directive include the following requirements:
- PIUs across Member States would be entitled to process PNR data for limited purposes only (e.g. identifying passengers who may be involved in a terrorist offence or serious transnational crime and who require further examination);
- PIUs would have to appoint a data protection officer to monitor data processing and act as a single contact point for passengers with PNR data concerns;
- all processing of PNR data would have to be documented;
- passengers would have to be “clearly and precisely informed” about the collection of PNR data and their rights; and
- stricter conditions would govern any transfer of data to third countries.
The approved text of the rules allows PNR data to be processed “only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime”. MEPs have approved a list of crimes; for example, trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime.
On 15 July 2015, the committee in charge of the proposal at the European Parliament adopted a revised report on the PNR and a mandate to open negotiations with the Council. Negotiations between the institutions on the draft PNR commenced in September 2015.
The latest development in relation to the draft EU Directive is that on 24 September 2015 the European Data Protection Supervisor (EDPS) adopted a second opinion on the EU Directive. Whilst the EDPS acknowledges that Europe faces serious terrorist threats and has to take meaningful action, it considers that there is a lack of information to justify the necessity of an EU PNR scheme involving the large scale, non-targeted and indiscriminate collection of passenger data, that the measures proposed are not proportionate and that there is a lack of full transparency of the conditions of collection, access and use. The EDPS is of the opinion that the draft EU Directive still fails to satisfy the standards of Articles 7, 8 and 52 of the Charter of Fundamental Rights, Article 16 of the Treaty on the Functioning of the EU and Article 8 of the European Convention on Human Rights.