Draft EU rules on sharing and protecting Passenger Name Record (PNR) data of people flying to or from the EU, were approved by the Civil Liberties Committee on 15 July 2015. Once passed into law, this data will be collected and used by member states and Europol to fight terrorism and serious transnational crime and must be used exclusively to prevent, detect, investigate and prosecute these crimes. 32 Members of the European Parliament (MEP) voted in favor and 27 voted against the bill.
Mr. Timothy Kirkhope, a British MEP and champion of the proposed directive on PNR data, has stated that:
“Without this EU system in place a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called ‘foreign fighters’ has made this system even more essential.”
Rules Only Apply to Flights to and from EU
The draft PNR rules will only apply to air carriers and non-carriers such as travel agencies and tour operators operating international flights to or from the EU. Despite Mr. Kirkhope’s efforts to extend the PNR rules to include intra EU flights, in their current form the rules would not apply to intra EU flights.
Mr. Kirkhope has told EurActiv, however, that trialogue talks could bring back PNR collection for intra EU flights, saying: “In trialogue, I have no doubt that there are interests, particularly the Commission, and probably the Council, who would want intra [EU flights to be included].”
What Data Can Be Collected
Amongst the 60 different categories of PNR data that can be collected are: contact information, travel routes, computer IP-addresses, hotel bookings and credit card information.
Data Protection Safeguards
Safeguards inserted by MEPs into the draft text include the following requirements:
- Passenger Information Unit (PIUs) across member states would be entitled to process PNR data for limited purposes only (e.g. identifying passengers who may be involved in a terrorist offence or serious transnational crime and who require further examination);
- PIUs would have to appoint a data protection officer to monitor data processing and act as a single contact point for passengers with PNR data concerns;
- All processing of PNR data would have to be documented;
- Passengers would have to be “clearly and precisely informed” about the collection of PNR data and their rights; and
- Stricter conditions would govern any transfer of data to third countries.
PNR personal data can be stored for an initial period of 30 days. After this, all data which could serve to identify a passenger would have to be “masked out”. This “masked out” data would only be accessible to a limited number of staff from PIUs, with security training and clearance, and retained for a maximum of five years for terrorism cases.
Beyond five years, PNR data would have to be permanently deleted, unless it is being used for specific criminal investigations or prosecutions (which would then be regulated by the national law of the member state concerned).
The approved text of the rules allow PNR data to be processed “only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime”. MEPs have approved a list of crimes; for example, trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime.
Following this positive vote, negotiations can now commence with the EU Council of Ministers to agree the proposed directive. Three-way negotiations with the European Parliament, Council and Commission (in what is known as the “trialogue process”) should start soon. And lastly, as to timing for the finalization of the rules, Mr. Kirkhope has confirmed that: “We will now open talks with national governments with a view to reaching a final agreement before the end of the year”.
This was always going to be a bill which divided opinions amongst security protagonists and those who are concerned about what many regard as the increasing legislative intrusions into citizens’ privacy. The legislators have a difficult task in trying to balance these concerns, and the measure of their success – primarily the prevention of security incidents - is often hard to assess. There is no doubt, however, that this is a piece of legislation which will need to be carefully policed and a strong and independent auditor appointed to monitor and audit the various authorities which collect the data in order to ensure that the legislation is adhered to.