What does this cover?
In a statement published this month the European Data Protection Supervisor (the EDPS) advised caution over a proposed EU Passenger Name Record scheme (the PNR).
What is the PNR? The PNR is a proposed directive which the European Parliament states "would oblige airlines to hand EU countries their passengers' data in order to help the authorities to fight terrorism and serious crime". The EDPS has added that the programme would enact "the first large-scale and indiscriminate collection of personal data in the history of the Union. Since it is likely to cover at least all flights to and from the EU and may also involve intra EU and / or domestic flights, millions of non-suspect passengers would potentially be affected by the EU PNR proposal".
When was the PNR proposed? The proposals were created amidst the developments of terrorist activity within the EU and the EDPS advise that "discussions on a possible Passenger Name Record scheme within the EU have been developing since 2007…an agreement is imminent." On 4 December 2015 the European Council issued a press release which confirmed that the PNR Directive compromise text had been approved by the European Parliament.
What are the EDPS's concerns? In its opinion, the EDPS writes that it "urges caution before such a scheme is agreed and recalls that the Court of Justice of the European Union defined a high threshold for the untargeted and indiscriminate collection of data in its decision on the Digital Rights Ireland case, which invalidated the data retention Directive […] to apply the necessity and proportionality test, the evidence justifying the PNR must be made available; so far, it has not been. Such evidence is of course a pre-requisite for its lawfulness and legitimacy."
What are the next steps? The Committee for Civil Liberties, Justice and Home Affairs will soon vote on the PNR proposals, after which the PNR directive will be submitted to the European Parliament and subsequently the European Council for potential adoption. If adopted, the UK will have 2 years to implement the provisions of the directive.
To view the EDPS statement, please click here.
What action could be taken to manage risks that may arise from this development?
None – for interest at present.