Questions asked about the necessity and proportionality of yet another state scheme authorising the bulk sharing of personal data, and its storage, for risk assessment purposes
– Will the EU get it right this time?
In light of the growing threat posed by Islamic State militants, the question of an EU-wide passenger name record (PNR) system for air travel is riding high on the political agenda. The PNR system was conceived as a compulsory data-sharing measure, under which air carriers hand passenger data to state authorities, aimed at preventing and combating terrorism.
PNR data encompasses not just the passenger's name but many other items of information that air passengers provide voluntarily to their chosen air carrier during the reservation and check-in procedures. These include dates of travel and travel itinerary, ticket information, address and phone numbers, means of payment and credit card number, travel agent, seat number and baggage information.
The European Commission originally presented its proposal for a Directive on the sharing of PNR data (the draft PNR Directive) back in 2011. It sought to impose obligations on air carriers operating flights into or out of an EU Member State. The Directive would require the automatic transmission of PNR data by the carriers to the competent authorities of the relevant EU Member State, for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, where certain conditions were satisfied. Such data may be used in three ways for risk assessment purposes:
- Pro-active purposes: to establish general, objective assessment criteria for which passengers should be subject to additional checks before or upon arrival;
- Real-time purposes: to check the PNR data against such objective assessment criteria prior to the arrival or departure of passengers and against databases of persons and objects sought, to prevent crimes being committed; and/or,
- Re-active purposes: after a crime has been committed to facilitate the investigation, prosecution, and unravelling of criminal networks.
Despite the EU Council of Ministers adopting a general approach on the draft PNR Directive in 2012, the European Parliament blocked the legislative procedure in 2013. Its Civil Liberties, Justice & Home Affairs (LIBE) Committee rejected the proposal because it questioned the adequacy of the safeguards proposed by the Commission regarding privacy and data protection, in particular raising doubts about the necessity and proportionality of the proposed scheme for risk assessment and profiling purposes.
Notably, the European Data Protection Supervisor (EDPS) voiced similar concerns in a 2010 Opinion and a 2011 Opinion, in which he emphasised that any PNR agreement should include effective and directly enforceable rights for the data subject and the supervisory authorities. Furthermore, he indicated that a clear demonstration of the relationship between the use of the data and the result obtained should be required in all circumstances where PNR data is shared. The EU Article 29 Data Protection Working Party (WP) has published similar views on this issue, summarised in its own 2010 Opinion and 2011 Opinion, in which it argued that the systematic collection and analysis of all passengers' data is disproportionate and called for a more balanced approach to the collection and use of PNR data.
If this all sounds familiar to our blog readers, that is not surprising: arguments about necessity and proportionality are recurrent themes, and they echo the criticisms aimed at the now defunct Data Retention Directive (2006/24/EC), annulled by the Court of Justice in April 2014. Like the draft PNR Directive, the Data Retention Directive set rules for the mass sharing of private-sector data about individuals for the purposes of the investigation, detection and prosecution of serious crime by the state. Indeed, only last year the WP published an Opinion on the application of the concepts of necessity and proportionality to data protection in the law enforcement sector, the principles of which apply equally to both Directives. Of course, these concepts have evolved not just in relation to data protection but also in the wider context of the case law of the European Court of Human Rights and the rights enshrined in the Charter of Fundamental Rights of the EU.
Since 2013, while the Council has repeatedly called on the European Parliament to resume negotiations on the draft PNR Directive, many Member States have gone ahead and established their own national systems under new domestic laws (that is, rules that are not necessarily consistent or harmonised across the EU). Separately, a series of international agreements have been concluded and re-negotiated over the years between the EU and third countries (the US, Canada and Australia) under which those countries are permitted to collect and retain the PNR data of EU passengers travelling to and from them. Such agreements, in particular the one between the US and the EU, have been widely criticised by privacy groups and data protection regulators. They have voiced concerns about, inter alia, the practice of bulk transfers, the length of the retention period, and the lack of legal safeguards regarding the purposes for which the data may in practice be processed by third-country authorities.
Fast forward to February this year: spurred on by recent terrorist attacks, the European Parliament adopted a Resolution urging the Commission to seek independent experts' views on the necessity and proportionality of the PNR proposal and to assess the consequences of the Court of Justice of the EU's annulment of the Data Retention Directive in the Digital Rights Ireland judgment. In turn, the Commission sent a letter to the LIBE Committee setting out its position in response to the latter request. It is worth quoting an extract in full:
The ruling … offers useful guidance as concerns other legal instruments of this kind, notably the proposed EU PNR Directive. In the Data Retention judgment, the Court considered that the retention and access by the competent authorities to telecommunication data represents an interference with the right to privacy and the right to protection of personal data set out in articles 7 and 8 of the Charter (points 35 and 36 of the judgment). The Court also stated that, in order to respect article 52 of the Charter, the limitations to the aforementioned rights must be provided for by law, respect the essence of these rights and, subject to the principle of proportionality, must be necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others (point 38). According to the Court, the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation in question and do not exceed the limits of what is necessary in order to achieve those objectives (point 46).
To overcome the outstanding concerns, MEPs have endorsed the following requirements for inclusion in the text of the new Directive, aimed at guaranteeing the lawfulness of any storage, analysis, transfer and use of PNR data:
- National Passenger Information Units (PIUs), set up in each EU Member State to collect PNR data, would be entitled to process PNR data only for limited purposes, such as identifying a passenger who may be involved in an offence and who requires further examination.
- More specifically, the processing of PNR data by PIUs would be limited to the prevention, detection, investigation and prosecution of terrorist offences and of certain types of serious transnational crime. The list approved by MEPs covers trafficking in human beings, sexual exploitation of children, trafficking in drugs, weapons, munitions and explosives, money laundering, and cybercrime.
- Regarding data retention by PIUs, after an initial period of 30 days all elements that could serve to identify a passenger would have to be masked out (a reversible depersonalisation, not irreversible anonymisation). The depersonalised data would then be accessible only to a limited number of PIU staff with security training and clearance, for up to four years in serious transnational crime cases and five years in terrorism cases. At the end of the applicable period the PNR data would have to be permanently deleted, unless the competent authorities are using it in a specific criminal investigation or prosecution, in which case the national law of the EU Member State concerned would govern its retention.
- Each PIU would be required to appoint a data protection officer to act as a single contact point for passengers with PNR data concerns and to ensure that data protection rules are complied with. This includes oversight of the logging of all PNR data processing, as well as ensuring that passengers are given clear and precise information about PNR data collection and their rights.
- Stricter conditions would govern any transfer of data to third countries from the EU.
- The use of sensitive personal data (revealing a person’s race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual orientation), or the transfer of PNR data to private parties, would be prohibited.
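As an added worked example, not part of the original post or of the draft Directive's text, the following Python models the lifecycle of a single PNR record under the rules listed above: sensitive categories refused at ingest, identifying elements masked out after 30 days with the depersonalised data restricted to cleared staff, deletion at the four- or five-year limit unless the data is held for a specific investigation or prosecution, and a log of every processing event for the data protection officer to review. The field names, the role names, the `held_for_proceedings` state and the sample record are assumptions made for the illustration.

```python
"""Model of the PNR retention and access schedule set out in the MEP requirements.

Added illustration only: the draft Directive describes these rules in prose.
Field names, role names and the 'held_for_proceedings' state are assumptions.
"""
from datetime import date, timedelta

# PNR elements that could serve to identify a passenger (assumed list, drawn
# from the PNR elements the post enumerates).
IDENTIFYING_FIELDS = {"name", "address", "phone", "payment_means",
                      "credit_card_number", "travel_agent"}
# Special categories whose use the MEP text would prohibit outright.
SENSITIVE_FIELDS = {"race_or_ethnic_origin", "religion_or_belief",
                    "political_opinion", "trade_union_membership",
                    "health", "sexual_orientation"}
MASK_AFTER = timedelta(days=30)
RETENTION_YEARS = {"terrorism": 5, "serious_transnational_crime": 4}
PIU_ROLES = {"piu_officer", "cleared_analyst"}   # assumed role names
AUDIT_LOG = []                                   # every processing event is recorded

SAMPLE_PNR = {  # constructed sample record, not real passenger data
    "name": "A. Example", "travel_dates": "2015-03-02/2015-03-09",
    "itinerary": "LHR-BRU", "ticket": "TKT-0001",
    "address": "1 Example Street", "phone": "+00 000 0000",
    "payment_means": "card", "credit_card_number": "0000 0000 0000 0000",
    "travel_agent": "Example Travel", "seat": "14C", "baggage": "1 x 20kg",
    "health": "wheelchair assistance",   # sensitive category: refused at ingest
}


def _add_years(d, years):
    """Anniversary of `d` `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def ingest(raw):
    """Accept a carrier's record, dropping sensitive categories before storage."""
    dropped = SENSITIVE_FIELDS.intersection(raw)
    AUDIT_LOG.append(("ingest", sorted(dropped)))
    return {k: v for k, v in raw.items() if k not in SENSITIVE_FIELDS}


def retention_state(collected, today, case_type, under_investigation=False):
    """full -> masked after 30 days -> deleted after 4/5 years, unless held."""
    if today < collected + MASK_AFTER:
        return "full"
    if today < _add_years(collected, RETENTION_YEARS[case_type]):
        return "masked"
    # Past the retention limit, data still needed for a specific investigation
    # or prosecution is governed by national law (modelled here as a hold).
    return "held_for_proceedings" if under_investigation else "deleted"


def view(record, collected, today, role, case_type, under_investigation=False):
    """Return what `role` may see of `record` on `today`; None once deleted."""
    state = retention_state(collected, today, case_type, under_investigation)
    AUDIT_LOG.append(("view", today.isoformat(), role, state))
    if role not in PIU_ROLES:
        raise PermissionError("PNR data is processed only inside the PIU")
    if state == "deleted":
        return None
    if state == "full":
        return dict(record)
    # Depersonalised data: only trained, cleared staff, with identifiers masked.
    if role != "cleared_analyst":
        raise PermissionError("depersonalised PNR data requires security clearance")
    return {k: ("***" if k in IDENTIFYING_FIELDS else v) for k, v in record.items()}


if __name__ == "__main__":
    rec = ingest(SAMPLE_PNR)
    collected = date(2015, 3, 2)
    print(view(rec, collected, date(2015, 3, 10), "piu_officer", "terrorism"))
    print(view(rec, collected, date(2016, 1, 1), "cleared_analyst", "terrorism"))
    print(retention_state(collected, date(2020, 3, 2), "terrorism"))
    print(AUDIT_LOG)
```

The masking step replaces values rather than deleting the fields, which is what makes it reversible: an implementation that wanted true anonymisation would have to discard the identifiers and any key linking back to the carrier's booking record, and the retention clock would then have nothing left to delete.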
The Parliament has also called upon the Council to finalise the data protection legal reform package as soon as possible to provide a sound foundation of coherent data protection standards for the new PNR framework.
The latest news is that the LIBE Committee has adopted a draft report prepared by its rapporteur, who has been given a mandate to open negotiations with the Council to finalise the PNR Directive. Trilogue negotiations are expected to be completed by the end of the year. Will the EU get it right this time?