As well as Sophie in ‘t Veld reporting on the proposed EU-US PNR Agreement on Monday, Timothy Kirkhope (ECR) presented his draft report on the EU’s own Passenger Name Record regime. The PNR Directive is technical, but it involves a huge amount of data collection on people not suspected of a crime, and the processing of data to create models used to identify unknown criminals. The law poses major questions on data protection, and there are also issues of how necessary and effective the system is, and how much of the costs airlines (and therefore consumers) will bear to pay for the system. I’ll divide this post into outlining and discussing the proposed directive and briefly looking at Kirkhope’s report to the Committee on civil liberties, justice and home affairs.
The PNR Directive.
The proposed PNR Directive (PDF) would introduce a system where a wide range of data gathered by airlines on passengers on flights into and out of the EU would be processed for the purposes of fighting terrorism and serious transnational crime. The data gathered includes the information on passports, flight arrival and departure times and destination, check in status, payment details, address and contact information, frequent flyer information, travel agent, travel itinerary, general remarks (including information on unaccompanied minors and their guardian’s contact details and relationship to the minor), seat number, baggage information, code share information, ticketing field information, and date of reservation/issue of ticket. This data would be collected from everyone on flights into and out of the EU regardless of whether or not they’re suspected of a crime and without distinction to how susceptible an air route is judged to be to use for terrorism of serious transnational crime (also the UK has suggested an amendment for the latter). This raises questions of proportionality.
PNR data is to be used in three different ways: re-actively, in real time, and pro-actively. The re-active use of PNR data is the use of data in the investigation or prosecution of a crime which has already taken place; use of PNR data in real time entails the use of data to arrest or place an individual under surveillance for a crime being committed or about to be committed; and the pro-active use of PNR data is using PNR data to build up criteria against to identify persons worthy of further surveillance or action. “Serious transnational crime” isn’t really harmonised by the Directive – it uses the list of crimes in the European Arrest Warrant, but Member States can decide to exclude some of these crimes from their transposing legislation if they think one is too “minor” – so the Directive can’t even decide what’s a “serious crime”!
The data is transferred by airlines to “Passenger Information Units” (PIUs) that will be set up to process and analyse the data, and alert national law enforcement agencies if necessary. PIUs can be national, or countries can set up joint PIUs if they want to share the costs. (The vast majority of EU Member States don’t have a PNR regime, so this PNR Directive will effectively introduce PNR systems into most Member States for the first time). The data will be retained for 30 days, after which it will be “depersonalised” (identifying data removed, but not deleted so it can still be restored and used) and retained in this masked state for a further 5 years. Data can be kept for longer if it’s used in criminal investigations or prosecutions. 5 years seems disproportionate if the data isn’t being used in an investigation or prosecution – and even the Council’s own legal service has suggested a maximum retention period of 2 years ("Draft Agreement on the Use of Passenger Name Records (PNR), Note for the Attention of Mr Stefano Manservisi Director General, DG Home, European Commission Legal Service, SJ.f(2011)603245, 18/5/2011").
Data subjects (people who own data that is being stored or processed) have rights of access, rectification and erasure, and the National Supervisory Authorities set up under EU data protection legislation (Framework Decision on Data Protection) monitor the PIUs’ use of data and assist data subjects with their requests to exercise their rights. However the purposes for gathering and processing the data is so wide that it’s debateable how much substance there is to these rights. For example, PIUs can use the data for general analysis work and to update and create criteria for “objective assessment criteria” to identify unknown criminals – a very wide purpose to use and process data, so PIUs could probably refuse under the Directive to erase a person’s data even if they aren’t suspected of a crime. Also, this use of objective assessment criteria means that the PNR regime is open to the profiling of individuals by law enforcement authorities, where they might be put under closer scrutiny simply because they happened to match a certain pattern of behaviour. There are no safeguards for independent external review of these objective factors (the National Supervisory Authorities don’t seem to have the power to do so), and nor has there been an assessment of the effectiveness of this method in identifying unknown criminals versus the false identification of innocent people.
There’s also little satisfactory evidence that PNR is necessary or effective for fighting terrorism and serious transnational crime. We already have the Schengen Information System, the Visa Information System and the Carrier’s Directive (Link) permitted the use of a less invasive Advance Passenger Information system in 2004, where airlines would transfer passport information of passengers and flight arrival/destination details (rather than the whole gamut of PNR information) – but there’s been no assessment of the effectiveness of API, or whether changes in it or the other systems could provide a cheaper and less invasive alternative. The main advantage offered by PNR is presumably the detection of unknown criminals. The Commission has used crime statistics to highlight the levels of serious crime and terrorism to establish the need for further security measures to be introduced and it has also used statistics on the of PNR data in drug seizures (see its impact assessment here: PDF) Interestingly, some of these impressive PNR statistics derive from some Member States which do not currently have a national PNR regime! (Like Belgium - PDF).
So PNR faces a lot of questions on several fronts: is it necessary, does it work, are there cheaper and less invasive alternatives? So how does the draft report in the Committee deal with this?
Timothy Kirkhope’s report.
The draft report (PDF) has contains a long list of proposed amendments to the directive (it should be noted that the report is open to amendments from the Committee before it votes on the report as a whole).
Some of these amendments would clarify the scope of the Directive – by stating that it applies to airlines incorporated in the EU and that store data in the EU, and expanding the Directive to include intra-EU flights as well as flights entering and leaving the EU. By including intra-EU flights, there would obviously be a much, much greater amount of data gathered on people. In Committee it was explained that the Commission wanted the Directive to avoid including intra-EU flights so it could test the system out first (the Directive includes provision for a review in 5 years on whether to include intra-EU flights), while Kirkhope countered that gradual introductions of schemes rarely work in his experience. The costs of transferring data to the PIUs would be borne by the airlines, while Member States would pay for the PIUs and their work. Kirkhope said that the estimated costs that would be passed on to consumers in ticket prices would be between 10 to 18 cents.
The report’s amendments insert provisions regulating the transfer of data between Member States to ensure that safeguard standards are maintained and that data is only shared in certain circumstances. There are also new provisions to more extensively regulate the transfer of data to third countries, though the assessment is still left to Member States so there isn’t a common decision on the adequacy of a third country’s data protection standards like there is for internal market matters.
The amendments would also clarify the state of data after the initial 30 day period – the Directive uses the phrases “masked” and “anonymised”. Unfortunately, the draft report decides to simply change the phrasing to a more unified “masked” terminology rather than changing the procedure so identifying data will be deleted after 30 days. Some amendments do aim to strengthen data protection by setting down punishment for data breaches such as demotion, denial of system access, formal reprimands, and removal form duty, as well as an obligation to inform data subjects that might be affected by a data breach. National Supervisory Authorities would be given powers to take disciplinary action against persons responsible for a privacy breach, increasing their powers of independent oversight.
Kirkthorpe believes that the use of a PNR regime is necessary and proportional. While the necessity of the Directive is probably best debated by the Committee and whole Parliament, there are still questions over how proportional the Directive would be even with the report’s amendments, particularly over the targeting (or lack of targeting) of air routes, the oversight of creating and use of objective assessment criteria, and the length of the retention period. It does provide some good improvements to people’s rights to access, rectify and erase their data and makes it easier and more effective to exercise these rights (though the problem of the content of these rights given the wide use of data remains).
I’m very sceptical of the necessity for a PNR system – a lot of the analysis backing up the proposal seems to be based on numbers on the increase of crime together with rhetoric on fighting crime and anecdotal examples of how PNR could be used, rather than an analysis of the benefits of PNR versus the existing EU databases. It seems that we are being asked to accept the creation of a massive information gathering system on trust, and I’m not convinced.