Thursday, 25 April 2013

Draft EU PNR Directive voted down at Committee Stage

The LIBE Committee of the European Parliament has shot down the draft Passenger Name Record Directive by a vote of 30-25, with the Liberal, Green and left-wing groups voting against and the conservative groups for the draft law. The Directive concerned the collection, by law enforcement authorities, of the information passengers give to airlines when booking a flight (the authorities taking the form of national "Passenger Information Units" (PIUs) that would analyse the data and pass on information to other law enforcement authorities). The data would be collected to fight terrorism and serious crime, and the Directive is a key plank of the Commission's counter-terrorism strategy.

I wrote about the PNR Directive at length last year. The information gathered covers everything from the flight to the food you order, so the authorities would be casting a wide net. There would be some rights for people to have their data corrected or deleted, but:

"However the purposes for gathering and processing the data are so wide that it’s debatable how much substance there is to these rights. For example, PIUs can use the data for general analysis work and to update and create criteria for “objective assessment criteria” to identify unknown criminals – a very wide purpose to use and process data, so PIUs could probably refuse under the Directive to erase a person’s data even if they aren’t suspected of a crime. Also, this use of objective assessment criteria means that the PNR regime is open to the profiling of individuals by law enforcement authorities, where they might be put under closer scrutiny simply because they happened to match a certain pattern of behaviour. There are no safeguards for independent external review of these objective factors (the National Supervisory Authorities don’t seem to have the power to do so), and nor has there been an assessment of the effectiveness of this method in identifying unknown criminals versus the false identification of innocent people.

[...]

There’s also little satisfactory evidence that PNR is necessary or effective for fighting terrorism and serious transnational crime. We already have the Schengen Information System, the Visa Information System and the Carrier’s Directive permitted the use of a less invasive Advance Passenger Information system in 2004, where airlines would transfer passport information of passengers and flight arrival/destination details (rather than the whole gamut of PNR information) – but there’s been no assessment of the effectiveness of API, or whether changes in it or the other systems could provide a cheaper and less invasive alternative. The main advantage offered by PNR is presumably the detection of unknown criminals. The Commission has used crime statistics to highlight the levels of serious crime and terrorism to establish the need for further security measures to be introduced and it has also used statistics on the use of PNR data in drug seizures (see its impact assessment). Interestingly, some of these impressive PNR statistics derive from some Member States which do not currently have a national PNR regime! (Like Belgium)."

While the draft parliamentary report (by LIBE rapporteur Timothy Kirkhope [ECR Group]) clarified some issues with the original text, it did little to address the scope of both the data gathered and the purposes for which it could be used. Without further restricting and defining these, it would be very difficult to hold the system to account: most uses of the data would be lawful, and citizens' data rights would have little substance.

The draft Directive could still go to the EP plenary, where the full European Parliament could still pass the law.

1 comment:

  1. The main advantage is that PNR can be collected, analysed and alerts raised before the aircraft has taken off, whilst most API is sent to governments 15 mins after departure. In many cases the aircraft arrives before the API data is checked.

    The PNR data that is sent to governments is limited to 19 elements that are useful for spotting known criminals and people who are on travel patterns that have been identified as potentially risky. It does not include Special Service Requests such as your food preference. Risk assessments are stored so that innocent people who share details with serious criminals are not repeatedly intercepted, which can happen today.

    Personally identifiable data is only visible for a limited time and independent data authorities must inspect the conditions under which it is stored. These government systems are at least as secure as the travel industry global distribution systems that hold the original reservation data.

    The directive allows security authorities to ask the same questions pre-departure that they currently ask on arrival. This increases the chance of identifying serious criminals before they board the aircraft. I think most people would welcome a government service that automates in advance the checks that are undertaken whilst waiting in line at a border control point and reduces the possibility that they are sitting next to a serious criminal on their aircraft.
