EU PNR

Written by Sofija Voronova

Since the Paris attacks of January 2015, the issue of the EU PNR data collection system has been high on the political agenda as one of the measures to prevent and combat terrorism. The European Commission presented its proposal for a Directive on the use of Passenger Name Record data on 2.2.2011 and the Council adopted its general approach in April 2012. But the legislative procedure has been blocked so far, as the LIBE Committee rejected the proposal in April 2013, questioning its necessity and proportionality. The file was then referred back to the Committee and the Council has repeatedly called on the European Parliament to resume negotiations, especially in the light of the growing threat posed by the phenomenon of foreign fighters . In the meantime, a growing number of Member States have been establishing national PNR systems on the basis of domestic law. One of the arguments in favour of adopting EU legislation is to avoid having 28 different systems and to harmonise rules, namely in the area of the data protection. On the other hand, critics say that the current proposal does not contain enough safeguards regarding fundamental rights and privacy concerns. While the Commission is examining the options to achieve a workable compromise on the PNR proposal, the situation is evolving quickly. At its February plenary, the European Parliament adopted a resolution announcing that it will restart its work on the PNR proposal and calling on the Council to make progress on the Data Protection package, in order to guarantee that the new PNR framework is based on coherent data protection standards. Soon afterwards, the rapporteur Timothy Kirkhope published his revised draft report, which was discussed at the LIBE Committee meeting on 26 February. Following that debate and on the request of Members of the Committee, the European Commission has sent to LIBE a letter explaining its position on the implications of the Data Retention Directive annulment for the EU PNR proposal. Legislative work is expected to be completed by the end of the year 2015.

Overviews

EU Passenger Name Record (PNR) proposal: what’s at stake / European Parliament, background note, 26 January 2015
Background note from the European Parliament press service containing basic information about the EU PNR proposal and presenting the state of play.

ECR Group – Passenger Name Records – what does it mean? / Interview with Timothy Kirkhope on vieuws.eu, 15 January 2015, length: 5:35 min
A short video in which Timothy Kirkhope, the ECR MEP leading the proposal through the European Parliament explains what PNR is about and why we need an EU PNR system.

EU Passenger Name Record (PNR) – Frequently Asked Questions / European Commission, MEMO/11/60, 2 February 2011
European Commission Memo on EU PNR, presenting the background and the aim of the proposal, the possible functioning of the system, as well as the safeguards foreseen to protect personal data.

EU institutional views

European Parliament resolution on anti-terrorism measures / EP resolution No 2015/2530(RSP), P8_TA(2015)0032, 11 February 2015, point 13
In this resolution, the European Parliament announce its willingness to pursue negotiations on the EU PNR proposal, in parallel to the negotiations on the Data Protection package.

Proposal for a directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime / European Commission, COM(2011) 32 final, 2 February 2011
Communication from the Commission presenting the proposal on the use of PNR data for law enforcement purposes.

Regulating the use of passenger name record data / Council of the European Union, policy page on Passenger name record data
This Council policy page contains general information on the PNR proposal, explaining why the proposal is necessary and giving a few details about it. It also contains a link to the Council general approach, adopted in April 2012.

Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime / Official Journal of the European Union, 2011/C 181/02, 25 March 2011
In 2011, the EDPS issued a critical opinion on the proposal, noting that it does not comply with necessity and proportionality principles and that the use of the PNR data in a systematic and indiscriminate way, with regard to all passengers, raises specific concerns. In a speech given at the joint debate on counter-terrorism during the LIBE Committee meeting of 27 January 2015, the new European Data Protection Supervisor, Giovanni Buttarelli, expresses his doubts whether a massive, non-targeted and indiscriminate collection of data of individuals is really needed and offers his help to find effective security solutions while minimising impact on individual rights and freedoms.

Opinion of the European Union Agency for Fundamental Rights on the Proposal for a Directive on the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime / FRA Opinion – 1/2011, 14 June 2011
In its 2011 opinion, the Fundamental Rights Agency states that the necessity and proportionality of the PNR system would need to be demonstrated, advocates the introduction of anti-discrimination safeguards and suggests limiting the EU PNR system to serious transnational crime. In 2014, on the demand of the European Commission, FRA also published a practical guide on the processing of PNR data for Member States introducing their own national PNR system. More recently, the Agency came back to the PNR issue in its 2015 publication on Embedding fundamental rights in the security agenda, while its director Morten Kjaerum adressed the LIBE Committee during the joint debate on counter-terrorism of 27 January 2015, recalling the inherent fundamental rights risks of any PNR system and the need for the EU legislator to assess carefully the proportionality and necessity of the proposal.

Opinion 10/2011 on the proposal for a Directive of the European Parliament and of the Council on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime / Article 29 Data Protection Working Party, 00664/11/EN – WP 181, 5 April 2011
In 2011, the WP 29 considered that the necessity of an EU PNR system had still to be proved and that the measures proposed were not in line with proportionality principle, especially as the proposal foresaw the collection and retention of all data on all travellers on all flights. In June 2012, the WP adressed a letter to the chairman of the LIBE Committee, reiterating some of its main concerns about the proposal. In the light of the recent events, the WP 29 issued a press release on 5 February 2015, indicating that if an EU PNR scheme proves to be necessary, it should provide sufficient data protection safeguards. On 19 March 2015, the WP expressed its views on the revised draft report by T.Kirkhope in another letter to LIBE, pointing to the problematic aspects and suggesting to introduce a sunset clause into the directive.

Opinion of the European Economic and Social Committee on the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime / Official Journal of the European Union, 2011/C 218/20, 5 May 2011
In its opinion, the EESC expresses some reservations on the proposal and voices its concern about privacy and fundamental rights issues. It feels a centralised system would still be better than a decentralised Member State-based option.

Stakeholder views

In favour

Joint letter to the European Parliament / International Air Transport Association (IATA) and Association of European Airlines (AEA), September 2014
In this letter, the IATA and the AEA urge the European Parliament to rapidly reach an agreement on an EU PNR system, observing that airlines are already confronted with PNR data requests from Member States’ authorities and from more than 15 non-EU countries.

Ensuring secure aviation while minimising the hassle for passengers / Association of European Airlines (AEA) position on security, 6 August 2014
In its position, the AEA supports the introduction of an EU PNR framework to avoid discrepancies between different national provisions.

Airline Perspective on Handling Data Protection Considerations / presentation at the 2nd European API-PNR Day, Lufthansa Group, 13 October 2014
The presentation highlights the difficult situation of the EU air carriers confronted to the requests for PNR data from governments in the absence of any legal framework. While pointing to the urgent need for a legal solution, EU air carriers call not to include intra-EU flights in the provisions for PNR data collection, given the freedom of movement principle applying within the Shenghen zone, the heavy costs for EU airlines and the unfavourable competitive position it would create for them compared to other transportation modes.

Statement by the President of the United Nations Security Council, 19 November 2014
In its statement, the UNSCR encourages the MS to provide Passenger Name Records.

Against

Proposal for a Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime / European Digital Rights (EDRi) comments on the EU PNR proposal, 2012
EDRi regrets that the PNR proposal is discussed before the revision of the Data Protection framework and the Data Retention Directive is completed and recommends the rejection of the proposed Directive. EDRi has also analysed the proposed EU PNR system in a booklet on EU surveillance (see pages 6-8). More recently, after the publication of the revised draft proposal by the EP rapporteur, EDRi sent a letter to the LIBE Committee members and issued a brief note, voicing its concerns and namely pointing to the freedom of movement infringement linked to the proposed inclusion of the intra-EU flights, while calling on MEPs not to make a similar mistake as with the adoption of the Data Retention directive in 2006 and to reject the proposal again.

Meijers Committee opinion, June 2011
In its opinion, the Meijers Committee considers that the EU PNR proposal fails to demonstrate its necessity and added value, points to the risks of violation of the rights to non-discrimination, privacy and data protection, as well as to the freedom of movement, and calls for the withdrawal of the proposed directive.

Common position of ECTAA and GEBTA on the proposal for a Directive on the use of PNR against terrorist offences and serious crime / The European travel agents’ and tour operators’ associations (ECTAA) and Guild of European, Business Travel Agents (GEBTA), 29 March 2011
In this common position paper, the ECTAA and the GEBTA raise concerns on many points of the proposed PNR directive. Moreover, in its 2012/2013 activity report, published in November 2013, the ECTAA supports the rejection of the proposal.

Analysis

Counter-terrorism perspective

The EU Counter-Terrorism Policy Responses to the Attacks in Paris: Towards an EU Security and Liberty Agenda / D. Bigo, E. Brouwer, S. Carrera, E. Guild, E-P. Guittet, J. Jeandesboz, F. Ragazzi , A. Scherrer, CEPS Paper in Liberty and Security in Europe No. 81, February 2015
This paper examines the EU counterterrorism policy responses to the attacks in Paris, 7-9 January 2015. It provides an overview of the main EU-level initiatives discussed at the informal European Council meeting of 12 February 2015. The paper argues that a majority of these proposals that had been put forward in the weeks following the events predated the Paris shootings and had until that point proven contentious as regards their efficacy, legitimacy and lawfulness. A case in point is the EU Passenger Name Record (PNR) proposal. The paper finds that EU counterterrorism policy responses to the Paris attacks raise two fundamental challenges, first to the freedom of movement, Schengen and Union citizenship and second, to EU democratic rule of law.

Fundamental rights perspective

The new profiling: algorithms, black boxes, and the failure of anti-discriminatory safeguards in the European Union / Matthias Leese, in Security Dialogue 2014, Vol. 45(5), p. 494–511
Leese argues that with increasingly large databases and computational power, profiling as a key part of security governance is undergoing major change. Using the European level efforts for the establishment of a Passenger Name Record (PNR) system as an example, the author finds that with pattern-based categorisations in data-driven profiling, safeguards such as the Charter of Fundamental Rights of the European Union or the EU data protection framework essentially lose their applicability, leading to a diminishing role of the tools of the anti-discrimination framework.

Digital security governance and accountability in Europe: ethical dilemmas in terrorism risk management / Quirine Eijkman, in Journal of Politics and Law, Vol. 6, No. 4, 2013, p. 35-45
This article focuses on digital security governance in the context of the Passenger Name Record (PNR), the Advance Passenger Information (API) and the Terrorist Finance Tracking System (TFTP) programmes. It considers in particular the ethical dilemmas of using and sharing digital personal data as well as accountability for this type of risk management.

European ‘smart’ surveillance: What’s at stake for data protection, privacy and non-discrimination? / Mathias Vermeulen, Rocco Bellanova, in Security and Human Rights, Vol. 23, no.4, 2013, p. 297–311
This article tackles the rise of smart surveillance in the European Union (EU). It introduces some of the main characteristics of smart surveillance systems, and analyses two sets of projects: a series of EU-funded research projects on smart CCTV systems, and a legislative proposal to set up an EU-wide security measure relying on passenger information. The article identifies the most important features of these projects, and assesses their potential impact in terms of privacy, data protection and non-discrimination.

Proposal for a Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime / Marie Hynes, Statewatch analysis, 2011
This paper gives the background and the details of the proposed PNR Directive, warning against the systematic collection of passenger data and questioning the necessity and the proportionality of the proposal.

Situation at the MS level

Commission’s call for proposal

Action grants 2012 – Targeted call for proposals – Law enforcement cooperation through measures to set up Passenger Information Units in Member States for the collection, processing, analysis and exchange of Passenger Name Record (PNR) data / European Commission, January 2013
Call for proposals launched by the European Commission under its 2007-2013 programme “Prevention of and Fight against Crime” (ISEC) to help interested Member States to set up their Passenger Information Units. 14 countries benefited from the funding available (50 million euros).

Call for proposals 2014 – Law enforcement information exchange / European Commission, November 2014
Call for proposals launched under the new Internal Security Fund (ISF) Police with the aim of financing PNR data exchange between Member States.

Commission makes €50 million available for the development of “big brother” PNR databases – before legislation has even been agreed / Statewatch, January 2013.
Critical view on the EC financing the establishment of Passenger Information Units (PIUs) for PNR data collection in MS under the ISEC program. In a more recent article, Statewatch gives updated information on the outcome of the call for proposals.

United Kingdom

Immigration, Asylum and Nationality Act 2006
The IAN Act 2006 created new passenger, crew, service and freight data acquisition powers for the police, and extended and enhanced the powers of the Border and Immigration Agency and Her Majesty’s Revenue and Customs (HMRC) to require this type of data in advance of arrival. It also introduced a duty requiring the effective sharing of this information between the border agencies. The information sharing is governed by a Code of Practice, established under section 37 of the IAN Act 2006, which details how the legislative framework is to be implemented, how personal information is used and the safeguards for the use of the data collected.

‘Exporting the border’? An inspection of e-Borders / John Vine, Independent Chief Inspector of Borders and Immigration, October 2012 – March 2013, pp. 16-21
Report from the inspection of the e-borders program, presenting its functioning and results and containing a chapter on passenger data collection.

e-Borders: Friends of Presidency Group meeting Brussels / Presentation by T. Rymer, Head of Joint Border Operations Centre Border & Immigration Agency, March 2008, pp. 27−33
Presentation giving an overview of how the PNR data collection system is working in UK, under its e-Borders program, and some examples of its successful use.

Denmark

The Aliens Act 2006 foresees a possibility for the police to access airline booking systems for illegal immigration control puposes, while under Air Navigation Act (article 148a) as modified under the Anti-Terrorism Package II, the airline companies are required to register and retain certain passenger data for one year, and to grant Danish Security and Intelligence Service (PET) access to this information without a court order for the purposes of fighting terrorism.

Denmark plans to use PNR data for increased Schengen border control / EDRi article, 19 November 2014
This article warns against Danish plans to adopt a new law, which would extend the possibility to use PNR data for the purpose of illegal immigration control to intra-Schengen flights. See the draft law with amendments of the Alien Act for more effective control in border areas and airports (in Danish).

Belgium

Flux d’informations opérationnelles au sein des aéroports / Rapport complémentaire du Comité permanent de contrôle des services de police, 2012
Selon ce rapport, en Belgique, les données PNR sont actuellement analysées manuellement, à des fins de profilage, par la Police judiciaire fédérale (PJF/DR Airport) dans le cadre des enquêtes réactives ou proactives (notamment, en lien avec le traffic de drogues).

France

Loi n° 2006-64 du 23 janvier 2006 relative à la lutte contre le terrorisme et portant dispositions diverses relatives à la sécurité et aux contrôles frontaliers – Chapitre III : Dispositions relatives aux traitements automatisés de données à caractère personnel – Article 7
La loi de 2006 sur la lutte anti-terroriste impose aux transporteurs aériens l’obligation de receuillir et de transmettre aux services du ministère de l’intérieur les données des passagers (aussi bien les données API que PNR).

LOI n° 2013-1168 du 18 décembre 2013 relative à la programmation militaire pour les années 2014 à 2019 et portant diverses dispositions concernant la défense et la sécurité nationale – Chapitre III : Dispositions relatives au renseignement – Article 17
Loi autorisant la collecte de données PNR, à des fins de lutte contre le terrorisme et un certain nombre d’autres infractions, comme des atteintes aux intérêts fondamentaux de la Nation, sur l’ensemble des vols aériens, à l’exception des vols en France métropolitaine. La mise en œuvre concrète de ce traitement automatisé de données appelé “système API-PNR France” est régie par le décret d’application n° 2014-1095 du 26 septembre 2014, qui s’applique à partir du 1er janvier 2015.

The French API/PNR PIU project / Presentation by Mission PNR during the 2nd European API-PNR Day, 13 October 2014, Paris
Presentation explaining the functionning of the future French PIU and API/PNR system.

Données des passagers aériens: la France crée son propre fichier / Louise Fessard, 19 décembre 2013
Article critique sur la loi de programmation militaire et la création prévue de la plateforme de collecte des données de réservation (PNR) et d’enregistrement (API).

Sweden

Police Act (section 25) allows police authorities access to passenger data, such as a person’s name and details about his route, luggage, travelling companions and how his ticket was booked and paid for, when these are believed to be of importance in the fight against crime.

Authorities waiting for EU PNR Directive to upgrade passenger surveillance systems / Statewatch, 19 February 2015
Article explaining that Sweden has still not set up any digital database and is collecting passenger information from airlines by fax or in person.

Spain

Spain to monitor all passenger flight data to identify jihadists / El Pais, 8 Jan 2015
Article explaining the Spanish government plans to create PNR database as well as the context on the EU level.

El PP da el primer paso para regular el fichero de viajeros en aviones con una enmienda a la Ley de Seguridad Ciudadana / Thomson Reuters Aranzadi, 18 February 2015
Article on the new security bill being currently adopted by Spain, which contains a provision on PNR data use, as a legislative basis to the setting up of its PIU, foreseen for January 2016.