EDPS criticizes the EU PNR scheme
This article is also available in:
Deutsch: EU-Datenschutzbeauftragter kritisiert EU-PNR-Pläne
Peter Hustinx, the European Data Protection Supervisor (EDPS) issued on 25 March 2011 his opinion on the European Commission's proposal to oblige airline carriers to provide EU Member States with personal data (PNR) on passengers entering or leaving the EU space, with the declared purpose to fight serious crime and terrorism.
On 2 February 2011, the European Commission made a new proposal for a PNR Directive, to extend the passenger-tracking systems already in use in the UK and US to all flights to and from the EU. PNR data may include personal information such as home addresses, email addresses, mobile phone numbers, frequent flyer information, and even credit card information.
In the EDPS' opinion, although the new proposal is an improved version as compared to the previous document released in 2007, particularly due to the addition of data protection safeguards, the restriction of the proposal's scope and the conditions for PNR data processing under EU data protection law, it is still unjustified.
The EDPS draws attention to the fact that the Proposal does not meet "the essential prerequisite to any development of a PNR scheme - i.e. compliance with necessity and proportionality principles".
The EDPS emphasizes that the need to collect or store massive amounts of personal data must be substantiated by a clear demonstration of the relationship between use and result (necessity principle). Hustinx believes the proposal and the accompanying Impact Assessment fail to demonstrate the necessity and the proportionality of a large collection of PNR data for the purpose of the systematic assessment of all passengers.
The EDPS raises concerns related to the use of PNR data "in a systematic and indiscriminate way" and believes that the only measure compliant with data protection requirements would be the use of PNR data on cases when there is a serious threat established by concrete indicators on a case-by-case basis.
Hustinx makes a series of recommendations, among which a further limitation of the proposal's scope that would exclude minor crimes and the possibility for Member States to extend its reach. He also questions the inclusion of serious crimes which have no relation to terrorism.
One recommendation is the limitation of the data retention period to 30 days, except for cases which require further investigation. The data should be retained in an identifiable form.
The EDPS recommends a higher standard of safeguards, especially in relation to the data subjects' rights and transfers to third countries.
While welcoming the fact that sensitive data were not included in the list of data to be collected, the EDPS still considers the list to be too extensive and recommends its further reduction in agreement with the recommendations of the Article 29 Working Party and the EDPS.
Hustinx says that an assessment of the EU PNR system "should be based on comprehensive data, including the number of persons effectively convicted - and not only prosecuted - on the basis of the processing of their data." He also recommends the assessment of the system "in a broader perspective including the ongoing general evaluation of all EU instruments in the field of information exchange management launched by the Commission in January 2010. In particular, the results of the current work on the European Information Exchange Model expected for 2012 should be taken into consideration in the assessment of the need for an EU PNR scheme."
Meanwhile, the UK Home Office has expressed concern over the delay of the draft PNR Directive and has shown its support for the extension of any passenger-tracking system to flights between EU countries as well as those outside EU territory. The House of Lords has recently urged the Government to opt in to the proposal, ensuring its change to include all international flights.
EU Passenger Name Record: proposed system fails to meet necessity
requirement, says EDPS (28.03.2011)
Opinion of the European Data Protection Supervisor on the Proposal for a
Directive of the European Parliament and of the Council on the use of
Passenger Name Record data for the prevention, detection, investigation and
prosecution of terrorist offences and serious crime (25.03.2011)
PNR should be deleted after 30 days, says EU privacy watchdog (1.04.2011)
EDRi-gram: Commission's proposal for PNR Directive fails to impress MEPs