Swedish border control becomes a privacy nightmare for travellers
European citizens are finding that their freedom of travel is being curtailed as more and more Schengen countries introduce temporary border controls in response to the flow of refugees from the Middle East war and conflict zones. Moreover, Sweden and Denmark have passed national legislations which gives train, bus and ship operators the responsibility of checking if their passengers have valid travel documents before they are transported through the border zone where state border guards officially check passports or identification documents. This is similar to the obligations imposed on carriers in the EU Directive 2001/51/EC, except that the new Swedish and Danish obligations apply to passengers transported within the Schengen area.
At the Swedish border, the obligations on transport operators to check IDs of passengers took effect on 4 January 2016. This has disrupted train travel from Copenhagen to Malmö, the main option of public transportation over the Øresund Bridge. At Copenhagen Airport Station, just before the bridge to Malmö, all passengers have to disembark the train and walk through a security checkpoint with ID inspection. After the checkpoint, passengers can board another train which takes them to the official border control on the first Swedish station after the Øresund Bridge, and then onwards to their final destination on the Swedish side of the Øresund Region.
In addition to the general disruption and travel delays for passengers, the ID inspection at Copenhagen Airport railway station has generated a lot of public controversy over privacy since the train operator DSB has decided to take photos of the identity documents presented for inspection at the checkpoint. This information is retained in a central database for up 30 days, and Swedish Police will be granted access to the database upon request, according to a press release from DSB.
Under the new Swedish law, transport operators are subject to a fine of 50000 SEK (about 5500 EUR) for every passenger that is transported to the border without a valid ID unless the operator can document that the ID inspection prior to crossing the border was carried out in accordance with Swedish law. The legal requirements for this documentations are unclear, and this has led DSB to take the radical step of retaining copies of the ID presented for every passenger. DSB is the only public transport operator in the Øresund Region that retains copies of passenger IDs for this documentation purpose.
The legality of the data retention has been questioned by a Danish data protection expert. The processing of personal data takes place in Denmark and is therefore subject to the Danish Data Protection Act. In Denmark, the processing of citizen ID numbers (present on all identity documents) is subject to special requirements similar to those for sensitive personal data, and the legal arguments submitted by lawyers for DSB to the Danish Data Protection Agency do not address this issue. A more general issue is the legal basis for the retention of copies of ID documents in the first place. The DSB lawyers refer to the exemption for “a task carried out in the public interest or in the exercise of official authority vested in the controller” in Article 7(e) of the Data Protection Directive, but the real purpose of the data retention is to avoid the possibility of fines being imposed on DSB for passengers without ID. In any case, there is clearly an issue of proportionality that must be considered here since a central database with pictures and other personal data of citizens, readily accessible by the Swedish Police (and possibly other public authorities), is a significant intrusion.
The Danish government has not yet imposed ID check obligations on transport operators between Germany and Denmark, and such a step would have to be negotiated with the German authorities since the ID check by the private operator takes place in Germany. However, if the Swedish-Danish idea of imposing ID check obligations on private transport operators spreads to other EU countries, it will have huge consequences for the freedom of travel and privacy for European citizens, especially if the private transport operators are pressured into keeping copies of the passenger IDs for their internal “documentation” of the ID checks. A partially privatised border control system along these lines would, in effect, extend the mass surveillance of European air travellers in the PNR (Passenger Name Records) Directive to train, bus and ship passengers on intra-EU cross-border routes.
Questions and answers for the DSB ID check (04.01.2016)
http://www.dsb.dk/kampagner/id-kontrol/id-inspection/
Practical Guide for the Swedish regulation on ID checks, Swedish Police (in Swedish only, 30.12.2015)
https://polisen.se/ImageVault/Images/id_9581/scope_0/filename_/storage_Original/ImageVaultHandler.aspx
DSB press release about the retention of passenger ID copies (in Danish only, 02.01.2016)
http://www.dsb.dk/om-dsb/presse/pressemeddelelser/xxxxx/
DSB has registered passengers in violation of the law, Politiken (in Danish only, 07.01.2016)
http://politiken.dk/indland/ECE3004551/dsb-har-registreret-passagerer-i-strid-med-loven/
(Contribution by Jesper Lund, IT-Pol Denmark)