Denmark prepares for passenger data exchange with the EU
In 2016, the European Union adopted the Passenger Name Record (PNR) Directive which obliges Member States to collect PNR data on all flights to third countries and exchange this information with other Member States through the Passenger Information Units (PIUs).
In 2016, the European Union adopted the Passenger Name Record (PNR) Directive which obliges Member States to collect PNR data on all flights to third countries and exchange this information with other Member States through the Passenger Information Units (PIUs). Member States can decide to apply the PNR Directive to intra-EU flight as well.
Denmark does not take part in the PNR Directive since Denmark has a general opt-out from EU legislation in the Justice and Home Affairs (JHA) area, except when it builds upon the Schengen acquis. Instead, Denmark has developed a comprehensive PNR system based on national law. The Danish customs authorities collect PNR data from air carriers with flight to or from Denmark, and make this information available to the Danish Security and Intelligence Service (PET) and the Danish Defence Intelligence Service (DDIS). They are, respectively, the domestic and foreign intelligence services of Denmark. PET and DDIS are exempted from the Danish implementation of the General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection (LEDP) Directive 2016/680.
Because of the JHA opt-out, the Danish PNR system is lacking the data exchange option with other Member States. The solution preferred by the Danish government is to seek an agreement with the EU for a Danish “association” to the PNR Directive. In preparation for this, the Danish Parliament will adopt a major revision of the Danish PNR law to make it compatible with the PNR Directive.
The new Danish PNR system follows the structure of the PNR Directive. This means general and indiscriminate retention of PNR data by the PIU and systematic profiling of all passengers, both of which have serious implications for fundamental rights. Citizens can become suspects in criminal investigations or be put on terrorism watch lists because of unusual travel patterns, if they are singled out by the profiling algorithms. The Danish PIU will collect PNR data for all flights, including all intra-EU flights and even domestic flights within Denmark. As in the PNR Directive, the data is retained for five years with depersonalisation of identifying PNR elements after six months. This is not an anonymisation of the data since the PNR data can be de-masked under certain conditions. The PUI will process the collected PNR data for assessing passengers before their scheduled arrival, for responding to duly reasoned requests from competent authorities (police and customs authorities), and for analysing PNR data for the purpose of creating or updating criteria for the passenger assessment.
Compared to the current PNR system, the Danish police will get direct access to the PNR data in the PIU, and there will be more profiling of passengers. This increases the risk that passengers will be incorrectly identified as suspects. In terms of transparency, it will be more difficult for citizens to keep track of which authorities have access to their PNR data. Moreover, despite the claim that the new Danish PNR law is based on the PNR Directive, the intelligence services PET and DDIS, operating completely outside the safeguards of EU data protection law, will keep and, in some cases even extend, their current access to PNR data. This is achieved by a number of extensions of the PNR Directive which effectively embed officers from the intelligence services in the PIU as a “competent authority” with almost unlimited data access.
When the PIU processes PNR data for the intelligence services, the data protection safeguards of the PNR Directive do not apply. The intelligence services can obtain PNR data from the PIU based on the “general relevance” criteria in the Danish intelligence laws. Unlike the competent authorities in the PNR Directive, there is no requirement for a duly reasoned request in specific cases. In principle, this will allow the intelligence services to build complete mirror databases of the PNR data that is collected by the PIU. For DDIS, this can only be done for passengers that are not either Danish citizens or have their permanent residence in Denmark. The broad provisions for data access by the intelligence services also apply to PNR data that has been obtained from PIUs in other Member States through data exchange.
Once the PNR data has been transferred from the PIU to the intelligence services, the personal data can be further processed in accordance with the laws governing the operations of PET and DDIS. Compared to the Danish police and customs authorities, data protection safeguards for PET and DDIS are much weaker since EU law does not apply. PET can process the PNR data for prevention and prosecution of offences under chapters 12 and 13 of the Danish Penal Code (mainly related to terrorism). The data retention period is 15 years, which is significantly longer than the five years of the PIU, and there is no requirement for depersonalisation after six months. Independent data protection oversight is provided by the Danish Intelligence Oversight Board (TET) which has fewer powers than the Danish Data Protection Authority (DPA).
For DDIS, the situation is even worse. DDIS can process PNR data for any foreign intelligence purpose, which even includes profiling passengers for possible recruitment as foreign agents of DDIS. Moreover, the limited data protection safeguards and oversight rules of the DDIS law only apply when DDIS processes personal data on Danish citizens or residents (“Danish persons”). In other cases, including EU citizens that are not Danish residents, the collected data can be retained indefinitely, and there are no restrictions on transfer of personal data to third countries. Moreover, there is no independent data protection oversight since the DDIS remit of TET is limited to processing of personal data for Danish persons. In summary, the Danish PNR law will allow DDIS to systematically collect and process PNR data for non-Danish persons without any oversight, and transfer the collected data to intelligence services in third countries, including the National Security Agency (NSA) of the United States.
In the opinion of the Ministry of Justice, the Danish PNR system is subject to EU law and the Charter of Fundamental Rights of the European Union, even though the PNR Directive is not binding for Denmark. In the explanatory remarks of the draft PNR law, the Ministry of Justice maintains that the Danish PNR system is compatible with the PNR Directive, and even that it fulfils the conditions in the Court of Justice of the European Union (CJEU) opinion 1/15 on the EU-Canada PNR agreement, as the collected PNR data is clearly prescribed by law and there is independent oversight by the Danish DPA. The consultation response by EDRi Member IT-Pol Denmark pointed out that these are just two of seven cumulative requirements in para 232 of the CJEU opinion (judgment). Like the PNR Directive, the Danish PNR law allows for general and indiscriminate retention of PNR data after the passengers have departed from Denmark, and access to the PNR data by competent authorities after arrival of the passengers does not require prior review by a court or an independent administrative body. This is in contravention of two requirements in para 232 of CJEU opinion.
During the legislative debate in Parliament, Members of Parliament asked questions about data protection, the role of the intelligence services in the PNR system and compliance with EU law. The answers by the Ministry of Justice note that national security is exempted from the EU Treaties, and that the issue of access to PNR data by Member States’ intelligence services is not mentioned in the PNR Directive. Furthermore, the Ministry of Justice argues that the transposition of the PNR Directive by some Member States allows access to the PNR data by intelligence and security services. Sweden is mentioned as an example of this. In essence, the Danish government seems to believe that Member States can circumvent the data protection safeguards of the PNR Directive simply by granting access to the PNR data by their intelligence services.
New Danish PNR system will rival the EU PNR Directive (22.04.2015)
https://edri.org/new-danish-pnr-system-will-rival-the-eu-pnr-directive/
Danish Defence Intelligence Service will get access to PNR data (08.03.2017)
https://edri.org/danish-defence-intelligence-service-will-get-access-to-pnr-data/
PNR: EU Court rules that draft EU/Canada air passenger data deal is unacceptable (26.07.2017)
https://edri.org/pnr-eu-court-rules-draft-eu-canada-air-passenger-data-deal-is-unacceptable/
IT-Pol consultation response on the draft PNR law (only in Danish, 22.11.2018)
https://itpol.dk/hoeringssvar/pnr-loven-2018
Proposal for a Danish PNR law (only in Danish, 15.11.2018)
https://www.ft.dk/samling/20181/lovforslag/L107/index.htm
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)