In Denmark, there is currently a public consultation for a new draft law which aims at improving the border checks at Denmark’s Schengen borders. Formally, the Schengen Border Code has abolished border checks at EU’s internal borders, but, under Article 21, member states are still allowed to carry out identity checks in the border territory, as long as the process is clearly distinct from systematic checks on persons at the external borders. In practice, this means that only spot checks are allowed at Schengen borders.
The draft law introduces a new legal framework for checking foreigners for illegal residence in Denmark. This part is inspired by Articles 4.17a and 4.17b of the Dutch decree on foreign nationals of 2000 (Vreemdelingenbesluit 2000), as well as a couple of recent judgments from the Court of Justice of the European Union (CJEU) clarifying the Schengen restrictions on identity checks in the border territory (C-188/10, C-189/10 and C-278/12).
Moreover, the Danish police will be allowed to use “intelligence-led policing” methods for improving the efficiency of the border control (identity checks). This involves collecting personal data on citizens passing the border and using that data for profiling and risk assessments of illegal immigration.
For citizens entering Denmark by car, automatic number plate recognition (ANPR) technology will be used. In a report about border control published in October 2014, the Danish Ministry of Justice cited a statement from the European Commission that the Dutch use of ANPR technology for control purposes in the border territory was not inconsistent with the Schengen Border Code.
ANPR will be used for counting the number of foreign motor vehicles entering Denmark (anonymously, it is claimed) for statistical purposes, and during specific time periods, the number plates of all foreign motor vehicles will be retained for further analysis. These number plates will be checked against Europol databases of wanted motor vehicles. It is also possible that the historic travel pattern of an individual motor vehicle will be used for the police analysis, for example the number of times that the motor vehicle has entered Denmark from Germany. A Danish police director has made statements to the media which could suggest that this type of individual profiling will be used. The Danish police is currently in the process of seeking approval of their ANPR plans with the Danish Data Protection Authority, so the specific use of ANPR could change. Barbara Körffer from the Schleswig-Holstein data protection authority (ULD) has expressed her concerns about the Danish ANPR plans in border areas in an interview with a daily newspaper Flensborg Avis on 18 October, as a similar surveillance scheme for Schleswig-Holstein was found unconstitutional in 2008 by the Federal Constitutional Court of Germany (BVerfG), but the preliminary reaction towards the ANPR plans from the Danish Data Protection Authority has been more forthcoming.
Border control at Danish airports for Schengen flights will also be based on data analysis of travellers, and passenger name records (PNR) will be used for that purpose. The draft law amends the Danish Alien Act with a new section that authorises the Minister of Justice to lay down rules for police access to PNR data in booking systems of airlines with flightsfrom other Schengen countries to Denmark.
The commenary of the draft law do not include a precise list of the specific PNR data which can be collected, for how long the PNR data can be retained by the Danish police, or an exhaustive list of purposes for which the PNR data can be processed. The comments only state that the purpose is risk assessment of illegal immigration, and among other things this will be based on information about suspicious ticket purchases and travel routes. It is not entirely clear from the comments of the draft law whether the data analysis will include profiling of individual passengers or just profiling of flights, but since ticket purchases and travel routes of passengers are mentioned specifically, some element of personal data processing is involved in the profiling scheme. Needless to say, the collection of PNR data is also processing of personal data.
In 2006, the Danish Parliament passed two laws granting police direct access to PNR data in the booking systems of airlines for, respectively, external border control (Alien Act) and anti-terror investigations. However, in 2012 the Ministry of Justice concluded that booking systems of airlines were too diverse, and that the planned pull method would not work. Instead, the Ministry of Justice wanted to wait for the adoption of the EU PNR Directive which is based on a push method with a standardised data format.
Against the background of the extensive rights of Danish police with regard passenger data, it is rather astounding that the Danish government now plans to introduce a new pull-method access to PNR data, this time for the purpose of checking (some) Schengen flights for illegal immigration. There are no comments in the draft law about earlier technical problems, or the apparent change of strategy in 2012 to await the possible adoption of the EU PNR Directive and a European-wide push-method system for exchange of PNR data.
The new Danish PNR initiative comes at a time when the PNR issue is becoming a hot topic at the European level. The UK government also wants access to PNR data from other EU Members States, but some are refusing, among them Germany. According to a recent article in the Guardian, the UK government is threatening to impose bans on airlines which refuse to hand over passenger lists in advance for British security screening.
Draft law with amendments of the Alien Act for more effective control in border areas and airports (only in Danish, 07.11.2014)
EDRi-gram: Denmark about to implement a nationwide ANPR system (02.07.2014)
More surveillance at the Danish border, Flensborg Avis (paywall, only in Danish with German summary, 18.10.2014)
German airlines face ban on UK landings without passenger lists, The Guardian (05.11.2014)
(Contribution by Jesper Lund, EDRi-member IT-Pol, Denmark)