Danish Defence Intelligence Service will get access to PNR data
Denmark does not take part in the EU Passenger Name Record (PNR) Directive since Denmark has an opt-out from the Justice and Home Affairs (JHA) area of the European Union. Instead, Denmark has a national PNR system which has been developed gradually on the legislative side since 2006. The practical implementation by Danish authorities has not been keeping pace with the political willingness to legislate about PNR, though. Even the basic system for automatic pre-travel checks at external borders with Advance Passenger Information (API), a subset of PNR, has not yet been implemented. This is the case even though this part is based on the API Directive that was transposed into Danish law in 2006. This was noted as an urgent issue of a 2016 EU evaluation of Danish border control under the Schengen acquis (of which Denmark is part).
Despite a 10-year history of stumbling blocks with airline reservations systems and PNR data formats that were more complicated than expected, the Danish Ministry of Justice is now convinced that all technical problems will soon be solved. The current Danish PNR framework is based on a 2015 law where the Danish Customs and Tax Administration (SKAT) receives PNR data from airlines. SKAT uses the PNR data for its own purpose of customs control and functions as a data warehouse for other Danish authorities that have a legal basis for collecting PNR data via SKAT. The automated PNR data exchange between airlines with flights to Denmark and SKAT should be in place by 1 July 2017. At least, this is what SKAT is demanding from airlines. Whether the July deadline for automated data exchange, completely independent of the future EU PNR system, is feasible or not remains to be seen.
One major disadvantage of this technical setup is that the concept of purpose limitation gets blurred. Airlines and their passengers may believe that PNR data is provided to SKAT for customs control, whereas in reality the PNR data is also used for different purposes by other authorities, and new purposes can be added at any time, even retroactively. Currently, the Danish Security and Intelligence Service (PET) can collect PNR data for prevention and prosecution of terrorism offences via SKAT, and two extensions of the PNR access scheme are already in the pipeline. The problems with receiving API data for border control will be handled by giving the Danish National Police access to the SKAT PNR database. A draft law for this, which also includes access to API data for non-systematic intra-Schengen border checks, is currently in consultation.
Much more concerning from a privacy and data protection point of view is the newly proposed law which will give the Danish Defence and Intelligence Service (DDIS) blanket access to the PNR database held by SKAT. Information about Danish citizens is excluded from the DDIS access, but it is very unclear how this distinction will be made for flights within Schengen where the PNR data does not include passport numbers. The comments of the proposed law mention using passenger contact information such as phone numbers and email addresses, which are somewhat unreliable indicators of nationality. For non-Danish citizens, DDIS can use the PNR data for any intelligence purpose directed against conditions abroad. Besides preventing threats against national security (such as terrorism), the comments of the law specifically mention monitoring travel patterns of persons that may act on behalf of foreign states, and even using PNR data to facilitate the recruitment of foreign agents.
The activities of DDIS generally fall under the national security exemption in the EU Treaties, but the Ministry of Defence states that the PNR access by DDIS is subject to EU law. This is rather unusual for processing of personal data by a defence intelligence agency. In the present case of access to PNR data, it raises several data protection issues based on case law from the Court of Justice of the European Union (CJEU) in, in particular, the Schrems judgment and the upcoming ruling on the EU-Canada PNR agreement, where the Advocate General opinion was published on 8 September 2016.
Under Article 52(1) of the Charter of Fundamental Rights of the European Union, any limitation of fundamental rights must respect the essence of these rights, besides the requirement of necessity and proportionality. According to paragraph 95 of Schrems judgment, the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter, includes legal remedies for citizens to have access to personal data about them, and to obtain the rectification or erasure of such data. For Danish citizens and residents in Denmark (Danish persons), some legal remedies exist through the Danish Intelligence Oversight Board (TET). Direct access to personal data held by DDIS is not available, but upon request, TET will check whether personal data about a Danish person is processed unlawfully (called “indirect access” under the Danish law governing DDIS operations). This option is not available for non-Danish persons, so it is highly questionable whether the essence of the fundamental right to effective judicial protection is respected.
The fact that DDIS only gets access to PNR data on non-Danish citizens could be seen as illegal discrimination under EU law. The CJEU ruled that the right to non-discrimination between EU nationals precludes, for the purpose of fighting crime, a system for processing personal data specific to Union citizens who are not nationals of that Member State. Finally, when viewed against the points raised by the Advocate General in the EU-Canada PNR case, there are multiple potential deficiencies in the proposed law giving DDIS access to PNR data. For example, a purpose that includes recruitment of foreign agents is hardly limited to what is strictly necessary. Moreover, for non-Danish persons, there are no limitations on profiling, no independent data protection oversight, and the PNR data can be retained indefinitely without any restrictions on the further transfer of the data to intelligence services in third countries, for example the National Security Agency (NSA) of the United States.
All of these issues were raised in the consultation response on the draft law by EDRi member IT-Pol Denmark. The Ministry of Defence maintains that the proposed law complies with EU law and the Charter of Fundamental Rights. In response to the specific criticism raised by IT-Pol, the Ministry of Defence only notes that the necessary legal remedies exist for non-Danish persons since the Danish constitution allows everyone to sue DDIS in the ordinary courts, and everyone can file a complaint with the Danish Parliamentary Ombudsman. However, it seems very unlikely that the courts or the Ombudsman will be able to examine personal data held by DDIS. The TET staff has special security clearances for this task.
The new PNR law is likely to be swiftly adopted by the Danish Parliament. At the initial public debate in the Parliament on 2 March 2017, there was a sizeable majority in favour of giving DDIS access to PNR data and very limited recognition of the privacy and data protection problems that this law would create for non-Danish citizens if they travel to Denmark by air or transit through Danish airports en route to other destinations.
Council Implementing Decision setting out a recommendation on addressing the deficiencies identified in the 2016 evaluation of Denmark on the application of the Schengen acquis in the field of the management of the external border (28.10.2016)
EDRi: New Danish PNR system will rival the EU PNR Directive (22.04.2015)
Consultation response by IT-Pol Denmark on draft law to give DDIS access to Danish PNR data (only in Danish, 30.01.2017)
Proposed law L 146 on access to PNR data by the Danish Defence Intelligence Agency (only in Danish, 24.02.2017)
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)