Commission's proposal for PNR Directive fails to impress MEPs

By EDRi · February 9, 2011

This article is also available in:
Deutsch: [Kommissionsvorschlag zu Passagierdaten kann Europaabgeordnete nicht beeindrucken |]

On 2 February 2011, the European Commission released its proposal for a
directive on the use of Passenger Name Records. This would require airlines
flying into and out of the EU to give travellers’ personal information to
national authorities in the Member State of departure or arrival. Such data
includes, for example, home address, mobile phone number, frequent flier
information, email address and credit card information.

The document is a follow up to the proposal for PNR in 2007, for which the
European Parliament, led by rapporteur Sophia in’t Veld (ALDE, Netherlands),
requested from the Commission, particularly in terms of better
justifications regarding the measure’s supposed necessity and

With a number of databases related to travellers already in
existence, such as the Schengen Information System (SIS), the Visa
Information System (VIS) and the Advanced Passenger Information system
(API), many members of European Parliament were and are sceptical about the
necessity of a Passenger Name Record regime.

The scope of the purpose of PNR is widened. Whereas, in the 2007 document,
the purposes were preventing and combating terrorist offences and
organised crime, now it extends to “serious crimes” (defined as offences
which call for a minimum prison sentence of 3 years). As these crimes are
not specified, there is, by definition, no way of assessing the necessity
and proportionality of all crimes that could be covered by this wording.

The processing of the PNR data outlined in Article 4 stipulates that the
Passenger Information Unit (PIU -the body responsible for the storage and
management of PNR databases), can use the data for profiling purposes, an
issue that has been highly criticised in Parliament. The data can also
be compared with other “relevant” databases, while not making clear which
databases will be accessed by Member States. PIUs will also be obliged to
hand over PNR data at the request of the competent authorities in Member
States. Finally, the document proposes using the data to update and create
new profiling criteria.

The document indicates that it will “mask” some pieces of data after 30 days
of storage. The data is, however, not anonymised – instead, a certain amount
of data is “masked” with no actual anonymisation. These pieces of
information can be easily re-personalised and, in fact, access to the full
PNR data is always available to the Head of the PIU, “where it could be
reasonably believed that it is necessary to carry out an investigation and
in response to a specific and actual threat or risk or a specific
investigation or prosecution.”

Furthermore, considering the list of PNR data to be collected, there are a
number of personally identifiable information that will not be “masked”,
such as billing information (including credit card numbers).

The document also prohibits the collection, storage and processing of
“sensitive data”, defined in the proposal as “any personal data that could
reveal racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership or data concerning health or
sexual life of the individual concerned”. In the same paragraph however, it
states the PNR data “should contain details on the passenger’s reservation
and travel itinerary”, which include special meal requests which can
indicate religious orientation; special service requests that can indicate
disabilities or specific medical conditions and billing and contact

MEP Sophia in’t Veld seems pleased with the document, saying, “we will
closely scrutinise the proposals, but at first glance there is a substantial
improvement compared to the previous proposals”. However, she did indicate
that better justification of the necessity of collecting PNR data remains,
and that Parliament needs the facts and figures before they can make a well
founded decision.

Other members of the European Parliament are not so optimistic. EPP member
Manfred Weber (Germany) is sceptical of the necessity of PNR, saying, “there
are deficits in the usage of current data. So why should we collect even
more mass data?”

“The EU-US PNR agreement is already bad enough”, stated German Greens member
Jan Albrecht. “The last thing we need to do in Europe is to copy this model,
which infringes on the civil liberties of EU citizens.”

Claude Moraes (S&D, UK) has concerns about the Commission’s proposal to
profile individuals and indiscriminately collect personal data, calling on
Commissioner Malmström to “urgently come before the European Parliament and
to provide precise evidence that massively collecting air travellers’ data
is an effective and necessary way to prevent terrorists from flying to and
from Europe.”

Commissioner Malmström is likely to meet with the LIBE committee in the next
few weeks to discuss the contentious elements of the proposal. The entire
negotiation process in the Council and the Parliament is expected to
take around two years.

Proposal for a Directive on the use of Passenger Name Record data for the
prevention, detection, investigation and prosecution of terrorist offences
and serious crime (2.02.2011)

ALDE press release: EP insists on proof of proportionality of data transfer

Proposal for a Council Framework Decision on the use of Passenger Name
Record (PNR) for law enforcement purposes (6.11.2007)

EU proposal for passenger data to fight serious crime and terrorism

Commission PNR FAQ (2.02.2011)

EU to collect data of international air travellers (1.02.2011)

“Does the EU need to collect all air travellers’ data?”, ask S&D (2.02.2011)

Greens press release: Passenger data (PNR): Commission proposes system for
retaining passenger data based on spurious security grounds

(contribution by Raegan MacDonald – EDRi)