EDPS criticizes the EU PNR scheme

By EDRi · April 6, 2011

This article is also available in:
Deutsch: [EU-Datenschutzbeauftragter kritisiert EU-PNR-Pläne | http://www.unwatched.org/EDRigram_9.7_EDSB_uebt_Kritik_an_PNR]

Peter Hustinx, the European Data Protection Supervisor (EDPS) issued on 25
March 2011 his opinion on the European Commission’s proposal to oblige
airline carriers to provide EU Member States with personal data (PNR) on
passengers entering or leaving the EU space, with the declared purpose to
fight serious crime and terrorism.

On 2 February 2011, the European Commission made a new proposal for a PNR
Directive, to extend the passenger-tracking systems already in use in the UK
and US to all flights to and from the EU. PNR data may include personal
information such as home addresses, email addresses, mobile phone numbers,
frequent flyer information, and even credit card information.

In the EDPS’ opinion, although the new proposal is an improved version as
compared to the previous document released in 2007, particularly due to the
addition of data protection safeguards, the restriction of the proposal’s
scope and the conditions for PNR data processing under EU data protection
law, it is still unjustified.

The EDPS draws attention to the fact that the Proposal does not meet
“the essential prerequisite to any development of a PNR scheme – i.e.
compliance with necessity and proportionality principles”.

The EDPS emphasizes that the need to collect or store massive amounts of
personal data must be substantiated by a clear demonstration of the
relationship between use and result (necessity principle). Hustinx believes
the proposal and the accompanying Impact Assessment fail to demonstrate the
necessity and the proportionality of a large collection of PNR data for the
purpose of the systematic assessment of all passengers.

The EDPS raises concerns related to the use of PNR data “in a systematic
and indiscriminate way” and believes that the only measure compliant with
data protection requirements would be the use of PNR data on cases when
there is a serious threat established by concrete indicators on a
case-by-case basis.

Hustinx makes a series of recommendations, among which a further limitation
of the proposal’s scope that would exclude minor crimes and the possibility
for Member States to extend its reach. He also questions the
inclusion of serious crimes which have no relation to terrorism.

One recommendation is the limitation of the data retention period to 30
days, except for cases which require further investigation. The data
should be retained in an identifiable form.

The EDPS recommends a higher standard of safeguards, especially in relation
to the data subjects’ rights and transfers to third countries.

While welcoming the fact that sensitive data were not included in the list
of data to be collected, the EDPS still considers the list to be too
extensive and recommends its further reduction in agreement with
the recommendations of the Article 29 Working Party and the EDPS.

Hustinx says that an assessment of the EU PNR system “should be based on
comprehensive data, including the number of persons effectively convicted –
and not only prosecuted – on the basis of the processing of their data.” He
also recommends the assessment of the system “in a broader perspective
including the ongoing general evaluation of all EU instruments in the field
of information exchange management launched by the Commission in January
2010. In particular, the results of the current work on the European
Information Exchange Model expected for 2012 should be taken into
consideration in the assessment of the need for an EU PNR scheme.”

Meanwhile, the UK Home Office has expressed concern over the delay of the
draft PNR Directive and has shown its support for the extension of any
passenger-tracking system to flights between EU countries as well as those
outside EU territory. The House of Lords has recently urged the
Government to opt in to the proposal, ensuring its change to include all
international flights.

EU Passenger Name Record: proposed system fails to meet necessity
requirement, says EDPS (28.03.2011)

Opinion of the European Data Protection Supervisor on the Proposal for a
Directive of the European Parliament and of the Council on the use of
Passenger Name Record data for the prevention, detection, investigation and
prosecution of terrorist offences and serious crime (25.03.2011)

PNR should be deleted after 30 days, says EU privacy watchdog (1.04.2011)

EDRi-gram: Commission’s proposal for PNR Directive fails to impress MEPs