New Danish PNR system will rival the EU PNR Directive
For the second time in the parliamentary year 2014-15, the Danish government has made a legislative proposal for increased access to Passenger Name Records (PNR). The draft law, currently in public consultation, also sheds new light on the use of PNR data by Danish customs authorities. So far, the PNR discussion in Europe has mainly focused on police and intelligence services.
The main purpose of the new law is to give the Danish Security and Intelligence Service (PET) access to PNR data collected by the Danish Customs and Tax Administration (SKAT). Under Section 17 of the Danish Customs Act, SKAT can collect passenger information from airlines. Currently, SKAT is collecting all nineteen PNR elements in the Annex of the proposed PNR Directive, except the Advance Passenger Information (API) data in item 18. The new law will amend Section 17 so that SKAT has a legal basis to collect PNR data from airlines for itself as well as for the PET, and this can be done even if SKAT does not need the specific PNR data for its own operations.
The amended Section 17 will make it mandatory for airlines with flights to and from Denmark to provide PNR data (all 19 elements in the Annex, if available) to SKAT, which can use the data for customs purposes and share the data with PET for an entirely different purpose, namely prevention and prosecution of offences under Chapters 12 and 13 of the Danish Penal Code (mainly related to terrorism). Moreover, airlines will be required to provide the data in digital form to a new IT system under development by SKAT. The PNR data can be retained for up to two years by SKAT.
From the comments of the draft law, it appears that SKAT is already collecting PNR data from all airlines with flights to and from Denmark, including intra-EU flights. This is either done through information received from airlines on paper forms or direct access to booking systems. No airlines are named in the comments of the draft law, but a Danish Institute for International Studies (DIIS) report from 2011 about counter-terrorism in Denmark since 9/11 mentions that Scandinavian Airlines is giving SKAT free access to their database for customs control. SKAT is using the PNR information to actively profile all passengers, so that targeted customs checks can be performed at the gate before passengers leave the plane. The main objective is to find passengers smuggling narcotics and other illegal goods. The new IT system and mandatory digital transmission of PNR data will expand and streamline the PNR profiling done by SKAT.
Moreover, PET gets direct access to the PNR data collected by SKAT. PET is exempted from the Danish Data Protection Act, and PET can generally collect any information unless it can be completely ruled out beforehand that the information will be irrelevant to PET. This extremely vague criterion also applies to PNR data obtained from SKAT. PET can process the PNR data for as long as PET believes that the data is relevant for possible terrorist offences. This includes profiling of citizens’ travel patterns and data mining for unknown terrorist suspects. PET can also share the PNR data with the Danish Defence Intelligence Service (DDIS), and since DDIS is completely free to exchange data with other intelligence services, European PNR data collected by Danish customs authorities could end up in the hands of the United States National Security Agency (NSA).
The joint PNR operation of SKAT and PET is described as the Danish PNR system, and it shares many similarities with the highly controversial proposed EU PNR Directive. Currently, Denmark will not automatically be covered by the proposed EU PNR Directive due to an opt-out from EU Justice and Home Affairs (JHA) legislation, but this is likely to change in 2016 after a referendum on the JHA opt-out. The Danish government strongly supports adoption of the PNR Directive, but the excessive Danish PNR demands go much further than the PNR Directive; this indicates that the special Danish PNR system is meant to co-exist along with the EU PNR system.
For European citizens, the Danish PNR plans should be a cause for concern. The data protection safeguards of the proposed PNR Directive are quite weak, but they are even weaker in the Danish PNR system. For example, there is no right to access or rectification for PNR data held by PET. Furthermore, there is no maximum retention period or limitation on use for PNR data held by PET. The use of PNR data for customs profiling (by SKAT) is clearly incompatible with the principle of purpose limitation.
The draft law contains an interesting discussion of whether a national PNR law is subject to the EU Charter of Fundamental Rights. The Danish government argues that this is the case because the national PNR law regulates the freedom to provide services in the EU, which is guaranteed by Article 56 of the Treaty on the Functioning of the EU. The comments also mention the data retention judgment by the Court of Justice of the European Union (CJEU). However, the Danish government argues that the blanket collection of PNR data is much more limited in scope, and of a different character, than telecom metadata, and accordingly, the PNR provisions are necessary and proportionate. With respect to the legal basis in the Data Protection Directive 1995/46/EC, the proposed Danish PNR system relies on a combination of the public interest exemption in Article 7(e) for the initial collection by SKAT from airlines, and the general national security exemption for the subsequent data transfer to PET.
Draft law to amend the Customs Act and PET Act with PNR provisions (only in Danish, 10.04.2015)
Procedure file for 2011/0023(COD), EU PNR Directive
EDRi-gram: Denmark plans to use PNR data for increased Schengen border control (19.11.2014)
Counter-terrorism in Denmark since 11 September 2001, Danish Institute for International Studies, DIIS REPORT 2011:12 (only in Danish, 20.11.2011)
(Contribution by Jesper Lund, EDRi member IT-Pol, Denmark)