“We still need to watch you, really”: PNR back in the Parliament

By EDRi · April 2, 2015

Sequence from “PNR, the Movie”

Despite the decision of the European Parliament to refer the EU-Canada PNR agreement to the Court of Justice of the European Union (CJEU) in December 2014, the urge to keep increasing surveillance citizens’ movements across Europe seems to be irrepressible. Timothy Kirkhope, Rapporteur (MEP in charge) of the Fight against terrorism and serious crime: use of passenger name record (PNR) data (procedure file 2011/0023(COD) ), is again launching the EU PNR proposal in the European Parliament, after it was rejected by the Parliament’s Civil Liberties Committee in 2013.

What is PNR?

Passenger Name Records (PNR) are data containing information provided by passengers and collected by air carriers for commercial purposes. This can contain several pieces of information such as dates, itinerary and contact details. All PNR data is stored in airlines’ databases.

What kind of information do they contain?

  • Date of the trip and complete itinerary,
  • Name and contact information,
  • Form of payment,
  • Frequent flyer information,
  • Meal preferences,
  • Medical information,
  • Disabilities,
  • Non-flight matters administered by the airline, such as hotel bookings, car rentals, train journeys, travel associates, etc.

Many of these types of data can be used and aggregated to build profiles. For instance, meal preference can provide information about religious affiliation, hotel reservations can indicate passengers’ personal relationships, etc. Mr Kirkhope suggests comparing the PNR database against other databases, presumably to generate such extra data.

How will this information be used under the proposed EU PNR Directive?

The passenger data of all flights from or to the European Union could be processed for the purposes of the prevention, investigation and prosecution of serious crime, serious transnational crime and terrorist offences. However, the definitions in the Directive are so unclear that Member States are given the option of excluding “minor offences” that they cover. All passenger data would be retained by specific Passenger Information Units (PIU) up to five years (or five and a half years, if being stored by the Australian authorities under the bilateral EU/Australian agreement… or 15 years, if being stored by the US authorities under the bilateral EU/US agreement). Moreover, the proposal foresees the possibility to broaden the scope of the PNR directive by including internal European flights, a measure that Mr Kirkhope wants to introduce immediately.

What are the main problems of the EU PNR proposal?

  • The ruling of the EU’s court, the Court of Justice concerning the invalidation of the Data Retention Directive: The analysis provided in that ruling makes it difficult to believe that the current PNR proposal would be considered lawful
  • Excessive Data Retention Period: Even if the retention of data in the PNR context was considered necessary and proportionate, the proposed storage period excessive and lacking any meaningful justification
  • Lack of concrete protections from arbitrariness: In the text,it is unclear how and when data will be processed (prevention of badly defined “serious crime”). There are existing measures (VIS, SIS and API) which already provide a great deal of information. There is no evidence another system would be needed.
  • Lack of evidence showing that these measures are effective, necessary and proportionate in the detention or prevention of serious crimes.From the European Commission impact assessment, there is no concrete evidence on the actual usefulness of PNR collection for the tackling of serious crime or terrorist offences. In this regard, it is particularly worrying that the European Commission states in its proposal that “PNR data is unverified information provided by passengers” while remaining convinced – despite questionable accuracy – it could be used in real time “to prevent a crime”.
  • Lack of proportionality: The Fundamental Rights Agency, the European Data Protection Supervisor, and the Article 29 Working party  (most recently here) agree on the lack of proportionality of the proposal. The proposed EU PNR system foresees data collection and analysis for all passengers on international flights without any sort of targeting.
  • Excessive costs: Transposing such Directive will bring significant costs for Member States. The high expenditure is confirmed by the controversial call for proposal of 50 million euros issued by the European Commission to build PNR systems in several Member States. These funds were made available even though the legislation has not been agreed.

We have sent a letter to members of LIBE, and prepared a briefing paper and an analysis of the proposal. It is time to call and write your MEPs and let them know why this proposal needs to be rejected again.

You can also support our crowdsourcing campaign to produce postcards that will be sent to MEPs in order to make them aware of the risks of this proposal for the fundamental rights of citizens.