PNR: Losing rights and paying for it
Passenger Name Records (PNR) are files containing information provided by the passengers and collected by air carriers for commercial purposes. PNR can contain information ranging from itineraries, to credit card numbers and meal preferences. The fact that this type of data is obtained by flight companies is not new; similar data may be obtained internally by other private companies in other contexts, such as fidelity cards on supermarkets. The difference is that governments are seeking to have access to the PNR data in a systematic legal basis. The information can then be stored for months or even years and used to guess at who might be engaged in serious illegal activity.
The EU has been trying to introduce a Directive regulating the use of PNR at the EU level, but the proposal was rejected in the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament in April 2013. Now the Directive on the use of PNR data is again on the LIBE agenda. This proposal, if adopted, would oblige air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities in the Member State of departure or arrival.
In order to circumvent the European Parliament’s opposition to the Directive, the European Commission has been funding national PNR implementations on an unsystematic basis. This is generating a disharmony of the single market, instead of harmonising it, which the European Commission is expected to contribute to. The European Commission now argues it is obliged to resolve the disharmony introducing the Directive. This apparently duplicitous behaviour was the subject of heated exchanges in the European Parliament recently.
The necessity and proportionality of the PNR agreements and the proposed Directive have been discussed for a long time. The Fundamental Rights Agency, the European Data Protection Supervisor and the Centre for European Policy Studies (CEPS) have criticised different aspects of PNR. Furthermore, after the Court of Justice of the European Union (CJEU) ruling on data retention in April 2014, many doubts arise about how this proposal, as well as the agreements already in force with the US and Australia, can be legal at all. It is also very difficult to come up with coherent arguments to justify how, if the EU-Australia PNR agreement is necessary and proportionate, the more extensive EU-USA PNR agreement could not be considered to have crossed the bounds of what is necessary, proportionate and, therefore, legal.
There are also more mundane costs associated with excessive and needless airline data recording. It is not only that Governments will have access to a large amount of personal data of European citizens, but the cost may be higher than many realise. A BBC Watchdog report followed the issue of the payment of excessive administrative fees when a consumer tries to cancel a trip. The airline in question, Air France, argued that, since security agencies, in this case the Transportation Security Administration (TSA), are obliged to register the personal data connected to the traveller, changes in the traveller name that exceed, bizarrely, three letters, requires so much administrative cost that a completely new booking is required – costing 450 pounds in the case highlighted by Watchdog. Less a case of having your cake and eating it, more a case of losing your rights and paying for the privilege.
BBC One Watchdog report: Admin fees (13.11.2014)
European Commission: Passenger Name Record (PNR)
PNR: EDPS first reaction to the Court of Justice judgment (30.05.2006)
FRA: Twelve operational fundamental rights considerations for law enforcement when processing Passenger Name Record (PNR) data
CEPS Working Document: The EU Passenger Name Record (PNR) System and Human Rights: Transferring Passenger Data or Passenger Freedom?
Commission makes €50 million available for the development of “big brother” PNR databases – before legislation has even been agreed