Travel surveillance: member states seek to circumvent court judgment on PNR
In June this year the Court of Justice ruled that the rules governing the EU's system for travel surveillance and passenger profiling, set out in the Passenger Name Record (PNR) Directive, must be "interpreted restrictively" to conform with fundamental rights standards. The ruling requires substantial changes to member state practices - but the Council, in time-honoured fashion, is looking at how to circumvent it, and to ensure the greatest possible freedom of manoeuvre for law enforcement authorities.
What is PNR?
PNR data (names, flight information, address, travel itinerary, payment information, baggage information and more) is collected by airlines and travel agents from passengers, and under the 2016 EU Directive it must be shared with Passenger Information Units (PIUs), run by national law enforcement authorities.
- compare PNR data against databases and “pre-determined criteria” to determine whether departing or arriving passengers “require further examination by the competent authorities” due to suspected involvement in terrorism or serious crime;
- share data with other member state authorities or Europol; and
- analyse PNR data “for the purpose of updating or creating new criteria to be used in the assessments.”
The Directive applies to all flights entering, leaving or travelling between EU member states; the rules were also included in the post-Brexit Trade and Cooperation Agreement between the UK and EU and so should also affect the way the transfer of PNR data between the UK and EU takes place.
Due to the Directive’s intrusive nature and vast scope – covering almost every individual travelling by air within the EU, apart from flights within one country – its adoption was hugely controversial, with the European Parliament eventually caving in to member state pressure. After it came into force, a number of legal cases were filed against it.
The Court of Justice issued a judgment in one of those cases, brought by the Belgian group Ligue des droits humains, in June.
The ruling, summarised by the Court in a press release (pdf), requires that:
- “The system established by the PNR Directive must cover only clearly identifiable and circumscribed information”;
- The application of that system must be “limited to terrorist offences and serious crime having an objective link, even if only an indirect one, with the carriage of passengers by air”;
- The extension of the PNR system to all intra-EU flights – an option that was immediately taken up by all member states once the Directive was approved – must be “limited to what is strictly necessary,” and can only take place when there is a “terrorist threat which is shown to be genuine and present or foreseeable”;
- If there is no such terrorist threat, the Directive “cannot be extended to all EU flights, but must be limited to certain intra-EU flights relating, inter alia, to certain routes or travel patterns or to certain airports,” with justification and regularly reviewed;
- for the purposes of advance assessment, comparison of PNR data can only take place against “databases on persons or objects sought or under alert” and cannot use machine learning technology;
- human review and verification of ‘hits’ obtained by automated processing must be informed by “clear and precise rules capable of providing guidance and support” including “objective review criteria”; and
- any “subsequent assessment and disclosure of PNR data after the arrival or departure of the person concerned” must meet a series of substantive and procedural requirements.
This may seem clear enough – but the Council is now looking for ways to circumvent these requirements, as it has done previously with rulings on data retention.
In a discussion paper (pdf) circulated within the Council on 9 September, the Presidency notes a number of possible ways around the requirements laid down by the judgment, and seeks delegations’ views on other possible options.
The paper is divided into four main sections.
On the first point, the paper says:
“It appears that there are strong operational reasons for continuing the application of the PNR Directive on intra-EU flights, even considering the limitations resulting from the judgment.”
a. Flight selection
Under this heading, the paper continues:
“Many delegations pointed out that applying the system established by the PNR Directive to a selection of certain intra-EU flights only, presents a number of significant disadvantages. In light of that, it would be useful to explore any viable alternatives that might comply with the judgment.”
The question then becomes: how to establish that there is a terrorist threat that would justify the gathering of data from all intra-EU flights?
The Presidency notes that doing so:
“…could only be considered sound if all or most of Member States could, before a court, justify as being sound their successive assessments that the terrorist threat each of them is confronted with is genuine and present or foreseeable.”
And encourages other national delegations “to evaluate whether this is a realistic premise, at least in their situation.” Some clearly think so, as the paper notes that some delegations have argued that “the terrorist threat is not easily quantified and rarely limited to a specific time period.”
One way to carry on whilst claiming to meet the requirements of the judgment could be to introduce a “filter”, suggests the Presidency:
“Effective limitation of processing of PNR data could potentially be achieved by “filtering” PNR data from all intra-EU flights by an automatic comparison with relevant databases (alerts) that lead to specific actions. In this “filter” procedure, false positives would be subsequently eliminated by feedback from the competent authorities or even verified by an independent body. It could be argued that as long as such processing retains only data on persons already actively sought by the law enforcement or judiciary and does not involve application of pre-determined criteria on or subsequent storage of personal data of other passengers, it does not apply indiscriminately to all air passengers.” [emphasis added]
The question here seems to be: when is data processing not data processing?
b. Selecting intra-EU flights – technical, organizational, economic and operative issues
The Presidency highlights a number of issues for the authorities:
“Technical challenges relate to the need to distinguish between the relevant flights (airports) within each air carrier data. Organizational challenges relate to the need to establish, activate and deactivate as necessary the data transfer relationships with relevant air carriers. These challenges would also be duplicated on the side of the air carriers in every Member State where they operate.”
The same question as previously – when is data processing not data processing? – seems to arise:
“One potential mitigation option could be to limit the collection of PNR data through the action on the part of PIUs or other authorities, rather than through only limiting the transfer of PNR data by air carriers. This would require the PIU or other authority to delete – immediately and without any processing under Article 6 of the PNR Directive – incoming PNR data from flights or airports that have not been selected for processing for the applicable time period. Consequently, the burden on the part of air carriers would not increase.”
The paper continues:
“…the judgment frequently (e.g. in paragraphs 165, 171 and 174) uses the term “transfer and processing”. This may be interpreted as the obligation to limit the scope of the “transfer” from air carrier to PIU. However, the “transfer” is addressed here only in parallel with the “processing”. It could be argued that the limits are intended to apply to the whole processing. In the same vein, paragraph 173 simply speaks about “application of the system established by the PNR Directive”. The point 7 of the operative part of the ruling explicitly uses both sets of terms and does not consider “transfer” separately.”
c. Efficiency issues related to fragmentation of data collection
The Presidency refers to “concerns” that limitations on data collection “could result in reduced operational efficiency of PNR processing,” but when it comes to flight selection, “certain measures may help to avoid undesirable consequences.”
For example, determining the existence of a terrorist threat on an EU-wide, rather than national, level:
“One such practice could be for the Member States to allow their selection of intra-EU flights, airports and travel patterns be informed by the European-level threat assessment. With that in mind, Europol has been invited to present their activities related to PNR matters and to the threat assessment focused on air travel, as well as to discuss the added value of EU support to the Member States.” [emphasis added]
Other options are also available – member states could “be ‘mutually aware’ of the risk assessments elaborated by other member states. This could lead to focused discussion among Member States on the actual risks relevant for the internal security of the EU.”
d. Exchange of PNR data collected from selected intra-EU flights
The paper suggests that the judgment may leave open the possibility for:
“…the PIU to share PNR data and results of processing of those data with other Member States, even if the relevant PNR data are derived from intra-EU flights, airports or patterns that other Member States did not (or could not) include in their own selection of intra-EU flights.”
However, there may be administrative and operational issues with this approach – for example, were a PIU to share its list of selected flights, “this might give rise to security risks,” while “the handling of PIU requests for PNR data not collected by the requesting PIU may present significant administrative burden on both units.”
The Presidency asks: “What solution would be most appropriate?”
e. Review of selecting intra-EU flights
The Presidency interprets the judgment to mean:
“…that independent review is required for collection of PNR data when that collection is applied to all intra-EU flights but the Member States have more flexibility as regards review of their assessments leading to a selection of intra-EU flights.
…Do all delegations share this understanding?” [emphasis added]
Retention of PNR data
Here, the Presidency underlines that: “Paragraph 258 [of the judgment] explicitly forbids retention of the PNR data of all air passengers for the later period” of 54 months, when data should be ‘depersonalised’ and only accessible under certain strict circumstances.
Data kept for that period must have “an objective link, even an indirect one, between retaining the data for the purpose of combating terrorism or serious crime and the carriage of passengers by air,” the Presidency notes.
Noting what the requirements are for establishing such a risk, the paper then goes on to ask:
“What other circumstances could in practice present objective evidence of a risk? Could the PIU use new pre-determined criteria approved for future use even to re-assess already received PNR data (and stored for the initial period) to identify PNR data that should be retained for the whole 5 years?”
The Presidency is also looking for “other examples of direct or indirect objective link” – clearly with the aim of expanding the potential criteria for data storage.
The paper then goes on to say:
“In paragraph 220 the judgment interprets the words “sufficient grounds” in Article 6(2)(b) and “reasonably” in Article 12(3)(b) and makes a general comment that these words mean “objective evidence capable of giving rise to a reasonable suspicion” of a person’s involvement in a serious crime”. (Similar requirement is made in paragraph 204.) As regards terrorist offences, those requirements are satisfied when there is objective evidence from which it can be inferred that the PNR data could, in a given case, contribute effectively to combatting such offences.
Since the judgment requires these standards of evidence from all reasoned requests for access to retained PNR data (during both initial and later periods), it could be argued that the standards for mere retention of PNR data should be lower. The judgment appears to indicate as much by using the phrase “may present a risk” in paragraph 259 and by the word “risk” in point 5 of the operative part of the ruling.” [emphasis added]
Flights within the territory of a single Member State
The Presidency is seeking member states’ views on whether they should “apply for rules for intra-EU flights to domestic flights” – that is, flights within a single member state’s territory. According to the paper: “About half of replying Member States do not apply the PNR Directive to domestic flights or travel patterns, for various reasons,” and the Presidency asks:
“What is the position of delegations?
…Is the application of the limitations in the judgment to purely domestic flights a material issue for delegations?”
Criteria for selecting risk person
Finally, the paper comes to the issue of “risk person”, in particular the requirement set out in the judgment that:
“…competent authorities ensure, without necessarily disclosing specifics, that the person concerned is able to understand how these criteria and assessment programs work. The purpose of this requirement is to allow the data subject to decide “with full knowledge of the relevant facts” whether to exercise the right to judicial redress against the possible unlawful (e.g. discriminatory) nature of such criteria.”
The Presidency argues, on the basis of the judgment, that the EU’s Law Enforcement Directive (LED), dealing with data protection in the law enforcement sector, applies to such a situation, and notes:
“The extent to which information on data processing under LED is required or necessary for data subjects to initiate judicial redress guaranteed by the same is, incidentally, subject to a separate request for a preliminary ruling (proceedings in the case C-333/22 Ligue des droits humains) and further consideration of this topic might benefit from the replies and explanations given by the Court in those proceedings.
…What mechanisms could be employed to provide required information to data subject while avoiding prejudice to future deployment of criteria?”
The article was first published by Statewatch.
Contribution by: EDRi member Statewatch
- Improving compliance with the judgment in case C-817/19 – ideas for discussion (11911/22, LIMITE, 9 September 2022, pdf)
- 30 August 2022: EU: Police plans for the “future of travel” are for “a future with even more surveillance”
- 3 September 2020: UN agencies sign new agreement on establishing worldwide travel surveillance systems
- 24 July 2020: European Commission: Review of the PNR Directive: no amendments needed “at this stage”
- 23 July 2019: EU PNR extended to internal flights and only a matter of time before PNR is extended to sea, rail and road traffic too
- 14 April 2016: EU-PNR: European Parliament has “egg on its face”