The Commission is revisiting the Passenger Name Record Directive again, this time hoping that it has struck the right balance between privacy and security. It’s an issue that’s been around for a long time – the draft directive was rejected at committee stage in the last parliamentary session. Older versions of the proposed directive centred on detailed information being collected from passengers on flights into and out of the EU. The aim was to harmonise the collection and use of such information for anti-terrorism and serious crime offences across the EU – and start such collection in the Member States that didn’t already collect it.
The issue has been argued over for the last decade. The EU already has treaties with the US, Canada and Australia mandating the transfer of the personal data of passengers by airlines operating in the EU to the security services of those countries. While some of the Member States, such as the UK and France, have their own national PNR regime, the EU as a whole does not “benefit” from having the same haul of data. Rather than look at what data is really necessary for fighting terrorism, however, the Commission has essentially copied and pasted the scope of the US’s data haul, apparently on the basis that Europe cannot receive less information than the US. It’s a pity this approach has been taken rather than looking at what was necessary, drafting European law on that basis and then seeking to change the US Treaty in line with data protection standards.
The various treaties have been up for renegotiation and review. The European Parliament has recently voted to refer the Canadian PNR Treaty to the European Court of Justice to test its compliance with data protection rights enshrined in EU law. As the Court recently annulled the Data Retention Directive (PDF), data protection rights are still a big issue and the legal test is a serious one.
The Commission’s compromise draft of the EU PNR directive however, retains the list of 42 categories of passenger information. Another change is that the data will be “depersonalised” after 7 days rather than anonymised after 30 – though this would actually weaken the data protections as depersonisation can easily be reversed while anonymisation can’t. There are positive changes, such as the narrowing of the purpose of data collection to terrorism and serious transnational crime rather than “serious crime” (which was always a bit vague), and the appointment of data protection officers to oversee the use of the data.
In the wake of the September 11 attacks, one of the anti-terrorism measures passed by the EU was the Advance Passenger Information Directive which concerned information from the machine-readable part of the passport (name, date of birth, nationality, passport number and expiry date). This, along with the Schengen Information System* and the Visa Information System gave authorities identity verification and border management tools. It’s not clear why simply adding flight information to API – to track suspects’ movements using the API parts of PNR – would not be sufficient information.
There is an understandable desire on the part of law enforcement agencies to gather as much information as possible in the hopes of becoming more effective, but too much information can not only be an unnecessary infringement on privacy but could even obscure the relevant information and make their job harder. Anti-terrorism legislation needs to be both necessary and proportionate. As the Parliamentary Assembly of the Council of Europe has just reported, mass surveillance is counter-productive and endangers human rights. We need a leaner, controlled approach to security that will preserve as well as defend our way of life.
*Note: EU interior ministers have called for Schengen Information System checks to be made more systemic.