The Commission is revisiting the Passenger Name Record
Directive again, this time hoping that it has struck the right balance between
privacy and security. It’s an issue that’s been around for a long time – the draft
directive was rejected at committee stage in the last parliamentary session. Older versions of the proposed directive
centred on detailed information being collected from passengers on flights into
and out of the EU. The aim was to harmonise the collection and use of such
information for anti-terrorism and serious crime offences across the EU – and
start such collection in the Member States that didn’t already collect it.
The issue has been argued over for the last decade. The EU
already has treaties with the US, Canada and Australia mandating the transfer
of the personal data of passengers by airlines operating in the EU to the security
services of those countries. While some of the Member States, such as the UK
and France, have their own national PNR regime, the EU as a whole does not
“benefit” from having the same haul of data. Rather than look at what data is
really necessary for fighting terrorism, however, the Commission has
essentially copied and pasted the scope of the US’s data haul, apparently on
the basis that Europe cannot receive less information than the US. It’s a pity
this approach has been taken rather than looking at what was necessary,
drafting European law on that basis and then seeking to change the US Treaty in
line with data protection standards.
The various treaties have been up for renegotiation and
review. The European Parliament has recently voted to refer the Canadian PNR
Treaty to the European Court of Justice to test its compliance with data
protection rights enshrined in EU law. As the Court recently annulled the Data
Retention Directive (PDF), data protection rights are still a big issue and the legal
test is a serious one.
The Commission’s compromise draft of the EU PNR directive
however, retains the list of 42 categories of passenger information. Another
change is that the data will be “depersonalised” after 7 days rather than
anonymised after 30 – though this would actually weaken the data protections as
depersonisation can easily be reversed while anonymisation can’t. There are
positive changes, such as the narrowing of the purpose of data collection to
terrorism and serious transnational crime rather than “serious crime” (which
was always a bit vague), and the appointment of data protection officers to
oversee the use of the data.
In the wake of the September 11 attacks, one of the
anti-terrorism measures passed by the EU was the Advance Passenger Information Directive which concerned information from the machine-readable part of
the passport (name, date of birth, nationality, passport number and expiry
date). This, along with the Schengen Information System* and the Visa
Information System gave authorities identity verification and border management
tools. It’s not clear why simply adding flight information to API – to track
suspects’ movements using the API parts of PNR – would not be sufficient
information.
There is an understandable desire on the part of law
enforcement agencies to gather as much information as possible in the hopes of
becoming more effective, but too much information can not only be an unnecessary
infringement on privacy but could even obscure the relevant information and
make their job harder. Anti-terrorism legislation needs to be both necessary
and proportionate. As the Parliamentary Assembly of the Council of Europe has
just reported, mass surveillance is counter-productive and endangers human
rights. We need a leaner, controlled approach to security that will preserve as
well as defend our way of life.
*Note: EU interior ministers have called for Schengen
Information System checks to be made more systemic.
No comments:
Post a Comment