EU Passenger Name Records

Summary

In April 2016 the EU enacted legislation on the processing of passenger name records (PNR) that has serious privacy implications. These records are created when a flight is booked: the information is collected by the website or travel agent and is then stored in the air carrier’s database. The purpose for collecting and processing this data is to prevent, detect, investigate and prosecute terrorist offences and serious crime. A vast amount of personal information concerning the passenger is contained in these records, such as personal credit card details, complete travel itineraries, and the contact details of that individual, to name but a few. A full list of the type of data collected can be found in the EU Directive. This private information is retained in the system for five years. Personal data that could be used to identify an individual is depersonalized through masking after six months; however, it is not difficult to re-personalize this data. Each Member State creates its own list of competent authorities who are given access to this data. Transfer of this data is done on a case-by-case basis, and automated processing must be subject to individual review by non-automated means.

Background

The EU PNR Directive was adopted in April 2016. In 2013, before its adoption, the Civil Liberties Committee initially rejected the 2011 draft directive. They had a number of reasons for doing so, including proportionality concerns in terms of compliance with fundamental rights, namely data protection. On August 30th, 2014, the European Council called on the Parliament and the Council of Ministers to finalize work on the PNR proposal. This proposal was once again catapulted into the limelight following the January 2015 terrorist attacks in Paris.

Originally, the Directive’s intended use was just to create records containing the itinerary of a passenger, or of passengers travelling as part of a group, to allow the exchange of reservation information between airlines in the case that a passenger required the use of different companies in order to reach their final destination. When drafting the legislation, EU Member States insisted that there should not be an obligation for better cooperation or better data sharing. The Directive was adopted despite concerns raised by the Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS), the Article 29 Working Party, and civil society.

To accommodate transfers of data between the EU and the US, a number of frameworks were implemented. According to EU law, the transfer of personal data outside the European Union is prohibited unless there is a legal basis to do so. Among other mechanisms, such as standard contractual clauses, the Privacy Shield (formerly Safe Harbor) framework provides a legal basis for commercial data transfers, while the Umbrella Agreement covers law enforcement data disclosures between the European Union and the United States.

The Safe Harbor mechanism was invalidated by the CJEU and replaced by the Privacy Shield framework. However, this new framework contains provisions that are inconsistent with EU law. There have been calls for the European Commission to review and improve this system of data transfers.

The Umbrella Agreement is an EU-US framework that is aimed at protecting the privacy of personal data that is transferred overseas for law enforcement purposes.

Questions Presented

Q: Is PNR data effective in achieving its goal in preventing terrorism and stopping serious crime?

A: The Council of Europe, when answering this question in its study, stated that: “no serious, verifiable evidence has been produced by the proponents of compulsory suspicionless [bulk] data collection to show that data mining and profiling by means of the bulk data in general, or the compulsory addition of bulk PNR data to the data mountains already created in particular, is even suitable to the ends supposedly being pursued - let alone that it is effective.” A FAQ on the PNR issue in Europe, conducted by EDRi, gave a similar answer: “in many of the recent terrorist attacks the terrorists had already been flagged as people who needed further tracking. Thus, the attackers from the last terrorist incident in Paris were already known to French authorities and details of their travels were also known. An EU PNR Directive would not have brought any more security, only more risks. For example, there have already been cases of people being wrongly labelled on these lists based on profiling schemes and, consequently, handed over to repressive regimes and tortured.”

Q: What are the main concerns presented by the PNR Directive?

A: Access Now listed issues such as “theft, misuse, abuse, profiling concerns, with no evidence that it will stop or prevent terrorism/crime” as serious problems resulting from the implementation of this Directive. EDRi also compiled a list of potential problems arising from the implementation of the Directive, which included: unlawful blanket data retention; a lack of concrete protections from arbitrariness; existing measures that already provide sufficient information; a lack of evidence showing that these measures are effective, proportionate and necessary in the investigation or prevention of serious crimes; and excessive costs.

Q: Does the PNR Directive respect the fundamental rights to privacy and data protection?

A: EDRi is of the view that PNR does not respect these rights that are enshrined in the Charter of Fundamental Rights. Infringements of fundamental rights by means of long-term storage of such data are only permissible if they “genuinely meet objectives of general interest”. As has been discussed already, the consensus is that this does not meet such objectives.

Some other questions to consider regarding this topic are:

  • What will be the rights of individuals to control their personally identifiable information?
  • Member States must provide the Commission with a list of authorities allowed to access the PNR data by 25 May 2017, and this list can be modified at any time - is this power given to each Member State too broad or vague? Is there sufficient regulation here regarding who has access to the data?
  • Will there be a reversal of the presumption of innocence?
  • Will there be an absence of public oversight in this area?
  • Would other methods of identifying subjects be sufficient without the PNR system, such as the Schengen Information System, Visa Information System, Eurodac, ECRIS, API data (Advance Passenger Info)?

Comparative Study: EU v. US

The European Commission compiled a fact sheet of information pertaining to the attitudes of EU citizens regarding the protection of their personal data. Similarly, Pew Research Center conducted a survey of US citizens to determine their views and behaviors relating to privacy. While there are some legal differences between the treatment of privacy and data protection in the EU and the US, these surveys show that citizens on both sides of the Atlantic have similar, if not identical, concerns and wishes. What everyone wants is effective privacy safeguards, as citizens in both regions expressed the view that they felt as though they had lost control over their personal data - 91% of Americans and 67% of Europeans voiced this concern.

Citizens’ Rights and Constitutional Affairs conducted a comparative study of the EU and US laws governing PNR. A number of interesting findings were observed in this work. Firstly, while data protection and privacy are fundamental rights in the EU under various legislation, such as Directive 2016/681, the Treaty on the Functioning of the European Union (TFEU), and the Charter of Fundamental Rights, there is no equivalent protection of these rights in the US. This is because of restrictions to the protection of the Fourth Amendment, the Third Party Doctrine, and the exclusion of non-US persons from both the Fourth Amendment and the Privacy Act protection. These follow an approach that is contrary to the EU’s perspective of privacy and data protection as comprehensive fundamental rights.

Secondly, in the EU, if there is a legal act that interferes with a fundamental right in general, it triggers standing to bring legal action. In the US, on the other hand, the existence of a bulk collection of data doesn’t automatically give someone the right to sue. This was the holding in Obama v. Klayman.

Thirdly, fundamental rights in the EU cover all persons targeted by law enforcement and surveillance measures, regardless of their nationality or domicile, whereas the US distinguishes between US and non-US citizens, which discriminates against the latter. While the Umbrella Agreement and the Judicial Redress Act supposedly give judicial redress to Europeans in these situations, in reality this is very limited and discriminatory.

In the view of the author of this comparative study, “it can be established that whilst the EU data protection framework in the LE sector is shaped by comprehensive data protection guarantees, which are codified in EU primary and secondary law accompanied by EU and European Court of Human Rights (ECtHR) case law, the US data protection guarantees in the LE and national security sector vary according to the instruments in place and are far less comprehensive… In the US, proportionality considerations do not play a decisive role in the determination of restrictions to data protection rights of individuals, thus LE and national security interests typically prevail over the interests of the individual concerned.”

EPIC’s Interest - Previous Work on the Issue

  • Webpage - Privacy Shield EU-U.S. Data Transfer Arrangement. The Privacy Shield aims to replace the Safe Harbor framework for commercial data flows between the EU and the US.
  • Webpage - Max Schrems v. Data Protection Commissioner (Safe Harbor). In this case, the Court invalidated the Safe Harbor arrangement, which governed data transfers between the EU and the US.
  • Webpage - EU-US Umbrella Agreement. This Agreement is a framework for transatlantic data transfer between the US and the EU. The proposed goal of the Agreement is to provide data protection safeguards for personal information transferred between the EU and the US.
  • Webpage - EU-US Airline Passenger Data Disclosure. The United States announced that by March 5, 2003 all international airlines had to provide the government full electronic access to detailed airline passenger data on all travellers contained in the airline's computer system. European airlines and European officials are concerned that providing unfettered access to U.S. law enforcement authorities would violate their privacy laws.
  • Analysis of the US TSA No Fly List (April 4, 2003). The Transportation Security Administration (TSA) is authorized by law to maintain watch lists of names of individuals suspected of posing "a risk of air piracy or terrorism or a threat to airline or passenger safety."
  • Statement on identifying the threats that extensive US profiling programs raise for European and American travellers' privacy (March 27, 2003)
  • Comments - (February 3, 2003). Pursuant to the notice published by the Immigration and Naturalization Service ("INS") regarding a proposed rule requiring commercial carriers to submit passenger manifest information, 68 Fed. Reg. 292 (January 3, 2003), EPIC submits the following comments on the privacy and constitutional implications of the proposed rule.

EPIC Advisory Board Members' Work

Links, References, Resources

Legislation, Regulations, Directives

  • Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • H.R.1428 - Judicial Redress Act of 2015, Public Law No. 114-126 (02/24/2016)
  • H.R.2048 - USA Freedom Act of 2015, Public Law No. 114-23 (06/02/2015)
  • Charter of Fundamental Rights of the European Union (Art. 7 - Respect for private and family life, Art. 8 - Protection of personal data)
  • European Convention on Human Rights
  • Council of Europe Treaty No. 108

Case Law

  • Case C-362/14 Schrems v. Data Protection Commissioner, Oct. 6, 2015
  • Case C-293/12 Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General 8 April 2014
  • Obama v. Klayman, 800 F.3d 559, 2015 U.S. App. LEXIS 15189 (D.C. Cir. 2015)

Press Releases, Articles, Reports

  • Estelle Massé, Europe approves privacy-invasive PNR Directive and privacy-protecting GDPR in one day, AccessNow (April 14, 2016)
  • The Greens in the European Parliament | European Free Alliance, PNR air passenger data retention: Mass surveillance placebo will not tackle terror threat (April 14, 2016)
  • Joe McNamee, Vote on Data Protection and Passenger Name Record package, EDRi (April 13, 2016)
  • Diego Naranjo, Surveillance of air passengers: Letter to Parliamentarians, EDRi (June 4, 2015)
  • The Greens in the European Parliament | European Free Alliance, Data protection: new EU rules provide major step forward in consumer protection (April 14, 2016)
  • Estelle Massé, EU Council greenlights Umbrella Agreement, but Parliament hasn't given final consent yet, Access Now (June 2, 2016)
  • Estelle Massé, EU Parliament tells Commission Privacy Shield is likely illegal, AccessNow (May 26, 2016)
  • The Greens in the European Parliament | European Free Alliance, EU-US data protection: New Privacy Shield data transfer framework a cosmetic change (Feb. 29, 2016)
  • Diego Naranjo, FAQ: Passenger Name Records (PNR), EDRi (Dec. 9, 2015)
  • EU Passenger Name Record (PNR) proposal: an overview http://www.europarl.europa.eu/news/en/news-room/20150123BKG12902/EU-Passenger-Name-Record-(PNR)-proposal-an-overview
  • Lee Rainie, The state of privacy in America: What we learned, Pew Research Center (Jan. 20, 2016)
  • Michael Birnbaum, After Paris attack, E.U. leaders call for more sharing of information, intelligence, The Washington Post (January 19 2015) https://www.washingtonpost.com/world/europe/after-paris-attacks-eu-leaders-call-for-more-sharing-of-information-intelligence/2015/01/19/9a3e6438-9fe6-11e4-903f-9f2faf7cd9fe_story.html
  • EU PNR: useful against terrorism, but privacy and proportionality worries remain, WiredGov (April 14 2016)

Academic Studies

  • European Parliament, A Comparison Between US and EU Data Protection Legislation for Law Enforcement, Directorate-General for Internal Policies, Policy C - Citizens Rights and Constitutional Affairs (a study for the LIBE Committee) (2015)
  • The Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD): Passenger Name Records, data mining & data protection: the need for strong safeguards (June 15 2015)
  • European Commission: Data Protection Eurobarometer fact sheet, June 2015