EU Passenger Name Records
In April 2016 the EU has enacted legislation on the processing of passenger name records (PNR) that has serious privacy implications. These records are created when a flight is booked: the information is collected by the website or travel agent and is then stored in the air carrier’s database. The purpose for collecting and processing this data is to prevent, detect, investigate and prosecute terrorist offences and serious crime. A vast amount of personal information concerning the passenger is contained in these records, such as personal credit card details, complete travel itineraries, and the contact details of that individual, to name but a few. A full list of the type of data collected can be found in the EU Directive. This private information is retained in the system for five years, and personal data that could be used to identify an individual is depersonalized through masking after six months, however it is not difficult to re-personalize this data. Each Member State creates its own list of competent authorities who are given access to this data. Transfer of this data is done on a case-by-case basis, and automated processing must be subject to individual review by non-automated means.
The EU PNR Directive was adopted in April 2016. In 2013, before its adoption, the Civil Liberties Committee initially rejected the 2011 draft directive. They had a number of reasons for doing so, including proportionality concerns in terms of compliance with fundamental rights, namely data protection. On August 30th, 2014, the European Council called on the Parliament and the Council of Ministers to finalize work on the PNR proposal. This proposal was once again catapulted into the limelight following the January 2015 terrorist attacks in Paris.
Originally, the Directive’s intended use was just to create records containing the itinerary of a passenger or passengers travelling as part of a group to allow the exchange of reservation information between airlines in the case that passenger required the use of different companies in order to reach their final destination. When drafting the legislation, EU Member States insisted that there should not be an obligation for better cooperation or better data sharing. The Directive was adopted despite concerns raised by the Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS), Article 29 Working Party, and civil society.
To accommodate transfers of data between the EU and the US, a number of frameworks were implemented. According to EU law the transfer of personal data outside the European Union is prohibited unless there is a legal basis to do so. Among other mechanisms, such as standard contractual clauses, the Privacy Shield (former Safe Harbor) framework provides for a legal basis for commercial data transfers, while the Umbrella Agreement covers law enforcement data disclosures between the European Union and the United States.
The Safe Harbor mechanism was invalidated by the CJEU and replaced by the Privacy Shield framework. However, this new framework contains provisions that are inconsistent with EU law. There have been calls for the European Commission to review and improve this system of data transferring.
The Umbrella Agreement is a EU-US framework that is aimed at protecting the privacy of personal data that is transferred overseas for law enforcement purposes.
Q: Is PNR data effective in achieving its goal in preventing terrorism and stopping serious crime?
A: The Council of Europe, when answering this question in its study, stated that: “no serious, verifiable evidence has been produced by the proponents of compulsory suspicionless [bulk] data collection to show that data mining and profiling by means of the bulk data in general, or the compulsory addition of bulk PNR data to the data mountains already created in particular, is even suitable to the ends supposedly being pursued - let alone that it is effective.” A FAQ on the PNR issue in Europe, conducted by EDRi, gave a similar answer: “in many of the recent terrorist attacks the terrorists had already been flagged as people who needed further tracking. Thus, the attackers from the last terrorist incident in Paris were already known to French authorities and details of their travels were also known. An EU PNR Directive would not have brought any more security, only more risks. For example, there have already been cases of people being wrongly labelled on these lists based on profiling schemes and, consequently, handed over to repressive regimes and tortured.”
Q: What are the main concerns presented by the PNR Directive?
A: Access Now listed issues such as “theft, misuse, abuse, profiling concerns, with no evidence that it will stop or prevent terrorism/crime” as serious problems resulting from the implementation of this Directive. EDRi also compiled a list of potential problems arising from the implementation of the Directive, which included: unlawful blanket data retention, lack of concrete protections from arbitrariness, existing measures that already provide sufficient info, lack of evidence showing that these measures are effective, proportionate & necessary in the investigation/prevention of serious crimes, excessive costs.
Q: Does the PNR Directive respect the fundamental rights to privacy and data protection?
A: EDRi is of the view that PNR does not respect these rights that are enshrined in the Charter of Fundamental Rights. Infringements of fundamental rights by means of long-term storage of such data are only permissible if they “genuinely meet objectives of general interest”. As has been discussed already, the consensus is that this does not meet such objectives.
Some other questions to consider regarding this topic are:
- What will be the rights of individuals to control their personally identifiable information?
- Member States must provide the Commission with a list of authorities allowed to access the PNR data by 25 May 2017, and this list can be modified at any time - is this power given to each Member State too broad or vague? Is there sufficient regulation here regarding who has access to the data?
- Will there be a reversal of the presumption of innocence?
- Will there be an absence of public oversight in this area?
- Would other methods of identifying subjects be sufficient without the PNR system, such as the Schengen Information System, Visa Information System, Eurodac, ECRIS, API data (Advance Passenger Info)?
Comparative Study: EU v. US
The European Commission compiled a fact sheet of information pertaining to the attitudes of EU citizens regarding the protection of their personal data. Similarly, Pew Research Center conducted a survey of US citizens to determine their views and behaviors relating to privacy. While there are some legal differences between the treatment of privacy and data protection in the EU and the US, these surveys show that citizens on both sides of the Atlantic have similar, if not identical concerns and wishes. What everyone wants are effective privacy safeguards, as citizens in both regions expressed the view that they felt as though they had lost control over their personal data - 91% of Americans and 67% of Europeans voiced this concern.
Citizen’s Rights and Constitutional Affairs conducted a comparative study of the EU and US laws governing PNR. A number of interesting findings were observed in this work. Firstly, while data protection and privacy are fundamental rights in the EU under various legislation, such as Directive 2016/681, the Treaty on the Functioning of the European Union (TFEU), and the Charter of Fundamental Rights, there is no equivalent protection of these rights in the US. This is because of restrictions to the protection of the Fourth Amendment, the Third Party Doctrine, and the exclusion of non-US persons from both the Fourth Amendment and the Privacy Act protection. These follow an approach that is contrary to the EU’s perspective of privacy and data protection as comprehensive fundamental rights.
Secondly, in the EU, if there is a legal act that interferes with a fundamental right in general, it triggers standing to bring legal action. In the US, on the other hand, the existence of a bulk collection of data doesn’t automatically give someone the right to sue. This was the holding in Obama v. Klayman.
Thirdly, fundamental rights in the EU cover all persons targeted by law enforcement and surveillance measures, regardless of their nationality or domicile, whereas the US distinguishes between US & non-US citizens, which discriminates against the latter. While the Umbrella Agreement and the Judicial Redress Act supposedly give judicial redress to Europeans in these situations, in reality this is very limited and discriminatory.
In the view of the author of this comparative study, “it can be established that whilst the EU data protection framework in the LE sector is shaped by comprehensive data protection guarantees, which are codified in EU primary and secondary law accompanied by EU and European Court of Human Rights (ECtHR) case law, the US data protection guarantees in the LE and national security sector vary according to the instruments in place and are far less comprehensive… In the US, proportionality considerations do not play a decisive role in the determination of restrictions to data protection rights of individuals, thus LE and national security interests typically prevail over the interests of the individual concerned.”
EPIC’s Interest - Previous Work on the Issue
- Webpage - Privacy Shield EU-U.S. Data Transfer Arrangement. The Privacy Shield aims to replace the Safe Harbor framework for commercial data flows between the EU and the US.
- Webpage - Max Schrems v. Data Protection Commissioner (Safe Harbor) In this case, the Court invalidated the Safe Harbor arrangement, which governed data transfers between the EU and the US.
- Webpage - EU-US Umbrella Agreement. This Agreement is a framework for transatlantic data transfer between the US and the EU. The proposed goal of the Agreement is to provide data protection safeguards for personal information transferred between the EU and the US.
- Webpage - EU-US Airline Passenger Data Disclosure. The United States announced that by March 5, 2003 all international airlines had to provide the government full electronic access to detailed airline passenger data on all travellers contained in the airline's computer system. European airlines and European officials are concerned that providing unfettered access to U.S. law enforcement authorities would violate their privacy laws.
- Analysis of the US TSA No Fly List (April 4, 2003). The Transportation Security Administration (TSA) is authorized by law to maintain watch lists of names of individuals suspected of posing "a risk of air piracy or terrorism or a threat to airline or passenger safety.
- Statement on identifying the threats that extensive US profiling programs raise for European and American travellers privacy; (March 27, 2003)
- Comments - (February 3, 2003). Pursuant to the notice published by the Immigration and Naturalization Service ("INS") regarding a proposed rule requiring commercial carriers to submit passenger manifest information, 68 Fed. Reg. 292 (January 3, 2003), EPIC submits the following comments on the privacy and constitutional implications of the proposed rule.
EPIC Advisory Board Members' Work
- Data Protection in the EU as a Fundamental Right- K. Irion, A Special Regard: The Court of Justice and the Fundamental Rights to Privacy and Data Protection;, in Faber et al (eds.) Festschrift fur Wolfhard Kohte (Baden-Baden: Nomos, forthcoming 2016) February 25, 2016
- Online Personal Data Processing and EU Data Protection Reform: Report of the CEPS Digital Forum. Rapporteurs: Kristina Irion, Central European University, and Giacomo Luchetta, Centre for European Policy Studies. April 2013
Links, References, Resources
Legislation, Regulations, Directives
Press Releases, Articles, Reports