The heavily criticized PNR system: privacy first or security first?
In this article, written for the Board of Airline Representatives In the Netherlands (BARIN), Willem Balfoort (IT/IP/Privacy) discusses recent developments concerning the exchange of passenger data.
It is a well-known observation that after a catastrophic event, such as a terrorist attack, legislators tend to respond by tightening up existing legislation and introducing new legislation aimed at preventing such disasters from happening again. Despite these good intentions, critics often regard such legislation as infringing on privacy. The American Patriot Act, enacted one month after the horrible scene on September 11, 2001, is a prime example of such legislation.
The EU Directive
In retrospect it becomes evident that 9/11 brought about some major changes, not least regarding the processing of personal data, such as passenger data. In the aftermath of 9/11, the US government determined that passenger name records (PNRs) were invaluable tools for preventing and investigating terrorist attacks. It took, however, another destructive event, specifically the Madrid train bombings which occurred in 2004, before a legal framework for the exchange of PNRs was adopted.
The Council of the European Union was the first one to formally act, replacing an Interim Arrangement under which PNRs had already been processed since 2003. On April 29, 2004, Directive 2004/82/EC was enacted. The Directive is aimed at “improving border controls and combating illegal immigration” and places an obligation on airlines to send “by the end of check-in” details on the passengers they will bring into the EU to the authorities in the receiving EU member state. The Directive applies to all passengers, both EU citizens and visitors. The data to be sent comprises personal data on each passenger (type of travel document, nationality, full name and date of birth as well as the data held on the so-called “machine readable zone” (MRZ) of passports). This information is known as Advance Passenger Information or “API”. Additionally, the details of the flight, such as place of entry into the EU, plane code, departure, arrival time, number of passengers, and point of embarkation are exchanged.
As personal data can, in principle, be freely exchanged within the EU, European authorities adopted other measures as well. This includes the Schengen Information System (SIS) and the EU Visa Information System (VIS). Please note that all these instruments are intended to improve border controls and to fight illegal immigration, not to prevent terrorist attacks from taking place.
US – EU Agreement on PNRs
In the wake of the Madrid train bombings, the United States pressed the European authorities to exchange passenger data with American authorities as well.
As European privacy legislation prohibits European data processors from exchanging personal data with non-EU countries (“third countries”), the proposed exchange of passenger data with the US was controversial. However, European privacy legislation creates an exception where the ‘third country’ recipients have agreed to meet EU standards under the Directive’s Safe Harbor Principles. Using this exception, the US government negotiated the 2004 PNR Data Transfer Agreement – a safe harbor agreement with the European Commission – in May of 2004.
It is important to note that with the adoption of the US – EU Agreement, the exchange of passenger data was no longer merely aimed at “improving border controls and combating illegal immigration”, but was now primarily used “for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime.” Also, the subject of the data exchange was extended from (just) API data to the broader PNR data. According to the European Commission’s definition, PNR data comprises all the information provided by passengers during the reservation and booking of tickets and when checking in on flights, including data collected by air carriers for their own commercial purposes. It contains several different types of information, such as travel dates, travel itinerary, ticket information, contact details, the travel agent through which the flight was booked, means of payment used, seat number and baggage information.
Despite the careful approach of European and American authorities, the agreement was invalidated by the European Court of Justice on May 30, 2006, due to lack of legal authority to adopt the decision in question. Subsequently, EU officials hastened to stress that the Court did not rule that the agreement infringed on European privacy rights.
In July 2007, a new PNR agreement between the US and the EU provisionally entered into force. However, measures taken by the Bush administration, which could have resulted in European citizens being exempted from the protection provided by the US Privacy Act of 1974, gave rise to concerns about the protection of EU passenger data.
Following the entry into force of the Treaty of Lisbon, the 2007 agreement needed the formal approval of the European Parliament in order for the agreement to remain in force. In September 2010, the European Commission called for the re-negotiation of the PNR agreements with the US, Australia and Canada.
Negotiations between Europe and the US regarding a revised PNR agreement were launched in December 2010. In late May 2011, a draft of the new proposal was leaked to the press. Despite the resistance against the proposal, the agreement was approved by the European Parliament in April 2012.
The heavily criticized EU PNR
In the meantime, a proposal for a European PNR was being discussed as well. The goal of this proposed European PNR system is similar to the one with the US: “for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.” However, just like its American counterpart, the proposal for a European PNR system was greeted with skepticism and criticism.
The European ‘Article 29 Working Party’ plays an important role when it comes to the protection of privacy rights of European citizens. One of its official tasks is to “advise the Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy.” The Article 29 Working Party is made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. In January 2011, the Working Party responded to the proposal stating: “the Working Party notes (modest) improvements in the draft agreement, but does not see its serious concerns removed.”
The European Data Protection Supervisor (EDPS) stated in an Advice in June 2011: “A higher standard of [privacy] safeguards […] should be developed”, “No data should be kept beyond 30 days in an identifiable form” and “The list of PNR data to be processed should be reduced”.
In June 2011 the European Union Agency for Fundamental Rights (FRA) stated in an Opinion: “One possible remaining risk of direct discrimination, however, concerns PNR data transmitted by air carriers. Although the Passenger Information Unit can be expected to delete such information immediately as stipulated in the proposal, there is a risk that air carriers will continue to transmit this type of sensitive or special data unless sufficient safeguards are in place to regulate its transmission to the Passenger Information Unit. It would therefore be useful to introduce a prohibition on the transmission of such data by air carriers.”
The European Parliament Civil Liberties Committee rejected the proposal in April 2013, as it does not comply with the principle of proportionality and does not adequately protect personal data: “There is still no clear evidence that PNR data are an effective tool to fight terrorism. It is not evident that collecting an amount of personal data could be the solution: indeed, last terrorist attacks like the attack in Boston or the Merah affair in France, proved that the persons responsible for it were already known by the law enforcement authorities as well as by the secret services, but this did not prevent or avoid these attacks.”
On June 10, 2013, the European Parliament decided to postpone the vote on the proposal. The main reason was that the proposal does not provide adequate safeguards for the protection of personal data of European citizens.
Following the dreadful events that took place in Paris earlier this year, the potential establishment of an EU PNR system was moved to the top of the European Commission’s agenda again. In response to this renewed call for a European PNR system, the Article 29 Working Party issued a press release earlier this month, stating that it “reaffirms that the extent and indiscriminate nature of EU PNR data processing for the fight against terrorism and serious crime is likely to seriously undermine the right to the protection of private life and personal data of all travelers as set out in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. […] Should the necessity of an EU PNR scheme be demonstrated, then in order to ensure proportionality for both collection and subsequent use of PNR data, the scheme should provide sufficient data protection safeguards.”
European countries have been exchanging Advance Passenger Information in order to improve border controls and to combat illegal immigration for over a decade now. Additionally, European authorities exchange PNRs with the US, Canada and Australia “for the prevention, detection, investigation and prosecution of terrorist offenses and serious crime”. However, the debate regarding the exchange of European passenger data with foreign authorities has been sparked again by a recent ruling of the European Court of Justice on data retention, which might have serious consequences for the legal basis of the PNR exchange agreements. According to the now invalidated directive, member states were required to store citizens’ telecommunications data for a minimum of six months. Under the directive the police and security agencies were able to request access to details such as IP address and time of use of every email, phone call and text message sent or received. In April 2014, the Court ruled that the Directive entails “a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary”. As a consequence of the Court’s ruling, and due to the similar nature of the PNR agreements, the PNR agreement with Canada was already referred to the Court of Justice in November 2014.
As regards the European PNR, the proposal is still being discussed. The European Commission aims to amend the proposal in such a way that alignment with the recent ruling of the European Court of Justice on data retention is secured.
It is therefore to be expected that the debate regarding the storage and exchange of passenger data will continue in the coming years. In the end, the debate seems to boil down to a seemingly simple question, though with great importance and severe potential consequences: does the chance that the privacy of passengers is being infringed upon outweigh the chance the world might become a little bit safer?
Willem Balfoort, specialized in IP, IT and Privacy law and attorney-at-law. This article is a follow-up on the author’s presentation for the General Assembly of the Board of Airline Representatives In the Netherlands (BARIN) on September 24, 2014.