‘I Travel, therefore I Am a Suspect’: an overview of the EU PNR Directive
By Niovi Vavoula, Queen Mary University of London
According to the PNR (Passenger Name Record) Directive 2016/681 of 27 April 2016, a series of everyday data of all air passengers (third-country nationals but also EU citizens, including those on intra-Schengen flights) will soon be transferred to specialised units to be analysed in order to identify persons of interest in relation to terrorist offences and other serious crimes. This new instrument raises once again fundamental rights challenges posed by its future operation, particularly in relation to privacy and citizenship rights. Therefore, the story of the PNR Directive, as described below, is probably not finished as such concerns open up the possibility of a future involvement of the Court of Justice.
1. The story behind the EU PNR System
In the aftermath of 9/11 and under the direct influence of how the terrorist attacks took place, the US legislature established inextricable links between the movement of passengers, ‘border security’ and the effective fight against international terrorism. Strong emphasis was placed on prevention through pre-screening of passengers, cross-checking against national databases and identification of suspicious behaviours through dubious profiling techniques. At the heart of this pre-emptive logic has been the adoption of legislation obliging airlines flying into the US to provide their domestic authorities with a wide range of everyday data on their passengers. These so-called PNR data constitute records of each passenger’s travel arrangements and contain the information necessary for air carriers to manage flight reservations and check-in systems. Under this umbrella definition, a broad array of data may be included: from information on name, passport, means of payment, travel arrangements and contact details to dietary requirements and requests for special assistance. Amidst concerns regarding the compliance of such mechanisms with EU privacy and data protection standards, this model was internalized at EU level through the conclusion of three PNR Agreements with the US – one in 2004, which was struck down by the CJEU in 2006, and others in 2007 and 2012. In addition, PNR Agreements with Canada (currently awaiting litigation before the CJEU) and Australia have also been adopted.
The idea of developing a similar system to process EU air travel data had been on the agenda for almost a decade, particularly since the EU-US PNR Agreements contain reciprocity clauses referring to the possibility of the EU developing such systems. The first proposal for a Framework Decision dates back to 2007. However, no agreement was reached until the entry into force of the Lisbon Treaty. A revised proposal was released in 2011, essentially mimicking the EU-US PNR model, at least as regards the types of data to be processed and the focus on assessing the risks attached to passengers as a means of preventing terrorist attacks or other serious crimes. In comparison to the proposed Framework Decision it constituted an improvement (for instance, it provided for a reduced retention period and prohibited the processing of sensitive data), yet it was met with great scepticism by a number of EU actors, including the European Data Protection Supervisor, the Fundamental Rights Agency and the Article 29 Working Party, who argued that it failed to respect the principles of necessity and proportionality. Eventually, the proposal was rejected by the European Parliament on fundamental rights grounds, but the voting was postponed and the proposal was transferred back to the LIBE Committee.
The EU PNR project was brought back to life after the Charlie Hebdo events in January 2015. In the extraordinary JHA Council meeting of 20 November, immediately after the Paris terrorist attacks, the Council reiterated ‘the urgency and priority to finalise an ambitious EU PNR before the end of 2015’. Indeed, on 4 December 2015 a compromise text was agreed. A few days later, the Council confirmed the agreement, but the Parliament did not give its blessing until April 2016, presumably in the light of the negotiations on the Data Protection legislative reforms, which were running in parallel. The fact that the legality of the EU-Canada PNR Agreement was disputed did not affect the course of the negotiations.
2. The EU PNR Directive in a nutshell
The EU PNR Directive places a duty on airline carriers operating international flights between the EU and third countries to forward PNR data of all passengers (as set out in Annex 1) to the Passenger Information Unit (PIU) established at domestic level for this purpose (Article 4). According to Article 2 of the Directive, Member States are given the discretion to extend the regime set out in the Directive to intra-EU flights, or to a selection of them (for a discussion see Council Documents 8016/11 and 9103/11, partly accessible). Perhaps unsurprisingly, all participating Member States have declared their intention to make use of their discretion.
Once transmitted, the data will be stored and analysed by the PIU. The purpose of this is to ‘identify persons who were previously unsuspected of involvement in terrorism or serious crime’ and require further examination by the competent authorities in relation to the offences listed in Annex II of the Directive. Contrary to the Commission’s assertions that PNR data will be used in different ways – reactively, pro-actively and in real-time – the focus on prevention is central. The analysis entails a risk assessment of all passengers prior to their travel on the basis of predetermined criteria to be decided by the respective PIU and possibly involving cross-checking with existing blacklists (Article 6(3)).
Furthermore, the PIUs will respond to requests by national authorities to access the data on a case-by-case basis and subject to sufficient indication (Article 6(2)(b)). Nevertheless, processing should not take place on the basis of sensitive data revealing race, ethnic origin, religion or belief, political or any other opinion, trade union membership, health or sexual orientation etc. (Recital 20). According to Article 12, the initial retention period is six months, after which PNR data will be depersonalised, meaning that the PIU is entrusted with the task of masking out the names, address and contact information, payment information, frequent flyer information, general remarks and all API data. This process should not be confused with anonymisation, as the data could be re-identifiable and may still be used for criminal law purposes under ‘very strict and limited conditions’ (Recital 25). Therefore, upon expiry of the six-month retention period, disclosure of the full PNR data is permitted if so approved by a judicial authority or another national authority competent to review whether the conditions have been met and subject to information and ex post review by the Data Protection Officer of the PIU (Articles 12(3) and 5).
3. Privacy and surveillance of movement
The challenges that the development of the EU PNR system poses to the protection of privacy and data protection rights are acute. In essence, as with the PNR Agreements, the Directive allows the systematic, blanket and indiscriminate transfer, storage and further processing of a wide range of personal data of millions of travellers from and to the EU. Drawing from Digital Rights Ireland and the recent opinion of AG Mengozzi on the EU-Canada PNR Agreement, the interference with the rights to privacy (Article 7 EUCFR and 8 ECHR) and data protection (Article 8 EUCFR) is particularly serious. On the basis of the data collected, which include biographic information, credit card details and contact information, law enforcement authorities shall be able to compile a rather complete profile of travellers’ private lives.
The involvement of the private sector in the fight against terrorism and serious crime is considerably extended, particularly if one takes into account that the obligations on air carriers are extended to non-carrier economic operators (e.g. travel agencies). In addition, the inclusion of intra-EU flights within the scope of the Directive significantly expands the reach of surveillance. Indeed, back in 2011, it was noted that intra-EU flights represent the majority of EU flights (42%) followed by international flights (36%), and only 22% of flights operate within a single Member State (Council Document 8016/11). In this framework, the movement of the vast majority of travellers, including EU citizens, is placed under constant monitoring, irrespective of the fact that they are a priori innocent and not suspected of any criminal offence. In fact, the operation of the PNR scheme signifies the reversal of the presumption of innocence, whereby everyone is deemed as a potential security risk, thus necessitating their examination in order to confirm or rebut this presumption. Besides, there is no differentiation between flights transporting persons at risk and others.
Furthermore, the risk assessment will take place in a highly obscure manner, particularly since the Directive fails to prescribe comprehensively and in detail how the data will be analysed. The underlying rationale is the profiling of all passengers and the identifying of behavioural patterns in a probabilistic logic, but nowhere in the Directive is it indicated that this is indeed the case. This lack of clarity raises concerns considering that the recently adopted Data Protection Directive includes a definition of profiling (Article 3(4)). Moreover, it is stated that ‘relevant databases’ may be consulted; however, it is not clear which these are. For instance, a possible examination on a routine basis of the databases storing asylum seekers’ fingerprints or visa applicants’ data (Eurodac and VIS respectively) will frustrate their legal framework, resulting in a domino effect of multiple function creeps. It may even whet Member States’ appetite for the systematic processing of EU nationals’ personal data in centralised databases in the name of a more ‘efficient’ fight against terrorism.
This ambiguous modus operandi of PIUs may even call into question the extent to which the interference with privacy is ‘in accordance with law’ (Article 8(2) ECHR) or in EU terms ‘provided for by law’ (Article 52(1) EU Charter). According to settled case law of the ECtHR, every piece of legislation should meet the requirements of accessibility and foreseeability as to its effects (Rotaru v Romania). The lack of clear rules as to how the processing of data will take place may suggest that travellers cannot foresee the full extent of the legislation.
Another contested issue is the ambiguous definitions of terrorism and serious crimes at EU level. The offences falling under the remit of terrorism are currently being revised, which has led to criticism for lack of clarity, whereas the definition of serious offences (acts punishable by a custodial sentence or detention order of a maximum period of three years or longer) constitutes a relatively low threshold, particularly in those Member States where domestic criminal law allows for potentially long custodial sentences for minor crimes. In addition, as regards the conditions of access by national competent authorities, the requirement that the request must be based on ‘sufficient indication’ seems to fall short of the criteria established in Digital Rights Ireland. The threshold is particularly low and may lead to generalised consultation by law enforcement authorities, whereas it is uncertain who will check that there is indeed sufficient indication. As for the offences covered by the scope of the Directive, although Annex II sets out a list in this regard, PNR data could still be used for other offences, including minor ones, when these are detected in the course of enforcement action further to the initial processing.
Moreover, in relation to the period for which the data will be retained, it appears that the EU institutions by no means have a clear understanding of what constitutes a proportionate retention period. For instance, the 2007 proposal envisaged an extensive retention period of five years, after which time the data would be depersonalised and kept for another eight years, whereas the 2011 proposal prescribed a significantly reduced initial retention period of 30 days, after which the data would be anonymised and kept for a further period of five years. In its General Approach (Council Document 14740/15), the Council called for an extension of the initial retention period to two years, followed by another three years of storage for depersonalised data. A more privacy-friendly approach can be found in an Opinion of the Council Legal Service dating from 2011, according to which the data of passengers in risky flights would be initially retained for 30 days and then be held for an overall period of six months (Council Document 8850/11 – in German). Some Member States supported a retention period of less than 30 days (Council Document 11392/11). It is welcome that there are two sets of deadlines and, more importantly, that re-personalisation may take place only under limited circumstances. However, there is no indication of why the chosen retention periods are proportionate. Furthermore, an approach suggesting a differentiation between flights at risk or not at risk, with different retention periods, seems more balanced.
4. Free movement and citizenship concerns
In addition to the privacy challenges highlighted above, another point of concern is whether the processing of PNR data, including on intra-EU flights, could infringe free movement enjoyed by EU citizens. In this respect, the Commission Legal Service found that the EU PNR does not obstruct free movement (see Council Document 8230/11, which is partially available to the public, although the outcome of the opinion is attested in Council Document 8016/11). Nonetheless, the Parliament managed to include a reference that any assessments on the basis of PNR data shall not jeopardise the right of entry to the territory of the Member States concerned (in Article 4). The extent to which this reference is sufficient is doubtful.
According to Article 21 of the Schengen Borders Code, police controls performed in the territory of a Member State are allowed insofar as they do not have the equivalent effect of border control. Such an effect is precluded when, inter alia, the checks are carried out on the basis of spot-checks. In Melki, the CJEU found that ‘controls on board an international train or on a toll motorway’ limiting their application to the border region ‘might (…) constitute evidence of the existence of such an equivalent effect’ (para 72). By analogy, the focus on controls at the border area, in the systematic manner set out in the Directive, could have the equivalent effect of a border check. The lack of any differentiation between flights at risk or not at risk (an approach that was also favoured by the Council Legal Service, Council Document 8850/11) and the fact that Member States are left entirely free to determine the extent to which they monitor flights to and from other Member States could enhance the risk of falling into the category of controls with an equivalent effect to border control.
The EU PNR Directive is yet another example of how the counter-terrorism rhetoric outweighs serious fundamental rights concerns in the name of ensuring security. The storyline is well-known: after a terrorist attack, numerous ideas – either incorporated in legislative proposals that have stalled or which were ultimately too ambitious and controversial to be presented in the first place – feature on the EU agenda. The EU PNR initiative was buried due to privacy concerns and was brought back from the dead when the circumstances matured. Soon national law enforcement authorities will put their hand into the passengers’ data jar and will deploy their surveillance techniques on an unprecedented and unpredictable scale.
By internalising US standards, the EU puts the privacy of individuals under threat. The new instrument no longer targets third-country nationals only, but also EU citizens, thus marking the end of an era where instruments were used ‘solely’ on foreigners. Undoubtedly, there is a strong ‘momentum’ for justifying mass surveillance practices. In waiting for the ruling on the EU-Canada PNR Agreement, as well as the ruling on Tele2 Sverige (following up on Digital Rights Ireland), one can only hope that the CJEU will uphold its inspiring reasoning and reiterate the important limits placed on deploying surveillance practices, by giving proper weight to the fundamental right to the protection of personal data.