After illustrating, in the previous issue of our newsletter, the impact of Regulation (EU) 679/2016 (the “GDPR”) on the Italian system, it is now appropriate to underline that, at the same time as the GDPR, Directives (EU) 2016/680[1] and 2016/681[2] were issued.
Such Directives are, along with the GDPR, part of the same EU data protection reform package, falling within the specific and delicate framework of personal data processing carried out in the context of investigation for crime prosecution. Although gone unnoticed (as attention was much more focused on the GDPR), the two Directives at issue are not less relevant for personal data protection purposes.
More specifically, Directive 2016/681 relates to the processing of so-called “Passenger Name Record” (“PNR”) data, which is a record of each passenger’s air travel requirements that contains information on bookings made by or on behalf of any person for prevention, detection, investigation and prosecution of terrorist offences and serious crime.
Insofar as is relevant here, we are going to correlate the content of Directive 2016/681 – on the use of PNR data – with the GDPR, with a view also to assessing their combined impact.
Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, requires air carriers to register and retain passengers’ data for a sufficiently long period.
More specifically, PNRs are records of passengers’ data, acquired and stored in Computerised Reservation Systems (“CRS”), developed precisely for exchange of information among air carriers.
PNR data is information provided by passengers and collected by air carriers for enabling reservations and carrying out the check-in process such as dates of travel, travel itinerary, purpose of travel, passenger contact details, baggage information, means of payment, specific requests (e.g. special assistance, special meals).
As is clear, such information is massively collected by air carriers and processed for commercial purposes. The Directive specifies, however, that processing can extend to the purposes of prevention, detection and prosecution of terrorist offences and similar crime.
Unlike the previous measures adopted at European level such as the API (Advance Passenger Information) and SIS II (second generation Schengen Information System) regulations, which did not allow the authorities to identify suspects unknown to authorities, Directive PNR provides the systematic collection, use, storage and retention of the PNR data of passengers of international flights. According to the European Commission, PNR data allows identification, by means of algorithms, of persons among those unknown by the police who may pose a terroristic threat. Therefore, the line between lawful processing – in the presence of a concrete risk for national security – and unlawful processing (potentially identifiable, particularly in the context of preventive activity, if there is no imminent threat) is pretty thin.
Under the PNR Directive, air carriers shall provide authorities with PNR data relating to extra-EU flights, with the right for the Member States to collect also PNR data relating to intra-EU flights, notifying the European Commission thereof in writing. Furthermore, EU countries may decide whether to also collect PNR data from non-carrier operators, e.g. travel agencies or tour operators, who likewise provide flight reservation services.
More specifically, PNR data are transferred by air carriers (or other operators) to a Passenger Information Unit (PIU) of the Member State concerned, usually no more than 24 hours before the scheduled flight departure or immediately after boarding or gate closure [3][4].
The PIU is responsible for collecting, storing and processing PNR data as well as for transferring such data to competent authorities and exchanging the same with the PIUs of other Member States and Europol. The PIU shall also appoint a person in charge of protection, responsible for overseeing PNR data processing and applying the relevant safeguards; access to the whole mass of PNR data, which allows direct identification of the party concerned, shall only be allowed under very strict and limited conditions. Any PNR processing shall be registered or documented; Member States shall however prohibit any processing of PNR data that could reveal a person's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life or sexual orientation of the persons concerned (which is not always possible, especially in respect of health, suffice it to think to special assistance requests made, for example, by passengers with restricted mobility).
PNR data shall be retained for five years after being transferred to PIUs. In the six months following the expiry of such period, the PNR data collected shall be depersonalised and anonymised by masking certain information such as name, address and contacts, which may be useful to directly identify a passenger.
PNR data are today recognised as among the most sensitive categories of personal data; there is, therefore, an obvious need to coordinate the provisions of the PNR Directive with those of the GDPR and, generally, with the statutory rules on personal data protection.
As is known, Article 5 of the GDPR sets out the principles governing personal data processing [5].
Concerning PNR data processing, particularly relevant is the principle of transparency, which involves any data collected having to be processed lawfully and in such a way as to allow the parties concerned to know how their own data is collected, processed or transferred to third parties. Accordingly, air carriers (or any other operators concerned) shall comply with the principle of transparency and for such purpose provide passengers with any useful information on the transfer of their PNR data to PIUs before the same occurs.
Besides the principle of transparency, PNR data processing must be in compliance with the principle of “accountability”, which requires data processing to be implemented in compliance with the provisions of the GDPR, with the burden of the proof of such conformity being with the data owner. This means that air carriers (or the operators concerned), in their capacity as data owners, shall process PNR data having regard to the provisions of both Directive 2016/681 and the GDPR and shall ensure that the PNR data collected not exceed what is necessary in relation to booking purposes (so-called “principle of proportionality”).
In addition, all air carriers, in light of their usual and large-scale processing of personal data such as PNR, shall appoint a Data Protection Officer (DPO) having the necessary skills to interpret and apply the GDPR rules. It is not by chance that the International Air Transport Association (“IATA”) requires all of its members to appoint a DPO and to involve a specialist lawyer when any doubt or issue arises that needs to be settled through a legal counsel.
Furthermore, given the potentially “sensitive” nature of the data in question, it is necessary verify from time to time whether processing is prohibited and, if not, on what basis it is allowed and to handle it in compliance with the GDPR requirements regulating the processing of special categories of personal data.
The risk that passenger data processing may exceed the purposes of collection and, consequently, the bounds set by the GDPR principles is very high, especially when the conflicting interest at stake is prevention and prosecution of serious crime connected to international terrorism.
It is not by chance that the European Privacy Authority expressed some doubt as to the conformity of the PNR Directive with the provisions of the GDPR [6], because of the lack of any “reason and proof to justify the creation of a database that is unprecedented in Europe”. The question is to what extent a massive and indiscriminate data collection involving the general population is necessary and how can this be consistent with the principle of proportionality stipulated by the GDPR. Emphasis is then shifted to the actual effectiveness of such kind of measures. Indeed, in the words of the European Data Protection Authority, “the same results could be achieved by taking more limited, less costly and less privacy-invading measures”.
On the other hand, that would not be the first-time personal data protection is subordinated to other interests, deemed more relevant after cautious balancing. Suffice it to think that the in-itself-unlawful disclosure of personal information obtained without the consent of the data subject may under certain conditions be lawfully used as a probationary element in criminal proceedings.
Now we only have to wait and verify whether the recipients of the PNR Directive will actually be able to remain within the bounds of the principles governing personal data processing, also identifying the way in which they can lawfully unbind themselves for the sake of higher interests.
This article is for information purposes only and is not intended as a professional opinion. For further information, please contact Filippo Di Peio or Ilaria Todaro.
itoda
[1]Transposed in Italy by Legislative Decree 51 of 18.5.2018.
[2]Transposed in Italy by Legislative Decree 53 of 21.5.2018.
[3]A PIU is responsible for storage, analysis and transmission of the data to competent authorities; Member States are however entitled to obtain PNR data also from PIUs of other States, if useful for a specific investigation.
[4]For example, in case of multi-stop flights, the PNR data of all passengers shall be transmitted to the PIUs of the Member States involved.
[5]More specifically, personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
[6]See www.repubblica.it/tecnologia/2016/04/14/news/privacy_buttarelli-137648874/
