After the terrorist attacks at the beginning of this year, ranging from the Charlie Hebdo attack to the most recent train shooting in Northern France, the EU has decided, in response, to revive the debate on adoption of the draft PNR Directive.
The Passenger Name Record (PNR) is unverified data provided by passengers, collected and held by air carriers. The data incudes: names; travel dates; itineraries; seats; baggage; contact details and means of payment.
EU officials believe that PNR data could be used for the prevention, detection, investigation and prosecution of terrorists.
The EU has already signed agreements allowing EU carriers to transfer PNR data to the United States, Australia and Canada.
Considering that many EU countries have already developed their own systems for holding PNR data, European Parliament Civil Liberties (LIBE) Committee rapporteur Timothy Kirkhope believes that ‘with one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe. The emerging threat posed by so-called “foreign fighters” has made this system even more essential’.
The current Proposal is an amended version of a proposal presented in 2011.[1] The ‘old’ proposal had been rejected by the LIBE Committee because it was considered too invasive.[2] The same Committee approved on 15 July 2015 the amended version of the proposal.
The new PNR rules would apply only for flights outside the EU and would concern air carriers and non-carriers such as travel agencies and tour operators. Internal flights between EU Member States are, for the moment, off the table, but some MEPs consider that the idea should be introduced in future discussions.
In the ‘new’ version some provisions have been added, requiring Member States to share the PNR data with each other and with Europol.[3]
The safeguards inserted in the new proposal include the following requirements:
Furthermore, having regard to the recent judgment of the Court of Justice,[4] in relation to the impact of the proportionality principle, two different limitation periods – five years for terrorism and four years for serious transnational crimes – have been introduced for accessing the data. The full information should be retained for the first 30-day period, after that it should be ‘masked out’ for the remaining period.[5]
After the four-five year period, the PNR data should be permanently deleted, unless the competent authorities are using it for specific criminal investigations or prosecutions (in which case the retention of data would be regulated by the national law of the member state concerned).
Despite these new amendments some doubts remain about the impact of PNR data retention on fundamental rights, such as:
The European Data Protection Supervisor, Mr Giovanni Buttarelli, has criticised the proposal stating that it is too invasive and is unlikely to stop terrorism.
The trilogue on this matter should begin in September.[9] In a resolution voted on 11 February 2015, the EU Parliament has in fact committed itself ‘to work towards the finalisation of an EU PNR directive by the end of the year’.
The difficult balance between national security and citizens’ privacy is a frequent problem that our modern society must face. It is not only the EU that attempts to fight terrorism and crime. The EU Member States are trying to find acceptable solutions in order to protect their citizens.
For instance, the French Senate passed, on 24 June 2015, a new statute allowing the French authorities to monitor and intercept citizens’ communications. On 23 July 2015, the Constitutional Court approved that new law, finding only a few articles contrary to constitutional principles.
Manuel Valls, the French Prime Minister, believes that ‘from now on, France has a security framework against terrorism that respects liberties. It’s decisive progress’.
In France, for wireless phone taps, hidden cameras and microphones there will be no need of a warrant or any type court approval. The new law has now provided for the mandatory consultation of the National Commission for the Control of Intelligence. The recommendations of this Authority are not binding.
The LIBE Committee has raised concerns about the compatibility of some of the French provisions with the EU Treaties.
Mr Buttarelli was also critical of the French law saying that ‘mass surveillance is against values and has no legitimacy in the EU’. He also added that ‘as people become more monitored and more profiled, they risk discrimination in terms of access to services’.
We will keep you posted on the adoption of the PNR Directive and the debate around the new French law and its compatibility with EU principles.
[1] Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, COM(2011) 32 final, 2.2.2011.
[2] The LIBE Committee deals with Civil Liberties, Justice and Home Affairs (for further information, http://www.europarl.europa.eu/committees/en/libe/home.html).
[3] In sharing the PNR data the Europol’s Secure Information Exchange Network Application (SIENA) system should be used.
[4] Joined Cases C-293/12 and C-594/12, Digital rights Ireland Ltd and Karntner Landesregieurung, judgment of 8 April 2014, not yet published.
[5] When the information is ‘masked out’ all the data that could serve to identify the passenger is anonymised. In this period of time the data will be accessible only to a limited number of personnel of the Passenger Information Unit specifically authorized to carry out analysis of PNR data and develop assessment criteria.
[6] The right to privacy falls within the scope of Article 7 of the Charter of Fundamental Rights of the European Union (C 364 of 18.12.2000, p.1) providing that: ‘Everyone has the right to respect for his or her private and family life, home and communications’.
[7] The right to data protection is protected under Article 8 of the Charter of Fundamental Rights of the European Union reading as follows: ‘Everyone has the right to the protection of personal data concerning him or her. // 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. // 3. Compliance with these rules shall be subject to control by an independent authority.’
[8] Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC, OJ L 158, 30.4.2004, p.77.
[9] The three-way talks between Parliament, Council and Commission negotiators to agree on the final text of a legislative act when one or more of the three institutions have reached incompatible conclusions or introduced incompatible amendments.