written by Marine MARX
Wednesday the 24th of April, the EP Civil Liberties committee rejected the Commission Proposal for on the use of Passenger Name Record data (EU PNR). This proposal aimed at allowing the transfer of air passengers’ data for security purposes inside the EU territory.
Indeed, air carriers should collect PNR data from passengers during reservation and check-in procedures for flights entering or leaving the EU. PNR includes notably the passenger’s name, address, phone number, credit card details as well as “free text” linked with the management of the travel contract. Following an already settled US and Canada and Australia practices, the Commission proposed in February 2011 to oblige air carriers to provide EU countries with the data of passengers entering or leaving the EU, for use in preventing, detecting, investigating and prosecuting serious crime and terrorist offences.
The result of the vote led the Civil Liberties committee to a heated debate between the ones in favor of an EU PNR Scheme and the ones who voted against it (30 against, 25 in favour). This division has come without surprise on this issue as the PNR saga dates back to an EP resolution in March 2003 and has always been a divisive topic.
Yet, MEPs in favor, notably members of the EPP group and in particular the rapporteur Timothy Kirkhope (ECR) deplored the fact the European Parliament is not adopting a positive position on what they consider as an important tool in the fight against terrorism in Europe. They namely stressed the fact that if the EU has allowed the exchange of PNR with third countries, like the USA and has started negotiations with Canada, it is nonsense to refuse it within the EU. They also regret the fact that some Member States either have already developed a national PNR system, for instance the United-Kingdom or France, or have expressed their intention to implement such a tool which will require airlines to share PNR with national anti-terrorism bodies. Nevertheless, outside an European interoperable framework, the added value of the single Member State’s PNR system will lack of efficiency.
However, opponents of an EU PNR scheme argued that as it is proposed in the Commission text. it does not comply with the principle of proportionality and does not adequately protect personal data as required by the article 8 of the EU Charter and by the article 16 of the Treaty on the Functioning of the EU. Moreover the proposal makes reference to a EU framework legislation which is still under negotiation between the EP and the Council. The Commission should then wait for the result of these negotiations and the entry into force of the new general framework for data protection for security purposes before submitting a revised specialized legislation in this domain.
On the content, according to the same MEPs there is still no clear evidence that PNR data are an effective tool to fight terrorism. It is not evident that collecting an amount of personal data could be the solution : indeed, last terrorist attacks like the attack in Boston or the Merah affair in France, proved that the persons responsible for it were already known by the law enforcement authorities as well as by the secret services , but this did not prevent or avoid these attacks. MEPs against the EU PNR scheme are also particularly worried by the fact that PNR data linked with other personal data available to the Intelligence and police services create the opportunity of profiling users and store for years in LEA data bases data of innocent people in violation of their fundamental rights.
This is particularly true for the data retention period for passenger data (itinerary, hotel reservation, details on credit cards and other personal information) for at least five years which is seen as excessive and costly.
Arguments of the opponents to the proposal can rely on the Opinion of the European Data Protection Supervisor (EDPS) which stated that, although visible improvements in terms of data protection in the present Proposal have been made, the EDPS considers that the Proposal with its current content does not meet the requirements of necessity and proportionality, imposed by Article 8 of the Charter of Fundamental Rights of the Union, Article 8 of the ECHR and Article 16 of the TFEU.
Indeed, according to the EDPS there is notably not enough relevant and accurate background documentation which demonstrates the necessity (as required by the ECHR and by the EU Charter) of the system and a clear demonstration of the fact that the measures are essential and that there are no less intrusive alternatives is missing. The EDPS namely underlines that the development of such a system on a European scale, involving the collection of data on all passengers and the taking of decisions on the basis of unknown and evolving assessment criteria, raises serious transparency and proportionality issues.
Moreover, leaving the scope of application open and giving the Member States possibilities to extend the purpose is contrary to the requirement that the data may be collected only for specified and explicit purposes.
Yet, this issue is not over. The LIBE report will now be submitted to the Plenary vote. However the period when the debate and the vote will take place remains uncertain. As explained by Lopez Aguilar (S&D), Chair of this parliamentary committee, the Conference of the Presidents of the Political Groups could delay the inscription of this report on the Plenary agenda because it was included in the legislative proposal blocked in the framework of the EP-Council controversy on the new mechanism for evaluating the Schengen cooperation.
The LIBE negative vote, even if expected, has created some concerns on the Commission side. However Commissioner Cecilia Malmström still believes that a solution can be found before the plenary vote since “it is the only way of avoiding the fragmentation of PNR systems and of effectively protecting personal data.” In the coming weeks it will be clear if the Commissioner position is well founded or if supplementary work will be needed or a final negative vote will close the procedure.
For more information:</p>
Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crimeDraft report KIRKHOPE on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime: http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/891/891415/891415en.pdf AMENDMENTS 35-210 http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/am/898/898279/898279en.pdf AMENDMENTS 211-501 : http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/am/897/897635/897635en.pdf
 See for the EU-USA PNR agreement http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:215:0005:0014:EN:PDF and :http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/129806.pdf http://register.consilium.europa.eu/pdf/en/11/st17/st17434.en11.pdf For Australia : http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/124817.pdf For Canada : negotiations are still ongoing.
 European Parliament resolution on transfer of personal data by airlines in the case of transatlantic flights http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P5-TA-2003-0097+0+DOC+XML+V0//EN
 See the procedure file of the Droutsas’ report on “Personal data protection: processing of data for the purposes of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, and free movement of data”: http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2012/0010(COD)&l=EN
 See ECHR, Marper case : http://www.edri.org/edri-gram/number6.24/echr-marper-case-dna-uk
 For the UE-US PNR agreement, DHS retains PNR in an active database for up to five years. After this active period, PNR shall be transferred to a dormant database for a period of up to ten years (15 years in total). Following the dormant period, data retained must be rendered fully anonymized by deleting all data types which could serve to identify the passenger to whom PNR relate without the possibility of repersonalization. http://register.consilium.europa.eu/pdf/en/11/st17/st17434.en11.pdf