Another episode of the EU PNR saga: remarks of the national data protection authorities

LETTER SENT BY THE PRESIDENT OF THE ART 29 WORKING PARTY (*) TO THE CHAIRMAN OF THE PARLIAMENTARY COMMITTEE IN CHARGE OF THE EU PNR DRAFT DIRECTIVE (emphasized by me)

Dear Mr Moraes,
Since the terrorist attacks in Paris and Copenhagen, the discussion on the possible introduction of an EU Passenger Name Records system (hereafter: EU PNR) has moved significantly forward, both in the Council and in the European Parliament. In particular, Mr Kirkhope, rapporteur on this issue, has presented an updated report on the Commission’s 2011 draft directive establishing an EU PNR to your Committee.
As stated early last month, the Article 29 Working Party (hereafter: the WP 29) is not in principle either in favour of or opposed to PNR data collection schemes (See press release issued by the Article 29 Working Party on EU PNR on 5 February 2015), as long as they are compliant with the fundamental rights to respect for private life and to the protection of personal data.
However, considering the extent and indiscriminate nature of EU PNR data processing for the fight against terrorism and serious crime, the WP 29 believes that it is likely to seriously undermine the rights as set out in Articles 7 and 8 of the Charter of Fundamental Rights in the European Union.
In this regard, the Working Party acknowledges that there have been some improvements to the initial draft from a data protection perspective. Still, the Working Party wishes to urgently draw your attention to the following outstanding issues to ensure that the aforementioned fundamental rights are respected.
First, the necessity of an EU PNR scheme still has to be justified. Precise argumentation and evidence are still lacking in that respect. Further restrictions should also be made to ensure that the data processing is proportionate to the purpose pursued, in particular considering that the report now includes intra-EU flights in the data processing. Therefore, it is recommended that the data collection is limited with reference to specific criteria in order for the scheme to guarantee respect for individuals’ fundamental rights and to take the CJEU data retention judgment into account. Besides this, the scope of the offences concerned should be further reduced and the retention period shortened and clearly justified.
In addition, a major error in the new Articles 10a and 12(1b) stemming from an apparent misunderstanding of the data protection authority’s role must be rectified in order to set the responsibilities of governments and data controllers.
Finally, the WP29 insists on the necessity to present as soon as possible a detailed evaluation of the efficiency of the PNR scheme. A sunset clause should also be inserted into the directive to assist in ensuring periodic review of the necessity of the system.

All these points will be developed in an appendix of this letter, as well as concrete modifications and improvements proposed to the text by the Working Party. I would be grateful if you would be so kind as to forward this letter to the members of your committee in order for them to take account of these views before the deadline for further amendments to the proposal. Naturally, the Working Party remains at your disposal for any clarification you would require and further input during the discussion on EU PNR.

Yours sincerely,
On behalf of the Article 29 Working Party,
Isabelle FALQUE-PIERROTIN Chairwoman

Appendix:
Demonstrating the necessity and ensuring the proportionality of the EU PNR scheme


As stated previously by the Working Party and stressed by the Court of Justice of the European Union (CJEU) in the data retention judgment (2), a data collection scheme such as the one proposed under the EU PNR draft directive, must meet the fundamental necessity and proportionality requirements. Therefore, the Working Party recommends the following:

1. Demonstrating the necessity of the EU PNR scheme

Above all, the text should offer a concrete demonstration of the necessity and appropriateness of PNR data collection for the fight against terrorism and serious (transnational) crime. In this regard, the Working Party recommends the following modifications:
– The text should first clarify why the existing instruments at the disposal of Member States, such as, for instance, the Schengen information system, or the collection of API data, are not sufficient to achieve the purpose pursued.
– The text should also justify why less intrusive alternatives would not achieve the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious transnational crime. Examples of such less intrusive alternatives would be to address the shortcomings/flaws recently found in the response of the security services to terrorist threats, to improve the exchange of information between Member States or to adapt the existing instruments (such as the API directive).
– The legislator should then justify how the establishment of an EU PNR scheme is precisely the solution to achieve the purpose pursued as opposed to less intrusive alternatives. In this regard, it was said several times by national governments representatives that some terrorist attacks could have been avoided, had a PNR scheme already been in place. However, this has not been demonstrated by any evidence or facts.
Similarly, the claim that PNR processing is helpful to ensure security and protect citizens is not sufficient and is only reliable if it is accompanied by facts detailing examples of the impact on outcomes of investigations that make use of PNR data.
The recitals should explain the supposed efficiency of an EU PNR scheme and its added value with respect to existing and less intrusive solutions. Consequently, the text should refer to evidence, possibly statistics, gathered by EU and Member State studies regarding such efficiency of the scheme.
Further analysis of how effective the system is expected to be should also be provided. Considering that these data are provided by the would-be passengers themselves and have not been objectively verified, this justification is even more important.
– The choice made by the rapporteur to extend the collection of PNR data to intra-EU flights, thus dramatically increasing the number of passengers concerned by the intrusion into their rights, is another major reason requiring that particular attention is paid to such demonstration.

2. Ensuring the proportionality of the processing

After addressing the necessity of the system, the legislator remains to ensure its proportionality by limiting the number of passengers impacted, the uses made of the data and their retention period to what is strictly necessary.
In this regard, the Working Party suggests the following changes to the text.
– The scheme, as proposed in the report, would cover 100% of the flights (and of the would-be passengers) departing from and in direction of the EU and intra-EU. To ensure compliance with the requirements laid down by the Court of Justice of the European Union in its data retention judgment (3), the Working Party considers that the proposed data collection scheme should be restricted with reference to specific criteria: “(i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.”(4)
– The uses made of the PNR data once collected should be limited to what is strictly necessary. In this regard, the Working Party welcomes that the report restricts the use to serious transnational crimes instead of serious crimes as originally foreseen. However, it notes that the list of crimes included in such qualification remains long, broad and sometimes very vague. In particular, the Working Party draws the attention of the Members of the Parliament to “computer-related crimes” which, depending on the definition given to them, could more or less cover any transnational crime without guaranteeing that they are effectively serious or to crimes from this list for the investigation of which the usefulness of PNR data remains unclear. The Working Party therefore invites the EU legislator to reduce the list to the crimes for which the use of PNR data would effectively prove necessary for the police investigators and, in any case, to justify, for each category of crime currently listed, that the use of PNR data is necessary for the prevention, detection, investigation and prosecution of these crimes.
– As already stated in its opinion 10/2011 on the proposal for an EU PNR directive, the Working Party views the proposal to retain data, even if masked, for four or five years as disproportionate. Besides, as held by the Court of Justice of the European Union, “the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary.”(5) The Working Party therefore invites the legislator to propose a shorter period of retention of the PNR data and recommends adding a recital specifying the criterion justifying to which concrete need the chosen period corresponds.

3. Rectifying errors in the allocation of roles between governments, data controllers and data protection authorities

The Working Party notes major errors are made in the new Articles 10a and 12(1b) of Mr. Kirkhope’s report with respect to the respective roles of governments, data controllers and data protection authorities. In particular, on the one hand, contrary to what is stated, it is up to national legislators to ensure that effective administrative, civil and criminal enforcement measures are in place for privacy incidents by the airlines (Article 10(a)), to provide all individuals with an administrative means to resolve travel-related inquiries including those related to the use of PNR data and to provide redress mechanisms for specific cases (Article 12 (1b)) and to ensure the removal of staff where appropriate (Amendment 42). On the other, in line with the proposal for a general data breach notification obligation that is currently being considered as part of the General Data Protection Regulation (6), and contrary to what is currently stated in Article 10(a) (2), it is up to the data controllers to inform affected individuals, as well as other relevant Member States authorities.
The Working Party therefore invites the legislator to modify these provisions in order to set the responsibilities of governments and data controllers.

4. Welcomed improvements and possible fine-tuning

The Article 29 Working Party finally welcomes the improvements made by the rapporteur to comply with key data protection requirements.
In particular, it notes the attempt made in new Article 4(3) to complement the list of sensitive data on the basis of which a decision that produces an adverse legal effect on a person or seriously affects him/her should, in no circumstances, be taken. It welcomes the stated aim to ensure that the pre-assessment of passengers is carried out in a non-discriminatory manner. It would however suggest that the sensitive data listed in article 4(3) and Recital 19 is adjusted with respect to the list enshrined in Article 8 of Directive 95/46/EC and Article 6 of Council Framework Decision 2008/977/JHA. As a result, at the very least, philosophical belief, trade union membership, health data and sex life should be added to the list of data on the basis of which no decision producing adverse legal effects, such as regarding pre-assessment of passengers, must be taken.
The Working Party also regards as crucial improvements the obligation for each Member State and each national authority to appoint a data protection supervisory officer (7) (“DPO”) and the establishment of an independent EU-PNR data protection committee. Still, the Working Party recommends clarifying that the DPO will be appointed within the passenger information unit or, at the very least, within the competent authority.
The Working Party would also suggest specifying the data protection committee’s composition and exact role. In this regard, DPOs and the Working Party should either be a party to the review board, or regularly heard by it so that their expert knowledge is reflected in the work of the board.

5. Periodic review

If an EU PNR system were indeed to be introduced, the Working Party stresses that the serious intrusion into fundamental rights it represents would require critically evaluating the system as soon as possible. In this regard, a first evaluation should, at the latest, take place two years after the first EU PNR system has been activated and not five years after as currently suggested by the rapporteur. The Working Party therefore suggests modifying the proposed text to change the deadline for evaluation accordingly.
In this same perspective, the Working Party suggests introducing a sunset clause into the directive, set at no later than five years after its entry into force. Such timeframe would allow sufficient distance for a comprehensive evaluation of EU PNR in all Member States, in particular with regard to its necessity, proportionality and overall compliance with data protection requirements. Only if irrefutable evidence of compliance were to be provided during the evaluation, could the EU legislator take the explicit decision to maintain the EU PNR system.

(*) The ARTICLE 29 Data Protection Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat is provided by Directorate C (Fundamental rights and Union citizenship) of the European Commission, Directorate-General for Justice and Consumers, B-1049 Brussels, Belgium, Office No MO59 02/34 Website: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

NOTES
2 CJEU, Digital Rights Ireland Ltd (C-293/12)
3 CJEU, Digital Rights Ireland Ltd (C-293/12)
4 CJEU, Digital Rights Ireland Ltd (C-293/12), consideration 59.
5 CJEU, Digital Rights Ireland Ltd (C-293/12), consideration 64.
6 Draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data – COM(2012) 11
7 See proposed Art. 10a
