Repetita Juvant? The EDPS 2nd Opinion on the EU system of collection of passenger name records (PNR)

Foreword:
The systematic collection, for the prevention of terrorism, of air travellers’ personal data (PNR) from airlines, travel agencies and computer reservation systems started in the US, Australia and Canada after 9/11. It was considered illegal by the European data protection authorities as well as by the European Parliament, which in 2004 challenged before the Court of Justice the first EU-US agreement in this matter, as well as the Commission Declaration (“Adequacy Finding”) which considered adequate the conditions of treatment of EU passengers’ data on the other side of the Atlantic.

The Court of Justice judgment recognized in 2006 that the Commission’s “Adequacy Finding” and the EU-US Agreement were not founded on the correct legal basis, but did not examine the EP plea that the agreement could have infringed the fundamental right to protection of personal data because of its lack of clarity and its incompatibility with a democratic society (at the time required by art. 8 of the ECHR).

Therefore it has to be noted that already in 2004 the Commission considered that the EU should also develop its own PNR system for security purposes and, after the CJ ruling, decided to renegotiate with the US (on a security-related legal basis) a new PNR agreement which explicitly made reference to the possibility of exchanging PNR data as soon as the EU had its own PNR-related system.
In the absence of an EU internal legal framework for PNR data some EU Countries started building their own national systems with a more or less open support by the Commission notwithstanding the (vocal) opposition of the European Parliament.

Quite surprisingly, it is after the entry into force of the Lisbon Treaty and of the Charter of Fundamental Rights, which recognize a self-standing fundamental right to protection of personal data, that the walls of Jericho have fallen and the European Parliament has approved a transatlantic agreement in this matter (even if there was not yet an internal EU legal framework in this matter and the level of protection of personal data in the agreement was much lower than the one that the same Parliament challenged before the Court of Justice in 2004…).

This change of strategy (due to a clear change of political majority) was seized by the Commission as the right signal to create an EU internal PNR system. After a first badly written proposal, the Brussels Executive came back with a legislative proposal to authorise the collection of PNR data also by the EU Member States.

Needless to say, this move was contested by the national data protection authorities and, less convincingly, by the European Parliament. Even if it blocked the legislative procedure in the last legislature, it has finally decided to reopen the negotiations this year. This is probably due to the converging pressure of the European Council and of the Council Interior Ministers, as well as to the convergence of the two biggest political groups (also thanks to the good offices of the EP President…).

From a procedural point of view, the legislative proposal is still in its first phase (parliamentary first reading) but the new majority (covering also the ALDE and ECR) has decided to try to obtain an early agreement with the Council in the framework of the so called “first reading agreements”.
As usual the informal (secret) dialogue has started and there is a clear political will to reach an agreement in the coming months (still under the Luxembourg Presidency).

This being the case, both the National Data Protection Authorities and the European Data Protection Supervisor (EDPS) are trying to slow down the process by repeating the constitutional, legislative and operational reservations which have also been summarized in the EDPS opinion adopted last week and published below.

Most of these arguments have been raised hundreds of times (even by the European Parliament since its first resolution in March 2003) but, quite paradoxically, the new political majority in the EP, notwithstanding the stronger post-Lisbon constitutional framework of data protection, has decided to change its mind and is giving up the points which it defended in the previous legislatures.

In such a new political situation it is more than likely that the very well drafted EDPS considerations will not be taken into account. But even if in this case REPETITA (will not) JUVANT, other obstacles can arise before the adoption by the European Parliament of the EU PNR legislative proposal.

“There are still judges in Berlin”?

Like the humble miller who, facing an unjust decision of the Prussian King Frederick II the Great, exclaimed that “There are still judges in Berlin”, our “Berlin” judges can be the European Court of Justice, which will give an important judgment partially related to this matter on October 6.

The judgment deals with a case raised by Max SCHREMS, an Austrian student who considered that his personal data accessible via Facebook were not adequately protected on US territory (because they can be too easily accessed by the US security services).

It will be interesting to see if the Court of Justice meeting as Grand Chamber (as it happens for “big” judgments) will follow the recent Conclusions of Advocate General Yves BOT who has raised strong concerns on the compatibility with the EU Charter of the current US data protection standards in the security domain.

If this were the case, the same doubts could be extended to the envisaged EU PNR system, which (badly) mirrors the US PNR system… Will the determination of one European citizen be more effective for the rights of each one of us than the hundred pages and countless debates of the European Parliament in the last twelve years? We will know very soon, and in the meantime let’s… fasten our seat belts.

Emilio De Capitani

EDPS SECOND OPINION ON EU PNR – ORIGINAL PUBLISHED HERE

24 September 2015

TABLE OF CONTENTS
I. THE PROPOSAL AND ITS CONTEXT
II. NECESSITY AND PROPORTIONALITY OF THE EU PNR SCHEME
II.1 Lack of information to justify the necessity of an EU PNR scheme
II.2 The measures proposed do not appear as proportionate to the objective of the EU PNR scheme
a) The bulk and indiscriminate collection of data
b) Data retention period
c) Purpose limitation and access by competent authorities
II.3. Lack of full transparency of the conditions of collection, access and use
II.4 Interim conclusion
III. SPECIFIC COMMENTS
III.1. Protection of personal data
III.2. Scope
III.3. The processing of and access to personal data by the competent authorities
III.4. The Passengers Information Units (PIU)
III.5. The role of Europol and the access to PNR data granted to Europol
III.6. Exchange of information between Member States
III.7. Transfer to third countries and applicable law
III.8. Retention of unmasked data
III.9. Statistical data
IV. CONCLUSION

THE EUROPEAN DATA PROTECTION SUPERVISOR,
Having regard to the Treaty of the Functioning of the European Union, and in particular its Article 16,
Having regard to the Charter of Fundamental Rights of the European Union, and in particular its Articles 7 and 8,
Having regard to the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,
Having regard to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular Articles 41(2) and 46(d) thereof,

HAS ADOPTED THE FOLLOWING OPINION:

I. THE PROPOSAL AND ITS CONTEXT

1. Discussions on a possible Passenger Name Record (PNR) scheme within the EU have been developing since 2007, with the Proposal for a Council Framework Decision on the issue (1). The original Proposal intended to oblige the air carriers operating flights between the EU and third countries to transmit PNR data to competent authorities for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. The EDPS issued an opinion on this proposal (2) and followed its developments.

2. On 2 February 2011, the Commission adopted a new Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Records data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (hereafter “the Proposal”). The EDPS issued an Opinion on this new Proposal (3), where he made additional comments and remarks on the text regarding among others the necessity and the proportionality of the proposal, its scope, the exchange of information between Member States, and the retention of PNR data.

3. The Council adopted a general approach on the text proposed by the Commission on 23 April 2012 (4), in view to start the negotiations with the Parliament.

4. The legislative procedure has been in abeyance since the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) rejected the Proposal on 24 April 2013 (5), questioning its necessity and proportionality. Recently, the discussions have been revived following the terrorist attacks that took place in Paris in January 2015 (6).

5. In its Resolution of 11 February 2015 on anti-terrorism measures (7), the European Parliament committed itself “to work towards the finalisation of an EU PNR Directive by the end of the year” and urged the Commission “to set out the consequences of the ECJ judgment on the Data Retention Directive and its possible impact on the EU PNR Directive”. The European Parliament also encouraged the Council to make progress on the Data Protection Package so that the ‘trilogue’ negotiations on both the EU PNR Directive and the Data Protection Package could take place in parallel. The Commission was also invited to hear the views of independent experts from the law enforcement, security and intelligence communities and representatives of the Article 29 Working Party to discuss the necessity and proportionality of the PNR scheme.

6. In addition, the Resolution called on the Member States “to make optimal use of existing platforms, databases and alert systems at European level, such as the Schengen Information System (SIS) and the Advanced Passenger Information Systems (APIS)(8)” and strongly encouraged “better exchange of information between Member States’ law enforcement authorities and EU agencies”(9).

7. In this context, an updated report has been presented by the rapporteur for the LIBE Committee, on 17 February 2015(10). Several modifications to the Commission proposal were proposed in this document, such as the inclusion of intra-EU flights. The Article 29 Working Party sent a letter to the LIBE Committee to submit its comments and remarks on the report (11). The LIBE Committee adopted its orientation vote on 15 July 2015 and agreed to enter into negotiations with the Council.

8. This EDPS Opinion will address the changes in the Proposal as proposed by the LIBE Committee and the Council in view of the trilogue negotiations that are due to begin by this month. This Opinion will take into account the Digital Rights Ireland judgement of the European Court of Justice (12) issued on 8 April 2014 (hereinafter “the DRI judgement”) and integrate it into its reasoning.

9. The EDPS acknowledges that Europe is facing serious terrorist threats and has to take meaningful action. The combat against terrorism and serious crime is a legitimate interest pursued by the legislator and the EDPS, as an EU independent supervisory institution, is not a priori in favour or against any measure. In full respect for the role of the legislator in assessing the necessity and the proportionality of the proposed measures, the EDPS respectfully analyses in the present Opinion their implications for the protection of the personal data of individuals and their privacy, taking into account the existing data protection and privacy legislative framework and case-law. This analysis relates to our mission to advise the institutions on the data protection implications of their policies, particularly when they have a more serious impact on the rights to privacy and data protection.

II. NECESSITY AND PROPORTIONALITY OF THE EU PNR SCHEME

10. As recently recalled by the Court of Justice jurisprudence, the demonstration of the necessity and the proportionality of the data processing is an absolute prerequisite for the development of the PNR scheme (13). The EU needs to justify on a basis of available evidence why a massive, non-targeted and indiscriminate collection of data of individuals is necessary and why that measure is urgently needed (14).

11. The EDPS concluded in his previous Opinion of 2011 that the Proposal did not meet at that time the requirements of necessity and proportionality imposed by Articles 7, 8 and 52 of the Charter of Fundamental Rights of the Union, Article 8 of the ECHR and Article 16 of the TFEU (15). The Article 29 Working Party followed the same viewpoint in March 2015 in its letter to the LIBE Committee (16).

II.1 Lack of information to justify the necessity of an EU PNR scheme

12. The EDPS has already pointed out in 2011 that, according to the information available, no elements reasonably substantiated the need for an EU PNR scheme as such, and in view of the less intrusive means available (17). In the meantime, no relevant information has been adduced to fully justify why and how the establishment of an EU PNR is necessary to achieve the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious (transnational) crime.

13. In particular, neither the Orientation Vote nor the General Approach make it possible to evaluate how the current existing instruments fulfil the purpose of the EU PNR scheme. This issue has already been addressed by the EDPS Opinion of 25 March 2011 (18) and also raised by the European Parliament in one of its Resolutions (19).

14. As noted above (20), at that time the European Parliament called on the Member States to make optimal use of the existing platform, database and alert systems at the European level, such as the SIS and the APIS (21). According to the available elements, the latest versions of the Proposal fail to show that a proper assessment has been done in conformity with the ECJ judgments, on the remaining gaps in the fight against terrorism and the possible ways to address them with the existing instruments at disposal of the Member States. While this assessment should also refer to new investigative approaches to more effectively monitor well known suspects by police and judicial authorities, various recent events in the EU demonstrate intelligence gaps unrelated to air travellers and that by targeting resources and intensifying efforts on known suspects would in some cases be more effective than profiling by default millions of travellers.

15. Regarding the alleged need for harmonisation of the data protection standards concerning the different PNR schemes adopted by various Member States, the EDPS recalls that in 2012, despite the rejection of the Proposal by the Civil Liberties Committee of the European Parliament (22), the Commission launched a project to fund several national PNR schemes (23) (hereinafter: “the 2012 call for proposals”). This initiative represented an incentive for many Member States to adopt national PNR schemes (24), contributing to a lack of harmonisation at EU level of data protection safeguards in those PNR (25), whereas the EU PNR Proposal was intended to harmonise the different conditions under which the Member States could collect, use and exchange the PNR data processed. Therefore, the EU PNR Proposal cannot be seen as an adequate response in terms of harmonization of data protection issues at national level but merely as an EU response to a situation subsidized at EU level.

16. In this respect, the General Approach of the Council allows each Member State to decide individually to include intra-EU flights within the scope of the Proposal for a Directive (26). This limits the harmonisation that the Proposal could bring and weakens the justification of the need for such a Proposal and that an EU measure is actually necessary to harmonise the national legislations (27).

17. Moreover, Article 17 of the General Approach also allows the Commission to propose to include intra-EU flights and other transportation providers than air carriers in the scope of the Directive. Such extensions of the scope would lead to the collection of even more information than originally foreseen in the Commission Proposal. Such a large collection of data makes it even more urgent to demonstrate, based on concrete evidence, that such additional data are necessary to achieve the purposes of an EU PNR (28).

18. Finally, it must be reminded that the European Parliament adopted a Resolution on 25 November 2014, in which it took the view that there was legal uncertainty as to whether the draft EU-Canada PNR agreement was compatible with the provisions of the Treaties (Article 16 TFEU) and the Charter of Fundamental Rights of the European Union (Article 7 and 8) (29). In the context of the DRI judgement of 8 April 2014 declaring the Data Retention Directive (30) invalid, the European Parliament addressed a request for an Opinion on the compatibility of the agreement with the Treaty to the Court of Justice. Since the functioning of the EU PNR and the EU-Canada schemes are similar, the answer of the Court may have a significant impact on the validity of all other PNR instruments, including the EU PNR. Therefore, the EDPS would invite the legislator to wait for the answer of the Court on this matter.

II.2 The measures proposed do not appear as proportionate to the objective of the EU PNR scheme

19. Even if the necessity of the EU PNR scheme were to be established, quod non, the EU PNR Proposal should meet the requirements of proportionality. This was recalled by the Court in its DRI judgement, which stated that in any event, the derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary (31). To meet the requirements of the Court, an instrument such as the EU PNR Proposal needs to lay down clear and precise rules governing (i) the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter (32) and (ii) the scope and application of the measures in question and imposing minimum safeguards to provide sufficient guarantees to effectively protect data subjects’ rights (33).

20. In the context of the performance of a proportionality test, the extent to which the EU legislature’s discretion may prove to be limited depends on a number of factors, including, in particular: the area concerned, the nature of the rights at issue, the nature and seriousness of the interference and the object pursued by the interference (34). The Court insisted that these limitations and safeguards are even more important where personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data (35). The EDPS has identified the main areas of concern concerning the proportionality of the EU PNR Proposal, as follows.

a) The bulk and indiscriminate collection of data

21. The EU PNR scheme as proposed would cover at least all flights from and to the EU, which would concern more than 300 million non-suspect passengers potentially targeted by the EU PNR Proposal (36). The EU PNR Proposal entails an interference with the fundamental rights of a very large number of air passengers, without differentiation, limitation or exception being made in the light of the objective of fighting against serious crime and terrorism. This general and indiscriminate manner to collect the data of the population was already retained by the Court as a basic element for its reasoning in its DRI judgement.

22. To ensure compliance with the requirements laid down by the Court in the DRI judgement, the data collection scheme should be restricted to specific criteria in relation “
(i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or
(ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences”(37).
The Proposal does not follow the requirement of the Court with regard to such restrictions. Massive, non-targeted and indiscriminate collection of data of individuals as foreseen in the Proposal would need exceptional justification which has never been made available.

23. As already stated by the EDPS, “[t]he only purpose which would (…) be compliant with the requirements of transparency and proportionality, would be the use of PNR-data on a case-by-case basis, as mentioned in Article 4.2(c), but only in case of a serious and concrete threat established by concrete indicators” (38). In addition, the legislator should lay down objective criteria determining the limits of the access to and further processing of the data by the competent national authorities (see III.2 below).

b) Data retention period

24. Furthermore, the Court held that “the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is necessary” (39). The Proposal foresees a period of 30 days of retention of the unmasked data followed by a period of 4 to 5 years of retention of the masked data. Even masked out, the data remain identifiable, and no evidence has been shown why there is a need to keep these additional 4 to 5 years. Nor has it been demonstrated why the data needs to be kept further in a form that still renders possible the identification of the individuals for 30 years (40). Without any exception to the retention period of 5 years and any criteria that could be applied to shorten this period, the EDPS is not convinced that the Proposal meets the requirements laid down by the Court.

c) Purpose limitation and access by competent authorities

25. Moreover, the Proposal lacks several elements required to meet the standards developed by the Court in terms of limitation of the use of PNR data by the competent authorities. There are no objective criteria to determine the limits of the access of the competent authorities to the data and their subsequent use, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter (41).

26. Furthermore, the Proposal does not clearly mention how to strictly limit the access and the subsequent use of the data in question to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating hereto (42).

27. The EDPS already made clear that the Proposal should explicitly provide that the PNR data may not be used beyond the purposes strictly identified (43). In this context, he welcomes the deletion of Recital 28 in the LIBE Committee’s Orientation Vote. However, it is difficult to conclude that the notions of “immediate and serious threat to public security” (44) or “serious transnational crimes” (45), designing the purposes for which the competent authorities may use the data, meet the standards laid down by the Court in its DRI judgement since the text mentions neither that the use of PNR data is strictly limited to the purposes of the PNR scheme, nor the conditions to limit any further access to these data (46).

II.3. Lack of full transparency of the conditions of collection, access and use

28. Article 52 of the Charter foresees that any limitation on the rights under Articles 7 and 8 must be provided for by law. In this respect, the jurisprudence of the European Court of Human Rights confirms that the law must be sufficiently precise to indicate to citizens in what circumstances and on what terms the public authorities are empowered to file information on their private life and make use of it (47). This information should “be accessible to the person concerned and foreseeable as to its effects”, which means that it must be “formulated with sufficient precision to enable any individual -if need be with appropriate advice- to regulate his conduct” (48).

29. The EDPS welcomes the introduction by the LIBE Committee of an obligation of information on the air carrier and non-carriers economic operators (49). However, the lack of full clarity regarding the purposes for which the EU PNR is used (50) and of the conditions and criteria required to access the data, are all elements currently indicating an insufficient degree of respect for the principles of transparency, accessibility and predictability of the law providing for the surveillance of citizens, as required by Article 52 of the Charter.

II.4 Interim conclusion

30. As explicitly stated in the Proposal, the main purpose of the scheme is not traditional border control, but intelligence, and arresting persons which are not suspects, before a crime is committed (51). The EDPS would recall that the development of such a system raises serious transparency and proportionality issues (52), and that it might lead to a move towards a surveillance society (53).
A statement such as the one made in Recital 8 of the Proposal (“The processing of personal data must be necessary and proportionate to the specific aim pursued by this Directive”) is not sufficient to address the proportionality and necessity issue (54).

31. Since, according to the information available, necessity has not been demonstrated and the measures put in place are likely not to meet the proportionality requirements, and in particular those underlined by the Court in its DRI judgment, the EDPS considers that the Proposal still fails to satisfy the standards of Articles 7, 8 and 52 of the Charter, Article 16 of the TFEU and Article 8 of the ECHR.

III. SPECIFIC COMMENTS

III.1. Protection of personal data

32. The EDPS welcomes the additional safeguards proposed by the Orientation Vote of the LIBE Committee regarding the protection of personal data (55). However, since a new data protection framework is negotiated in the trilogue at the time being, the EDPS considers it important to take into account the further developments of the applicable provisions regarding the processing of personal data for law enforcement purposes. The new provisions might not be in line with the provisions of the Proposal.

33. Therefore, the EDPS recommends waiting until the end of the negotiations of the new data protection package to fully align the obligations of the Proposal with the new provisions adopted.

III.2. Scope

34. The EDPS supports the fact that the Council General Approach and Parliament’s Orientation Vote, by listing specifically the crimes falling under the scope of ‘serious transnational crime’ under Article 2(h) (as a selection of the crimes listed in Council Framework Decision 2002/584/JHA, limited to those relevant in the PNR context), excludes the possibility for Member States to include minor offences. This had already been recommended by the EDPS (56) and is welcome.

35. However, the Orientation Vote of the LIBE Committee and the General Approach both reject the differentiation between serious crimes and serious transnational crimes. Such differentiation has been supported by the EDPS (57) since it was used to entail a different processing of data under Article 4(2) in the initial text of the Commission Proposal. Indeed, in the Commission proposal, the most disproportionate measures -i.e. the detection of unknown persons on the basis of predetermined criteria- are excluded when it comes to serious crimes which are not transnational. The EDPS regrets the disappearance of such distinctions, since it limited the most intrusive measures to the detection of the most serious transnational offences.

36. Because of this absence of differentiation (58), the assessment against predetermined criteria would be allowed for the detection of persons who might be involved in a terrorist offence or serious crime listed in Annex II to this Directive (59). The Council gave no explanation as to the reasons why these specific serious crimes would allow the use of more intrusive measures than other crimes.

37. The text adopted by the LIBE Committee goes even further since it no longer makes clear what is the difference between the assessment of passengers on the basis of Article 4(2)(a), and on the basis of Article 4(2)(b). Indeed, the distinction between the assessment on the basis of predetermined criteria and the assessment of known persons on the basis of existing databases does no longer appear. Both paragraphs relate to the detection of persons who may be involved in a terrorist offence or serious transnational crime on the basis of predetermined criteria or with a comparison of the PNR data against ‘relevant databases, including international or national databases or national mirrors of Union databases’, and including SIS and VIS.
The EDPS already stated how it would be controversial to permit such a systematic comparison of PNR data against an unlimited number of undefined databases, considering that this would be excessive and disproportionate (60).

38. Moreover, the text adopted by the LIBE Committee does not define the transnational nature of a “serious crime” as proposed by the Commission in Article 2(i). This leaves the interpretation of the transnational character up to the appreciation of the competent authorities. The EDPS notes that this is not in line with the judgement of the Court of Justice, which requires that the purposes for which the data can be processed be precisely described (61).

39. The same comment is true regarding the notion of “immediate and serious threat to public security”. This notion, added by the Parliament, is not defined and constitutes an additional purpose of the EU PNR scheme that was not present in the Commission Proposal.

40. The list of crimes under the terms “serious transnational crimes” and “immediate and serious threat to the public security” in the Parliament version are not precise enough and leave room for interpretation. For this reason, the EDPS recommends that the legislator reduce the list of crimes for the prevention, detection, investigation and prosecution of which the use of PNR data is proven necessary (62), to further specify what is understood as “transnational” and as “immediate and serious threat to public security” and to justify why the EU PNR scheme is appropriate to prevent such a threat.

41. Finally, the LIBE Committee Orientation Vote added “non-carriers economic operators” to the list of entities subject to the obligation to provide the PNR data to the PIUs. This new notion will include travel agencies and tour operators” (63). The text does not provide any justification for the inclusion of such operators in the scope of the EU PNR scheme. Therefore, the EDPS urges the legislator to justify the necessity to include these operators in the scope of the EU PNR, should they be subject to the same obligation as the one of the air carriers.

III.3. The processing of and access to personal data by the competent authorities

42. Firstly, Article 4(2)(c) provides that the PIU shall process the data, among others, to respond to requests from competent authorities to provide PNR data as the result of such processing.
The EDPS notes that no criteria are provided under which access to data would be allowed. This does not meet the standards laid down by the Court of Justice in its DRI judgement, stating that the legislator should lay down the objective criteria by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences sufficiently serious to justify an interference (64). The EDPS therefore encourages the legislator to further define the specific cases in which the competent authorities can access the PNR data on the basis of this Proposal, so as to ensure respect for Articles 7 and 8 of the Charter.

43. Secondly, as already stated by the EDPS in his previous Opinion (65), the Proposal should explicitly provide that the PNR data may not be used for other purposes than the ones for which the EU PNR scheme is put in place. Article 5 (5) of the text remains problematic since it allows the competent authorities to use the data for other violations of criminal law, or other offences than the ones being the purpose of the EU PNR scheme. This contradicts the principle stated in Article 4 (4) and may constitute a violation of the purpose limitation principle enshrined in Article 8 of the Charter of Fundamental Rights as interpreted by the Court. For this reason, the EDPS calls once again for a strict prohibition on using the data for other purposes than the ones stated in Article 4 (4).

44. Finally, the text does not set out any procedural conditions on the access by law enforcement authorities. The Court of Justice, in the reasoning of its DRI judgement, examined the fact that “the access by the competent national authorities to the data retained was not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities submitted within the framework of procedures of prevention, detection or criminal prosecutions” (66).

45. The EDPS welcomes the requirement for the approval of a judicial authority or another national authority, as proposed by the Council (67). The EDPS also welcomes the additional provisions proposed by the LIBE Committee, imposing the consultation of the Data Protection Officer and the prior authorisation by the supervisory authority to communicate unmasked data (68). However, the EDPS notes that the supervisory authority may in some instances not be the most appropriate authority to authorise such a communication.

46. Nevertheless, these guarantees should be extended for the access by competent authorities to all PNR data and results even if they are masked, due to the high sensitivity of these data (69).
The EDPS underlines that such an access subject to prior approval of a judicial authority or an independent administrative body has already been proposed by the LIBE Committee regarding the requests of access by Europol (70). Nevertheless, such prior approval is neither required for the transfer of data to other Member States nor to third countries.
Therefore, the EDPS recommends providing for similar procedural guarantees for access to all PNR data, applicable to all authorities requiring access to the PNR data processed by the PIUs. This will lead to more consistency regarding the different conditions of access to PNR data by the different authorities involved.

III.4. The Passengers Information Units (PIU)

47. The EDPS welcomes the introduction by the LIBE Committee in its Orientation Vote of new provisions dedicated to additional safeguards regarding the processing of the PNR data by the PIU, such as the appointment of a data protection officer within each PIU (71), or the security of the data processed (72).

48. However, the concerns of the EDPS expressed in his previous Opinions (73) are still valid.
The DRI judgement stated that these rules should be “specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality” (74). The EDPS therefore recommends introducing such safeguards in the text, following the initiative of the LIBE Committee.

III.5. The role of Europol and the access to PNR data granted to Europol

49. The text of the Orientation Vote of the LIBE Committee inserted the possibility for Europol to play a role in the functioning of the EU PNR. Recital 20a states that an exchange of PNR data “between the Member States and Europol should be guaranteed. The development and operational management could be the responsibility of Europol. A one-stop-shop could be created as part of this system to register and transmit the requests for information exchanges”.
Recital 20a also recommends that the EDPS should be responsible for monitoring the processing of personal data performed through this European system for the exchange of data with Europol.

50. The EDPS recommends clarifying what is meant by the creation of a “one-stop-shop”. Clarifications are needed too with regard to the extent of supervision competences at EU or at national level, depending on the existence of local databases.

51. The text of the LIBE Committee gives Europol access to the PNR data under certain conditions. Article 4(2) a) refers to the new Article 7a proposed by the LIBE Committee. This provision mentions the conditions under which Europol may submit, on a case-by-case basis, a reasoned request to the PIU. Article 7a(2) provides for the review of a court or an independent administrative body that shall verify the conditions set out in paragraph 1 of this Article.

52. While such an access on a case-by-case basis by the national competent authorities is foreseen in Article 4(2)(c), without prior review where the data are masked (75), Europol is subject to a greater scrutiny. The EDPS recommends aligning the regime applicable to national competent authorities with the regime applicable to Europol, to restrict the conditions of access by the competent authorities to the PNR data processed by the PIU.

III.6. Exchange of information between Member States

53. Recital 13 of the Orientation Vote of the LIBE Committee mentions the possibility for the Member States to exchange information through the Secure Information Exchange Network Application (SIENA). This application is a tool designed specifically to enable communication and exchange of operational and strategic crime-related information and intelligence between Europol, Member States and third parties that have cooperation agreements with Europol. As it is a communication channel falling under the responsibility and remit of Europol, any information transmitted by using SIENA must comply with Europol’s mandate as specified in Council Decision 2009/371/JHA. Using SIENA for data falling outside the scope of Europol’s competence would be unlawful. Therefore, the reference to SIENA in this context is not appropriate.

54. Moreover, as already stated, the procedural guarantees to allow the exchange of information between different Member States are not subject to the same procedural rules as for the exchange between a national PIU and a national competent authority (76). Even the exchange of masked information is not subject to any prior judicial or administrative approval as it is proposed by the LIBE Committee (77) and the Council regarding the access by national competent authorities. The EDPS recommends that such procedural safeguards are added to the existing conditions to access the data.

55. Furthermore, at the end of this paragraph, the text mentions that “an alert shall be entered in accordance with Article 36 of the Schengen Information System”. The reference to SIS is not correct in this context; the text should instead refer to the SIS II Decision (78).

56. Finally, the EDPS recommends clarifying what is meant by “the results of the processing of PNR data, either analytical information obtained from PNR data or the results” in Article 7(1) as proposed by the LIBE Committee.

III.7. Transfer to third countries and applicable law

57. Reference to the Council Framework Decision 2008/977/JHA, when it comes to safeguards for data transfers, is insufficient. This Decision includes shortcomings, notably in terms of data subjects rights and transfers to third countries, and a higher standard should be developed.
It should be noted in that respect that the current discussions concerning a new Directive in the law enforcement area will design a new framework from which the Proposal should not derogate.

58. In this respect, the EDPS appreciates the efforts of the LIBE Committee to specify the conditions regarding the transfers to third countries. However, no more reference is made to the minimum standards laid down in the Framework Decision 2008/977 in the LIBE Committee Orientation Vote. Moreover, the new reference to Directive 95/46/EC (79) is not appropriate since this Directive is not applicable to law enforcement authorities acting within the scope of the Framework Decision (80). The EDPS recommends therefore keeping the reference to the Framework Decision 2008/977, which is currently the applicable instrument to the exchange of personal data between law enforcement authorities for law enforcement purposes, together with the need to set out in the Proposal stricter conditions for the processing of personal data in order to meet higher standards (81), particularly to complete the shortcomings of the Framework Decision where they have been identified, especially in relation to the conditions of access to personal data.

III.8. Retention of unmasked data

59. The EDPS welcomes the fact that the texts of the LIBE Committee and the Council no longer mention the anonymisation of the PNR data, taking into account the comment made by the EDPS in his previous Opinion (82). Indeed, the data at stake could not be considered as anonymous since they would still be re-identifiable.

60. However, some confusion could still arise from the terms “identify”, “depersonalisation” or “re-identification” used in relation to the data which are listed at the end of Article 9 (2).
Such data are not anonymous and still allow the data subject to be identified. Indeed, the following information can easily be connected to a passenger: frequent flyer information, billing address, ticket number, etc. Therefore, the EDPS recommends making clear in the text that if such data are still processed in the final Directive, they should be considered as personal data.

III.9. Statistical data

61. The EDPS supports the Council Proposal regarding Article 18(2), which details the statistical data to provide in order to perform the review of the Directive. This is in line with the previous EDPS Opinion that considered this information as necessary to perform a review and evaluate the necessity of the PNR scheme (83).

IV. CONCLUSION

62. The EDPS welcomes the various improvements made by the Council and the LIBE Committee on the Proposal, for example regarding the specific provisions on data protection, the presence of a Data Protection Officer, or a specific reference to the power of the supervisory authorities.

63. However, the essential prerequisite for a PNR scheme – i.e. compliance with necessity and proportionality principles – is still not met in the Proposal. The Proposal does not provide for a comprehensive evaluation of the ability of the current existing instruments to reach the purpose of the EU PNR scheme. In addition, it does not set forth any detailed analysis of the extent to which less intrusive measures could achieve the purpose of the EU PNR scheme.
Finally, the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance. In the view of the EDPS, the only purpose which would be compliant with the requirements of transparency and proportionality, would be the use of PNR data on a case-by-case basis but only in case of a serious and concrete threat established by more specific indicators.

64. Since there is no information available to the effect that the necessity and proportionality of the measures proposed have been adequately demonstrated, the EDPS considers that the Proposal, even modified, still does not meet the standards of Articles 7, 8 and 52 of the Charter of Fundamental Rights of the Union, Article 16 of the TFEU and Article 8 of the ECHR.

65. The EDPS would encourage the legislators to further explore the feasibility against current threats of more selective and less intrusive surveillance measures based on more specific initiatives focusing, where appropriate, on targeted categories of flights, passengers or countries.

66. In addition to the essential shortcomings of the Proposal identified above, the main comments of the EDPS in the present Opinion concern the following aspects:

– The Proposal should limit the data retention period to what is justified by objective criteria explaining the period retained;
– The proposal should more explicitly provide that the PNR data may not be used for other purposes than the prevention, detection, investigation or prosecution of terrorist offences and serious transnational crimes;
– A prior approval by a court or an independent administrative body should be obtained, in principle, upon a request of access to the data by a competent authority;
EDPS Opinion of 25 March 2011, §51.
– The Proposal should refer to appropriate safeguards guaranteeing the security of the data processed by the PIU;
– The scope of the PNR scheme should be much more limited with regards to the type of crime. Additionally, the definition of “serious transnational crime” and “immediate and serious threat to public security” should be further defined;
– The criteria required to access PNR data by the competent authorities should be better defined and more precise;

– The legislators are invited to wait until the adoption of the new Data Protection Package to fully align the obligations of the Proposal with the new provisions adopted;
– The evaluation of the Directive should be based on comprehensive data, including the number of persons effectively convicted and not only prosecuted, on the basis of the processing of their data.

Bruxelles, 24 September 2015
(signed)
Giovanni BUTTARELLI European Data Protection Supervisor

NOTES
1 COM (2007) 654 final.
2 Opinion of the EDPS of 20 December 2007 on the Proposal for a Council Framework Decision on the use of Passenger name record (PNR) data for law enforcement purposes, OJ C 110, 01.05.2008, p. 1.
3 Opinion of the EDPS of 25 March 2011 on the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
4 General Approach of the Council, text adopted on 23 April 2013, 8916/2.
5 See Resolution of the European Parliament of 23 April 2013.
6 See https://en.wikipedia.org/wiki/Charlie_Hebdo_shooting. For the connection made with EU PNR proposals, see e.g. the statement by the members of the European Council following the Informal meeting of the Heads of State or Government, Brussels, 12 February 2015: http://www.consilium.europa.eu/en/press/press-releases/2015/02/150212-european-council-statement-fight-against-terrorism/ and the report on implementation of measures by the EU Counter-Terrorism Coordinator: http://data.consilium.europa.eu/doc/document/ST-9422-2015-REV-1/en/pdf.
7 Resolution 2015/2530 of the European Parliament.
8 Resolution, §11.
9 Resolution, §22.
10 The report is available on the following link.
11 Letter of 19 March 2015 from the Article 29 Working Party to the Chairman of the LIBE Committee.
12 CJUE, Digital Rights Ireland ltd, 8 April 2014, in joined cases C-293/12 and C-594/12.
13 See EDPS Opinion of 25 March 2011, §8.
14 See EDPS Speech at the occasion of the Joint Debate during the extraordinary meeting of the LIBE Committee of January 27 2015, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2015/15-01-27_Libe_speech_GB_EN.pdf.
15 EDPS Opinion of 25 March 2011, §10.
16 Letter of WP 29 of 25 March 2015.
17 EDPS Opinion of 25 March 2011, section II.
18 See §8.
19 Resolution of 11 February 2011 of the European Parliament, §14.
20 See §5.
21 Resolution of 11 February 2011 of the European Parliament, §11.
22 See the European Parliament Report of 29 April on the proposal for a directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (COM(2011)0032 – C7-0039/2011 – 2011/0023(COD)).
23 European Commission, “Prevention of and Fight Against Crime 2007 – 2013. Action Grants 2012 Targeted Call For Proposals Law enforcement cooperation through measures to set up Passenger Information Units in Member States for the collection, processing, analysis and exchange of Passenger Name Record (PNR) data”.
24 According to the Commission, before the launching of the 2012 call for proposals, only one EU Member State (the UK) had a system in place for the automated processing of PNR data. (See the answer given by Ms Malmström on 7 June 2013 to the parliamentary questions by MEPs of 12 April 2013). In 2011, at the moment of the publication of the Proposal, only five other Member States (France, Denmark, Belgium, Sweden and the Netherlands) were testing the use of PNR data or had enacted relevant legislation (See the Explanatory Memorandum of the Proposal, p. 4). However, the €50 million awarded in 2013 by the Commission were distributed among 14 EU Member States, which had presented projects relating to the development of national PNR schemes as encouraged by the call for proposals (See the European Commission list of awarded projects (available on http://ec.europa.eu/dgs/home-affairs/financing/fundings/pdf/isec/isec-grants-awarded-2012_en.pdf, last accessed on 07/09/2015) and the graphic by the European Parliamentary Research Service (available on http://epthinktank.eu/2015/05/04/the-proposed-eu-passenger-name-records-pnr-directive-revived-in-the-new-security-context/pnr_systems_in_ms/, last accessed on 07/09/2015)).
25 The 2012 call for proposals only mentioned a few elements relating to data protection (purpose limited to “the prevention, detection, investigation and prosecution of terrorist offences and serious crime,” exclusive use of the “push” method, measures related to the exercise of data protection rights). Subsequent recommendations were published, but only after the awarding of the funding and without binding nature (See the list of principles published by FRA at the Commission’s request “Twelve operational fundamental rights considerations for law enforcement when processing Passenger Name Record (PNR) data”). The EDPS has been only consulted in this last phase (non-binding recommendations to Member States, after the awarding of the funding), not on the 2012 call for proposals.
26 Article 1 a) of the General Approach of the Council.
27 DRI judgement, §63-65.
28 See EDPS Opinion of 25 March 2015, §19.
29 Resolution of the European Parliament adopted on 25 November 2014 in Strasbourg, proc. 2014/2966.
30 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, O.J., L105/54.
31 DRI judgement, §52.
32 DRI judgement, §65.
33 DRI judgement, §54.
34 DRI judgement, §47.
35 DRI judgement, §48 and 55. See also EDPS Opinion of 20 December 2007, §30.
36 Council of the European Union, Interinstitutional File: 2011/0023 (COD) of 28 March 2011, p. 3. According to Eurostat, the number of flight passengers in the EU was 842 million in 2013 (http://ec.europa.eu/eurostat/tgm/refreshTableAction.do?tab=table&plugin=0&pcode=ttr00012&language=fr).
37 See §59 of the judgement.
38 EDPS Opinion of 25 March 2011, §17.
39 DRI judgement, §64.
40 EDPS Opinion of 25 March 2011, §44.
41 DRI judgement, §60.
42 DRI judgement, §61.
43 EDPS Opinion of 25 March 2011, §22.
44 As introduced by the LIBE Committee.
45 See hereunder, §35.
46 See hereunder, III.2.
47 EDPS Opinion of 20 December 2007, §24.
48 ECHR, Rotaru v. Romania, 28341/95, §§50, 52 and 55.
49 Article 6 (5) of the Orientation Vote of the LIBE Committee.
50 For example, the lack of clarity of the definition of “serious crimes”, “serious transnational crimes”, “immediate and serious threat to public security”.
51 Explanatory memorandum, Chapter 1.
52 EDPS Opinion of 25 March 2011, §19.
53 EDPS Opinion of 20 December 2007, §35.
54 As expressly stated by the Court in its DRI judgement, see §61, in fine.
55 New provision regarding the Data Protection Officer (Article 3), additional provisions regarding the protection of personal data by the PIUs under Article 11 and regarding the national supervisory authorities under Article 12.
56 EDPS Opinion of 25 March 2011, §§ 26 and 27.
57 EDPS opinion of 25 March 2011, §26.
58 The Council replaced this by a list of some of the serious crimes listed in Article 2(2) of the Framework Decision 2002/584/JHA.
59 Article 4 (2) (ii) of the Council General Approach.
60 EDPS Opinion of 25 March 2011, § 18.
61 DRI judgement, §60.
62 See letter of the Article 29 Working Party of 19 March 2015, p. 2 of Appendix.
63 See Article 2aa proposed by the LIBE Committee.
64 See §§60 and 61 of the DRI judgement.
65 EDPS Opinion of 25 March 2011, §18.
66 DRI judgement, §62.
67 Article 9.3 of the General Approach of the Council.
68 Article 9.2a of the LIBE Committee.
69 Indeed, some PNR information not listed in Article 9.2a can easily be connected to a passenger: frequent flyer information, billing address, ticket number… See §59 hereunder.
70 See Article 7a of the Orientation Vote of the LIBE Committee.
71 Article 3 of the Orientation Vote.
72 Articles 11.4 a, b, c and d of the Orientation Vote.
73 See EDPS Opinion of 20 December EDPS Opinion of 25 March 2011, §§ 70-71 and EDPS Opinion of 25 March 2011, §§31-35.
74 DRI judgement, §66.
75 See §37 here above.
76 See §§ 37 and 46 here above.
77 The LIBE Committee proposed to receive the prior approval of the Head of the requested PIU. However, the lack of independence of the head of the PIU does not meet the criteria laid down by the Court in its DRI judgement (see §45 here above).
78 Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II).
79 Articles 8.1 a) and 11.2a New of the LIBE Committee orientation vote.
80 Moreover, the current discussions concerning a new Directive in the law enforcement area will design a new framework to which the Proposal should not derogate.
81 EDPS Opinion of 25 March 2011, §§38-41.
82 EDPS Opinion of 25 March 2011, §44.
