Why Europe should ditch plans for a jumbo passenger database

Monday was Data Protection Day. Find out how you can win the textbook on data protection.

Eurodac keeps asylum seekers' fingerprints. Information is also shared as a result of Europol, Eurojust and the Prüm Treaty.

The European Union, though, thinks there is room for another set of mass databases to collect information about us all. But this one is different. Instead of tracking people to deal with those suspected of crimes it will be used to predict who is likely to be a criminal.

The proposed Council Framework Decision on the use of Passenger Name Record for law enforcement purposes would result in the use of information on us gleaned from airlines to attempt to predict who is likely to be a criminal. The process is called profiling, and is highly controversial.

Airlines would have to pass over almost all the information that they hold on passengers, including travel agencies used, seat reservations and allocations, credit cards used to book flights as well as names and details of travel. The information would be about every traveller going outside the EU or entering it and would be kept for 13 years.

The purpose of collecting all this data would be to find people who fit into so-called categories of risk. It would be collected by a new unit, a Passenger Information Unit, set up to deal with the collection of the information in each country.

The PIU would analyse the information "in order to identify the persons requiring further examination" for the possibility that they might be involved in terrorism or organised crime or be associated with such persons. Having decided which of the travellers merited such further examination the PIU would pass the details to whoever is responsible in that country for the prevention of terrorism or organised crime.

Where the PIU also thinks that the data would be relevant to another Member State it would be able to pass the information on to the authorities in that State.

The collection of all this data for this purpose would be a major development affecting individual privacy of travellers into and from the EU and serious concerns are being voiced by European Privacy regulators about the sheer size of the database, its long-term retention and the use to which the information could be put.

Merely fitting the same profile of known criminals does not make you one of them. The traveller who uses the same travel agent as a people trafficker may well have done so in complete ignorance of the sinister connection.

There are also legal concerns as to how this proposal fits with the institutional changes being brought about following the Treaty of Lisbon. At the moment important parts of this new system would be outside EU data protection law but in the longer term the effect of the Treaty may alter that.

That matters because if all the collection and processing of the information is covered by mainstream EU law then normal data protection principles and protections apply, and in the UK it will be covered by the UK's data protection laws. . If this does not happen then the arrangements for protecting people's privacy rights will not be as clear or as accessible to ordinary people.

It would be better if the EU waited to see if the US – already a keen practitioner of profiling – actually finds that the techniques being used are successful. If this proves to be the case and European Governments decide to go ahead, it should wait until the data protections for citizens are clear before creating yet another new collection of information about us all.

By Rosemary Jay, Head of the Information Law team at Pinsent Masons, the law firm behind OUT-LAW.COM. Find out how to win a copy of Rosemary's book, Data Protection Law and Practice.