Out-Law / Your Daily Need-To-Know

Annulled EU data retention rules prompt new doubts over passenger name record laws

Out-Law News | 11 Nov 2014 | 4:10 pm | 2 min. read

Proposed new laws on the exchange of airline passenger information may need to be bolstered with additional privacy safeguards in light of a ruling earlier this year by the EU's highest court, some MEPs have said.

A majority of the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee said there is a need to review the Court of Justice of the EU's (CJEU's) decision to annual the EU's Data Retention Directive before they agree to a new EU Passenger Name Record (PNR) Directive, the Parliament has said.

"A draft law that would oblige airlines to hand EU countries the data of passengers entering or leaving the EU, in order to help fight serious crime and terrorism, was discussed in LIBE Committee on Tuesday," a Parliament statement said. "MEPs were still divided on the issue, but most stressed the need to assess the CJEU ruling annulling the Data Retention Directive, to assess whether existing measures suffice before taking new ones and to put in place adequate data protection safeguards."

In April, the CJEU ruled that the EU Data Retention Directive disproportionately infringed on privacy rights enjoyed by EU citizens. Although the CJEU found that the retention of data for the purposes of allowing law enforcement bodies to access the data to help detect and prevent serious crime legislated for under the Directive "genuinely satisfies an objective of general interest", it concluded that data retention periods needed to be more strictly controlled than they were within the legislative text.

In 2011 the European Commission outlined plans for a new PNR Directive which would, if introduced, require airlines to share data about passengers who board their flights to and from the EU with law enforcement bodies. The Commission said that the information can help authorities fight serious crime and terrorist offences.

PNR data can include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.

The EU already has an agreement with the US over PNR data sharing, although many MEPs objected to the deal on privacy grounds.

The EU-US PNR agreement, set in April 2012, includes restrictions on what PNR data shared with US authorities can be used for. PNR data can only be used by the authorities, under the terms of the agreement, for the purpose of the "prevention, detection, investigation and prosecution" of terrorism and certain 'transnational' crimes punishable by three or more years of imprisonment. Under the agreement, PNR data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases.

The EU-US agreement contains rules on how long PNR data can be retained for in an identifying format. US authorities are able to store PNR information in an 'active database' for up to five years. Information which could be used to identify a passenger must be "depersonalised" after six months, with identifying information such as name and contact details codified.

After the first five years the data must be moved to a 'dormant' database, with stricter access requirements for US officials. It may be retained for a further 10 years before being fully anonymised.

Some data protection safeguards, including a prohibition on taking decisions affecting passengers based solely on the automatic processing of data, are included within the agreement. EU citizens also have the right to access their own PNR data and seek corrections or possible erasure by the US authorities where this is found to be inaccurate. The agreement also provides "the right to administrative and judicial redress in accordance with US law" to EU citizens whose data is misused.