Out-Law News 3 min. read
25 Sep 2015, 4:14 pm
In an opinion published this week, the EDPS said there is "a lack of information to justify the necessity" of the scheme, and that the measures proposed do not seem proportionate to the scheme's objectives.
The EDPS is an independent supervisory authority set up to protect personal data and privacy in EU institutions.
Under the proposed EU PNR directive airlines would have to give passenger data, including seat numbers and payment information, to law enforcement authorities for flights into and out of the EU. The European Parliament approved a PNR agreement with the US in 2013.
PNR data can include any personal information collected during bookings for flights, including home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
The information that is available on the EU scheme does not justify the massive, non-targeted and indiscriminate collection of passengers' personal information or explain why it is needed, the EDPS said.
The scheme as proposed would concern more than 300 million non-suspect passengers, and as such "entails an interference with the fundamental rights of a very large number of air passengers, without differentiation, limitation or exception being made in the light of the objective of fighting against serious crime and terrorism," the opinion said.
There is also a lack of clarity on how citizens' data will be collected, accessed and used, it said.
"The jurisprudence of the European Court of Human Rights confirms that the law must be sufficiently precise to indicate to citizens in what circumstances and on what terms the public authorities are empowered to file information on their private life and make use of it. This information should "be accessible to the person concerned and foreseeable as to its effects", which means that it must be "formulated with sufficient precision to enable any individual - if need be with appropriate advice - to regulate his conduct", the EDPS said.
The proposed scheme therefore does not meet the "essential prerequisite" for a PNR scheme, which is compliance with necessity and proportionality principles, the EDPS said.
The proposal also does not properly evaluate how existing tools or less intrusive measures could meet the purposes of the scheme, and "the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance", it said.
"The main purpose of the scheme is not traditional border control, but intelligence, and arresting persons which are not suspects, before a crime is committed," the EDPS said. This "raises serious transparency and proportionality issues, and … might lead to a move towards a surveillance society".
Negotiations are currently underway on the EU General Data Protection Regulation (GDPR), a package of data protection reforms. The EDPS recommended that decisions on the EU PNR should be postponed until these negotiations are complete, "to fully align" the two sets of rules.
The European Parliament said in July that it had added data protection safeguards to the draft PNR rules while negotiations progress on the GDPR.
Discussion on a possible EU PNR scheme began in 2007, but has been "in abeyance" since the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) rejected the proposal in April 2013, questioning its necessity and proportionality, the EDPS said.
Recently, the discussions have been revived following the terrorist attacks that took place in Paris in January 2015, it said.
"The EDPS acknowledges that Europe is facing serious terrorist threats and has to take meaningful action. The combat against terrorism and serious crime is a legitimate interest
pursued by the legislator and the EDPS, as an EU independent supervisory institution, is not a priori in favour or against any measure, it said.
The EU-US PNR agreement includes restrictions on what the data can be used for. PNR data can only be used by the authorities for the purpose of the "prevention, detection, investigation and prosecution" of terrorism and certain 'transnational' crimes punishable by three or more years of imprisonment. Under the agreement, PNR data can also be used on a case-by-case basis for "the protection of vital interests of passengers", for example to protect against communicable diseases.
The EU-US agreement contains rules on how long PNR data can be retained for in an identifying format. US authorities are able to store PNR information in an 'active database' for up to five years. Information which could be used to identify a passenger must be "depersonalised" after six months, with identifying information such as name and contact details codified.