The European Parliament’s Civil Liberties and Justice Committee approved the first EU passenger name record (PNR) bill today (15 July), two years after that same committee rejected an earlier draft of the data sharing law for flight passenger information.
Thirty two MEPs voted in favour and 27 voted against the bill, which will be negotiated further in so-called trialogue talks between the Parliament, the European Commission and the Council starting in September.
British MEP Timothy Kirkhope (ECR), the rapporteur on the bill, said he wants to reach an agreement by the end of the year.
The agreed on draft allows for collection of personal data of flight passengers entering or leaving the EU. According to the Commission proposal, 60 different categories of PNR data should be collected, including contact information, travel routes, computer IP-addresses, hotel bookings, credit card information and diet preferences.
The data could greatly help investigators tracking terrorists across borders, Kirkhope said.
“Sensitive” personal data can be stored for thirty days, while other data would remain accessible to a limited number of operators and could be drawn on for up to four years in case of a cross-border crime, including human or drug trafficking and cybercrime. Data can be accessed within five years in terrorism cases.
Kirkhope had tried to get a deal through that would require PNR to also be stored for passengers on flights within Europe, but that was struck down by the committee.
But Kirkhope says trialogue talks could bring back PNR collection for intra-European flights.
“In trialogue, I have no doubt that there are interests, particularly the Commission, and probably the Council, who would want intra. My mandate at the moment from the Parliament is that I have to at the very least stand up for the decisions we’ve made not to include intra,” Kirkhope told EurActiv.
But, Kirkhope said, he struck a compromise with other committee members although he still supports the storage of PNR data for passengers flying within Europe too.
“Because patterns of activity, people coming into Europe and then traveling to different locations within Europe and their circuitous routes, is one of the ways in which criminals operate.”
Statistics from the Parliament show that most EU countries already have their own PNR systems in place. In 2013, the European Commission spent €50 million to start domestic PNR collection in 14 member states.
Kirkhope said an EU system would even out the differences between member states and give them common data protection for PNR.
A European Court of Justice decision last year ruled blanket data retention for law enforcement purposes an illegal violation of privacy and fundamental rights.
After the armed attacks on Paris satirical newspaper Charlie Hebdo this January, EU leaders began calling for the PNR bill to be taken up again in Parliament.
>> Read our LinksDossier: From 9/11 to Charlie Hebdo: The EU’s response to terrorism
Kirkhope said the new draft takes the ECJ ruling on data retention into account and insisted PNR collection doesn’t amount to profiling of flight passengers. “It reduces profiling by focusing on behaviour rather than on backgrounds,” he said.
Green and Liberal critics in Parliament weren’t convinced by that argument.
Green shadow rapporteur MEP Jan Philipp Albrecht said the PNR deal would mean disproportionate monitoring.
“If these proposal do not infringe constitutional or Treaty provisions, then civil rights in the EU is meaningless. The only remaining chance to stop these infringements will be the European Parliament’s final plenary vote after negotiations of EU home affairs ministers,” Albrecht said.
Sophie in ‘t Veld, shadow rapporteur for the Alliance of Liberals and Democrats for Europe (ALDE), said the draft didn’t include suggestions for more targeted data collection.
“It is a shame that a majority in the Civil Liberties Committee voted against this proposal. This vote leaves it – once again – to the courts to ensure the protection of fundamental rights and the rule of law,” she said.
The EU already has bilateral PNR data sharing agreements with the US, Canada and Australia. Currently up to 16 EU countries have decided to collect PNR data, according to Kirkhope.
On the same day as Parliament’s Civil Liberties Committee vote on an EU PNR deal (15 July), European Home Affairs Commissioner Dimitris Avramopoulos opened negotiations for a similar agreement with Mexico.
Joe McNamee, executive director of NGO European Digital Rights: "Sadly, the Civil Liberties Committee appears unable to resist the temptation to reject its own considered views. It rejected illegal telecoms data retention, it then approved illegal telecoms data retention, it rejected PNR data profiling, it then adopted PNR data profiling. It approved bilateral deals to store PNR data for 15 years and for five and a half years and now a Directive with a storage period of five years. Meanwhile the European Court ruled that storage of personal data for arbitary periods is illegal, but respect for the law appears not to be a concern when adopting law enforcement measures."
German MEP Birgit Sippel, S&D civil liberties spokesperson: "For me the main point of concern is the indiscriminate collection of the data of all passengers which may contravene the CJEU judgement on data retention. We will continue to put pressure on the negotiators to reach an agreement that can be supported by a large majority in the European Parliament."
Data retention refers to the storage of traffic and location data resulting from electronic communications.
The main legislative instrument at EU level governing this field was the Data Retention Directive, which was adopted in November 2006 following the Madrid terrorist train bombings in 2004 and the public transport bombings in London in 2005. These resulted in a text which gave room for different applications at national level and which did not guarantee a sufficient level of harmonisation.
Currently up to 16 EU countries have decided to collect PNR data, according to Timothy Kirkhope, a British Conservative MEP who steers the file through Parliament. But because there is no EU framework, he said, “airlines have no clarity on how to process the data, and passengers have no clear EU-wide rights to protect booking information such as credit card details, seat number and emergency contact”.
Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002, although it has been slightly revised in 2009.
Germany and Belgium were taken to court by the EU, after refusing to implement the 2006 Data Retention Directive. The measure was overturned in April 2014.
- September 2015: Trialogue talks between the European Parliament, Commission and Council will begin on the passenger name record (PNR) draft bill