Justice and Home Affairs ministers from EU member states are meeting today (20 November) in Brussels to discuss new security measures following the terrorist attacks in Paris last weekend that left 129 people dead.
Council officials called the passenger name registry (PNR) a top priority for the ministers’ meeting.
French Interior Minister Bernard Cazeneuve called for an EU-wide PNR after the attacks in Paris.
Negotiations have been going on between the Council, the European Parliament and the Commission over the controversial PNR legislation. But critics of the data collection law for flight passenger information have warned that the Council’s demands would clamp down on civil liberties and privacy rights.
Council ministers will also focus today on security measures at the Schengen zone’s external borders, regulating firearms and a counterterrorism centre within Europol that will be set up on 1 January.
Negotiations over PNR are expected to change the position agreed by the Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) in July, which allows data collection only for flights entering or leaving the EU.
Member states have signalled that they want the law to apply to flights within Europe as well. Negotiators are set on finishing talks by the end of the year. It’s still unclear what types of flights will be included in the law.
British MEP Timothy Kirkhope (ECR), Parliament rapporteur on the PNR bill, voted for data to be collected for flights within Europe too, but that was rejected by other MEPs.
Kirkhope said collecting PNR data for flights within Europe is “something which I believe has value, not just in the fight against terrorism, but also in the fight against trafficking, drug smuggling, and a number of other serious kinds of criminality.”
The original European Commission proposal included 60 different categories of personal data to be collected, including passengers’ contact details, flight origins and destinations, IP addresses and payment information.
The Parliament wants data from passengers on charter flights to also be collected, but member states are divided over that.
Dutch MEP Sophie in ‘t Veld, the ALDE shadow rapporteur on the PNR legislation, said the Council’s focus on PNR in today’s meeting is an attempt to push member states’ agenda during trialogue negotiations with the Parliament and Commission.
“Parliament has voted for a position which is clearly different from the position of Council. Rather than trying to sort out differences in trialogue as we’re supposed to do, they’re now trying to put pressure on the process by issuing press releases and Council conclusions,” in ‘t Veld told EurActiv.
In ‘t Veld said there is “zero” agreement on whether the PNR data that’s collected will be shared between member states, which Parliament voted in favour of. Member states have been much more reluctant to share intelligence information.
“What is the point of a European directive on the processing of European data if those data are stored in national silos and not shared?” she said.
Critics of PNR warn that the draft legislation could face the same fate as the data retention directive, which was struck down by the European Court of Justice in 2014 for allowing “general and blanket data retention.”
“Whatever the question is in relation to security, the answer from our political leaders is always surveillance. But the answer is rarely untargeted surveillance,” said Joe McNamee, director of NGO European Digital Rights.
In an opinion published in September, European Data Protection Supervisor Giovanni Buttarelli said it isn’t clear why mass PNR data should be collected instead of on a targeted basis.
Since the attacks in Paris last week, supporters of tightened national security measures increasingly spoke out in favour of PNR.
German MEP Monika Hohlmeier (EPP) sent out a press release yesterday calling for PNR negotiations to move ahead and suggested that legal action be taken to weaken encryption.
“Data privacy is an important priority, but protecting the lives of innocent people in Europe takes precedence,” she said.
Hohlmeier also blamed “left-wing groups” who advocated for “loopholes in our safety and security legislation.”
“The movements of terrorists have to be monitored, their financial sources have to be drained and their encrypted communications must be accessed,” Holmeier said in the statement.
Earlier this year, Commission Vice-President Andrus Ansip denied rumours that the Commission wanted to propose legislation allowing backdoors to bypass encryption.
David Cameron and other European politicians amped up their calls for backdoors to encryption following the terrorist attack on the office of Paris-based magazine Charlie Hebdo in January.
Privacy advocates argue limiting encryption would do more harm than good—and wouldn’t do much to stop crimes.
“The only impact of restrictions on encryption will be that innocent people will be less secure,” said Joe McNamee.
Data retention refers to the storage of traffic and location data resulting from electronic communications.
The main legislative instrument at EU level governing this field was the Data Retention Directive, which was adopted in November 2006 following the Madrid terrorist train bombings in 2004 and the public transport bombings in London in 2005. These resulted in a text which gave room for different applications at national level and which did not guarantee a sufficient level of harmonisation.
Currently up to 16 EU countries have decided to collect PNR data, according to Timothy Kirkhope, a British Conservative MEP who steers the file through Parliament. But because there is no EU framework, he said, “airlines have no clarity on how to process the data, and passengers have no clear EU-wide rights to protect booking information such as credit card details, seat number and emergency contact”.
Data protection and privacy in electronic communications are also governed by the E-privacy Directive, which dates back to 2002, although it has been slightly revised in 2009.
Germany and Belgium were taken to court by the EU, after refusing to implement the 2006 Data Retention Directive. The measure was overturned in April 2014.