Passenger Name Record: EU to harvest more data to stop crime

Brussels airport check-in, 3 Apr 16 Image copyright AFP
Image caption Brussels airport: The EU is boosting surveillance after last month's bomb attacks by Islamic State (IS)

The EU is poised to set up a joint system for police and justice officials to access airline passenger data, covering all flights to and from the EU.

The need to prevent terrorism, in particular, is cited as justification for it.

Passenger Name Record (PNR) data is already collected by airlines but new legislation sets out detailed rules for national authorities to access it when tackling serious crime.

The new PNR directive is expected to be passed in the European Parliament on Thursday. Gun and bomb attacks by the Islamic State (IS) group in Paris last year and Brussels this year boosted support for such data monitoring in the EU.

What passenger details does PNR cover?

When you book a flight the airline routinely collects PNR data, including: names, contact details, itinerary, the credit card used for payment and baggage information. Passport details are also collected, known as the Advance Passenger Information (API).

That data is processed for commercial purposes but the plan now is to set up "Passenger Information Units" (PIUs) in each EU member state, where PNR data will be stored.

Processing of PNR data to prevent terrorism or other serious crimes will be the responsibility of the new units, not the airlines. The units will pass the data on to law enforcement officials only in such specific cases.

The text rules out any processing of data revealing a person's race or ethnic origin, religion, political opinion, trade union membership, health or sexual life. PIUs will be obliged to delete any such data if they receive it. That is to avoid infringing EU anti-discrimination law, embodied in treaties and the Charter of Fundamental Rights.

The parliament's lead negotiator - or rapporteur - on the PNR issue is UK Conservative MEP Timothy Kirkhope. He said the amount of information gathered from an individual was "much less than, say, when you open a clubcard account with a local supermarket".

In order to comply with EU data protection legislation, there is to be no automatic data transfer from PIUs. Transfers will have to be strictly in line with the remit to combat serious crime, and handled by "highly trained operatives", Mr Kirkhope said.

Why is the EU doing this?

The existing use of PNR data to combat serious crime in the EU is regarded as patchy.

The IS attacks - which caused more than 160 deaths - caused great alarm about intelligence gaps. There have been urgent calls for police across Europe to exchange timely information on terrorists and other criminals, which could save lives.

An EU-wide PNR system for crime prevention was first proposed in 2007 but lawmakers struggled to pass it because of privacy concerns.

The UK already has such a system and other countries, including France and Italy, have been developing their own. In 2013, the European Commission provided €50m (£40m; $57m) of funding to 14 EU countries for that purpose.

All 28 EU states apart from Denmark will participate in the new PNR system.

Image copyright EPA
Image caption A tricky balance has to be struck between crime prevention and passengers' privacy rights

Mr Kirkhope said it was important for the EU to establish "common high standards" on data exchanges and privacy, "so we don't end up with a piecemeal arrangement".

He said PNR data had already helped to thwart some terrorist attacks. It was "instrumental" in capturing collaborators of the 7 July 2005 London bombers and the 2008 Mumbai terror attackers, he argued.

Besides terrorism, the serious crimes covered by the new legislation include trafficking in drugs, people or weapons; cybercrime; and sexual exploitation of children.

Is PNR data sent to countries outside the EU?

Yes. The EU has PNR exchange agreements with the US, Canada and Australia, and is negotiating one with Mexico.

After the 11 September 2001 attacks by al-Qaeda the US authorities demanded that all carriers flying to the US provide PNR data.

Image copyright AP
Image caption Chicago O'Hare airport: The US values PNR data highly for combating international terrorism

The EU says detailed passenger data can only be sent to countries that meet the EU's own data protection standards.

The new PNR directive will also prohibit transfers of PNR data from one non-EU country to another.

How long will PNR data be retained?

The compromise agreed with EU governments says PNR data will be retained for five years maximum, so that law enforcement officials can access it if necessary.

After six months the data will be "masked out" or anonymised by PIUs. But during the five-year period investigators in a serious crime case will be able to "unmask" it if necessary to reveal a suspect's details.

Privacy is a big issue in the EU - does this directive go too far?

There are major privacy concerns - not least because in 2014 the European Court of Justice (ECJ) struck down an EU data retention directive, which allowed telecoms firms to store citizens' communications data for up to two years. The ECJ ruled that the directive violated some fundamental privacy rights.

The European Digital Rights (EDRI) campaign group argues that a five-year data retention period is too long, that the directive may not prevent discriminatory profiling of individuals and that it will be an ineffective tool against terrorism.

EDRI and others have pointed out that PNR was irrelevant in the Paris and Brussels bombings - those jihadists did not fly to Europe to carry out their attacks. Instead, critics say, the EU should focus on improving intelligence-sharing between police forces.

The EU Agency for Fundamental Rights (FRA) has also questioned the effectiveness of PNR collection for crime prevention. FRA says any such law needs to be backed up by statistical analysis, to detect any discrimination and measure the importance of PNR in crime investigations.

There will be a review of the new PNR system two years after it is launched. So far there is no overall estimate of the cost.

And the system will only apply to intra-EU flights on a voluntary basis. Some see that as a weakness. For example, if the French authorities wanted to see PNR data for incoming flights from Greece they would have to tell the EU Commission about that - it would not be automatic.

More on this story