On 2 December 2015, the European Parliament’s Civil Liberties (LIBE) Committee endorsed a directive on “the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime” (EU-PNR). It seems, therefore, that the long journey of the EU-PNR directive – initially proposed in 2011 – is coming to its end, as the European Parliament (EP) is expected to hold a final vote in February 2016. However, this directive still seems strongly contestable – and contested – on the grounds that it jeopardizes EU citizens’ fundamental rights to privacy and data protection (Art. 7 and 8), while its effectiveness in fighting terrorism remains unclear
Simply put, the EU-PNR Directive would oblige airline carriers operating extra-EU flights (and probably even intra-EU flights) to transfer flight passengers’ data to EU member states’ national security and law enforcement agencies. The data collected, containing plethora of personal information, will be stored for 5 years (the first 6 months without being masked and with few restrictions to access full data). Despite the EU-PNR directive having been widely publicised by its supporters as a necessary counter-terrorism measure, its scope is in fact way broader than this, and includes, for instance, drug trafficking, cybercrime, counterfeiting or piracy of products. This broad scope certainly eases a potential invasion of any flight passenger’ privacy, while personal data will be massively stored with little guarantee against possible abuses.
The original proposal on a European PNR system was introduced in 2011 by the EU Commission, but was rejected in April 2013 by the LIBE Committee. However, in June 2013 the EP asked the Committee to review its decision, putting the proposal back on its agenda. The political pressure aimed at passing this legislative proposal has been incredibly high, especially after the recent terrorist attacks, when consequentially declarations calling for the urgent need to launch an EU-wide PNR system intensified. In February 2015, the EP accepted a resolution aiming at finalising a directive on EU-PNR by end of 2015; in June a revised version was adopted by the LIBE Committee, starting the final negotiations between the EP, the Council, and the Commission.
All along the process, there has been a total and frankly disturbing refusal to listen to the numerous opponents of the EU-PNR directive. The ARTICLE 29 Data Protection Working Party, the European Data Protection Supervisor (EDPS), well-known digital rights organisations such as Access or EDRi, as well as members of the EP all pointed out at least two crucial flaws:
- The lack of proportionally, as the indiscriminate data collection and retention of all flight passengers would directly contravene the EU Charter of Fundamental Rights. It should be noted that in April 2014 the Court of Justice of the EU (CJEU) ruled to invalidate the Data Retention Directive (which included shorter retention periods that the current EU-PNR proposal), stating that indiscriminate data retention from 6 months to two years is already disproportionately interfering with EU fundamental rights.
- The lack of necessity, as proofs regarding the effectiveness of such measure to tackle terrorism in Europe are yet to be demonstrated. Even if governments, often led by France, repeatedly declare that an EU-PNR system is of urgent need and an absolute prerequisite for security in Europe, no factual demonstrations has been provided yet, nor elements showing how a PNR-system would have prevented the recent Paris attacks – or any other terrorist act.
Last but not least, it seems paradoxical – at best – that the EU member states refused to put in the directive any mandatory provisions compelling them to exchange data analysis on EU-PNR. This refusal is one of the many illustrations of how governments request ever biggr access to their citizens’ data, legitimizing the invasion of their privacy in the name of national security, while still being reluctant to apply the same flawed principles to their own institutions. The Dutch MEP Sophie in’t Veld notably declared that “National security and law enforcement authorities will be able to retain passenger data in a near unlimited manner, but mandatory sharing of the analysis of this data has been rejected by Member States.” She added that “we could have agreed to a well-balanced proposal of purposeful data retention, sufficient protection of civilians’ rights and mandatory sharing of intelligence. The current proposal only gives a false sense of security.”
If the current EU-PNR directive is accepted as final by the EP, member states will then have two years to transpose the directive into their national laws. As many are already predicting a probable – yet distant – invalidation by the CJEU, an EU-PNR system would only extend the list of hasty EU and national measures prioritizing security over liberties. It is worrying that nowadays in the EU; any – supposedly – anti-terrorism measure does not even have to be demonstrated as efficient to allow severe breaches of EU fundamental rights.2 comments