On the 21st of April the EU Council adopted the Passenger Name Records Directive, a security mechanism which enables law enforcement and national security agencies to access the personal data of everyone flying into and outside of the EU. This includes addresses, names, credit card information and details on accompanying passengers, even minors.
Its coming into force was not without obstacles. Along its 9 year legal journey it has been struck down by the European Court of Justice and rejected from plenary debate, twice. It was criticized by private stakeholders, watchdog organizations and various political groups for its lackluster privacy safeguarding, excess of force and overall ambiguity. Essentially, this policy goes against several principles enshrined in European Convention on Human Rights, namely the right to privacy, non-discrimination and the presumption of innocence.
In the other camp, the PNR Directive was praised for its added value in the fight against terrorism and serious crime. Similar national mechanisms (funded by the EU) have apparently proven (but only under a veil of ambiguity) their worth in uncovering previously unknown suspects and foiling terrorist plots.
It has become apparent that this chapter in the tug of war between fundamental rights and European security concerns is concluded. In two years’ time, member states will have translated the mechanism into domestic law; a turn of events that seemed Orwellian to yesterday’s decision makers. Yet, the EU PNR policy’s adoption serves as an example of how our perceptions have changed in the past decade and how the limit of what governments can do for the sake of security has exceeded the boundaries of common sense.
It is time for a critical retrospective, one that might shed light on the volatile nature of surveillance politics in the EU.
When the proposal was initially tabled in 2007 it was met with wide discontent. Voices from inside Europe’s political core stressed that in order to deploy such an overarching apparatus of surveillance, its necessity had to be justified. The 2007 proposal excelled at portraying the measure as the only viable option to tackle the threat of terrorism travelling by air. It dismissed the possibility of revamping existing mechanisms, such as the API data, which was being collected since 2004. After being blocked by the CJEU, it resurfaced in 2011, with a key addition: the suggestion that intra EU airline passengers should be monitored.
Naturally, critique spearheaded by supervisory institutions such as the EDPS, FRA and the Article 29 Working Party soon followed this overarching extension. On the Member States level, the UK delegation was the only political body who rallied to this cause. However, by its adoption in April 2016, all Member States pledged to make full use of this provision before the transposition deadline.
This is not the only instance when the scope of surveillance was purposefully extended. There is a distinct possibility that this mechanism may open up avenues toward monitoring rail and sea travel, as well. Hailed by UK representatives back in 2008, the system could make use of existing infrastructure and data provisions (such as the Prüm Treaty) to greatly increase the number of potential data subjects.
Moreover, there is a pressing issue in what regards data transfers to third countries. Presently, there are three standing PNR data transfer regimes with the US, Canada and Australia, with another one under negotiation between the EU and Mexico. Now, in the light of the Snowden revelations and the subsequent annulment of other international data transfer provisions, the risk of handling massive amounts of private data to third countries must take center point in the EU’s external relations agenda.
Unfortunately, the varying data retention periods stipulated in the PNR transfer agreements with third countries demonstrate that these provisions are more a product of political leverage, rather than a genuine concern for citizens’ security.
So what should be next on Europe’s agenda? To begin with, a pragmatic assessment of our security achievements so far: there are mechanisms already in place (the VIS, SIS II, API to name but a few) that are capable of addressing challenges facing the EU today, and certainly in a more cost effective manner. Although this is not saying that there is nothing more to be done. Intelligence sharing is still a fundamental issue plaguing the counter-terrorism effort. Taking many forms and under various degrees of cooperation, structures such as the EU Intelligence and Situation Centre (IntCen), the EU’s Military Staff Intelligence Directorate, or the recently launched European Counter Terrorism Center (ECTC), are struggling to operate at the boundaries of a framework heavily entrenched in national politics. Realizing that the EU is not a typical intelligence actor goes a long way toward fostering intergovernmental cooperation. This can be done through clear and proportionate institutional mandates on information sharing or through engaging security professionals to these new paradigms early on in their careers.
Looking back on Europe’s security “breakthroughs”, through the lens of data retention mechanisms such as the PNR Directive, reveals a darker side of the war on terror: a realization that we have grown complacent, willing to sacrifice more freedom for less security. The portrayal of recent terrorist attacks have stoked the flames and left us and our decision makers impressionable and unwavering in front more considerate security alternatives. But, the choices Europe will be faced with should not set it on a path away from its core values.