1. The proposal
The current proposal for a directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (PNR) was approved by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 15 July 2015. The original proposal was presented in 2011 but was rejected by LIBE on the grounds of the possible consequences for EU counter-terrorism policy.
Given the new security context and the concern of the Member States, the EU realised that it was necessary to take measures to prevent and combat terrorist offences and serious transnational crimes. Because of the undeniable growing danger of terrorist attacks on the EU states, the European Parliament engaged in the finalisation of the PNR directive by the end of 2015.
2. What are Passenger Name Records?
PNR data is information provided by passengers and collected by air carriers during reservation and check-in procedures. According to the International Civil Aviation Organisation (ICAO) guidelines, PNR data contains the passenger's full name, telephone number, itinerary, seat number, baggage information and method of payment. The current proposal does not require airlines or passengers to provide any additional information.
The aim of the PNR directive is to harmonise and create a legal framework for the high-level protection of personal data and the exchange of PNR data between the Member States and between the Member States and Europol. According to EU officials, a common PNR data system would be far more effective and efficient for airlines and would help authorities to identify terrorist suspects' travel patterns.
The directive would apply to air carriers as well as to non-air carriers for international flights. The PNR data would be processed only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and of certain types of serious transnational crimes.
3. The main elements
The new proposal foresees setting up Personal Information Units (PIUs) which would be carefully limited in scope and would be responsible for storing, processing, analysing and transferring data. The data would be transferred by airlines to these units exclusively by the 'push' method, to avoid Member States having direct access to carriers' IT systems. Each PIU should appoint a data protection supervisory officer responsible for monitoring PNR data processing.
According to the proposal, the retention period under national PIUs would be an initial 30 days, after which all information which could identify a passenger would have to be "masked out". The data could be held for up to 5 years and then permanently deleted. The retention period may instead be regulated by the national law of the Member States when competent authorities are using the PNR data for criminal investigations.
4. The protection of fundamental rights
The main concerns about the proposed directive include the impact on privacy and a possible infringement of fundamental human rights. Even if the proposal sets down rules regarding the protection of human rights, the possibility of endangering them does exist.
Throughout the last few years of discussions, EU officials and institutions often raised concerns and questions about the necessity and the proportionality of the PNR directive. It can be considered that the enactment of the directive is well-founded, taking into consideration recent events that have occurred in the EU. However, proportionality is another question.
During the PNR data debates, the issue of the directive being only a "mass collection of data" came up. When we analyse this aspect, we have to take into consideration the simple fact that the majority of passengers are innocent people. It is without a doubt that once the directive comes into effect, passengers will become more profiled and supervised.
Even if the proposal provides several measures to protect privacy, the possibility of it being too invasive is still there. Many fundamental rights can be easily violated (e.g. the right to privacy, the right to free movement, the right to data protection etc.) if the responsible authorities do not use the data in a so-called "limited manner".
5. The main objective
While analysing all the aspects presented above, we should not forget the main aim of the directive, which is to fight terrorism and serious crimes by enforcing cooperation among the Member States. In countries that have an operational PNR system, such as the UK, major improvements were achieved in the fight against criminal activities. The introduction of a PNR data directive at EU level is supported by the fact that many national PNR systems are already set up and the lack of any legal framework could result in security gaps and legal uncertainty.