
Europe a step closer to keeping records on all passengers flying in and out of the Continent

Privacy activists alarmed by profiling implications

By Jennifer Baker, 15 Jul 2015

The European Parliament's civil liberties committee LIBE voted on Wednesday in favor of collecting and storing information about all air passengers traveling into or out of the EU.

The so-called Passenger Name Record (PNR) scheme requires the storage of all data collected by airlines about passengers – including sensitive and personal information such as email addresses, credit card details, phone numbers, and meal choices (halal, kosher, etc) – for use by security agencies. The committee approved the scheme by 32 votes to 27, and also agreed to start negotiations with national ministers with a view to agreeing on a new law by the end of the year.

However, civil rights groups have been outraged at some of the proposals, particularly after the European Court of Justice (ECJ) ruled [PDF] the old Data Retention Directive illegal and disproportionate in April last year.

"To date, and despite countless requests, the European Commission has not been able to show that an EU PNR scheme would meet the standards of proportionality and necessity established by the Charter of Fundamental Rights. In the aftermath of [the ECJ ruling] it is hard to imagine how the proposed arbitrary period of maximum five year retention for every citizen's travel data could be considered necessary and proportionate," said Joe McNamee, director of privacy warriors EDRi.

Even the vice-chairman of the committee and the Parliament's Mr Data Protection, Jan Philipp Albrecht, said the new PNR text [PDF] goes too far. "The shamelessness with which centre-right and some centre-left MEPs disregarded the jurisprudence of the ECJ and voted in favor of unjustified mass surveillance of all air passengers is alarming. Today's vote means that all air passengers in the EU will be placed under general suspicion and their personal details scrutinized," said Albrecht.

The EU-PNR proposal has a rocky history. It was first proposed by the European Commission in 2011, but was rejected by the LIBE committee in 2013. However, following the Charlie Hebdo murders in Paris earlier this year, new pressure from security agencies and national ministers saw the plan unearthed. As EDRi points out, the history of the law closely resembles that of the Data Retention Directive.

[Infographic: Timeline ... How we got to this point]

Both were rejected by the civil liberties committee and dropped, only to be resurrected and fast-tracked following a terrorist attack.

One of the arguments in favor of the EU-wide plan is that it would harmonize national rules.

"Without this EU system in place, a number of EU governments will go it alone and create their own systems. That would leave gaps in the net and create a patchwork approach to data protection. With one EU-wide system, we can close the net and ensure high standards of data protection and proportionality are applied right across Europe," said UK Conservative MEP, and the man in charge of promoting the law in the European Parliament, Timothy Kirkhope. However, EDRi says that most national schemes only came about because the European Commission pumped €50 million ($54.7 million) into them, thus "creating a problem to be solved."

However, some civil liberties fears proved unfounded. The text approved on Wednesday would only apply to flights to and from the EU, not "intra-EU" flights between EU member states. Flights to and from the US would not be affected.

And the data could only be processed "for the purposes of prevention, detection, investigation and prosecution of terrorist offenses and certain types of serious transnational crime," including trafficking in human beings, sexual exploitation of children, drug trafficking, trafficking in weapons, munitions and explosives, money laundering and cybercrime.

The five-year retention period is on a sliding scale. After an initial period of 30 days, information that could identify a passenger would have to be "masked out." However, the masked-out data would still be accessible to certain staff for four years for serious transnational crime cases and five years for terrorism ones. After the five years, PNR data would have to be permanently deleted, unless the authorities are using it for specific criminal investigations or prosecutions.

Elsewhere, Home Affairs Commissioner Dimitris Avramopoulos has opened negotiations for a specific EU-Mexico PNR agreement. The EU already has PNR agreements with the US and Australia, and a draft deal with Canada is awaiting the OK from the ECJ. It seems likely that the EU's PNR scheme with the rest of the world will meet a similar fate and be evaluated by the courts in due course.

Before that, however, the European Parliament as a whole will get to vote on an EU PNR text thrashed out between national ministers and Europarl negotiators. Then it's over to the European Commission to get it into law. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing