The latest terrorist events that took place in Europe had an impact on EU legislative work, accelerating the approval of acts regarding the fight against the transnational threat. One of those concerns the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime: the EU-PNR Directive 2016/681, approved on April 21st, 2016.
The scope and application of the Directive, as set out in Article 1, are: the transfer by air carriers of PNR data of passengers of extra-EU flights; and the processing of the data, including its collection, use and retention by Member States (MS) and its exchange between them. The Directive also allows MS to extend its application to all intra-EU flights or only to selected ones, but the interest in the extension shall be notified in writing to the European Commission.
In order to comply with the abovementioned provisions, each MS has to create a branch or designate an authority to act as Passenger Information Unit (PIU). According to Article 4 (2), the PIU's responsibilities are: collecting PNR data from air carriers, storing and processing those data and transferring them – or only the result of the data processing – to the competent authorities; and exchanging both PNR data and the result of data processing with the PIUs of other MS and with Europol. The PIU shall also appoint a data protection office, as established in Article 5 (1), which will analyse the exchange and the processing of PNR data, guaranteeing that the passengers’ personal information will not be used for purposes other than those enumerated in Article 6 (2), namely:
- Identifying persons who require further examination by the competent authorities due to suspicion of involvement in a terrorist offence or serious crime;
- Responding, on a case-by-case basis, to a duly reasoned request based on sufficient grounds from the competent authorities to provide and process PNR data;
- Developing and updating the PNR data analysis to improve the identification of persons who may be involved in a terrorist offence or serious crime.
According to Article 12, the PNR data provided by the air carriers to the PIU shall be retained in a database at the PIU for a period of five years after the transfer. However, six months after the transfer, all PNR data shall be depersonalised, in order to prevent the direct identification of the passenger and to protect his/her personal and human dignity.
Even though those objectives seem suited to the current environment of security control in Europe, it is important to bear in mind that the EU was not the first to legislate on the use of PNR data for counter-terrorism purposes. Following the 9/11 terrorist attacks, in 2001, the United States of America (USA) established an obligation for all air carriers to provide electronic access to the data contained in the PNRs of passengers who were flying from or to the USA. In 2002, in response to this request, the European Commission declared some concerns regarding direct access to PNR data, as the processing of personal data could violate some fundamental and human rights. Disregarding this argument, in 2003, the USA administration established penalties for air carriers that refused or failed to provide access to the PNRs of passengers who would fly from/to the USA.
Facing this sensitive situation, in December 2003, the Commission issued a Communication to the Council and the European Parliament with "a comprehensive EU approach" to the transfer of PNR data to US authorities. In this approach, the Commission indicated the following as important topics to be considered regarding the transfer of passengers’ data:
- A legal framework for the existing transfers of PNR data to US authorities;
- The provision of complete and updated information to passengers in order to let them consent to the transfer of their personal data to US customs;
- The replacement of the method of direct data extraction by the US government (pull method) with the method of data exportation (push method), in which it is possible to use filters that prevent the leakage of information by other channels;
- The development of an EU position regarding the use of passenger data for surveillance and border control;
- The creation of a multilateral framework for the transfer of PNR data within the framework of the International Civil Aviation Organization (ICAO).
Following this, on April 29th, 2004, the Council issued Directive 2004/82/EC, which considered as legitimate acts the PNR data processing for border control and the use of such information as a type of evidence in legal proceedings. The air carriers became obliged to transfer to US authorities the Advance Passenger Information (API), until the end of the ship registration. However, the 2004 Directive also established that any data treatment in any way incompatible with the legislative purpose would be contrary to the principle set out in point (b) of Article 6 (1) of the Data Protection Directive 95/46/EC [note1].
It is important to mention that API is a transcript of passport data, which only allows the identification of terrorist and organized crime suspects who were already known by the authorities. To fill this gap, in November 2007, the Council forwarded a proposal for a Framework Decision on the use of Passenger Name Record (PNR) data by the MS. The proposal stressed that cooperation and exchange of information between MS and their services, as well as with Europol, would be a necessary tool to face the transnational threat. By collecting and analysing the PNR data, the competent authorities could identify persons who would have a link to terrorism or serious crime and take appropriate action in advance.
As the proposal was not contemplated by the Commission, in the “Stockholm Program - An open and secure Europe serving and protecting the citizens” [note2], the Council called on the Commission to adopt a position regarding the use of PNR data with a high level of personal data protection. In September 2010, the Commission issued a Communication [note3] with a comprehensive approach on the transfer of PNR data to third countries. This document shows the EU's intention to create specific legislation on the transfer of PNR data for flights that arrive in or depart from Europe, «the EU-PNR». However, as a practical issue, the EU had some concerns regarding the possible invocation of reciprocity by third countries which allow their air carriers to transfer PNR data to European authorities.
Working to overcome the obstacles to an EU-PNR legislation, on November 11th, 2010, the European Parliament launched the “EU External Strategy on Passenger Name Record (PNR) data” [note4]. In this strategy, the Parliament stressed the importance of combating terrorism and transnational crime without lessening the protection of civil liberties and fundamental rights. In this context, it is important to pay attention to Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, and to Article 8 of the European Convention on Human Rights. With regard to the legal basis, the EU-PNR legislation would be based on Article 16 of the Treaty on the Functioning of the European Union, especially on its first paragraph, which states that «everyone has the right to the protection of personal data». The strategy also pointed out the principles of necessity and proportionality, as the political and legal measures could not violate the personal data protection. In fact, what the EU Parliament wanted to avoid was the use of PNR data for “data exploration” or “determination of Profiles”.
Almost 6 years after the EU External Strategy was published, the debate about the EU-PNR came up again as a response to the terrorist attacks in Paris (2015) and Brussels (2016). As mentioned above, the EU-PNR Directive was issued in April 2016. Its Article 14 requires MS to establish the rules and penalties applicable, including financial ones, against air carriers which do not transfer the PNR data of extra-EU flights (and intra-EU flights, if that is the case) to the PIUs. According to Article 16, all such transfers shall be made by electronic means, complying with the level of security required for that kind of transaction.
It is possible to verify that the referred articles are based on the North American legislation on the subject. However, it is important to note that the way in which the terrorist attacks happened in Europe was different from that of the United States. In America, foreigners with a study visa hijacked planes and flew them into buildings that represented American economic and military power. In Europe, the attacks were mostly carried out by nationals of Member States, in the guise of “foreign fighters” or “lone wolves”, against European cultural and ideological symbols. Therefore, it does not seem that massive control will provide as many indications of terrorist suspects as the EU expected, because the character of terrorism has changed over time, becoming more diffuse and transnational.
Also, it is important to highlight the report of the European Regions Airlines Association (ERA) on the subject. In the report, ERA explains that “API and PNR are located in different systems and their transmission requires programming by the airlines, which can take 3 to 6 months for a standard API request and 6 to 12 months for a PNR request” [note5]. Besides the high costs of creating the infrastructure to transfer all PNRs faster, the air carriers face penalties for not sending the PNR data to the PIUs on time and under a high level of security.
Summing up, the MS shall transpose the Directive into their internal law by May 25th, 2018, in accordance with Article 18 (1). The relation between security and privacy and the effectiveness of information exchange will be re-evaluated by May 25th, 2020, when the Commission shall review all elements of the EU-PNR Directive, submitting the report to the European Parliament and to the Council, as established in Article 19.
As this is a tricky issue, it is too soon to say for sure if the EU-PNR transfers will work properly, but it is possible to foresee postponements of the deadlines for transposition and review of the Directive. Firstly, based on the example of other directives, transposition does not happen at the same time across MS: each one transposes EU legislation in its own time and according to its capacity to provide the necessary means for the legislative implementation. Secondly, during the transposition MS use their discretion, adjusting the European rules to their domestic rules to a greater or lesser extent than others. And finally, there are MS that do not transpose the directives at all by the deadline and must be notified and/or penalized to comply with this obligation.
Only when all MS are applying all the rules established by the Directive and by domestic legislation will we be able to properly verify whether the complex data transfer system is a useful tool in the European “War on Terrorism”.
By Emellin de Oliveira
Ph.D. in Law Candidate at NOVA University of Lisbon and Researcher at CEDIS (Centro de Investigação e Desenvolvimento em Direito e Sociedade)
note1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Article 6: 1. Member States shall provide that personal data must be: (a) processed fairly and lawfully.
note2 No. prev doc. 16484/1/09 REV 1 JAI 866 from the Council of the European Union of 02 December 2009.
note3 COM(2010) 492 final of 21 September 2010, Communication from the Commission on the global approach to transfers of Passenger Name Record (PNR) data to third countries.
note4 P7_TA(2010)0397, European Parliament resolution of 11 November 2010 on the global approach to transfers of passenger name record (PNR) data to third countries, and on the recommendations from the Commission to the Council to authorise the opening of negotiations between the European Union and Australia, Canada and the United States.
note5 ERA - European Regions Airlines Association, API-PNR, available on: http://www.eraa.org/policy/security/advance-passenger-information-api-and-passenger-notifications-records-pnr.