Where did you travel on your last flight? How did you pay for it? Did you book a hotel through your airline and what did you eat on board? The government wants to know – and under a new measure approved by the European Parliament this week, your airline is obliged to tell them.
The Passenger Name Record (PNR) directive, an anti-terrorism measure pushed forward after the attacks in Paris, will require airlines to hand over to national authorities extensive passenger data for all flights into and out of the EU, and may be extended to flights between EU countries.
The information, which is all provided by passengers when booking, checking in or boarding, includes data like passport numbers and nationality – but also passengers’ full travel itineraries, payment details and even special service requests like meal preferences.
The data will be kept for five years, although identifying details like name, address and contact details will be masked out after six months to protect people’s identities.
Supporters of the directive say it will close gaps in countries’ intelligence systems that terrorists and criminals can exploit and help in the prevention and investigation of terrorist offences.
Critics, however, consider it an excessive infringement on individual privacy and civil liberties, and a disproportionate response to the threat being faced, with limited proof of its effectiveness.
The European data protection supervisor has described it as “the first large-scale and indiscriminate collection of personal data in the history of the EU”.
“The latest position and vote is nothing but proof that terrorism is winning, and this to the detriment of our rights to privacy,” Antonio Ghio, a lecturer in data protection law and president of the Malta Information Technology Law Association, told The Sunday Times of Malta.
“While it is clear that no right is absolute and balance should be achieved between the interests of society and the personal fundamental rights of individuals, an indiscriminate collection of personal data as being envisaged by the PNR plan is hard to understand.”
Passenger data will be kept for five years, although identifying details like name, address and contact details will be eliminated after six months.The legislation, Dr Ghio suggested, could suffer the same fate as the Data Retention Directive, a similar measure on the collection of internet data which was shot down in 2014 by the European Court of Justice, which declared it a “particularly serious interference” with the right to privacy.
“Laws restricting privacy should be based on the principles of proportionality and necessity, and I seriously have my doubts as to whether such plans would or could pass such proportionality test.”
In the European Parliament, which approved the measure on Thursday by a large majority, the PNR has been a hot topic for years, having previously been rejected by the civil liberties committee over privacy concerns.
Nationalist MEP Roberta Metsola, who was involved with the development of the dossier as a member of the committee, said she was confident the new legislation contained adequate safeguards for privacy.
“The new data protection standards are very high. We ensured that there is very targeted access to data and that this is used only in cases of serious crimes, in a restricted manner,” she said.
“The collection and use of sensitive data revealing a person’s race or ethnic origin, religious or philosophical beliefs, political opinion, trade union membership, health or sexual activity is also prohibited.”
Nevertheless, advocacy groups such as European Digital Rights (EDRi) have noted that the data can still be used to build profiles: meal preferences can provide information about religious affiliation, while hotel reservations can indicate personal relationships.
Dr Metsola stressed, however, that the information in question was already being collected by airlines and had been for decades already.
“Now we have the technology to share that information with law enforcement, and to me it makes no sense to say that this data can be used by airlines for commercial purposes but not to prevent, detect and investigate crime and prosecute perpetrators,” she said.
Meanwhile, Labour MEP Miriam Dalli, who sits with the Socialists and Democrats group on the civil liberties committee, stressed the “need to ensure that unwarranted access to citizens’ personal data should be limited”.
The S&D opposed a previous proposal on the PNR and insisted it should be tied to new data protection rules, which were ultimately also passed last Thursday.
“By approving the Data Protection Package, we now have a European system that will allow national agencies to concurrently process and protect all data,” Dr Dalli said, highlighting the need to improve the sharing of information between law enforcement agencies.
Member states will now have two years to adopt the new measures into national law once the legislation is formally approved by the Council of Ministers.
What Europe is saying
“By collecting, sharing and analysing PNR information our intelligence agencies can detect patterns of suspicious behaviour to be followed up. PNR is not a silver bullet, but countries that have national PNR systems have shown time and again that it is highly effective.”
– Tim Kirkhope, British Conservative MEP who spearheaded the directive
“The PNR Directive is a disgrace. It is absurd that we are being told that these huge databases are hugely valuable to law enforcement, yet we are also told that member states rejected mandatory sharing of this allegedly valuable data.”
– Joe McNamee, Executive Director of European Digital Rights (EDRi)
“The PNR directive can be a useful tool in the fight against terror. However [...] we won’t defeat terrorism with a water gun. First and foremost, it lacks an automatic and mandatory exchange of PNR data. Secondly, it will only be useful under the condition that member states realise there is no other way out than working together to fight back against terrorist threats.”
– Gianni Pitella, S&D Group President