Observatory: EU surveillance of passengers (EU-PNR, 2003-2008) - and restart in 2011


Process restarted: 2 February 2011: See for current process: EU-PNR (Passenger Name Record) 2011 ongoing

EU: Commission makes €50 million available for the development of "big brother" PNR databases - before legislation has even been agreed: One of the most controversial pieces of EU legislation currently on the table is the proposed EU-Passenger Name Record (PNR) directive, which would require the establishment throughout the Member States of systems for collecting, storing and analysing vast amounts of personal data from people flying into (and possibly within) Europe, with the stated purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.

EU:
European Commission's Legal Service says EU-USA PNR agreement is "not compatible with fundamental rights"

- Scope covers minor crimes: "proportionality of the agreement in question"
- R
etention period goes far beyond that of the Agreement with Australia
- Agreement extended to cover US border security: "which is not linked to the purpose of preventing terrorism or serious crime"
- "no judicial redress to data subjects"
- "no guarantee of independent oversight"
-
Legal Service advice ignored

See: Note from Commission Legal Services to DG Home Affairs (18.5.11, pdf), EU-US PNR Agreement (20.5.11, pdf) and Air passenger data plans in US-EU agreement are illegal, say lawyers (Guardian, link, pdf).

EU: Report from the Commission to the Council and the European Parliament: Evaluation report on the Data Retention Directive 2006/24/EC (COM 2011, 225 final, pdf). See EDRi evaluation of data retention shows it has significant costs but no benefits (link), Action group calls for ban on telecommunications data retention in the EU (link) and Background information and facts Evaluation of the Data Retention Directive 2006/24/EC (link).

European Data Protection Supervisor: Opinion on the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (pdf) and Article 29 data protection Working Group: Opinion on EU-PNR scheme (pdf)

EU-PNR: European Commission: Proposal for a Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (pdf), Impact Assessment (SEC 132, pdf) and Staff Working Paper (SEC 133, pdf).

All passengers flying in and out of the EU will have to provide their "Passenger Name Record" (PNR) data, eg: home address, mobile phone number, credit card information and email address – which will be checked against national watch-lists for suspected links with terrorism or serious crime (although the above documents sometimes refer to crime in general) prevented from flying or arrested. Flights within the EU will not be covered - for now.

Background: EU to collect data of international air travellers (euobserver, link).

Historical Archive


Update: The European Parliament refused to vote on proposal in November 2008. In the Council working group discussion began in February 2008; discussed at July 2008 JHA Council; discussed at 24 Oct. 2008 JHA Council; progress report to Nov. 2008 JHA Council; on advance agenda of June 2009 JHA Council for ‘general approach’; not on final agenda. Proposal for an EU-PNR scheme included in the Stockholm Programme (December 2009).

EU-PNR (Passenger Name Record): Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes (17.4.09, EU doc no: 5618/1/09, pdf).

EU-PNR: Council: Report on thematic work carried out from July to November 2008 (pdf)

EU-PNR: Latest Council document: General discussion of matters relating to the analysis and transmission of PNR data and data-protection (pdf) and PNR: Opinion of the Fundamental Rights Agency (pdf)

EU-PNR scheme being re-written by the Council: EU-PNR system to cover all flights in and out of the EU and to cover everyone, EU citizens and visitors - in addition any EU state that wants to (like the UK) can extend this to cover flights within the EU as well. Processed PNR data to be checked against: "national, international and European files"

EU-PNR: European travel operators and travel agents' comments on the EU-PNR (passenger name record) system reveal strong reservations on the proposal: European Travel Agents’ and Tour Operators’ Associations letter to Council Presidency (EU doc no: 12360/08, pdf).

- Scope: the Framework Decision: "ECTAA considers that the proposal for a Framework Decision should only cover data for passengers on flight into and out of the EU. It is essential that it is not extended to intra-EU flights."

- Scope: "it is fundamental that data will not be used other than for border purposes"

- Costs: "This proposal will have significant technical, operational and financial consequences for carriers. Inevitably that cost will be passed on by the carriers to the end user, the passenger" - so we will be paying for our own surveillance

- US demands: PNR data is currently transmitted to the USA after a flight departs. The USA demand for data 24 hours in advance and immediately after flight closure is called "an uneccessary duplication". In addition: "Charter carriers in particular rarely receive such information in advance of 24 hours" and "To put in place an advance system for charter carriers would be costly and require considerable time as the current systems used by tour operators do not lend themselves to this."

Background: The Council working party has abandoned discussions on the Commission's proposal for an EU-PNR scheme and are going to start again drawing up their own proposal because a number of EU governments want to go much further. With the UK in the lead a number of member states want:

- the system to cover not just flights in and out of the EU but also flights between EU countries plus all flights within each country;
- the system to cover not just all flights but all sea and land travel as well;
-  the data and information gathered to be used not just for entry-exit but also for any law enforcement purpose.

See: Note from the Austrian delegation: EU doc no: 11724/08 Council Presidency Note: EU do no: 11281/08 and Council Presidency Note: 11772/09 plus penultimate draft of the proposal during discussions in the Council's Multidisciplinary group on organised crime: EU doc no: 7656/08 Rev 2

EU-PNR: EU endorses idea of collecting air passenger data (euobserver, link). EU Justice and Home Affairs Ministers say they have "reached an agreement on the principle of the European PNR". In fact, they have abandoned discussions on the Commission's proposal for an EU-PNR scheme and are going to start again drawing up their own proposal because a number of EU governments want to go much further. With the UK in the lead a number of member states want:

- the system to cover not just flights in and out of the EU but also flights between EU countries plus all flights within each country;
- the system to cover not just all flights but all sea and land travel as well;
-  the data and information gathered to be used not just for entry-exit but also for any law enforcement purpose.

See: Note from the Austrian delegation: EU doc no: 11724/08 Council Presidency Note: EU do no: 11281/08 and Council Presidency Note: 11772/09 plus penultimate draft of the proposal during discussions in the Council's Multidisciplinary group on organised crime: EU doc no: 7656/08 Rev 2

EU-PNR: Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes - State of play (pdf)

EU-PNR: UK House of Lords' European Union Committee: The Passenger Name Record (PNR) Framework Decision (89 pages, pdf). A very useful report which considers amongst other issues the scope of the proposed EU-PNR Framework Decision which primarily rests on tackling terrorism:.

"Most significant of all, Ms Hillier’s [Home Office Minister] letter contains no reference to terrorism, and none of the examples she lists bears any relation to terrorism.

Likewise, in oral evidence she was unable to give an example of the successful use of PNR in relation to a terrorist-related offence. She did assert that PNR “has absolutely been a tool in tackling terrorism”, and explained the problems of sharing information about this in public (Q 28). However such a statement is unpersuasive when not accompanied by even a claim that PNR has succeeded in preventing, or assisting in the prevention of, a single terrorist attack, or bringing to justice the perpetrators of such an attack.

Similarly, Mr Hustinx told us that when the US Secretary of Homeland Security was addressing the European Parliament “he was careful to annex a list of some 20 or so examples to his speech and it was all about drugs and people evading paying taxes and things like that, but there was very little in terms of precision on terrorism” "

In this context it is interesting to note that in the UK Border & Immigration Agency: e-Borders: Friends of Presidency Group meeting presentation, Brussels, 27 March 2008 (pdf) it is stated that:

"The UK does not profile terrorists using PNR. In that respect we believe we are different to other governments who do use profiling techniques..." (emphasis added)

EU-UK: UK Border & Immigration Agency: e-Borders: Friends of Presidency Group meeting, Brussels, 27 March 2008 (pdf) This presentation took place as discussions are underway on a proposal to set up an EU-PNR scheme (see story below). It describes the UK timetable for checking all airline passengers against watchlists to "identify known persons of interest" and that it will eventually cover "all routes in/out on all modes of transport" (air, sea and land). See also: UK: Code of practice of practice on the management of information shared by the Border and Immigration Agency, Revenue and Customs and the Police (March 2008, pdf); Draft Regulatory Impact Assessment: Police and Justice Bill: Data Capture (pdf) and Police and Justice Act 2006 extends data gathering to passengers travelling inside the UK (pdf)

EU-PNR: Proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes (EU doc no: 7656/2/08, pdf) and later Discussion of the Council's position on EU-PNR (EU doc no: 9514/08). The Council is driving a "coach and horses" through the original proposal including increasing its scope beyond terrorism and organised crime. Although "Passenger Information Units" (PIUs) who will vet passengers are to some extent limited in their use of data national "competent authorities", to whom all the data can be passed, are to be allowed to further process the data if they come across "other offences" (ie: any crime, see Article 4.5). European Data Protection Supervisor: EDPS expresses serious concerns about EU PNR proposal (Press release and Opinion, pdf)

EU-PNR: Reactions: European Airline body dismayed at proposal for EU-PNR system (Association of European Arlines, press release, pdf) Ulrich Schulte-Strathaus, Secretary General of the Association of European Airlines said:

"Commissioner Frattini's proposed decentralised system means that our carriers will have to comply with 27 different national data collection systems. We are talking about an operational and technical nightmare – and the Commission totally ignores the financial implications for the airline industry, which we haven't even started assessing yet."

The Association is also calling for the EU-PNR system to be "applied to all transport modes, so as to avoid discrimination and comptetitive distortions" (that is, to sea, rail and land travel).

Green group in the European Parliament: Civil liberties: New anti-terror measures seem unnecessary and incoherent (link) Dutch Green and civil liberties spokesperson Kathalijne Buitenweg said the:

"proposal on the retention of air passenger data in the EU seems unnecessary and incoherent. The Commission has made no attempt to justify why these measures are necessary and why the existing legislation is not sufficient - an existing Directive on passenger data from 2004 has yet to be fully implemented! (1) It is also incoherent to propose a European-level decision on data storage, while leaving the issues of data protection and how the data should be processed fully to national legislators."

ALDE (liberal group) in European Parliament: New EU anti-terrorism measures will further erode our civil liberties (link) Sophie In't Veld (D66, Netherlands) and EP rapporteur on PNR issues for the committee on Justice and Civil Liberties said:

" We should not be compounding the mistakes of the July PNR agreement with the US by introducing our own - at least until there is serious and irrefutable proof that such mass exchange of personal data is resulting in the arrest of terrorists.I remain adamant that PNR data should not be used as an indiscriminate form of data profiling."

EU-PNR: Tony Bunyan, Statewatch editor, comments:

"Unless stopped in its tracks it is just a question of time before the scope of the EU-PNR scheme is extended to cover all crime, flights inside and between Member States and sea, land and rail travel as well."

European Commission PNR proposal: Summary of impact assessment (SEC 1422) (pdf) The EU-PNR scheme plans for the personal data of all travellers by air in and out of the EU to be checked against "watchlists". The terminology in this Impact Assessment at times refers to "terrorism and organised crime" and at other times to "terrorists and criminals" suggesting that the intended scope of the measure may be changed in the near future. This impression is confirmed when the assessment speaks of:

" a wider application at a later stage. It should be left to member states to extend the scope of the proposal to other modes of transport at this point.... the majority of consulted parties agree the scope of the proposal should be limited to air transport as a first step, with the possibility of extending it to other forms of transport at a later stage...At this stage, it is thought disproportionate to extend the scope of the proposal to flights from one Member State to another Member State and to internal flights within a Member State"

On data protection the assessment is equally confused. First, it refers to the draft Framework Decision on personal data in police and judicial matters which has yet to be agreed but which offers little or no protection - and anyway, only covers the transfer of data between member states not national laws. The assessment goes on to states that member states should:

"the Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data of the Council of Europe. In practice, all Member States should also already have national legislation in place to cover data processing by law enforcement authorities."

The term "should" tells us that the Commission does not know. Moreover, the failure to fully incorporate of Council of Europe's Convention 108 of 1981 plus Recommendation 15 of 1987 and its two Additional Protocols in the proposed Framework Decision is highlighted by EU Data Protection Commissioners

EU-PNR-PLAN: European Commission: PNR (passenger name record) scheme proposed to place under surveillance all travel in and out of the EU

- EU PNR plan mirrors controversial EU-US PNR scheme
- European Parliament only to be "consulted"
- Data protection fiasco
- "not convinced of the necessity of such a proposal and is therefore opposed to the proposal"
(Article 29 Data Protection Working Party)

Tony Bunyan, Statewatch editor, comments:

"This is yet another measure that places everyone under surveillance and makes everyone a "suspect" without any meaningful right to know how the data is used, how it is further processed and by whom..

We have already got the mandatory taking of fingerprints for passports and ID cards and the mandatory storage of telecommunications data of every communication, now we are to have the mandatory logging of all travel in and out of the EU.

The underlying rationale for each of the measures is the same - all are needed to tackle terrorism. Yet there is little evidence that the gathering of "mountain upon mountain" of data on the activities of every person in the EU makes a significant contribution. On the other hand, the use of this data for other purposes, now or in the future, will make the EU the most surveilled place in the world".

EU-API-PNR: Question to the European Commission from Sarah Ludford MEP (ALDE) on EU API (pdf) Spain is using the 2004 EC Directive on the collection of API (Advance Passenger Information) for people crossing the EU's external borders to require API for flights inside the EU. API is the personal data contained on the passport page machine readable zone - name, date of birth, place of birth, expiry date and issuing authority.

JULY 2007: EU: European Commission to propose EU PNR travel surveillance system

- why have we heard so little about the EU's API system?
- what is the difference between API, APP and PNR?
- new US PNR list the same as the old one

EU-Canada Passenger Name Record (PNR) agreement (pdf)

(15.9.04) EU-API-PNR Directive published in Official Journal: Text (pdf). Published on 6 August 2004 and came into force on 5 September. All Member States has to implement by 5 September 2006. See also: Justice and Home Affairs Council agrees on the surveillance of all airline passengers: PNR Directive, adopted text (pdf) & JHA Council to agree the surveillance of all airline passengers: Report and documents - data can be kept indefinitely by law enforcement agencies and dubious legal basis: European Commission wanted the Council to delay decision so as not to deal "piecemeal with law enforcement issues"

23.6.04: PNR: TransAtlantic Consumer Dialogue's Resolution on Passenger Name Records: civil society coalition to send resolution to EU-US Summit meeting in Dublin on 25 June: Resolution, background and signatories

29.4.04: EU-PNR: Justice and Home Affairs Council agrees on the surveillance of all airline passengers: PNR Directive, adopted text (pdf)

27.4.04: EU-PNR: UK parliament committee still has proposal under scrutiny -- Government has not even sent the latest draft Directive to parliament, how many other national parliaments has this happened to? Report and Letter

27.4.04: EU-PNR: JHA Council to agree the surveillance of all airline passengers: Report and documents

- "This is a classic case of sacrificing democratic standards in the name of the "war on terrorism" which is meant to be defending democracy"

- data can be kept indefinitely by law enforcement agencies and dubious legal basis: European Commission wanted the Council to delay decision so as not to deal "piecemeal with law enforcement issues"

update: 26.4.04: EU-PNR: JHA Council to agree the surveillance of all airline passengers? Report

Update 14.4.04: EU: The European Parliament's Committee on Citizens' Right and Freedoms has adopted a Second Report on the proposal for an EU-PNR (passenger name record) scheme which unanimously rejects the proposal (the first Report was agreed by 20 votes to 4 with 9 abstentions and referred by to the Committee by the plenary session). At their meeting on 5 April the Committee heard about the significant changes agreed by the Council on 30 March. Second Report (pdf) agreed by the Committee. The first report: Report on EU-PNR scheme (pdf).

The proposed Directive was put forward by the Spanish government last year and was radically altered by the Justice and Home Affairs Council on 30 March, see: Report and draft Directive  As the much-changed draft Directive is a member state initiative, by Spain, it has to be formally adopted by 1 May or it falls under the Amsterdam Treaty provisions.

1.4.04: EU-PNR scheme: The European Parliament referred back to the Committee on Citizens' Freedoms and Rights a report on the draft Directive on "the obligation of carriers to communicate passenger data" and calling for it to be withdrawn. The report: EP Report on EU-PNR scheme (pdf). The Directive was put forward by the Spanish government last year and was radically altered by the Justice and Home Affairs Council on 30 March, see: Report and draft Directive  As the much-changed draft Directive is a member state initiative, by Spain, it has to be formally adopted by 1 May or it falls under the Amsterdam Treaty provisions.

31.3.04: EU to adopt passenger name record scheme (PNR) - UK demands that data can be kept indefinitely and accessible by all law enforcement agencies agreed: Report and draft Directive

12.2.04: UK parliament committee criticises EU plan for collection of PNR data: Full-text of report

(28.1.04) EU PNR scheme: Irish Presidency seeking to push through plan for the surveillance of travel: Report and background

Updated 18.12.03: EU: Commission "compromises" and agrees on handing over passenger data to USA: Report and documents including the Commission's Communication on a global EU approach:

"What is quite unforgivable is that the European Commission thinks that the EU-USA deal - with a state which has no data protection laws and no intention of adopting them - is a better basis for a global standard than the EU's data protection laws which have served as a model for many countries around the world." (Tony Bunyan, Statewatch editor)

EU plan for wholesale security checking of every traveller: Report

UK takes lead on surveillance of passengers: "security and immigration risks" to be stopped from boarding: Report

(28.3.03) EU: Spain proposes data on all airline passengers to be sent to law enforcement agencies and for extra checks on all foreign nationals entering the EU: Special Report

Further evidence from Statewatch on proposed Directive on aircraft passenger data: October 2003

Evidence on proposed Directive on aircraft passenger data: Evidence to the Select Committee on the European Union, sub-committee "F": Proposed Directive on aircraft passenger data: September 2003

Documentation


1. Irish Presidency "compromise" dated 9 January 2004: 5183/04 (pdf)

2. Draft dated 17 December 2003: 16119/03 (pdf)

3. Statewatch analysis, December 2003, EU plan for wholesale security checking for every traveller

4, Commission's Communication on Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach (16.12.03, pdf)

5. Draft proposal dated 24 November 2003: 15165/03 (pdf)

6. Draft proposal 12 November 2003: 14652/03

7. Replies by governments to questionnaire on Spanish proposal: 13363/03, 15.10.03

8. Draft 27 October 2003: 11406/1/03

9. UK letter agreeing to wider scope: 10952/03

10. First draft proposal 25 March 2003: 7161/03 (pdf)

11. 1995 EC Directive on data protection

See also: Statewatch Observatory on PNR - USA


Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.