EU plan for wholesale security checking of every passenger

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

In February 2003 the Spanish government put forward a proposal for an EU Directive requiring all airlines to collect and pass over passenger data for vetting. The purpose of the proposal was to combat "illegal immigration" and the first draft said data should be gathered on all "people" arriving in the EU. On 25 June the Permanent Representative of the UK government in Brussels wrote to the Council of the European Union formally stating that the UK intended to participate in the proposal as it then stood. On 9 July a number of other EU governments successfully argued that the term "people" should be replaced by "foreign nationals" thus excluding checks on EU citizens (Draft of 11.7.03). The UK government had no such concerns.

All EU Member States were asked for their views on the draft text and their responses are in a document dated 15 October 2003. The Netherlands government said that the proposal has "no added value" in "combatting illegal immigration" but "the proposal to include terrorism holds promise". The Portuguese want data to be held for six months but says it should not cover terrorism (and this could not be legal under Title IV TEC). Sweden was "not convinced that a routine-like collection of data of foreign nationals... can be considered not to be excessive" (under data protection law). Greece too saw no added value in the proposal as foreign nationals are checked anyway on arrival, that the further processing of data (checks against security and intelligence databases) would be contrary to its data protection law and said that: "it will not be possible to delete information" from the databases of the security agencies consulted.

The draft of 27 October (doc: 11406/1/03) was:

1) limited to air travel and combatting "illegal immigration";
2) limited to "foreign nationals";
3) provided for data to be passed over on boarding and checks to be made at "the airport of arrival" (not the airport of departure);
4) weak on "data processing" (no rights of data subject are set out) and said data "shall immediately" be deleted after "passengers have entered"

On 5 November the UK Home Office sent an Explanatory Memorandum (EM) to parliament. This starts by saying that the government supported the proposed Council Directive but had a number of reservations.

First, that data on passengers should to be handed over "at the time of boarding" not at the "time of check-in" (essential for the UK's proposed "board/not board" policy, see: UK takes lead on surveillance of passengers).

Second, and as fundamental, the UK government objects to the scope of the Directive being limited to immigration controls. The UK government comments that API (Advanced Passenger Information):

"should be used to support the work not only of the Immigration Service but also the other border agencies (Customs and police). The UK will suggest amendments that will allow data transmitted by the carrier to be used by Member States for other border control purposes and that there will not be a time limit for deletion of data" (emphasis added)

Thus the UK wants to use the passenger data handed over both for checking against all the immigration, customs, police and internal security agency databases for all purposes - immigration, crime and terrorism - and to keep data for future reference without a time limit. Third, the UK wants the Directive to apply to travel by air, sea and rail, not just to that by plane.

There are substantial changes to the proposed Directive in the 12 November draft. The new Article 1 is still apparently limited to tackling immigration. But: "the transmission of data on third country nationals" has been changed to:

"the transmission of advance passenger data" (emphasis added).

The draft has therefore reverted to covering all passengers rather than third country nationals and the word "advance" has been inserted - appearing to meet the UK demand - instead of data being handed over at "the end of boarding checks" it now reads: "in advance of departure").

The Netherlands government still has "doubts on how this directive could contribute to combating illegal immigration" (it wants to extend its scope to include terrorism and the exchange of biometric data). The Finland and Sweden entered a reservation against the extension of the measure to all forms of travel. Belgium and France said extending the scope to all forms of travel "represented a substantive change of the directive [and].. queried the proportionality of this change".

Seven EU Member States (including the UK) and the European Commission have "serious concerns" about the Spanish proposal that carriers should be responsible for informing the "competent authorities" if a third country national has "not returned to their country of origin" or continued their journey as set out on their travel tickets.

Article 4 says that carriers who do not hand over the passenger data or give incomplete or false data should be subject to fines of between 3,000 - 5,000 euros for each flight. The UK wants to go further and apply the fine in regard to: "each passenger".

Article 6.3 says that after the passengers have entered their country of destination the agencies carrying out the checks "shall immediately delete the data transmitted by the carrier" - but the UK and Ireland:

"preferred all provisions referring to deleting information to be removed".

Article 6.4 says that the carriers must delete the data given to the agencies within 24 hours of arrival - again the UK and Ireland again "preferred all provisions referring to deleting information to be removed."

A new Article 6.5 is a bit of a mess and is likely to be amended. Referring to the 1995 EC Directive on Data Protection it says that carriers (private companies) would not only inform passengers that their personal data had been handed over but also inform them on "their right of access" to the data storied by the carrier and "border control authorities' databases" and their right to request changes to "incorrect stored personal data". There is no way passengers will get access to the data held by law enforcement and internal security agencies, let alone correct them - and it might be asked if the agencies and carriers have deleted the data after the passengers arrive there should be no data anyway.


Much public attention has been given to the demand by the USA for passenger data on those leaving the EU to be handed over to them for security vetting. The European Parliament is overwhelmingly opposed to it and the European Commission is trying to negotiate a compromise. The issue is said to be that the USA has no data protection laws - which is does not - and that data collected for the purpose of booking a ticket should not be used for other purposes (ie: for immigration crime and anti-terrorist controls). Nor should data be passed on to other agencies who could added data or speculation which could not be checked or corrected.

There are however questions about how the USA will use the data - will people be refused boarding or be questioned or arrival or placed under surveillance as they move around. How long will the data be kept for, who will have access to it and how can it be corrected if the "suspect" never knows what is being said about them? See: EU: Form of deal on handing over passenger data to USA in doubt)

Many of the same criticisms and more can be levelled at the draft EU-wide plans.

How can data gathered under a Directive based on Title IV of the Treaty establishing the European Community (TEC) on visas, asylum and immigration be used for other purposes such as crime control and suspected terrorist checks? This would require a Directive under Title VI of the Treaty on the European Union (TEU).

How will EU citizens, resident third country nationals and visitors be able to check the information held on them and how long will it be held for?

Tony Bunyan, Statewatch editor, comments:

"The EU is moving towards the wholesale surveillance of all movement - by sea, land and air - where details of every traveller are checked out against immigration, police and internal security agency databases.

From there it is a short step to refusing entry or the right to board a plane or ship because a person is thought to be a immigration or security "threat" and it is another short step to extend this to stopping protestors, football fans, suspected "troublemakers" or critics too"


1. Replies by governments to questionnaire on Spanish proposal: 13363/03, 15.10.03
2. UK letter agreeing to wider scope: 10952/03
3. Draft 27 October 2003: 11406/1/03
4. Draft 12 November 2003: 14652/03
See also: Statewatch Observatory on passenger data

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error