EU: European Commission proposes PNR scheme to place all travel in and out of the EU under surveillance

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

- All passengers to be "profiled" and the data kept for 13 years

- EU PNR plan mirrors controversial EU-US PNR scheme

- European Parliament only to be "consulted"

- Data protection fiasco

- "not convinced of the necessity of such a proposal and is therefore opposed to the proposal" (Article 29 Data Protection Working Party)

The European Commission is to put forward, on Tuesday 6 November, a proposal to collect personal data (PNR) on everyone flying in and out of the EU. Full-text of Commission's PNR proposal (pdf).

The data to be collected is almost exactly the same as that being collected under the controversial EU-US PNR scheme. Every passenger's data is to be subject to a "risk assessment" which could lead to questioning or refusal of entry. The data is to be kept for 5 years (EU-US scheme is 7 years) and then for a further 8 years in a "dormant" database (the same as the EU-USA scheme). See: Observatory on the exchange of data on passengers (PNR) with the USA (link)

It also begs the question of why the 2004 EC Directive on the collection of API (Advance Passenger Information), due to be put into effect by all member states by September 2006, is not sufficient and why it appears only one state, Spain, is operating it? [Footnote 1] The API data required is more limited than PNR - it is the data held in the machine readable zone of EU passports (name, nationality, passport number, date of birth plus details of the flight: place of entry into EU, plane code, departure and arrival time, number of passengers and point of embarkation).

As it has not been implemented no data is available as to why this is not sufficient for the purposes of combating terrorism and organised crime. [Footnote 2] See:
Observatory: EU surveillance of passengers (PNR) See also Difference between API and PNR (links)

One of the most controversial aspects will be the "profiling" (risk assessment) of all passengers, including visitors from the USA. The "profile" will be updated and held for 13 years. The "profiling" of all passengers raises fundamental questions of privacy, data protection and human rights.

It should be noted that this is a proposal for legislation by the Commission which the Council - in its secret working parties - can change at will (and ignore European Parliament's opinion under "consultation"). So will the scope be extended cover internal EU flights (ie: between EU countries) as well?

Tony Bunyan, Statewatch editor, comments:

"This is yet another measure that places everyone under surveillance and makes everyone a "suspect" without any meaningful right to know how the data is used, how it is further processed and by whom. Moreover, the "profiling" of all airline passengers has no place in a democracy.

We have already got the mandatory taking of fingerprints for passports and ID cards and the mandatory storage of telecommunications data of every communication, now we are to have the mandatory logging of all travel in and out of the EU.

The underlying rationale for each of the measures is the same - all are needed to tackle terrorism. Yet there is little evidence that the gathering of "mountain upon mountain" of data on the activities of every person in the EU makes a significant contribution. On the other hand, the use of this data for other purposes, now or in the future, will make the EU the most surveilled place in the world".

The Commission's rationale

The Commission proposal notes that only "UK, France and Denmark" have enacted legislation for the "capture and use of PNR" - that is, only three member states out of 27 - and because there are "divergences" of standards in these three states harmonisation is needed across the EU. Moreover, as only "a limited number of Member States have adopted legislation" (just three) the "potential benefits" of an EU-PNR scheme is "not fully realised".

The Commission further says that on the basis of the EU-USA PNR agreement it has been able to:

"assess the value of PNR data"

Have they? Even in the USA they have difficulty in providing data to justify the the collection of PNR data. In October 2006 the US Department of Homeland Security said that out of 63 million visitors they had detected:

"1,200 criminals and immigration violators"

Well, that a very small number, and "criminal", how many were suspected terrorists? And what are "immigration violators" and what has this category got to do with terrorism?

The Commission also says it has learnt from:

"the experience of the UK from its pilot projects"

This is a reference to the "Semaphore" project. The long-term objective in the UK is to profile every air passenger travelling inside the UK, to and from the EU and visiting from outside the EU - is the EU going down this road?

The Commission proposes that "decentralised system" is set up, that is, one operated at national level rather than creating an EU-wide centralised system. This lends itself to different standards of data protection, different criteria for assessing risk, different criteria for watch-lists etc.

The reason for the rejection of a centralised collection of data is interesting as this is turned down because there would be: "a high risk of failure because of the vast amounts of data" - which is interesting as the VIS (Visa Information System for those visiting the EU) database is designed to hold 100 million records.

This document COM 654 (2007) is the proposal as put to the full meeting of the Commissioners dated 22 October 2007. With a bit of cleaning up (references) and a new front page it is due to be put out on Tuesday 6 November.

The Commission's proposal for EU PNR

It is being proposed as a Framework Decision (Art 43.2.b of TEU) which means that the European Parliament is only "consulted" and means that the EP's Opinion can be ignored as they routinely are.

Article 1: Objectives

Making available PNR (passenger name record) data on passengers on "international flights" to "competent authorities" in the EU member states for tackling terrorist offences and organised crime. [Footnote 3]

Article 2: Definitions

Includes: the "pull" system, where data is taken from airline reservation systems (as US does now) and "push" one, where relevant data is sent to agencies by the airlines

Article 3: Passenger Information Units

Each member state is to designate a "competent authority" as a "Passenger Information Unit" (Art 3.1)

PIU's are to collect data related to its own state. The only "good" point is that "special categories" of data like sexlife, trade union membership, political views if obtained are to be deleted "immediately" (Art 3.2)

THE PUI is to analyse the PNR data and reach a "risk assessment" for each passenger" - effectively introducing the "profiling" of all passengers. The criteria of "risk assessment" is to be based on national laws (Art 3.3). So the basis of each "risk assessment" could be different as each member state has different "watch-lists" based on different criteria and different national laws.

We now know that the USA has 755,000 people on its terrorist watchlist. However, it also uses watchlists to apprehend anyone who has broken any US law. How many people are on EU member states' lists? Will names and details be checked against the Schengen Information System (SIS and SIS II) databases whose scope goes well beyond terrorism and organised crime?

Art 3.5: says that risk assessments should:

"identify persons who are or may be involved in a terrorist or organised crime offence, as well as their associates"

The phrase "may be involved" seems very vague as does "associates". Putting the two categories together means that a person who "may be" involved in terrorism (or organised crime) and an unlimited number of "associates" can be added to the file.

Article 4: Competent authorities

Art 4.1 says that each member state shall provide a "list" of:

"competent authorities which shall be entitled to receive PNR data from the Passenger Information Units and to process them"

These PIUs and "competent authorities" in each member state would handle not just nationally gathered data but also that passed to it from other member states.

Under Art 4.2 "competent authorities":

"shall only include law enforcement authorities responsible for the prevention or combating of terrorist offences and organised crime"

But will the data be passed to internal/external security and the military defence agencies? The notion that this measure gives power solely to "law enforcement agencies" is nonsense - they may compile watchlists on organised crime but the one for terrorist suspects will be done by the security and intelligence agencies.

Almost certainly (see data protection implications below).

A key issue raised in the consultation process (see below) was which data should be transferred by the PIUs to other national agencies. Should "non-suspects" be screened out and only those presenting a risk passed to other national agencies? Or should there be the bulk transfer of all the PNR data to say MI5/MI6/GCHQ in the UK?

The Article 29 Data Protection Working Party said:

"Bulk transfer of personal data, which would include unsuspected travellers to other authorities would be disproportionate, as data may only be provided to an authority if necessary for a given purpose. This would automatically entail case-by-case provision only"

The draft Framework Decision is silent on this issue - presumably leaving it uncontrolled and up to national laws (a study of which in the security and law enforcement context has never been produced).

It also leaves quite open the issue of the onward transfer of bulk data to non-EU states such as the USA.

Article 5 : Obligation on carriers

PNR data is to be given by carriers 24 hours before departure and again and after flight boarding closure. They may be "required" to make data available earlier if there is a specific threat.

Art 5.4: Carriers based in EU must use "push" method", those outside EU "push" or "pull"

Article 8: Period of data retention

The Commission's own consultation options observed that a period long than 3.5 years:

"would be seen as excessive and not respecting data protection concerns"

Personal PNR data on every traveller is to be held in an active database for 5 years then a further 8 years in a "dormant" database (the EU-US PNR scheme: data held for 7 years then a further 8 years in "dormant" database).

Data is to be deleted after 5+8, a total of 13 years, except where data is being used for an: "ongoing criminal investigation or intelligence operation"

Why does data on passengers who have been cleared as a "risk" need to be kept for so long? This will involve millions of quite innocent people being kept on record - with the possibility that, in time, the scope of the measure is extend from organised crime, to serious crime then crime in general?

Article 10: Data protection

Art 10.1 says that

"The Council Framework Decision on the protection of data for police and judicial cooperation applies to the processing of data under this measure."

But this measure has not been adopted and is highly controversial having been completely changed by the Council ignoring the Opinions of the European Parliament, the European Data Protection Supervisor, and the EU's Article 29 Data Protection Working (Data Protection Commissioners from all 27 states) Party.

This Data Protection Framework Decision offers little or no "protection" to the individual and allows the unhindered exchange of personal data with third states like the USA. See: Statewatch's Observatory on data protection in the EU (link)

Most crucially this Framework Decision only applies to the exchange of data between EU member states and not the collection and processing of data at national level (which the PNR proposal is based on).

No reference is made to the main 1995 EC Directive on data protection which cover the collection of PNR data by the airlines in the first place. Thus the data provided by the passenger to the airlines for the purpose of buying a ticket to travel is then to be used for an entirely different purpose - to vet people suspected of involvement in terrorism or organised crime.

To summarise:

- passenger data is collected by airlines under the national laws in place in every country on data protection under the "first pillar" (1995 EC Directive)

- this data is then access by Passenger Information Units in each state where data protection is said to come from the yet-to-be-adopted Framework Decision on data protection in police and judicial cooperation (under the "third pillar") which only regulates the exchange of data between member states - not the national laws of member states. In effect there will be no data protection law regulating the national collection and processing of data.

- internal security and intelligence agencies are expressly precluded from this proposed Framework Decision


Categories of data - EU copies US list

During the negotiations on the new EU-US PNR agreement the number of categories of data to be transferred was reduced from 34 to 19. However, the 19 items included all the data from the 34 items.

The EU is set to adopt almost exactly the same 19 sets of PNR data to be accessed - which have been criticised by the Article 29 Data Protection Working Party on more than one occasion. [Footnote 4]

Consultation process - EU Article 29 Data Protection Working Party "opposed"

In the run-up to this proposal the Commission put out a consultation document listing options. The EU's Article 29 Data Protection Working Party in response was not convinced of the necessity of the measure and concluded that it:

"have not seen any information presented by the Commission that would substantiate the pressing need to process PNR data for the purpose of preventing and fighting terrorism and related crimes or law enforcement"

It further concluded:

"Evaluation of the necessity and proportionality of the measures can only be based on the experiences with the US PNR framework. A lack of available information in this context makes it problematic to assess the necessity, effectiveness and proportionality. Anecdotal information on the processing of API and PNR data by US authorities however concerns mainly passengers incorrectly identified as a risk to air security." and

"For the reasons mentioned above, and until the Working Party is provided with clarification on these fundamental points, the Article 29 Working Party cannot conclude that the establishment of an EU PNR regime is necessary. Therefore, under these circumstances, the Working Party would be opposed to its development."

Their submission further states that:

"To the extent that measures to be developed, be they at EU level or at national level, entail a breach of Article 6 of Directive 95\46\EC and limitation to the right to private life, they should in any case respect the limits of Article 13 of Directive 95\46\EC and Article 8 of the European Convention on Human ~rights.

The Commission will have to substantiate the pressing need for the processing of PNR data' in particular in light of the following:

· The operational need and purpose of collecting PNR data at the entrance of the European Union Territory.

· The added value of collecting PNR data in light of the already existing control measures at the entrance of the EU for security purposes, such as the Schengen system, the Visa Information System, and the API system.

· The relationship with Directive 2004/82/EC. Does the Commission already have information on the implementation of this directive and its effects?

· The added value of the processing of PNR data over the processing of API data.

· The use that is foreseen for PNR data. For identifying individuals in order to ensure air security? For identifying who comes into the territory of the EU? For general negative or positive profiling of passengers? Is there an interest in specific PNR fields for specific purposes of investigating and fighting particular crimes? Would PNR data be the most adequate data for these purposes?"


1: Spain requires API data for flight inside the EU as well as those arriving from external destinations.

2: The 2004 Directive on the collection of API data on every travellers covers flight into the EU under border controls provisions. The new proposal covers flights in and out of the EU under police cooperation legislative powers.

3: The definition of "terrorism" is to be taken from Articles 1-4 of the Framework Decision 2002/475. The definition of "organised crime" from the, as yet not adopted, Framework Decision on the fight against organised crime - indeed, the discussions in the Council on this measure have stalled since a "general agreement" was reached in April 2006, over 18 months ago.

4: The exception being that under "General remarks" any "sensitive data" accessed is to be deleted.


- Commission proposal on the use of Passenger Name Record (PNR) for law enforcement purposes (pdf)

Observatory on the exchange of data on passengers (PNR) with the USA (link)

- Observatory: EU surveillance of passengers (PNR) (link)

- Difference between API and PNR (link)

- Commission: Transfer of Air Passenger Name Record (PNR) Data: A Global EU Approach (COM 826, December 2003, pdf)

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error