Statewatch News Online: EU: API, PNR, threat assessments, and data-mining: Member States push for access to travellers' personal data for customs authorities

EU
API, PNR, threat assessments, and data-mining: Member States push for access to travellers' personal data for customs authorities
22.02.2013

"Threat assessments"

A project initiated by the Cypriot delegation to the Council of the EU's Customs Cooperation Working Party (CCWP) is seeking to "obtain a wider knowledge and overview of the situation in the air transit sector and the resulting threats for the European Union" and "to achieve a better knowledge of the risks linked to transit passengers, and to better identify the transit routes and the modalities of travelling." It is expected that by October this year a draft of the final "threat assessment on air transit passengers" will be presented to the CCWP.

"Air transit" refers to goods and persons who are present in an airport solely for the purpose of transferring from one flight to another. The "threats" in question include illicit smuggling, with cocaine "considered to be the highest risk area, followed by tobacco products and synthetic drugs." [1]

Customs access to PNR and API

Part of the project, which aims to create a threat assessment that can be used by customs authorities throughout the EU, will see the group "further analyse the possibilities of obtaining access to the Passengers Name Records (PNR) [sic] and to the Advance Passenger Information." [2]

The document argues that a questionnaire issued last year, to which it received 25 responses, identifies a need for a study into access for customs authorities to PNR and API data. [3]

But notes from a meeting of the Customs Cooperation Working Party appear to indicate otherwise. "The majority of the Member States" - of the 24 that responded to the questionnaire, along with Croatia, making 25 - "indicated that the current legal instruments for the control of air transit passengers are sufficient."

"However, several MS indicated the need for a legal basis that will enable customs authorities to have access to the Passenger Name Record (PNR)," say the minutes from the meeting. [4]

The authorities in Cyprus appear to have a particular interest in airports and air travel - last October, during the Cypriot Presidency of the EU, the country hosted a conference on 'Aviation Security Against Terrorist Threats'.

Summing up the conference's proceedings, EU Counter-Terrorism Coordinator Gilles de Kerchove said that it is "not possible to determine" whether the implementation of new measures on aviation security "have improved security as such," but "it is clear that the process was effective in bringing together the key aviation and security actors at national and EU level, enabling the joint elaboration of intelligence-based security measures."

"What could the next step be?" asked de Kerchove. "Perhaps the EU should focus on the passenger - analysing all the security risks which relate to passengers so as to elaborate security measures which maximise aviation security while optimising control measures." (emphasis in original) [5]

API and PNR - what is it, who wants it, and why?

Law enforcement authorities have taken increasing interest in both PNR and API data over the past decade, arguing that it can be used in particular to detect evidence of terrorism and serious crime.

PNR data is generated during the booking or buying of an air or other travel ticket and can contain significant amounts of personal data, including full name, addresses, phone numbers and email addresses, travel itinerary, and more. [5] All EU Member States transfer PNR data to Australian, Canadian and US authorities following a series of legal agreements that have attracted significant criticism from MEPs and privacy advocates.

The data contained in API files is less controversial than PNR, and is generated when passengers check in for a flight. It consists of the traveller's full name, gender, date of birth, nationality, country of residence, type of travel document, and the travel document's number. Legislation from 2004, enacted for counter-terrorism purposes and "in order to combat illegal immigration effectively and to improve border control," mandates the transfer of API from passengers entering EU territory to Member State law enforcement authorities. [6]

Extending surveillance

Currently under discussion is a proposal for an EU PNR system, which would see Member States gathering and processing personal data on everyone entering the EU by plane, and possibly in the future by boat or land (railways and vehicles). Some Member States have called for the legislation to cover travel within the EU, as well as that entering the EU.

Statewatch revealed last month that the Commission has made €50 million available to fund the development of PNR databases in the Member States, despite the European Parliament not yet voting on whether to agree to the legislation or not. [7]

Many argue that there is no objective proof that the data obtained from PNR and API records is useful for addressing terrorism or crime. The Article 29 Working Party, made up of national data protection authorities, argued in response to a proposal on sharing PNR data with third countries that the European Commission "still has not presented objective proof or statistics that PNR data are valuable when combating terrorism or transnational crime." [8]

Green MEP Jan Philipp Albrecht has warned of the "the potential of using the data for the profiling of individuals," arguing that PNR agreements are part of "the ever-creeping drive for more pervasive retention and analysis of private data and big brother-style surveillance." [9]

Edward Hasbrouck, an American who campaigns on issues related to identity documents and free movement, argues that because of the way in which PNR data transfer from the EU to the US operates, the information is freely available to state authorities and marketing companies with a complete lack of oversight: "nobody knows who has accessed your PNR, or from what countries." His presentation, 'PNR in Practice', shows the web of private and public computer systems and databases through which travellers' personal data flows and the numerous public and private organisations to which it is available. [10]

The Commission's own proposal for an EU PNR scheme - which, if agreed by the European Parliament, would allow for its use in relation to terrorist offences and serious crimes - did not provide any statistics on the usefulness of the data. It argued that: "more systematic collection, use and retention of PNR data with respect to international flights, subject to strict data protection guarantees, would strengthen the prevention, detection, investigation and prosecution of terrorist offences and serious crime." [11]

Mystery minority

An analysis of the responses to the Cypriot delegation's questionnaire is contained within the paper outlining the proposed project mandate, but has been removed from the publicly-available version. Statewatch is awaiting the outcome of a request for access to Member States' responses to the questionnaire.

While it is currently unknown which Member States believe access to PNR and API data for customs authorities is necessary, Austria, Belgium, Bulgaria, Finland, Hungary and Portugal had "indicated interest in participating to [sic] the project group" by the original deadline of 4 January. [12]

The Cypriot delegation to the CCWP has also sought the involvement of the European Commission and Europol and at the end of January, during a meeting at which the mandate for the "threat assessment on air transit passengers" project was approved, said that "participation by other Member States would also be welcome." [13]

The Irish Presidency takes an interest

The project group is due to meet for the first time in either March or April this year, and its work is likely to be boosted by a recent study launched by the Irish Presidency which seeks to find "a clear perspective of the Union-wide position" on the issue of the use of API and PNR data by customs authorities "to meet the challenge posed by transnational crime." [14]

"Furthermore, the Presidency believes that the outcome of this survey could be of interest to the project group led by Cyprus regarding air transit passengers and thus add value to the ongoing and evolving work in this important area of activity," says the document announcing the study.

A questionnaire issued by the Presidency asks a number of questions to Member States, including whether customs authorities currently have access to API and PNR "for the risk assessment of travellers" and what they are able to do with it - for example, whether they are able to "transfer, use and store" the data and if not, whether there are national proposals in place to provide them with a legal basis to do so.

The questionnaire also asks for what purposes customs authorities are able to access API and PNR data - "risk assessment for customs law only"; "risk assessment for other criminal law also"; or "data-mining for general anti-crime purposes."

Data-mining is defined as:

"The automatic or semi-automatic analysis of large amounts of data to extract previously unknown interesting patterns such as groups of data records (cluster analysis), unusual records (anomaly detection) and dependencies (association rule mining)."

Going global

The Irish Presidency's study follows the adoption by a June 2012 meeting of the World Customs Organisation's Council of a recommendation "concerning the use of Advance Passenger Information (API) and Passenger Name Record (PNR) for efficient and effective customs control." [15]

The World Customs Organisation (WCO) is an "independent intergovernmental body whose mission is to enhance the effectiveness and efficiency of Customs administrations." It has 179 member states which are together responsible for managing 98% of world trade and, along with the International Civil Aviation Organisation (ICAO) and International Air Transport Association (IATA), has developed global standards for the format and use of API and PNR data by state authorities.

The WCO Council's recommendation states that "the proper balance between the needs of Customs enforcement and the facilitation of legitimate travel can best be achieved if Customs enforcement is intelligence-based."

Therefore, "the use of API and/or PNR for risk assessment would greatly assist Customs administrations in developing and exploiting the best possible intelligence for the control of travellers."

It is recommended that members of the WCO or of customs or economic unions should "utilise advance information, namely API and/or PNR, for the risk assessment of travellers."

However, the extent to which these standards represent a global consensus is unknown. An ICAO document from October last year on changes to the "message standard for the transfer of PNR data from aircraft operators to Contracting States" was "presented by Australia on behalf of Australia, Canada, United Kingdom, United States." [16]