25 January 2023
Last June the EU's Court of Justice massively restricted the scope of the Passenger Name Record (PNR) Directive, which allows the mass surveillance and profiling of air passengers. According to the ruling, member states should make substantial changes to their practices in order to uphold fundamental rights. Instead, they would like to find ways to maintain maximum data collection to continue the hunt for "persons of interest" - yet such practices are incompatible with the rule of law.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
A key problem for the member states is that gathering data on all intra-EU flights (introduced as legally optional, but immediately taken up by all member states once the Directive was approved) is no longer permissible.
Rather, data on all intra-EU flights can only be collected when there is a "terrorist threat which is shown to be genuine and present or foreseeable."
If there is no such threat, then the rules "cannot be extended to all EU flights, but must be limited to certain intra-EU flights relating, inter alia, to certain routes or travel patterns or to certain airports," with justification and regular review.
Member states want access to as much data as possible so they can try to detect "persons of interest" previously unknown to the authorities - or as the Greek authorities have bluntly put it, "identifying the unknown terrorists and criminals by rule-based targeting."
That comment came in response to a questionnaire circulated in the Council last year; the responses themselves were circulated amongst national delegations in October.
The Danish delegation's comments refer to:
"...cross-referencing criminal databases and the utilization of rules and watch-lists, which bring to focus the passengers most likely worthy of greater scrutiny."
The aim of somehow complying with the ruling whilst maintaining mass data-gathering abilities is raised a number of times. For example, Austria's response states:
"In a new/adapted EU Directive after the ECJ ruling, a binding possibility for the processing of INTRA EU flights should therefore be determined in a well-considered manner and in a solution that is coordinated with the EU Member States. From an operational point of view this could be best achieved through a legally binding act in the form of a PNR Regulation. It has to be stressed however, that all rules of data protection have to be upheld and that any new legal text will not serve as a vehicle of circumventing the ruling of the ECJ." [emphasis added]
And the Belgian authorities say:
"Belgium fully recognizes the importance of the collection of PNR for intra-EU flights. It calls upon Member States to explore all options or solutions to comply with the Court ruling on PNR without losing crucial travel information." [emphasis added]
Some member states do not look kindly upon the possible need to justify their practices - the Greek response states:
"The practice of MSs justifying a terrorist threat before a court, is not considered by HPiU [Hellenic Passenger Information Unit] to be ideal.
...HPiU does agree that the terrorist threat is not easily quantified and rarely limited to a specific time period."
It is currently unclear what decisions were made on how to proceed, but different proposals were put forward:
"Finland support Belgium's call for the establishment of an expert working group under a Council structure (IXIM [the Working Party on Information Exchange] or other) that would be tasked with the development of a risk assessment methodology and the execution of it, in order for the member states to work collaboratively on the motivation of the necessity to collect information for a large majority of intra-EU flights."
Multiple submissions also refer to the need for a new or revised legal instrument, possibly in the form of a Regulation rather than a Directive.
Any new proposal would come on top of the recent Advance Passenger Information proposals, which seeks to enhance the processing of Passenger Name Record data by hoovering up additional data gathered from air passengers.
In June this year the the Court of Justice ruled that the rules governing the EU's system for travel surveillance and passenger profiling, set out in the Passenger Name Record (PNR) Directive, must be "interpreted restrictively" to conform with fundamental rights standards. The ruling requires substantial changes to member state practices - but the Council, in time-honoured fashion, is looking at how to circumvent it, and to ensure the greatest possible freedom of manouevre for law enforcement authorities.
The Council is set to approve a decision that will allow the UK's continued derogation from safeguards for the automated surveillance and profiling of all air passengers arriving from the EU. The UK-EU Trade and Cooperation Agreement allows the UK to derogate from applying those safeguards while it tries to align its systems with the requirements of Court of Justice jurisprudence. This is the final derogation permitted; it will expire on 31 December 2023.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.