As the deadline for amendments to the proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data (EU PNR) for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes was postponed until April the 1st, the European regulators meeting under the Article 29 Working Group, wrote a letter to the Civil Liberties Commission of the EP and his president Claude Moraes (S&D; Great Britain) to inform them about their queries.
The Article 29 Data Protection Working Party, set up under Article 29 of Directive 95/46/EC, is an independent European advisory body in data protection and privacy. In the letter sent by the president of the Working Party to the chairman of the parliamentary committee in charge of the EU PNR draft directive contains an introductory part, the Working Party congratulates the EP and the Commission for the significant steps forward made on the possible introduction of an EU Passenger Name Records system, and lists the outstanding issues to solve in order to ensure that the fundamental rights to respect for private life and to the protection of personal data are respected.
Demonstrating the necessity of the EU PNR scheme: As precise argumentations and evidence are still lacking in that respect, a concrete demonstration of the necessity and appropriateness of PNR data collection for the fight against terrorism and serious transnational crime is required. In this regards the recommendations of the Working Party are the following ones:
Demonstrate why the existing instruments at the disposal of Member States (Schengen Information System, or the collection of API data) are not enough to achieve the pursued objectives.
Justify why less intrusive alternatives seems to not work out, in a way of not achieve the purpose of preventing, detecting investigating and prosecuting terrorist offences and serious transnational crime.
Confirm why exactly the establishment of an EU PNR scheme is the right solution to pursue this goals, underlining its added value with respect to existing opposed and less intrusive alternatives. Moreover the effectiveness expectancy should also be provided
Avoid the intrusion into passengers rights given though, the rapporteur choose to extend the collection of PNR data to intra-EU flights.
Ensuring the proportionality of the processing: ‘After addressing the necessity of the system, the legislator remains to ensure its proportionality by limiting the number of passengers impacted, the uses made of the data and their retention period to what is strictly necessary. In this regards, the Working Party suggests following changes to the text’: As the scheme proposed in the report would cover 100% of the flights (and of the would-be passengers) departing from and in direction of the EU and intra-EU, the Working Party considers that the proposed data collection scheme should be restricted with reference to specific criteria: ‘(i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution or serious offences.’
Use of PNR data once collected should be limited to what is strictly necessary. In this regard, the Working Party welcomes that the report restricts the use to serious transnational crimes instead of serious crimes as originally foreseen. Moreover the Working Party invites the EU legislator to reduce the list of crimes for which the use of PNR data would effectively prove necessary for the police investigators and in any case, to justify, for each category of crime currently listed, that the use of PNR data is necessary for the prevention, detection, investigation and prosecution of these crimes.
Concerning the data retention period, the Working Party claims that the ‘determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly ‘necessary’. Inviting therefore the legislator to propose a shorter period of retention of the PNR data and recommending the addition of a recital specifying the criterion and justifying to which concrete need the chosen period corresponds.
Rectifying errors in the allocation of roles between governments, data controllers and data protection authorities The Working Party noticing major errors made in the new articles 10a and 12(1b) of Mr. Kirkhope’s report, referring to the respective roles of governments, data controllers and data protection authorities, invites the legislator to modify these provisions in order to set the responsibilities of governments and data controllers.
Welcomed improvements and possible fine-tuning The Article 29 Working Party welcomes the improvements made by the rapporteur to comply with key data protection requirements.
Especially concerning the new Article 4(3) where an attempt was made to complement the list of sensitive data on the basis of which a decision that produces an adverse legal effect on a person or seriously affects him/her should, in no circumstances, be taken.
Concerning, The obligation for each Member State and each national authority to appoint a data protection supervisor officer (‘DPO’) and the establishment of an independent EU-PNR data protection committee, the Working Group sees it as a positive thing but recommends to specify the data protection committee’s composition it’s exact role and clarify the aspect that the DPO will be appointed within the passenger information unit or, at the very least, within the competent authority.
Periodic review
Finally if an EU PNR system will be introduced, as it may represent a serious intrusion into fundamental rights, the Working Group calls for a critical evaluation of the system as soon as possible, at the latest, two years after its introduction and not five years as currently suggested by the rapporteur.
In the same perspective, the Working Party suggests introducing a sunset clause into the directive for a comprehensive evaluation of EU PNR in all member states. This sunset clause would be set at no later than five years, allowing sufficient time to evaluate the EU PNR regarding its necessity, proportionality and overall compliance with data protection requirements. Solely if, during the evaluation, irrefutable evidence of compliance were to be provided could the EU legislator take the decision to maintain the EU PNR system.
Patrick Zingerle
To know more:
EU PNR- Frequently asked questions: http://europa.eu/rapid/press-release_MEMO-11-60_en.htm