Zombies sketch. Wikicommons/Shannon Hayward. Some rights reserved.
I trust every reader is familiar with the image of a zombie; a malformed,
reanimated corpse with terrifying features, chasing down unsuspected people to
drag them into its miserable semi-existence. After a few good scares, usually the
story ends with someone brave enough to figure out its weakness and destroy it.
This article focuses on an entirely different – but equally frightening – kind
of zombie, namely the forthcoming Directive regulating the use of Passenger
Name Record (PNR) data for law enforcement purposes: a system whereby
airlines flying into the EU (and perhaps those flying on intra-EU flights)
provide to state authorities a wide range of personal data on all their
passengers for security purposes.
I will
first outline the historical background behind the instrument; then explain its
key provisions, and examine the main fundamental rights challenges, in
particular those related to privacy and free movement. As for the reason why a
piece of EU legislation is paralleling a fictional creature, I guess you will
have to keep on reading to find out.
The EU PNR Directive in an era of globalized terror
PNR
data constitute records of each passenger’s travel arrangements and contain the
information necessary for air carriers to manage flight reservations and
check-in systems. Under this umbrella definition, a wide array of data may be
included; from information on name, passport, means of payment, travel
arrangements and contact details to dietary requirements and requests of
special assistance.
In the
aftermath of 9/11 and under the direct influence of how the terrorist attacks
took place, the Americans established irreversible links between the movement
of passengers, border security and the effective fight against international
terrorism. Strong emphasis was placed on prevention through pre-screening of
passengers, crosschecking against national databases and identification of suspicious
behaviours through dubious profiling techniques.
The EU
followed the example and by now has concluded three PNR Agreements, with Canada (currently awaiting litigation before the CJEU), Australia and the US (the most notorious).
What
the EU is missing from its collection of PNR legislation is the development of
a system to process its own air travel data (it is worth noting that at
national level only a handful of Member States, including the UK, operates a
PNR system). The first proposal for a Framework Decision dates back to 2007. However, no
agreement was reached until the entry into force of the Lisbon Treaty. A new proposal was released in 2011,
essentially mimicking the EU-US PNR model, at least as regards the types of
data to be processed and the focus on assessing the risks attached to
passengers as a means of preventing terrorist attacks or other serious crimes.
In comparison to the proposed Framework Decision it constituted an improvement
(for instance, it provided for a reduced retention period and prohibited the
processing of sensitive data); however, it was met with great skepticism by a
number of EU actors, including the European Data Protection Supervisor, the Fundamental Rights Agency and the Article 29 Working Party, which argued that it failed to
respect the principles of necessity and proportionality.
Eventually,
it was rejected by the European Parliament in
April 2013 on fundamental rights grounds. Nevertheless, the voting was
postponed and the proposal was transferred back to the LIBE Committee.
The EU
PNR project was presumed dead until the Charlie Hebdo events in January 2015. In
the wake of these attacks, the fight against terrorism, particularly in the
context of the threat posed by foreign fighters, became a top priority
resulting in pulling the proposal out of the EU drawer. On 17 February, the
European Parliament’s LIBE Committee released its second draft report essentially re-opening the
dossier and committed itself to reaching an agreement by the end of 2015. It
was official; the proposal was brought back from the dead.
From
that point on, negotiations moved speedily; between September and December 2015,
five trilogue meetings took place. In the extraordinary JHA Council meeting of
20 November, immediately after the Paris terrorist attacks, the Council reiterated ‘the urgency and priority to finalise an ambitious
EU PNR before the end of 2015’.
Indeed, on 4 December 2015 a compromise text was agreed. A few days later,
the Council confirmed the agreement and the Parliament is expected to vote in
plenary session within the coming weeks. The deal is done. The zombie is
released. But how dangerous is it?
Anatomy of a zombie
The EU
PNR Directive will place a duty on airline carriers operating international
flights between the EU and third countries to forward PNR data of all
passengers to the Passenger Information Unit (PIU) established at domestic
level for this purpose. Member States are given the discretion to extend the
regime set out in the Directive to intra-EU flights, even to a selection of
them (for a discussion see Council Documents 8016/11 and 9103/11, partly accessible).
Perhaps
unsurprisingly, all participating States have declared their intention to make
use of their discretion. This includes Ireland and the UK, which have expressed
their wish to participate in the instrument.
Once
transmitted, the data will be stored and analysed by the Unit. The purpose will
be to ‘identify persons who were previously unsuspected of involvement in
terrorism or serious crime’ and who require further examination by competent
authorities in relation to the offences listed in Annex II of the Directive.
Contrary
to the Commission’s assertions that PNR data will be used in different ways – re-actively,
pro-actively and real-time – the focus on prevention is central. The analysis
entails a risk assessment of all passengers prior to their travel on the basis
of predetermined criteria to be decided by the respective PIU and possibly
involving crosschecking with existing blacklists. Furthermore, the PIUs will
respond to requests by national authorities to access the data on a
case-by-case basis and subject to sufficient indication.
Nevertheless, processing should not take place on the basis of sensitive data
revealing race, ethnic origin, religion or belief, political or any other opinion,
trade union membership, health, or sexual life.
The
initial retention period is six months, after which, PNR data will be
depersonalised, meaning that the PIU is entrusted with the task of masking out
the names, address and contact information, payment information, frequent flyer
information, general remarks and all API data.
They
may still be used for criminal law purposes under ‘very strict and limited conditions’
(that is, if permitted to do so by a judicial authority or another national
authority competent to review whether the conditions have been met and subject
to information and ex-post review by the Data Protection Officer of the PIU). Finally,
at the behest of the European Parliament, a Data Protection Officer will be
appointed in each PIU in order to monitor the processing of PNR data.
And the diagnosis is…mass surveillance
i) Surveillance and privacy
We should not hide behind our fingers; the zombie we are dealing with is
aggressive and the challenges for privacy and data protection are acute
(Article 8 ECHR and Articles 7 and 8 of the EU Charter of Fundamental Rights). Both
the ECtHR and the CJEU have categorically rejected the very idea of mass
surveillance without any limitations and, in a series of landmark judgments, have
developed a set of criteria for what constitutes a proportionate interference
with privacy. Judgments such as S and Marper v UK or, more recently, Digital Rights Ireland
are key in this context.
In
essence, the EU PNR Directive allows the systematic, blanket and indiscriminate
transfer, storage and further processing of a wide range of personal data of
all passengers travelling in the EU. The involvement of the private sector in
the fight against terrorism and serious criminality deepens, particularly if
one takes into account that the duties on air carriers are extended to
non-carrier economic operators (e.g. travel agencies).
In
addition, the inclusion of intra-EU flights within the scope of the Directive significantly
expands the reach of surveillance. Indeed, back in 2011, it was noted that intra-EU
flights represent the majority of EU flights (42%) followed by international
flights (36%), and only 22% of flights operate within a single Member State (Council
Document 8016/11). In this framework, the
movement of the vast majority of travellers, including EU citizens, is placed
under constant monitoring, irrespective of the fact that they are a priori innocent
and unsuspected of any criminal offence. In fact, the operation of the PNR
scheme signifies the reversal of the presumption of innocence whereby everyone
is deemed as a potential security risk, thus necessitating their examination in
order to confirm or rebut this presumption. Besides, there is no
differentiation between risky flights and non-risky ones.
Furthermore,
the risk assessment will take place in an unlimited and highly obscure manner; while
it is explained that sensitive data must not be processed, the Directive fails
to prescribe comprehensively and in detail how the data will be analysed. The
underlying rationale is the profiling of all passengers and the identifying of
behavioural patterns in a probabilistic logic, but nowhere in the Directive is
it indicated that this is indeed the case.
Moreover, it is stated that ‘relevant databases’ may be consulted; however, it
is not clear which these are. For instance, a possible examination on a routine
basis of the databases storing asylum seekers’ fingerprints or visa applicants’ data
(Eurodac and VIS respectively) will frustrate their legal framework, resulting
in a domino effect of multiple function creeps.
Apart
from the proportionality issues, the ambiguous modus operandi of PIUs may even
call into question the extent to which the interference with privacy is ‘in
accordance with law’ (Art. 8(2) ECHR) or in EU terms ‘provided for by law’
(Art. 52(1) EU Charter). According to settled case law of the ECtHR, every piece
of legislation should meet the requirements of accessibility and foreseeability
as to its effects (Rotaru v Romania).
The
lack of clear rules as to how the processing of data will take place may
suggest that travellers cannot foresee the full extent of the legislation. In
addition, with reference to the conditions of access by national competent
authorities, the requirement that the request must be based on ‘sufficient
indication’ seems to fall short of the criteria established in Digital Rights Ireland; the threshold is
particularly low and may lead to generalised consultation by law enforcement
authorities, while it is uncertain who will check that there is indeed
sufficient indication.
As for
the offences covered by the scope of the Directive, although Annex II sets out
a list in this regard, PNR data could still be used for other offences,
including minor ones, when these are detected in the course of enforcement
action further to the initial processing.
Moving to the retention period of PNR data, you are invited to count with me the
different approaches identified in various EU documents:
a) The 2007 Framework Decision envisaged an extensive retention period of five
years plus, after which the data would be depersonalised and kept for another
eight years;
b) The proposal of 2011 prescribed a significantly reduced initial retention
period of 30 days, after which data would be anonymised and kept for a further
period of five years (supported by the Parliament);
c) In its General Approach, the Council called for an extension of the initial
retention period to two years, followed by another three years of storage of
depersonalised data (Council Document 14740/15);
d) According to the latter document, which depicts the state of negotiations right
before the adoption of the compromise text, at that point the options for the retention
period were either six months (which eventually prevailed) or one year;
e) A more privacy-friendly approach can be found in an Opinion of the Council
Legal Service dating from 2011, according to which data of passengers on risky
flights would be initially retained for 30 days and then be held for an overall
period of six months (Council Document 8850/11 – in German);
f) Equally, some Member States supported a retention period of less than 30 days (Council
Document 11392/11).
These
wide-ranging options – one could add here the retention periods of the PNR
Agreements or those prescribed in centralised databases – seem to suggest that
the chosen retention period may be as random as the number on which a ball lands
in a roulette game, and dependent on the negotiating power of the parties at the
negotiating table or the nature of the mechanism.
What
appears to be proportionate for one institution may be disproportionate for
another institution and vice versa. In the present case, it is welcomed that
there are two sets of deadlines and more importantly re-personalisation may
take place under limited circumstances. However, there is no indication why the
chosen retention periods are proportionate. Furthermore, an approach suggesting
a differentiation between risky and non-risky flights with different retention
periods seems more balanced.
One
final comment regarding the timing of the agreement; as mentioned above, the
proposal was vigorously negotiated in the last quarter of 2015, at the same
time when the package on Data Protection reform (including a Data Protection Directive specifically designed to
safeguard privacy in the context of law enforcement) was also under discussion.
It is regrettable that although the institutions were invited to halt the
negotiations until the package was adopted (even the Parliament supported this
idea), the institutions chose to proceed nonetheless.
In the
end, all the instruments were finalised at the end of 2015. However, given the
aforementioned problematic features of the EU PNR Directive, it is uncertain
whether it was indeed reconciled with the new data protection legislative
landscape.
ii) Surveillance and citizenship
On top
of the privacy challenges as highlighted above, another point of concern is
whether the processing of PNR data, including on intra-EU flights, could infringe
free movement enjoyed by EU citizens. Free movement is one of the four freedoms underpinning
the ‘area without internal frontiers’ formed by the internal market and a
fundamental right enshrined in Article 45(1) of the EU Charter.
The
Commission Legal Service found that the EU PNR does not obstruct free movement
(see Council Document 8230/11 which is partially available
to the public, but the outcome of the opinion is attested in Council Document 8016/11). Nonetheless the
Parliament managed to include a reference that any assessments on the basis of
PNR data shall not jeopardise the right of entry to the territory of the Member
States concerned (in Article 4).
The extent to which this reference is sufficient is doubtful. According to Article 21 of the
Schengen Borders Code, police controls performed in
the territory of a Member State are allowed insofar as they do not have the
equivalent effect of border control. Such an effect is precluded when, inter
alia, the checks are carried out on the basis of spot-checks. In Melki, the CJEU found that ‘controls on board an international train or
on a toll motorway’, limiting their application to the border region ‘might (…) constitute evidence of the existence of such an equivalent effect’
(para 72).
By analogy, the focus on controls at the border area in the systematic
manner that the Directive sets out could have the equivalent effect of a border
check. The lack of any differentiation between risky and non-risky flights (an
approach that was also favoured by the Council Legal Service, Council Document 8850/11) and the fact
that Member States are left entirely free to determine the extent to which they
monitor the flights to and from other Member States could enhance the risk.
Besides, given the focus on pre-emption, it is hard to imagine that when
a law enforcement authority considers that a person needs further
monitoring, it would still allow them to travel.
Conclusion
The EU
PNR Directive is yet another example of how the counter-terrorism rhetoric has set
aside fundamental rights concerns in the name of ensuring security. The
storyline is an old one; after a terrorist attack occurs, numerous ideas –
either incorporated in legislative proposals that have stalled or are too
ambitious and controversial to be presented in the first place – feature in the
EU agenda. The EU PNR was buried due to privacy concerns and was brought back
to life when the circumstances matured.
Soon
national law enforcement authorities will put their hand into the passengers’
data jar and will deploy their surveillance techniques on an unprecedented and
unpredictable scale. This zombie is out and is dangerous. However, it equally
has a number of weaknesses and the present article attempts to highlight at
least some of them. It remains to be seen who in this story will be the brave
one to bring it down.
This article is published in association with the Criminal Justice Centre at the Department of Law, Queen Mary University of London. The CJC’s members are drawn from both the legal profession and academia, researching the impact of securitisation on human rights. The Centre is one of the coordinating institutions of the European Criminal Academic Network.