EU air passenger surveillance system could be ready for take-off by year end

Only the Greens in the European Parliament still oppose the plan

Despite privacy concerns and doubts over its usefulness, a plan to track passengers entering or leaving the European Union in a series of national databases is likely to become reality by the end of the year.

The call to build national databases of so-called passenger name records (PNRs) has become louder since the recent terror attacks in Paris in which 17 people were killed. EU countries have argued that storing data about who has flown where, and when, would help law enforcement with the prevention, detection, investigation and prosecution of terrorist offenses and serious transnational crime.

The plan is for airlines to send data collected during reservation and check-in procedures, including travel itineraries, ticket information and contact details, to an authority of the relevant country. That authority would be responsible for analyzing the data and sharing its analysis with other competent authorities, including those in other countries.

While some countries, such as the U.K., already have a PNR database, others don't, and there is no system in place to share that information. EU heads of state and government agreed during an informal meeting on terrorism on Thursday to go ahead with the plans for an EU wide system.

"We have agreed on new priorities in the fight against terrorism. What is needed most is agreement on the exchange of passenger records within the European Union. We need this soon," said Donald Tusk, president of the European Council, the institution that is composed of EU heads of state and governments, in a news release.

The heads of states urged EU legislators to urgently adopt a strong and effective European PNR directive with solid data protection safeguards.

Data protection is a key issue here. An earlier proposal to introduce a system to exchange passenger data between EU countries was rejected by the European Parliament, one of the EU legislative bodies, in 2013 out of concern that it would violate fundamental rights. But since the attacks, the European Commission has been working on a compromise to convince the Parliament to go ahead with the plan, promising better privacy protection.

This seems to be working. Ahead of the Council meeting the Parliament adopted a resolution on Wednesday in which it pledged to work "towards the finalization of an EU PNR directive by the end of the year." The Parliament wants to ensure though that data collection and sharing is based on a coherent data protection framework offering legally binding personal data protection standards across the EU.

Opponents of the flight database plan have questioned its legality since it has a similar law enforcement goal to an EU directive invalidated by the EU Court of Justice (CJEU). The court invalidated the Data Retention Directive, which required communications providers to retain information about the destination and duration of communications, because it interfered with fundamental privacy rights.

The usefulness of a PNR system has also been questioned by opponents, who argue that such a system would not have prevented the Paris attacks.

By pushing for an EU PNR directive,the Parliament is backing plans for more data centralization and more data storage without a cause, while ignoring the jurisprudence of the CJEU, said Alexander Sander managing director of German digital rights group Digitale Gesellschaft, in a Wednesday blog post.

In the Parliament, only the Green party still opposes an EU PNR system. Instead of investing an estimated €500 million in illegal surveillance of air passengers, it wants the money spent on field work and cooperation between police and security authorities.

However, being only a small party, the Greens are likely to lose this battle.

Meanwhile, the EU heads of state also agreed that law enforcement should step up information sharing and operational cooperation, while countries should also deepen cooperation of security services. Additionally, authorities should step up action to trace financial flows and to freeze assets used for financing terrorism. Detecting and removing Internet content promoting terrorism in cooperation with Internet companies is also a priority for the member states.

The next step for the proposals will be in April, when the Commission will present its security plans. The Council will report on the detailed implementation of the proposed measures in June.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags regulationeuropean unionsecuritylegislationgovernmentprivacy

More about EUEuropean CommissionEuropean ParliamentIDGNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts