EU air passenger data retention system ready for take-off, says Parliament

Passengers flying into or out of the EU could have their personal data stored in law enforcement databases for up to five years

"European Parliament" in different languages on the European Parliament's Altiero Spinelli building in Brussels on June 17, 2015

"European Parliament" in different languages on the European Parliament's Altiero Spinelli building in Brussels on June 17, 2015

Air passengers entering or leaving the European Union could soon have their personal details stored and shared among EU countries, after lawmakers voted Wednesday to move forward with the proposal.

The creation of the passenger name record (PNR) system, recording such details as who flew where, when, and how they booked, is intended to help law enforcers fight terrorism and serious crime, but civil rights groups say it is disproportionate and undermines fundamental privacy rights.

The European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE) quickly dealt with almost 900 amendments filed on the proposal, including two calling for its outright rejection, before agreeing to enter negotiations on a final text with the European Commission and the Council of the EU, composed of representatives of national governments.

Under the committee's proposal, PNR data would be retained in national databases for an initial period of 30 days, after which all data used to identify a passenger would be "masked out" and then stored for up to four years in serious transnational crime cases and five years for terrorism ones. After that period, the data should be deleted unless authorities need it for specific criminal investigations or prosecutions.

The proposed rules would apply to air carriers and companies like travel agencies and tour operators that handle international flights to and from the EU. The rules would not apply to flights between EU member states.

The data could be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offences and certain types of serious transnational crime," Parliament representatives said in a news release. The offenses covered by the proposal include drug trafficking, sexual exploitation of children, money laundering and cybercrime.

EU countries would also be required to share data with each other and with Europol under conditions that still need to be determined. They would use Europol's Secure Information Exchange Network Application system to do so.

The committee proposed to let the data be handled by national "passenger information units" (PIUs). They would have to appoint a data protection officer to monitor data processing. Passengers would also have to be clearly and precisely informed about their rights. The committee also backed provisions that prohibit the use of sensitive data and the transfer of data to private parties.

The Commission first proposed a PNR system in 2007, mirroring an agreement already in place to send U.S. authorities details of passengers flying there from the EU. The Commission reiterated its proposal in 2011, and EU member states approved a version of the text in 2012. The following year, however, Parliament's LIBE committee rejected the proposal out of concern that it would violate fundamental privacy rights.

After terrorist attacks in Paris and Copenhagen earlier this year, the member states' calls for the databases became louder, and the Commission has been working on a compromise to convince the Parliament to go ahead with the plan, promising better privacy protection.

With Wednesday's vote in the LIBE committee, the Commission appears to have succeeded.

However, the victory may be short-lived: Opponents of the databases warn that they may be illegal.

European digital rights groups EDRi and Access Now warn that the EU risks making exactly the same mistake it made when it adopted the Data Retention Directive obliging telecommunications operators to retain data about customers' communications and location and provide it to law enforcers. The Court of Justice of the European Union (CJEU) invalidated the directive last year because it interfered with fundamental privacy rights.

"The Commission has still not produced evidence for the necessity and proportionality of an EU PNR scheme," said Member of the European Parliament Jan-Philipp Albrecht. This means that "terrorists will be able to enter the EU easily by train or car as we put all money into blanket PNR collection," Albrecht added.

EDRi and Access Now say it is not proven that creating a blanket surveillance measure like the PNR databases will work to prevent terrorism and serious crimes.

The EU has already signed bilateral PNR Agreements with the U.S., Canada and Australia, and on Wednesday the Commission started negotiations for an EU-Mexico PNR agreement. Some EU countries such as the U.K. already have a PNR system while others have either enacted legislation or are currently testing PNR data systems, according to the Parliament's website.

The Parliament hopes to end negotiations on the PNR system before the end of the year.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags securityJan-Philipp AlbrechtEDRigovernmentdata protectionEuropean ParliamentprivacyAccess Now

More about EUEuropean CommissionEuropean ParliamentEuropolIDGNewsTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place