EU plan to collect, not share, air traveler data is 'absurd'

By 2018, anyone flying to or from the EU will have their details logged for five years

Air passengers entering or leaving the European Union will have their movements kept on file by police authorities from 2018 under draft legislation approved by the European Parliament.

Critics, however, say a lack of provisions to share the data severely limits the plan's usefulness.

Airlines running flights into or out of the EU must hand over the data to national Passenger Information Units (PIUs) that will hold the data for law enforcers. Member states may choose to gather data from travel agencies and to retain information about passengers on flights within the EU too.

However, there will be no centralized EU database of arriving and departing passengers, and no automatic sharing of data between the various national PIUs. With open land borders between countries in the Schengen Area, and no mandatory collection of information on intra-EU flights, it will be difficult for investigators to use the data to determine whether a person of interest is in the EU.

That calls the usefulness of the whole system into question, according to Joe McNamee, executive director of lobby group European Digital Rights (EDRi), who is no fan of the legislation.

"It is absurd that we are being told that these huge databases are hugely valuable to law enforcement, yet we are also told that member states rejected mandatory sharing of this allegedly valuable data."

Beyond those practical restrictions on the usefulness of the databases, there will also be some legal restrictions on what law enforcers can do with the collected data.

It may be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offenses and serious crime." Police forces won't get to choose what constitutes a serious crime in their book: There is a list. It includes trafficking in weapons, munitions and explosives, and human beings, participation in a criminal organization, and child pornography.

Curiously for an offense that needn't involve physically visiting a country, cybercrime is also considered serious enough to make the list.

The Passenger Name Record (PNR) Directive still requires the approval of the EU Council of Ministers, but this is expected to be a mere formality since the text voted by the Parliament on Thursday has already been agreed with the national governments the ministers represent.

Once approved by the Council, EU member states will have two years in which to transpose the directive into national law.

After that date, PIUs will retain the data for five years. After the first six months, though, parts of it will be "masked out" so that users of the database can't see passenger names, addresses or contact information. This is supposed to protect passengers' privacy. Accessing or searching on the hidden information will still be possible, but only upon application to the national data protection authorities charged with enforcing privacy rules.

Other privacy protections include a ban on processing information that reveals a person's trade union membership; health; sexual life or sexual orientation; race or ethnic origin; political opinions, religion or philosophical beliefs -- so vegans can at least rest assured that their choice of in-flight meal will remain private.

Law enforcers will have to keep an audit trail of how the passenger data is processed, and this will be used in a review of the law's effectiveness two years after it enters force.

Many Members of the European Parliament resisted the PNR directive, with tactics including delaying the final vote. The issue was controversial because parliamentarians had long opposed an agreement obliging airlines to provide U.S. authorities with PNR information for transatlantic flights.

European Parliament President Martin Schulz hailed the new deal as an important tool in the fight against terrorism and called on national governments to begin systematically sharing passenger data.

But EDRi's McNamee called the new legislation a disgrace. "It is shocking that, less than two years after the European Court overturned a Directive on needless storage of data of innocent citizens, the European Union seems hell bent on adopting another Directive which does almost exactly the same thing."
