Zombies sketch. Wikicommons/Shannon Hayward. Some rights reserved.

I trust every reader is familiar with the image of a zombie: a malformed, reanimated corpse with terrifying features, chasing down unsuspecting people to drag them into its miserable semi-existence. After a few good scares, the story usually ends with someone brave enough to figure out its weakness and destroy it.
This article focuses on an entirely different – but equally frightening – kind of zombie, namely the forthcoming Directive regulating the use of PNR data for law enforcement purposes; that is, a system whereby airlines flying into the EU (and perhaps those flying on intra-EU flights) provide to state authorities a wide range of personal data on all their passengers for security purposes.
I will first outline the historical background behind the instrument; then explain its key provisions, and examine the main fundamental rights challenges, in particular those related to privacy and free movement. As for the reason why a piece of EU legislation is paralleling a fictional creature, I guess you will have to keep on reading to find out.
The EU PNR Directive in an era of globalized terror
PNR data constitute records of each passenger’s travel arrangements and contain the information necessary for air carriers to manage flight reservations and check-in systems. Under this umbrella definition, a wide array of data may be included; from information on name, passport, means of payment, travel arrangements and contact details to dietary requirements and requests of special assistance.
In the aftermath of 9/11 and under the direct influence of how the terrorist attacks took place, the Americans established irreversible links between the movement of passengers, border security and the effective fight against international terrorism. Strong emphasis was placed on prevention through pre-screening of passengers, crosschecking against national databases and identification of suspicious behaviours through dubious profiling techniques.
What the EU is missing from its collection of PNR legislation is the development of a system to process its own air travel data (it is worth noting that at national level only a handful of Member States, including the UK, operate a PNR system). The first proposal for a Framework Decision dates back to 2007. However, no agreement was reached until the entry into force of the Lisbon Treaty. A new proposal was released in 2011, essentially mimicking the EU-US PNR model, at least as regards the types of data to be processed and the focus on assessing the risks attached to passengers as a means of preventing terrorist attacks or other serious crimes.
In comparison to the proposed Framework Decision it constituted an improvement (for instance, it provided for a reduced retention period and prohibited the processing of sensitive data). However, it was met with great scepticism by a number of EU actors, including the European Data Protection Supervisor, the Fundamental Rights Agency and the Article 29 Working Party, which argued that it failed to respect the principles of necessity and proportionality.
Eventually, it was rejected by the European Parliament in April 2013 on fundamental rights grounds. Nevertheless, the voting was postponed and the proposal was transferred back to the LIBE Committee.
The EU PNR project was presumed dead until the Charlie Hebdo events in January 2015. In the wake of these attacks, the fight against terrorism, particularly in the context of the threat posed by foreign fighters, became a top priority, and the proposal was pulled out of the EU drawer. On 17 February, the European Parliament’s LIBE Committee released its second draft report, essentially re-opening the dossier, and committed itself to reaching an agreement by the end of 2015. It was official; the proposal was brought back from the dead.
From that point on, negotiations moved speedily; between September and December 2015, five trialogue meetings took place. In the extraordinary JHA Council meeting of 20 November, immediately after the Paris terrorist attacks, the Council reiterated ‘the urgency and priority to finalise an ambitious EU PNR before the end of 2015’. Indeed, on 4 December 2015 a compromise text was agreed. A few days later, the Council confirmed the agreement and the Parliament is expected to vote in plenary session within the coming weeks. The deal is done. The zombie is released. But how dangerous is it?
Anatomy of a zombie
The EU PNR Directive will place a duty on airline carriers operating international flights between the EU and third countries to forward PNR data of all passengers to the Passenger Information Unit (PIU) established at domestic level for this purpose. Member States are given the discretion to extend the regime set out in the Directive to intra-EU flights, or even to a selection of them (for a discussion see Council Documents 8016/11 and 9103/11, partly accessible).
Perhaps unsurprisingly, all participating States have declared their intention to make use of their discretion. This includes Ireland and the UK, which have expressed their wish to participate in the instrument.
Once transmitted, the data will be stored and analysed by the Unit. The purpose will be to ‘identify persons who were previously unsuspected of involvement in terrorism or serious crime’ and who require further examination by competent authorities in relation to the offences listed in Annex II of the Directive.
Contrary to the Commission’s assertions that PNR data will be used in different ways – re-actively, pro-actively and in real time – the focus on prevention is central. The analysis entails a risk assessment of all passengers prior to their travel on the basis of predetermined criteria to be decided by the respective PIU and possibly involving crosschecking with existing blacklists. Furthermore, the PIUs will respond to requests by national authorities to access the data on a case-by-case basis and subject to sufficient indication.
Nevertheless, processing should not take place on the basis of sensitive data revealing race, ethnic origin, religion or belief, political or any other opinion, trade union membership, health, or sexual life.
The initial retention period is six months, after which PNR data will be depersonalised, meaning that the PIU is entrusted with the task of masking out the names, address and contact information, payment information, frequent flyer information, general remarks and all API data.
The data may still be used for criminal law purposes under ‘very strict and limited conditions’ (that is, if permitted by a judicial authority or another national authority competent to review whether the conditions have been met, and subject to information and ex-post review by the Data Protection Officer of the PIU). Finally, at the behest of the European Parliament, a Data Protection Officer will be appointed in each PIU in order to monitor the processing of PNR data.
And the diagnosis is…mass surveillance
i) Surveillance and privacy
We should not hide behind our fingers; the zombie we are dealing with is aggressive and the challenges for privacy and data protection are acute (Article 8 ECHR and Articles 7 and 8 of the EU Charter of Fundamental Rights). Both the ECtHR and the CJEU have categorically rejected the very idea of mass surveillance without any limitations and, in a series of landmark judgments, have developed a set of criteria for what constitutes a proportionate interference with privacy. Judgments such as S and Marper v UK or, more recently, Digital Rights Ireland are key in this context.
In essence, the EU PNR Directive allows the systematic, blanket and indiscriminate transfer, storage and further processing of a wide range of personal data of all passengers travelling in the EU. The involvement of the private sector in the fight against terrorism and serious criminality deepens, particularly if one takes into account that the duties on air carriers are extended to non-carrier economic operators (e.g. travel agencies).
In addition, the inclusion of intra-EU flights within the scope of the Directive significantly expands the reach of surveillance. Indeed, back in 2011, it was noted that intra-EU flights represent the majority of EU flights (42%), followed by international flights (36%), and only 22% of the flights operate within a single Member State (Council Document 8016/11). In this framework, the movement of the vast majority of travellers, including EU citizens, is placed under constant monitoring, irrespective of the fact that they are a priori innocent and unsuspected of any criminal offence. In fact, the operation of the PNR scheme signifies the reversal of the presumption of innocence, whereby everyone is deemed a potential security risk, thus necessitating their examination in order to confirm or rebut this presumption. Besides, there is no differentiation between risky flights and non-risky ones.
Furthermore, the risk assessment will take place in an unlimited and highly obscure manner; while it is explained that sensitive data must not be processed, the Directive fails to prescribe comprehensively and in detail how the data will be analysed. The underlying rationale is the profiling of all passengers and the identifying of behavioural patterns in a probabilistic logic, but nowhere in the Directive is it indicated that this is indeed the case.
Moreover, it is stated that ‘relevant databases’ may be consulted; however, it is not clear which these are. For instance, a possible examination on a routine basis of the databases storing asylum seekers’ fingerprints or visa applicants’ data (Eurodac and VIS respectively) will frustrate their legal framework, resulting in a domino effect of multiple function creeps.
Apart from the proportionality issues, the ambiguous modus operandi of PIUs may even call into question the extent to which the interference with privacy is ‘in accordance with law’ (Art. 8(2) ECHR) or in EU terms ‘provided for by law’ (Art. 52(1) EU Charter). According to settled case law of the ECtHR, every piece of legislation should meet the requirements of accessibility and foreseeability as to its effects (Rotaru v Romania).
The lack of clear rules as to how the processing of data will take place may suggest that travellers cannot foresee the full extent of the legislation. In addition, with reference to the conditions of access by national competent authorities, the requirement that the request must be based on ‘sufficient indication’ seems to fall short of the criteria established in Digital Rights Ireland; the threshold is particularly low and may lead to generalised consultation by law enforcement authorities, while it is uncertain who will check that there is indeed sufficient indication.
As for the offences covered by the scope of the Directive, although Annex II sets out a list in this regard, PNR data could still be used for other offences, including minor ones, when these are detected in the course of enforcement action further to the initial processing.
Moving to the retention period of PNR data, you are invited to count with me the different approaches as identified in various EU documents:
a) The 2007 Framework Decision envisaged an extensive retention period of five years plus, after which the data would be depersonalised and kept for another eight years;
b) The proposal of 2011 prescribed a significantly reduced initial retention period of 30 days after which data would be anonymised and kept for a further period of five years (supported by the Parliament);
c) In its General Approach, the Council called for an extension of the initial retention period to two years, followed by another three years of storage of depersonalised data (Council Document 14740/15);
d) According to the latter document, which depicts the state of negotiations right before the adoption of the compromise text, at that point the options for the retention period were either six months (which eventually prevailed) or one year;
e) A more privacy-friendly approach can be found in an Opinion of the Council Legal Service dating from 2011, according to which data of passengers on risky flights would be initially retained for 30 days and then be held for an overall period of six months (Council Document 8850/11 – in German);
f) Equally, some Member States supported a retention period of less than 30 days (Council Document 11392/11).
These wide-ranging options – one could add here the retention periods of the PNR Agreements or those prescribed in centralised databases – seem to suggest that the chosen retention period may be as random as the number on which a ball lands in a roulette game, and dependent on the negotiating power of the parties at the negotiating table or the nature of the mechanism.
What appears to be proportionate for one institution may be disproportionate for another institution and vice versa. In the present case, it is welcome that there are two sets of deadlines and, more importantly, that re-personalisation may take place only under limited circumstances. However, there is no indication why the chosen retention periods are proportionate. Furthermore, an approach suggesting a differentiation between risky and non-risky flights with different retention periods seems more balanced.
One final comment regarding the timing of the agreement; as mentioned above, the proposal was vigorously negotiated in the last quarter of 2015, at the same time when the package on Data Protection reform (including a Data Protection Directive specifically designed to safeguard privacy in the context of law enforcement) was also under discussion. It is regrettable that although the institutions were invited to halt the negotiations until the package was adopted (even the Parliament supported this idea), the institutions chose to proceed nonetheless.
In the end, all the instruments were finalised at the end of 2015. However, given the aforementioned problematic features of the EU PNR Directive, it is uncertain whether it was indeed reconciled with the new data protection legislative landscape.
ii) Surveillance and citizenship
On top of the privacy challenges as highlighted above, another point of concern is whether the processing of PNR data, including on intra-EU flights, could infringe free movement enjoyed by EU citizens. Free movement is one of the four freedoms underpinning the ‘area without internal frontiers’ formed by the internal market and a fundamental right enshrined in Article 45(1) of the EU Charter.
The Commission Legal Service found that the EU PNR does not obstruct free movement (see Council Document 8230/11 which is partially available to the public, but the outcome of the opinion is attested in Council Document 8016/11). Nonetheless the Parliament managed to include a reference that any assessments on the basis of PNR data shall not jeopardise the right of entry to the territory of the Member States concerned (in Article 4).
The extent to which this reference is sufficient is doubtful. According to Article 21 of the Schengen Borders Code, police controls performed in the territory of a Member State are allowed insofar as they do not have the equivalent effect of border control. Such an effect is precluded when, inter alia, the checks are carried out on the basis of spot-checks. In Melki, the CJEU found that ‘controls on board an international train or on a toll motorway’, limiting their application to the border region ‘might (…) constitute evidence of the existence of such an equivalent effect’ (para 72).
By analogy, the focus on controls at the border area in the systematic manner that the Directive sets out could have the equivalent effect of a border check. The lack of any differentiation between risky and non-risky flights (an approach that was also favoured by the Council Legal Service, Council Document 8850/11) and the fact that Member States are left entirely free to determine the extent to which they monitor the flights to and from other Member States could enhance the risk.
Besides, given the focus on pre-emption, it is hard to imagine that when a law enforcement authority would consider that a person needs further monitoring, they would still allow them to travel.
The EU PNR Directive is yet another example of how the counter-terrorism rhetoric has set aside fundamental rights concerns in the name of ensuring security. The storyline is an old one; after a terrorist attack occurs, numerous ideas – either incorporated in legislative proposals that have stalled or are too ambitious and controversial to be presented in the first place – feature in the EU agenda. The EU PNR was buried due to privacy concerns and was brought back to life when the circumstances matured.
Soon national law enforcement authorities will put their hand into the passengers’ data jar and will deploy their surveillance techniques on an unprecedented and unpredictable scale. This zombie is out and is dangerous. However, it equally has a number of weaknesses and the present article attempts to highlight at least some of them. It remains to be seen who in this story will be the brave one to bring it down.
This article is published in association with the Criminal Justice Centre at the Department of Law, Queen Mary University of London. The CJC’s members are drawn from both the legal profession and academia, researching the impact of securitisation on human rights. The Centre is one of the coordinating institutions of the European Criminal Academic Network.