Documents considered by the Committee on 9 March 2011, including the following recommendation for debate: Use of Passenger Name Records for law enforcement purposes - European Scrutiny Committee


1 Use of Passenger Name Records for law enforcement purposes


(32492)

6007/11

COM(11) 32

+ ADD 1

+ ADD 2

Draft Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes

Commission staff working paper: Impact Assessment

Commission staff working paper: Summary of Impact Assessment

Legal base: Articles 82(1)(d) and 87(2)(a) TFEU; co-decision; QMV
Document originated: 2 February 2011
Deposited in Parliament: 4 February 2011
Department: Home Office
Basis of consideration: EM of 16 February 2011
Previous Committee Report: None; but see HC 428-xi (2010-11), chapter 21 (15 December 2010), HC 19-xiii (2008-09), chapter 4 (1 April 2009), HC 19-xxi (2008-09), chapter 3 (24 June 2009) and HC 19-xxix (2008-09), chapter 4 (28 October 2009)
To be discussed in Council: 24-25 February 2011
Committee's assessment: Legally and politically important
Committee's decision: Not cleared; further information requested; opt-in decision for debate in European Committee B

Background

1.1 Passenger Name Record (PNR) data is the term used to describe unverified information provided by passengers when making a flight reservation and checking-in and boarding a flight and which is held in the air carrier's reservation and departure control systems. It includes personal information about the passenger, such as name and contact details and the means of payment used, as well as travel dates and itinerary, when and where the flight was booked, the seat number and baggage information.

1.2 An increasing number of countries have come to regard PNR data as an additional tool to help prevent, detect, investigate and prosecute terrorist or other serious criminal offences and therefore require air transport carriers to transmit the PNR data they collect on their passengers to the competent law enforcement authorities. This has led the EU to conclude agreements with the United States, Canada and Australia in order to enable carriers operating flights from the EU to comply with this requirement. The Commission anticipates that more third countries will seek to conclude PNR agreements and so, last September, it suggested that the EU should develop a "global approach" on the transfer of PNR data to third countries, based on a set of common criteria designed to ensure the effective protection of personal data, rather than concluding agreements on a case-by-case basis.[1]

1.3 Within the European Union, the UK already has a PNR system (called "e-Borders") and some other Member States are developing their own, but there is no overarching EU framework establishing common rules for the collection of PNR data and its use by Member States. An attempt was made, in 2007, to agree an EU Framework Decision but the Commission's proposal was criticised by the European Parliament, European Data Protection Supervisor and the EU Fundamental Rights Agency for providing insufficient data protection safeguards and it lapsed with the entry into force of the Lisbon Treaty on 1 December 2009.

1.4 In the Stockholm Programme establishing the EU's priorities in the Area of Freedom, Security and Justice for the period 2010-14, the European Council calls on the Commission to put forward a proposal to establish an EU PNR system for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime while also ensuring a high level of data protection.

The draft Directive

JUSTIFICATION FOR AN EU PNR REGIME

1.5 The Commission says that terrorist and other serious criminal activity, such as trafficking in human beings and drugs, often involves international travel or has a transnational character. Existing EU mechanisms for the collection and exchange of personal data between law enforcement authorities, such as the Schengen Information System (SIS), Visa Information System (VIS) and the Directive on Advance Passenger Information (the API Directive), are mainly used to verify identity and to manage the EU's external border. So, for example, the API Directive allows biographical information taken from the machine-readable part of a passport (name, place of birth and nationality, passport number and expiry date) to be made available to border control authorities, primarily for immigration control purposes. SIS, VIS and API do not provide sufficient raw data to enable law enforcement authorities to make an assessment of passengers travelling to or from the EU or to detect as yet unknown criminals or terrorists. By contrast, PNR data are used primarily as a criminal intelligence tool:

  • to investigate and prosecute a crime after its commission (reactive use);
  • to check PNR data against pre-determined assessment criteria in order to identify a previously unknown suspect, or to check the data against databases of wanted individuals or objects (real-time use); and
  • to analyse the data as a means of establishing objective assessment criteria to help law enforcement authorities screen passengers who may present a security risk prior to their arrival or departure (pro-active use).

1.6 The Commission believes that the more systematic collection, use and retention of PNR data would strengthen the capacity of law enforcement authorities to tackle terrorism and serious crime. It says that the lack of harmonised EU rules creates a risk of fragmentation as an increasing number of Member States adopt their own national measures which diverge on such matters as the scope and purpose of the PNR system, the length of time for retaining PNR data, the modes of transport covered and standards of data protection and security. According to the Commission, these differences are likely to result in "security gaps, increased costs and legal uncertainty for air carriers and passengers alike."[2]

1.7 The Commission says that it has consulted a range of stakeholders, including national data protection authorities, the European Data Protection Supervisor and representatives of the airline industry and acknowledges that "several" remain to be convinced of the need to use PNR data. The Commission adds, however, that "all agreed that legislation at EU level is preferable to the development of diverging national PNR systems."[3] It says that the scope of the draft Directive is limited to those elements that require a harmonised EU approach, "including the definition of the ways in which PNR can be used by the Member States, the data elements that need to be collected, the purposes for which the information may be used, the communication of the data between the PNR units of the Member States, and the technical conditions for such communication."[4] The Commission adds that it has chosen a "decentralised system" which gives Member States a degree of flexibility in determining how to set up their PNR system.

CONTENT OF THE DRAFT DIRECTIVE

1.8 The main elements of the draft Directive are as follows:

  • each Member State would have to establish a Passenger Information Unit to collect, store and analyse PNR data provided by air carriers and to transmit the results of its analysis to the competent national authorities responsible for the prevention, detection, investigation or prosecution of terrorist and other serious criminal offences (Article 3);
  • the reference to "serious crime" means those offences listed in Article 2(2) of the Framework Decision establishing the European Arrest Warrant which are punishable by at least 3 years' imprisonment (but subject to a proportionality test to exclude the processing of PNR data relating to minor offences);[5]
  • the reference to "terrorist offences" means those offences referred to in Article 1 of the Framework Decision on combating terrorism (Article 2);[6]
  • Member States would be required to identify the competent national authorities entitled to request or receive PNR data (including the results of processing of that data) from their Passenger Information Units and to ensure that those authorities may not take any decision based solely on the automated processing of PNR data which has an adverse legal effect on, or significantly affects, an individual (Article 5);
  • Member States would be required to introduce measures ensuring that air carriers transfer PNR data already collected by them to the database of the national Passenger Information Unit in the Member State where the flight will land or depart (Article 6);
  • air carriers would be required to transfer PNR data by electronic means in two stages, the first between 24 and 48 hours before the scheduled flight departure time and the second immediately after all passengers have boarded and the flight has closed (Article 6);
  • where there is a "specific and actual threat related to terrorist offences or serious crime", a Passenger Information Unit may (in accordance with national law) require air carriers to transfer PNR data earlier (Article 6);
  • the obligation to transfer PNR data would only apply to "international flights" between an EU Member State and a third country, not to flights within the EU (Articles 1 and 2);
  • the Passenger Information Unit would only be able to process PNR data for the following purposes (Article 4):
    • to carry out an assessment of passengers prior to their arrival or departure by processing PNR data against pre-determined criteria, in order to identify whether any passenger may be involved in a terrorist offence or serious transnational crime—the assessment criteria would be established by the Passenger Information Unit, should be applied in a non-discriminatory manner, and should "in no circumstances be based on a person's race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life";
    • to carry out an assessment of passengers prior to their arrival or departure, in order to identify whether any passenger may be involved in a terrorist offence or serious crime, by checking the PNR data against relevant databases containing information on wanted individuals or objects;
    • in response to a duly reasoned request from a competent national authority to provide and/or process PNR data in specific cases relating to a terrorist offence or serious crime; and
    • to analyse PNR data in order to update or to create new assessment criteria to help identify individuals who may be involved in terrorist offences or serious transnational crime.
  • Member States would be required to ensure that, where an assessment carried out by the Passenger Information Unit produces a positive match, it would have to be individually reviewed by non-automated means in order to verify whether there is a need for the competent national law enforcement authority to take action against a particular individual (Article 4);
  • PNR data provided by air carriers to the appropriate Passenger Information Unit would be held for 30 days from the date of transfer; after 30 days, the PNR data would be retained for a further period of five years in an "anonymised" form (so that the identity of the individual to whom the data relates is masked) and only the Head of each Passenger Information Unit would be entitled to authorise access to the full PNR data; thereafter, PNR data held by the Passenger Information Unit would have to be deleted (Article 9);
  • Passenger Information Units may exchange PNR data and/or the results of processing of that data in the following circumstances (Article 7):
    • where a Passenger Information Unit in one Member State conducts an assessment of passengers prior to their arrival or departure which identifies an individual who may be involved in a terrorist or other serious criminal offence, it shall send the data to Passenger Information Units in all other Member States if it considers the transfer of data is necessary for the prevention, detection, investigation or prosecution of the offence;
    • where a Passenger Information Unit deems it necessary, in order to prevent, detect, investigate or prosecute a specific case involving terrorism or serious crime, it has a right to request PNR data from a Passenger Information Unit in another Member State; if the data requested have already been anonymised, a Passenger Information Unit in another Member State may only obtain access to specific PNR data in their full form in exceptional circumstances, where there is a specific threat or specific investigation or prosecution related to a terrorist or serious criminal offence;
    • exceptionally, a Passenger Information Unit in one Member State may request early access to PNR data collected by a Passenger Information Unit in another Member State where necessary to respond to a specific and actual threat concerning terrorism or serious crime;
  • where a competent national authority wishes to obtain access to PNR data held by a Passenger Information Unit in another Member State, it should channel its request through its own Passenger Information Unit, but it may request direct access if it can demonstrate that the PNR data requested relates to a specific investigation or prosecution of a terrorist or serious criminal offence and is necessary to prevent an immediate and serious threat to public security (Article 7);
  • PNR data may only be transferred to a third (non-EU) country where necessary to prevent, detect, investigate or prosecute terrorist or other serious criminal offences and the third country provides an adequate level of data protection (Article 8);
  • Member States would be required to ensure that the processing of PNR data complies with the Framework Decision on data protection[7] as regards the rights of the data subject and the confidentiality and security of data processing, and to make provision for their national data protection supervisory authorities to advise on, and monitor the application of, the Directive (Articles 11 and 12);
  • the Directive would expressly prohibit the processing of PNR data revealing an individual's race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life, as well as the transfer of PNR data to any private parties (Article 11);
  • all processing and transfer of, or requests for, PNR data should be logged in order to ensure appropriate checks as to the lawfulness of data processing (Article 11);
  • passengers on international flights should be informed of the collection and use made of PNR data and of their right to make a complaint (Article 11);
  • Member States, when implementing the Directive, would be required to make provision in national law for "dissuasive, effective and proportionate penalties" in the event that air carriers fail to transmit PNR data (Article 10);
  • the Commission would establish "common protocols and supported data formats" by means of a comitology procedure; these would be mandatory for all transfers of PNR data one year after their introduction (Article 13);
  • Member States would be required to ensure that PNR data of at least 30% of all flights are collected and transferred by air carriers no later than two years after the date on which the Directive enters into force; this should increase to 60% by the end of the next two-year period, and to 100% after six years (Article 16);
  • Member States would be required to provide the Commission with statistical information on the use of PNR data each year, including how many times it has resulted in the identification of individuals involved in terrorism or other serious crime and the number of law enforcement actions which have involved the use of PNR data per air carrier and destination (Article 18); and
  • the Commission should, within two years of the date on which the draft Directive enters into force, report to the Council and European Parliament on "the feasibility and necessity of including internal flights in the scope of the Directive," drawing on the experience gained by those Member States that already collect PNR data for internal (intra-EU) flights; and, within four years, report on the operation of the Directive as a whole, notably the data protection elements and the quality of the assessments based on PNR data (Article 17).

RESPECT FOR FUNDAMENTAL RIGHTS

1.9 The Commission says that the draft Directive has been subject to "in-depth scrutiny to ensure that its provisions are compatible with fundamental rights" and with the principle of proportionality. It highlights the following safeguards:[8]

  • the draft Directive complies with the 2008 Framework Decision on the protection of personal data processed for the purpose of police and judicial cooperation in criminal matters;
  • the scope of the draft Directive is "strictly limited and law enforcement authorities are allowed to use PNR data only for the purpose of combating an exhaustive list of specified serious crimes";
  • the creation and application of assessment criteria based on PNR data is limited to the identification of passengers who may be involved in terrorism or serious transnational crime;
  • the retention of PNR data is limited to five years, and the data must be anonymised after 30 days;
  • the collection and use of sensitive data revealing an individual's race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life is prohibited;
  • decisions which have adverse legal effects or otherwise significantly affect an individual must not be taken solely on the basis of automated processing of PNR data;
  • Member States have no direct access to air carriers' IT systems;
  • the circumstances in which PNR data may be transferred to third countries are limited and must be determined case-by-case;
  • Member States are required to ensure that independent national data protection supervisory bodies can advise on and monitor the processing of PNR data;
  • each Passenger Information Unit is responsible for logging and documenting the processing of PNR data to ensure that compliance with data protection rules can be verified; and
  • air passengers must be informed about the collection of PNR data and their rights.

LEGAL BASE

1.10 The draft Directive is based on Articles 82(1)(d) and 87(2)(a) of the Treaty on the Functioning of the European Union (TFEU) which provide for EU measures to facilitate cooperation between judicial or equivalent authorities in Member States in relation to criminal matters and between police and other law enforcement services, including by means of the collection, storage, processing, analysis and exchange of relevant information.

The Government's view

1.11 The Minister of State for Immigration (Damian Green) says that the use of PNR data is "a proven and vital tool for the prevention and detection of serious crime and terrorism" and that the Government strongly supports an EU-wide PNR system. He believes that EU action is justified because:

"If Member States were to act in this area unilaterally, then this could lead to differing requirements being imposed on carriers across the EU. It could also frustrate the success of such a system if there is no clear legal basis for passenger data to be transferred from a carrier in one Member State to the passenger information unit in another Member State."[9]

1.12 He notes, however, that the draft Directive does not cover air travel between EU Member States and says that the Government

"strongly believes that the ability to collect and process PNR data on intra-EU travel flights is vital to improving security and fighting crime within the EU and beyond.

"The volume of journeys between Member States is three times greater than between Member States and third countries. A PNR system that provides cover only for travel to and from third countries would seriously limit Member States' ability to tackle criminal activity.

"Not collecting PNR on intra-EU routes—while at the same time collecting PNR on extra-EU routes—serves simply to displace rather than address the risk. This cannot be the intended consequence of a PNR Directive."[10]

1.13 The Minister explains that UK law already makes provision for carriers to provide travel-related data for immigration, customs or police purposes. He says that, under the UK's e-Borders system, advance passenger information (API) data is automatically screened against watch-lists to enable early identification of individuals known to be of interest for immigration, customs or law enforcement purposes, for example those for whom a European Arrest Warrant has been issued. Because PNR data is more comprehensive than API data, it is "an essential supply of data for the security, intelligence and law enforcement agencies for investigations and operations, and is used for automated rules-based targeting to identify unknowns; those potentially involved in terrorist and other criminal activity."[11] The Minister continues:

"The greatest benefits of e-Borders are realised when API data is processed in conjunction with PNR data. For example, if a known terrorist suspect is identified (via the watch-listing of API data) as intending to travel, PNR data is checked to identify whether there are unknown associates also intending to travel. Using these two datasets in parallel enables e-Borders and other agencies to identify a greater proportion of those individuals that pose a risk to the UK and other nations worldwide. PNR data can be operationally valuable in deciding whether or how to intervene; for example, notes indicating that the reason for travel is due to a sudden death in the family. PNR data is also used retrospectively, for example to create travel histories and to identify useful additional data that supports investigations."[12]

1.14 The Minister notes that the draft Directive is subject to the UK's Title V opt-in and that the UK has until 2 May to decide whether or not to opt in. In reaching a decision, he says that the Government will need to consider the views of the UK's devolved administrations and Gibraltar, as well as the likelihood of the Directive being amended to meet the UK's policy objectives. These include:

  • extending the scope of the Directive to include:
    • intra-EU flights; and
    • the processing and use of PNR data for all terrorist or serious criminal offences, not limiting it in certain circumstances to those which have a transnational element;
  • extension of the retention period for PNR data so that it is sufficient to allow Member States to "use it proactively to establish travel and behaviour patterns", while also ensuring that it remains proportionate; and
  • allowing the use of sensitive data in exceptional circumstances, as "[t]he UK has found that the use of sensitive personal data can help improve the quality of interventions and believes that ruling this out would be unhelpful and unwelcome."[13]

1.15 The Minister notes also that, if the UK were to decide to opt in, it would be necessary to amend UK law in order to ensure that PNR data could only be processed and used for the purposes specified in the Directive, which do not include immigration. He does not expect the draft Directive to have additional financial implications for the UK Government, but considers that it is likely to involve extra data transmission costs for UK-based air carriers which may be passed on to air passengers.

1.16 Finally, the Minister provides an analysis of the implications of the draft Directive for fundamental rights and concludes that any interference with the right to respect for private and family life and the right to protection of personal data is necessary and proportionate. He believes that the prohibition on the processing and use of sensitive data ensures respect for the principle of non-discrimination.

Conclusion

1.17 As the Minister acknowledges, the draft Directive would interfere with individuals' rights to privacy and to the protection of their personal data. The issue, therefore, is whether such interference is justified in light of the objectives of the proposal to enhance internal security within the European Union.

1.18 We note that Article 16 of the draft Directive requires Member States to ensure that PNR data from all international flights are collected within six years of the Directive entering into force. When our predecessors considered a similar provision in the Commission's 2007 proposal for a Framework Decision on the use of PNR for law enforcement purposes, they suggested that a blanket obligation to collect PNR data from all flights was unnecessary and disproportionate on the grounds that it might tip the balance between a legitimate and an illegitimate interference with the right to privacy and protection of personal data.[14] We should be grateful if the Minister could explain, first, whether the UK's e-Borders system requires air carriers to transmit PNR data on all flights to and from the UK and, second, whether the Government considers that it is appropriate for the draft Directive to require Member States to ensure blanket coverage of all international flights to and from the EU, rather than allowing Member States some operational flexibility, and whether such an obligation is necessary and proportionate.

1.19 We note also that the Minister's analysis of the implications of the draft Directive for fundamental rights is based on the proposal as currently drafted. However, some of the changes which the Minister says the Government would seek if it decided to opt into the draft Directive would appear to reduce the level of personal data protection, for example, by extending the retention period for PNR data and permitting the use of sensitive data in exceptional circumstances. We therefore ask the Minister to tell us whether he has consulted the Information Commissioner on the content of the draft Directive, as well as on the changes sought by the Government, and to inform us of his views.

1.20 The Minister says that the Government believes that PNR data should be used to prevent all serious crime, regardless of any transnational dimension. However, the Commission says that the transnational nature of terrorism and serious organised crime is one of the main reasons for taking action at EU level. The Commission also says in its analysis of the impact of the draft Directive on fundamental rights that the requirement for a transnational element in certain circumstances helps to limit the processing of PNR data to cases "intrinsically linked to travelling" and so is less intrusive. We would welcome the Minister's views on both points.

1.21 Finally, we note that recital 28 of the draft Directive says that "the Directive does not affect the possibility for Member States to provide, under their domestic law, for a system of collection and handling of PNR data for purposes other than those specified in this Directive, or from transportation providers other than those specified in the Directive, regarding internal flights subject to compliance with relevant data protection provisions, provided that such domestic law respects the Union acquis." We would find it helpful if the Minister could tell us what implications a decision to opt into the draft Directive would have for the UK's ability:

  • to collect and use PNR data for intra-EU flights; and
  • to collect and use PNR data for immigration purposes.

1.22 It is evident that the draft Directive may have important implications for the UK's existing e-Borders system. We think, therefore, that the Government's decision specifically on whether or not to opt into the proposal, should be debated in European Committee B. The draft Directive itself remains under scrutiny and we look forward to receiving the Minister's response to the questions we have raised, as well as progress reports on the negotiations.





1   See (31960) 13954/10: HC 428-xi (2010-11), chapter 21 (15 December 2010).

2   See page 4 of the Commission's explanatory memorandum accompanying the draft Directive.

3   See page 10 of the Commission's explanatory memorandum accompanying the draft Directive.

4   See pages 12-13 of the Commission's explanatory memorandum accompanying the draft Directive.

5   Council Framework Decision 2002/584/JHA, OJ L No. 190, p.1, 18.07.2002.

6   Council Framework Decision 2002/475/JHA, OJ L No. 164, p.3, 22.06.2002.

7   Council Framework Decision 2008/977/JHA, OJ L No. 350, p.60, 30.12.2008.

8   See page 8 of the Commission's explanatory memorandum accompanying the draft Directive.

9   See paragraph 22 of the Minister's Explanatory Memorandum.

10   See paragraphs 24-26 of the Minister's Explanatory Memorandum.

11   See paragraphs 27-28 of the Minister's Explanatory Memorandum.

12   See paragraph 29 of the Minister's Explanatory Memorandum.

13   See paragraphs 30-34 of the Minister's Explanatory Memorandum.

14   See (30385) 5618/09 (30651) 5618/1/09: HC 19-xxi (2008-09), chapter 3 (24 June 2009) and (30385) 5618/09: HC 19-xiii (2008-09), chapter 4 (1 April 2009).


 

© Parliamentary copyright 2011
Prepared 16 March 2011