Documents considered by the Committee on 18 April 2012 - European Scrutiny Committee Contents

15 Use of Passenger Name Records for law enforcement purposes



COM(11) 32

+ ADDs 1-2

Draft Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes

Commission staff working papers: Impact assessment and summary of impact assessment

Legal baseArticles 82(1)(d) and 87(2)(a) TFEU; co-decision; QMV
Document originated2 February 2011
Deposited in Parliament4 February 2011
DepartmentHome Office
Basis of considerationMinister's letter of 2 April 2012
Previous Committee ReportsHC 428-xxvii (2010-12), chapter 5 (18 May 2011); HC 428-xxii (2010-11), chapter 6 (30 March 2011); HC 428-xix (2010-11), chapter 1 (9 March 2011)
Discussion in Council 26-27 April 2012
Committee's assessmentLegally and politically important
Committee's decisionCleared


15.1 The draft Directive would establish an EU-wide framework for the collection, retention and use of Passenger Name Record ("PNR") data — that is, information provided by passengers which is held in air carriers' flight reservation and departure control systems — in order to prevent, detect, investigate and prosecute terrorism and other serious criminal offences. The Commission believes that the lack of common EU rules creates a risk of fragmentation if, as seems likely, an increasing number of EU Member States adopt their own national measures which may diverge on such matters as the scope and purpose of the PNR system, the length of time for retaining PNR data, the modes of transport covered, and standards of data protection and security. These differences, the Commission suggests, are likely to result in "security gaps, increased costs and legal uncertainty for air carriers and passengers alike."[117]

15.2 Our Report of 9 March 2011 summarised the content of the draft Directive, which is subject to the UK's Title V (justice and home affairs) opt-in, and set out the factors which the Government would take into account in deciding whether or not to opt in. These were:

  • the likelihood of extending the scope of the draft Directive to include flights between Member States ("intra-EU flights") — the Commission's proposal only applies to international flights between an EU Member State and a third country ("extra-EU flights") and would, in the Government's view, seriously limit Member States' ability to tackle criminal activity and displace the risk from extra-EU to intra-EU routes;
  • the ability to use PNR data for all terrorist or serious criminal offences — the Commission's proposal limits its use in certain circumstances to serious transnational crimes;
  • the extension of the data retention period in order to ensure that PNR data could be used "proactively to establish travel and behaviour patterns" — the Commission's proposal provides for PNR data to be held for 30 days, then retained for a further five years in an "anonymised" form (so that the identity of the individual to whom the data relates is masked); and
  • provision for the use of sensitive data (for example, data revealing an individual's race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life) in "exceptional circumstances" — the Commission's proposal prohibits the processing of sensitive data.[118]

15.3 We recommended a debate in European Committee (which took place on 30 March 2011) to inform the Government's decision on whether or not to opt into the draft Directive and highlighted the need to balance the public interest in preventing and detecting terrorism and other serious crime against the risk of any unjustified and disproportionate encroachment on the privacy of individuals.

15.4 The Government informed us on 10 May 2011 that it had decided to opt into the draft Directive and indicated that its success in persuading a majority of Member States to support the inclusion of intra-EU flights was a critical factor. Our Reports of 30 March 2011 and 18 May 2011 provide further information on the Government's position. In particular, the Government indicated that it would prefer Member States to have the operational flexibility only to collect PNR data on their highest risk routes, whether they are intra-EU or extra-EU routes, rather than to collect data on all flights (blanket coverage). It also reiterated its concerns regarding the impracticability of distinguishing between transnational and other forms of serious crime when determining how PNR data may be used.

15.5 We noted that the Government's summary of the views of the Information Commissioner, as well as the Opinion issued by the Article 29 Data Protection Working Party (an independent advisory body which includes representatives from the UK's Office of the Information Commissioner and other national data protection authorities), raised a number of important concerns. We highlighted the following: the purposes for which PNR data may be processed; the definition of serious crime; the period during which PNR data may be retained; and the collection and use of sensitive data. We asked the Government to continue to provide progress reports on these issues and on the negotiations as they evolved.

The Minister's letter of 2 April 2012

15.6 The Minister for Immigration (Damian Green) says that the Danish Presidency intends to seek a political agreement on the draft Directive at the forthcoming Justice and Home Affairs Council on 26 April. He sets out the main changes to the Commission's proposal which have been agreed during the course of negotiations and suggests that the outcome "represents a good overall package for the UK" and that "it is in our national interest" to secure a deal at the April Council.

15.7 The Minister notes that the UK's principal negotiating objective was achieved at the Justice and Home Affairs Council in April 2011 when a majority of Member States agreed that the draft Directive should make provision for the collection of PNR data on intra-EU flights. He explains how this is reflected in the latest text. A new Article 1a gives Member States the option of applying the draft Directive to intra-EU flights. If they choose to do so, they may either apply the draft Directive to all intra-EU flights or to selected intra-EU flights.[119]

15.8 The reason for giving Member States the option of targeting intra-EU routes, when a similar flexibility does not exist for extra-EU routes, is to make it more palatable for those which continue to oppose the collection and sharing of intra-EU PNR data. According to the Minister:

"[They] might be more likely to support the overall package if they knew that Member States who elect to collect data on intra-EU flights would not be required to collect data on 100% of flights. It is counter-intuitive to force those who do want to collect intra-EU data to collect everything if those who don't want to collect it don't have to collect anything. This arrangement is likely to lead to a gradual build up of data collection; by the time the first review takes place, there is likely to be evidence from a wide range of Member States of the value of collecting data on intra-EU flights."

15.9 The Minister notes that the review clause (Article 17) has been amended to ensure that the Commission's first review of the operation of the Directive considers, in light of experience gained under Article 1a, whether all Member States should be required to collect PNR data on intra-EU flights and, if so, whether they should do so on a targeted or a blanket basis. He adds that the Commission has reserved its position on the inclusion of intra-EU flights whilst indicating that, if they are brought within the scope of the draft Directive, it would favour the mandatory collection of PNR data on all such flights.

15.10 Turning to the length of time during which PNR data may be retained, the Minister notes that the overall data retention period remains unchanged at five years. However, the initial period during which full PNR data may be held (without masking the identity of the individuals to whom they relate) has been extended from 30 days to two years. After two years, identifying details must be "masked out" and access to the full PNR data thereafter requires approval by a judicial authority or other national authority competent under national law to verify whether the conditions for access are fulfilled. The Minister believes that these stricter access controls provide an "effective counterweight" to the lengthening of the period in which full PNR data may be held. He says that it is for Member States to determine which authority they use, "with the objective being independent oversight", but indicates that the UK would choose the non-judicial option. Whilst UK experience suggests most requests for access to full PNR data will be made within the initial two year period, the Minister recognises that the requirement to mask data (rather than to archive it in accordance with existing practice in the UK) will have operational and cost implications for which the UK may seek EU funding.

15.11 The Minister notes that the draft Directive would only apply to air carriers and says that UK efforts to extend its scope to include other modes of transport and carriers have not met with success. The Presidency has, however, agreed to strengthen references to other carriers by linking recital 28 to the review clause in Article 17. Recital 28 leaves open the possibility for Member States to make provision in their domestic laws for the collection of PNR data from other carriers (for example, rail or maritime). The possibility of including these carriers within the EU PNR framework is anticipated in Article 17 which requires the Commission, as part of its review of the operation of the Directive, to consider whether its scope should be extended, taking into account the experience of Member States that have collected PNR data from other carriers.

15.12 The Minister believes that the recital and review clause are significant. Although they do not enable Member States to require other carriers to provide PNR data, they provide "a helpful indication of an acceptance at EU level that Member States can use domestic legislation to collect data from maritime and rail carriers."

15.13 The Minister explains that the concept of transnational crime is no longer included within the draft Directive. However, the processing of PNR data for the purpose of assessing passengers against a set of pre-determined criteria in order to determine whether they may be involved in a terrorist or other serious criminal offence (sometimes called "profiling") is only permitted for crimes listed in Annex 2 to the draft Directive. Similarly, the analysis of PNR data in order to update or create new assessment criteria ("trend analysis") is only permitted for those crimes listed in Annex 2.

15.14 The list of crimes in Annex 2 is narrower than that which applies to the processing of PNR data for other purposes, for example, to screen passengers against watch-lists of known suspects or to assist with a specific investigation. This is because

"The offences which are not included in the narrower list are offences which do not lend themselves to profiling or trend analysis as they are fact specific e.g. murder and rape."

However, the Minister believes that the inclusion of a narrower list of serious crimes for the processing of certain PNR data "will have little operational impact."

15.15 The prohibition on the use of sensitive data remains, as well as a requirement immediately to delete any sensitive data sent by a carrier, because "No Member State has been able to make the case that [their use] is essential operationally." The Minister notes that the draft EU-US PNR Agreement includes provision for the processing and use of sensitive data in exceptional circumstances but adds that "the prevalent view was that the EU should impose higher standards upon itself."

15.16 Finally, the period for transposing the Directive has increased from two to three years in order to make the overall package more attractive for those Member States that have not yet established systems for collecting and processing PNR data.


15.17 We agree with the Government that, if there is to be an EU-wide framework governing the collection and use of PNR data, then it should not distinguish between intra-EU and extra-EU flights. The inclusion of intra-EU flights in the latest compromise text, albeit on an optional basis, is therefore a welcome development. Nevertheless, the different levels of coverage proposed for intra- and extra-EU flights is a matter of concern. In our Report of 18 May 2011, we questioned whether a blanket obligation to collect PNR data on all extra-EU flights was necessary and proportionate. Whilst we accept that there is little prospect of changes being agreed at this late stage, we nevertheless think it would be helpful if the review of the operation of the Directive foreseen in Article 17 included the possibility of introducing selective or targeted collection of PNR data for extra-EU flights as well as for intra-EU flights.

15.18 We note the significant extension (from 30 days to two years) of the period during which full PNR data may be held before they are "depersonalised", even though the overall data retention period of five years remains unchanged. The Minister suggests that stricter access controls which limit the disclosure of the full PNR data after they have been masked provides a sufficient counterweight. By contrast, the draft EU-US PNR Agreement requires PNR data to be "depersonalised and masked" after six months, although the overall data retention period is considerably longer,[120] and the draft EU-Australia PNR Agreement provides for a similar overall data retention period as the draft Directive, but only requires the data to be masked after three years.[121] We simply observe that these disparities highlight the difficulty of determining whether the overall retention period, as well as the conditions for restricting access to full PNR data during that period, are necessary and proportionate.

15.19 Finally, we note that a growing body of specialist opinion (namely, the Article 29 Data Protection Working Party, the EU Fundamental Rights Agency and the European Data Protection Supervisor) continues to harbour doubts as to the necessity and proportionality of PNR schemes developed at EU level and internationally through the negotiation of PNR agreements with third countries. As our earlier Reports have indicated, we share some of these concerns. However, we also note that the draft Directive includes safeguards for the protection of personal data which are based on existing EU standards.[122] In light of the Minister's assessment that the compromise text proposed for agreement at the April Justice and Home Affairs Council offers the best chance of a reasonable outcome, we agree to release the draft Directive from scrutiny.

117   See p.4 of the Commission's explanatory memorandum accompanying the draft Directive.  Back

118   See paragraphs 30-34 of the Minister's Explanatory Memorandum.  Back

119   The UK will therefore be required to collect PNR data for all extra-EU flights - representing approximately 23% of traffic to and from the UK - but will have flexibility to determine how much data to collect on the remaining 77% comprising intra-EU flights. Back

120   See (33437) and (33438); HC 428-xliii (2010-12), chapter 4 (7 December 2011). The Agreement allows the retention of PNR data for up to 15 years. Back

121   See (32797) and (32798); HC 428-xxxi (2010-12), chapter 2 (29 June 2011).  Back

122   See Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; OJ No. L 350. 30.12.2008.  Back

previous page contents next page

© Parliamentary copyright 2012
Prepared 27 April 2012