The Passenger Name Record (PNR) Framework Decision
CHAPTER 1: introduction
Passenger Name Record (PNR)
1. Passenger Name Record data, or PNR data, are detailed data about passengers, mostly personal and confidential, which airlines have for many years collected for their own operational and commercial purposes, but which they are now increasingly obliged to communicate to the authorities of the country of destination. The prime purpose of this is the combating of terrorism and serious organised crime. At its most basic, this enables the authorities of the country of destination to follow the movements of those about whom they already have suspicions, and to identify from their details and habits other passengers about whom they ought perhaps to have suspicions. They can then, if they wish, prevent passengers from entering the country, or use the information to prevent the commission of serious offences or identify those who have committed them.
2. Many countries have been collecting the PNR data of incoming passengers for a number of years; those countries include the United States, Canada and Australia. Among the Member States of the EU, the United Kingdom is at present the only country to have a fully functioning PNR system. Under it information on individuals will be captured before they enter the United Kingdom, with the aim of authorising or denying them permission to set off for Britain. This is part of the electronic borders (e-Borders) programme, which is more fully described in supplementary evidence from the Home Office, as is Project Semaphore, the e-Borders pilot project (p 22).[1] We think it important to emphasise that, while by April 2009 e-Borders will be able to handle data for 100 million passenger movements a year, and for 95% of passengers in and out of the United Kingdom by the end of 2010, 100% coverage of all passenger movements across all United Kingdom borders will not be achieved until March 2014.
3. France and Denmark have legislation for a PNR system in place, and other Member States are showing an interest. Now the EU has its own initiative: a draft Framework Decision which, if adopted in anything like its current form, will enable the authorities of all the Member States to collect PNR data in respect of passengers on flights entering the EU from third countries, to analyse those data, and to share them with the authorities of other Member States.
4. We have sympathy with those who argue that collecting PNR data is no more than a sensible precaution which any State should take before letting anyone into the country. Commenting on the requirements now imposed by the United States, the President of the Centre for a New Europe thought that "the most basic security precautions surely involve cross-checking passengers' data against suspicious behaviour patterns", and he added: "No one is compelled to hand over any information to the US, because no one is compelled to fly there ... If you don't like America's terms of entry, don't go".[2]
5. At the other extreme, no doubt there are passengers who object to any private and personal details about themselves being communicated to third parties for any purpose. We suspect however that most passengers would not greatly object to their personal details being passed to the authorities of another country if they could be sure that this would in fact contribute to preventing terrorism or other serious crime; that the information would be used for no other purpose; that it would be transmitted and kept securely; and that it would be destroyed as soon as possible after their travel.
6. A point which tends to be forgotten is that, because carriers collect PNR data for their own commercial purposes, they apply to the collection and processing of those data the standards of care and accuracy needed for their own purposes, and not the higher standards which would (or should) be applied if the data were collected specifically for law enforcement purposes.[3] The value of a PNR system will depend, among other things, both on the accuracy of the data and on the quality of the technology used to process them.
The EU/US PNR Agreement: our earlier inquiry
7. A PNR agreement is an agreement under which the State of destination which is the recipient of PNR data gives undertakings in relation to this information. Because that State's prime concern is its own security rather than protecting the data of incoming passengers, such undertakings can fall short of what most passengers would wish. Last year we conducted an inquiry into a succession of PNR agreements which the United States concluded first with the EC and then with the EU. Our report following that inquiry contains in Chapter 2 an analysis of the categories of PNR data in those agreements contrasting it with the more basic information from the Advance Passenger Information (API) system; an explanation of data profiling and data mining; a consideration of the positive value of PNR; and a warning of what can happen if the wrong conclusions are drawn from PNR data. We do not propose to repeat these matters here, and refer the reader to that report.[4]
The draft Framework Decision
8. The European Council held in March 2004, when negotiations on the first EC/US PNR Agreement were in progress, invited the Commission to bring forward proposals for a common EU approach to the use of PNR for law enforcement purposes. This was repeated later that year in the Hague Programme, and again at the extraordinary Council meeting held on 13 July 2005 after the London bombings. On 6 November 2007 the Commission brought out its proposal for a Council Framework Decision on the use of the Passenger Name Record (PNR) for law enforcement purposes—the draft PNR Framework Decision. On 7 December 2007 the Home Office supplied us with a full and clear Explanatory Memorandum giving the Government's views on this proposal. We print it with the evidence (p 1).
9. Framework Decisions under Title VI of the Treaty on European Union currently require consultation of the European Parliament and unanimity in the Council.[5] However none of our witnesses saw any prospect of negotiations on this Framework Decision being concluded by the end of 2008, and the position will then change. Assuming the ratification of the Treaty of Lisbon and its entry into force on 1 January 2009, co-decision with the European Parliament will then be needed. The Council will operate by qualified majority voting (QMV) rather than unanimity, but the United Kingdom will have the right not to opt in to the Framework Decision.
Striking the balance
10. In our earlier report we referred to the balance which has to be struck between the security of the public and the privacy of the individuals who make up the public. We said, and we repeat, that the collection and retention of data for security purposes must be no more invasive of individual privacy than is necessary to achieve the objective for which they are collected.[6]
11. The Government too believe there is a balance to be struck: "We believe it is vital, and possible, to achieve a result that strikes an appropriate balance between the right to privacy and the right to security and will work with Member States towards ensuring the data protection safeguards included in the proposal are appropriate."[7] However the Government wish to put more weight into the security side of the equation, as is clear from their part in the negotiations on the Data Protection Framework Decision to which we refer in the following chapter.
This inquiry
12. The focus of our brief inquiry has been the reasons why the Government wish to make radical changes to the draft Framework Decision, and whether such amendments can be justified. The inquiry was conducted by Sub-Committee F, whose members are set out in Appendix 1. They took evidence from Meg Hillier MP, the Parliamentary Under-Secretary of State at the Home Office responsible for the policy, and visited Brussels to take evidence from the Commission, from Mr Peter Hustinx, the European Data Protection Supervisor,[8] and from Sophie in't Veld MEP, the rapporteur of the LIBE Committee of the European Parliament[9] which is examining this proposal. A full list of witnesses is in Appendix 2. To all of them we are most grateful.
13. It has not been possible to consider the Government's views and their strategy for the negotiations without looking at whether the draft Framework Decision itself strikes the right balance between public security and individual privacy, even though this has not been a specific purpose of our inquiry. Inevitably some of the evidence has been relevant more to the Framework Decision itself than to the Government's intentions. In particular, we have received interesting views on the provisions on the use of sensitive data, on data profiling and on data protection. We believe this evidence will be of value in any wider study of the Framework Decision which we or others may subsequently undertake.
14. We make this report to the House for information.
1 There are also details of the e-Borders programme in Securing the UK Border: Our vision and strategy for the future, Home Office, March 2007. Back
2 Stephen Pollard, The Times, Monday 10 March 2008. Back
3 Ms Sophie in't Veld MEP, Q 110. Back
4 The EU/US Passenger Name Record (PNR) Agreement (21st Report, Session 2006-07, HL Paper 108) Back
5 Title IV of the Treaty establishing the European Community (TEC) deals with Visas, Asylum, Immigration and other policies related to free movement of persons. These are known as first pillar matters. Title VI of the Treaty on European Union (TEU) deals with Police and Judicial Cooperation in Criminal Matters, which include the proposal on the use of PNR for law enforcement which is the subject of our inquiry. These are third pillar matters.
Decisions in third pillar matters are reached by unanimity, and cannot therefore be binding on the United Kingdom without its agreement. The European Parliament is only consulted. However decisions in first pillar matters are reached by qualified majority voting (QMV), and by co-decision with the European Parliament. Under a Protocol to the Treaty of Amsterdam negotiated in 1997 the United Kingdom does not take part in first pillar measures unless within three months of a proposal for legislation it exercises its right to do so-i.e. it "opts in" to the proposal.
The distinction between the first and third pillars will disappear when the Treaty of Lisbon comes into force on 1 January 2009. At that stage the United Kingdom will have the right to opt in to proposals on all these matters; if it decides not to do so, the resulting measure will not be binding on it. Back
6 The EU/US Passenger Name Record (PNR) Agreement (21st Report, Session 2006-07, HL Paper 108), paragraph 5. Back
7 Explanatory Memorandum, paragraph 30. Back
8 The European Data Protection Supervisor, or EDPS, is an independent supervisory authority of the EU whose task is to make sure that the right to protection of personal data is respected by the EU institutions and bodies. It does so by monitoring processing of personal data by the EU administration; advising on policies and legislation that affect privacy; and co-operating with similar authorities, including the Information Commissioner in the United Kingdom, to ensure consistent data protection. The EDPS formal Opinion of 20 December 2007 on the draft Framework Decision can be found on its website: www.edps.europa.eu. Back
9 The Committee on Civil Liberties, Justice and Home Affairs. The rapporteur is the member of the Committee appointed to explore the topic in depth, liaising with the other institutions and more widely, and to prepare for the Committee a report which, once adopted by the Committee and by the Parliament as a whole, will represent their views. Back
|
