22.6.2011   

EN

Official Journal of the European Union

C 181/24

1.

On 2 February 2011, the Commission has adopted a Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (hereafter ‘the Proposal’) (3). The Proposal was sent to the EDPS for consultation on the same day.

2.

The EDPS welcomes the fact that he was consulted by the Commission. Already before the adoption of the Proposal, the EDPS was given the possibility to give informal comments. Some of these comments have been taken into account in the Proposal, and the EDPS notes that globally speaking data protections safeguards in the Proposal have been strengthened. Remaining concerns are however still present on a number of issues, especially in relation to the scale and purposes of the collection of personal data.

3.

Discussions on a possible PNR scheme within the EU have been developing since 2007, when the Commission adopted a Proposal for a Council Framework Decision on this issue (4). The main purpose of an EU PNR scheme is the establishment of a system obliging air carriers operating international flights between the EU and third countries to transmit PNR data of all passengers to competent authorities, for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crimes. Data would be centralised and analysed by Passenger Information Units and the result of the analysis would be transmitted to competent national authorities in each Member State.

4.

Since 2007, the EDPS has been following closely the developments related to a possible EU PNR scheme, in parallel with developments regarding PNR schemes of third countries. On 20 December 2007, the EDPS adopted an opinion on this Commission proposal (5). At many further occasions, consistent remarks have been made, not only by the EDPS but also by the Article 29 Working Party (6), on the issue of compliance of the processing of PNR data for law enforcement purposes with the necessity and proportionality principles as well as other essential data protection safeguards.

5.

The main issue consistently raised by the EDPS focuses on the justification of the necessity of a European PNR scheme on top of a number of other instruments allowing for the processing of personal data for law enforcement purposes.

6.

The EDPS acknowledges the visible improvements in terms of data protection in the present Proposal, compared to the version on which he has previously advised. These improvements relate in particular to the scope of application of the Proposal, the definition of the role of different stakeholders (Passenger Information Units), the exclusion of the processing of sensitive data, the move towards a ‘push’ system without a transition period (7), and the limitation of data retention.

7.

The EDPS also welcomes the additional developments in the impact assessment on the reasons for an EU-PNR scheme. However, while there is a clear will to clarify the necessity of the scheme, the EDPS still fails to find in these new justifications a convincing basis to develop the system, especially with regard to large scale ‘prior assessment’ of all passengers. The necessity and proportionality will be analysed below in chapter II. Chapter III will concentrate on more specific aspects of the proposal.

8.

The demonstration of the necessity and the proportionality of the data processing is an absolute prerequisite for the development of the PNR scheme. The EDPS has already insisted on previous occasions, notably in the context of the possible review of Directive 2006/24/EC (the ‘Data Retention Directive’), on the fact that the need to process or store massive amounts of information should rely on a clear demonstration of the relationship between use and result, and should allow the assessment sine qua non of whether comparable results could have been achieved with alternative, less privacy intrusive means (8).

9.

With a view to justify the scheme, the Proposal, and especially its Impact Assessment, include extensive documentation and legal arguments to establish both that the scheme is needed and that it complies with data protection requirements. It goes even further in stating that it brings added value in terms of harmonisation of data protection standards.

10.

After analysing these elements, the EDPS considers that the Proposal with its current content does not meet the requirements of necessity and proportionality, imposed by Article 8 of the Charter of Fundamental Rights of the Union, Article 8 of the ECHR and Article 16 of the TFEU. The reasoning behind this consideration is developed in the next paragraphs.

11.

The EDPS notes that the Impact Assessment includes extensive explanations and statistics to justify the Proposal. These elements are however not convincing. As an illustration, the description of the threat of terrorism and serious crime in the impact assessment and in the explanatory memorandum of the Proposal (9) cites the number of 14 000 criminal offences per 100 000 population in the Member States in 2007. While this number may be impressive, it relates to undifferentiated types of crimes and cannot be of any support to justify a Proposal aiming and combating only a limited type of serious, transnational crimes and terrorism. As another example, citing a report on drug ‘problems’ without linking the statistics to the type of drug trafficking concerned by the proposal does not constitute in the view of the EDPS a valid reference. The same goes for indications of consequences of crimes, quoting the ‘value of property stolen’ and the psychological and physical impact on the victims, which are not data directly related to the purpose of the Proposal.

12.

As a last example, the Impact Assessment indicates that Belgium has ‘reported that 95 % of all drugs seizures in 2009 were exclusively or predominantly due to the processing of PNR data’. It should be stressed however that Belgium does not have (yet) a systematic PNR scheme implemented, comparable to the one foreseen in the Proposal. This could mean that PNR data may be useful in targeted cases, which the EDPS does not contest. It is rather the wide collection with a purpose of systematic assessment of all passengers which raises serious data protection issues.

13.

The EDPS considers that there is not enough relevant and accurate background documentation which demonstrates the necessity of the instrument.

14.

While the document notes the interference of the data processing measures with the Charter, the ECHR and Article 16 of the TFEU, it refers directly to the possible limitations to these rights and is satisfied with the conclusion that ‘as the proposed actions would be for the purpose of combating terrorism and other serious crimes, contained in a legislative act, they would clearly comply with such requirements provided they are necessary in a democratic society and comply with the principle of proportionality’ (10). However, a clear demonstration of the fact that the measures are essential and that there are no less intrusive alternatives is missing.

15.

In that sense, the fact that additional purposes such as immigration enforcement, ‘no-flight list’ and health safety have been envisaged and finally not included because of proportionality considerations does not mean that ‘limiting’ the processing of PNR data to serious crimes and terrorism is de facto proportionate because less invasive. The option of limiting the scheme to the fight against terrorism, without including additional crimes, as this was envisaged in earlier PNR schemes, notably in the previous Australian PNR scheme, has not been assessed either. The EDPS stresses that in this early scheme, on which the WP29 has adopted a positive opinion in 2004, the purposes were limited to ‘identification of those passengers who may pose a threat of terrorism or related criminal activity’ (11). The Australian system did not foresee either any retention of PNR data except for specific passengers identified as presenting a specific threat (12).

16.

Besides, as far as the predictability of the surveillance for data subjects is concerned, it is doubtful that the Proposal of the Commission fulfils the requirements of a sound legal basis under EU law: the ‘assessment’ of passengers (previously worded ‘risk assessment’) will be performed on the basis of constantly evolving and non-transparent criteria. As explicitly stated in the text, the main purpose of the scheme is not traditional border control, but intelligence (13) and arresting persons which are not suspects, before a crime has been committed. The development of such a system on a European scale, involving the collection of data on all passengers and the taking of decisions on the basis of unknown and evolving assessment criteria, raises serious transparency and proportionality issues.

17.

The only purpose which would, according to the EDPS, be compliant with the requirements of transparency and proportionality, would be the use of PNR-data on a case-by-case basis, as mentioned in Article 4.2(c), but only in case of a serious and concrete threat established by concrete indicators.

18.

Article 4(2)(b) provides that a PIU may carry out an assessment of the passengers and in this activity may compare PNR data against ‘relevant databases’, as indicated in Article 4.2(b). This provision does not indicate which are the databases that are relevant. Therefore the measure is not predictable, also a requirement under the Charter and the ECHR. The provision moreover raises the question of its compatibility with the purpose limitation principle: according to the EDPS, it should be excluded for instance for a database such as Eurodac which has been developed for different purposes (14). Besides, it should be possible only in case there is a specific need, in a particular case where there is a pre-existing suspicion on a person after a crime has been committed. Checking for instance the database of the Visa Information System (15) on a systematic basis against all PNR data would be excessive and disproportionate.

19.

The idea according to which the proposal would enhance data protection by providing for a uniform level playing field with regard to the rights of individuals is questionable. The EDPS acknowledges the fact that, would the necessity and the proportionality of the scheme be established, uniform standards among the EU, including data protection, would enhance legal certainty. However the present wording of the proposal, in its recital 28, mentions that ‘the Directive does not affect the possibility for Member States to provide, under their domestic law, for a system of collection and handling of PNR data for purposes other than those specified in this Directive, or from transportation providers other than those specified in this Directive, regarding internal flights (…)’.

20.

The harmonisation brought by the proposal is therefore limited. It may cover data subjects’ rights, but not purpose limitation, and it can be assumed that according to this wording PNR systems already used to combat for instance illegal immigration could continue to do so under the Directive.

21.

This means that, on the one hand, some differences would remain between Member States having already developed a PNR scheme, and on the other hand, the vast majority of Member States which do not systematically collect PNR data (21 out of 27 Member States) would be obliged to do so. The EDPS considers that from this perspective any added value in terms of data protection is highly questionable.

22.

To the contrary, the consequences of Recital 28 are a serious breach of the principle of purpose limitation. In the view of the EDPS, the proposal should explicitly provide that the PNR data may not be used for other purposes.

23.

The EDPS comes to a similar conclusion as the one drawn from the evaluation of the Data Retention Directive: in both contexts, absence of real harmonisation goes together with absence of legal certainty. Besides, additional collection and processing of personal data becomes compulsory for all Member States, where the real necessity of the scheme has not been established.

24.

The EDPS further notes that the developments on PNR are linked with the ongoing general evaluation of all EU instruments in the field of information exchange management launched by the Commission in January 2010 and developed in the recent Communication on the overview of information management in the Area of Freedom, Security and Justice (16). There is notably a clear connection with the current debate on the European Information Management Strategy. The EDPS considers in this respect that the results of the current work on the European Information Exchange Model expected for 2012 should be taken into consideration in the assessment of the need for an EU PNR.

25.

In this context, and in view of the weaknesses of the Proposal and especially of its Impact Assessment, the EDPS considers that there is a need for a specific privacy and data protection impact assessment in cases like this one where the substance of the Proposal affects the fundamental rights to privacy and data protection. A general impact assessment is not sufficient.

26.

Terrorist offences, serious crimes and serious transnational crimes are defined in Article 2 (g), (h) and (i) of the Proposal. The EDPS welcomes the fact that the definitions — and their scope — have been refined, with a differentiation between serious crimes and serious transnational crimes. This distinction is welcome especially as it implies a different processing of personal data, excluding assessment against predetermined criteria when it comes to serious crimes which are not transnational.

27.

The definition of serious crimes is however still too broad in the view of the EDPS. This is acknowledged by the Proposal which indicates that Member States can still exclude minor offences falling under the definition of serious crimes (17) but which would not be in line with the principle of proportionality. This wording implies that the definition in the Proposal may well include minor offences, the processing of which would be disproportionate. What exactly should be covered by minor offences is not clear. Instead of leaving the faculty of narrowing the scope of application to Member States, the EDPS considers that the Proposal should explicitly list offences which should be included in its scope and those which should be excluded as they should be considered as minor and do not meet the proportionality test.

28.

The same concern applies to the possibility left open in Article 5(5) to process data related to any kind of offence if detected in the course of an enforcement action, as well as to the possibility mentioned in Recital (28) to extend the scope of application to other purposes than those foreseen in the Proposal, or to other transportation providers.

29.

The EDPS is also concerned with regard to the possibility foreseen in Article 17 to include internal flights in the scope of the Directive, in the light of the experience gained by Member States which already collect them. Such a widening of the scope of the PNR scheme would threaten even more the fundamental rights of individuals and should not be envisaged before any proper analysis including a comprehensive impact assessment.

30.

To conclude, leaving the scope of application open and giving the Member States possibilities to extend the purpose is contrary to the requirement that the data may be collected only for specified and explicit purposes.

31.

The role of PIUs and the safeguards around the processing of PNR data raise specific questions, especially since the PIUs receive data of all passengers from the air carriers and they have — under the text of the Proposal — wide competences to process these data. This includes assessment of the behaviour of passengers who are not suspected of any crime and the possibility to match PNR data with undetermined databases (18). The EDPS notes that ‘restrictive access’ conditions are foreseen in the Proposal, but considers that those conditions alone are not sufficient, in view of the wide competences of the PIUs.

32.

In the first place, the nature of the authority designated as PIU and its composition remain unclear. The Proposal mentions the possibility that staff members may be ‘seconded from competent public authorities’, but does not offer any guarantees in terms of competence and integrity of the staff of the PIU. The EDPS recommends including such requirements in the text of the Directive, taking into account the sensitive character of the processing to be performed by PIUs.

33.

In the second place, the proposal allows for the possibility to designate one PIU for several Member States. This opens the door to risks of misuse and transmission of data outside the conditions of the Proposal. The EDPS recognises that there might be reasons of efficiency, in particular for smaller Member States, to combine forces, but recommends including in the text conditions for this option. These conditions should address the cooperation with competent authorities, as well as the oversight, in particular with regard to the Data Protection Authority responsible for supervision, and with regard to the exercise of the data subject's rights, as several authorities may be competent to supervise one PIU.

34.

There is a risk of function creep linked to the elements mentioned above, and in particular in view of the quality of the staff competent to analyse the data and the ‘sharing’ of a PIU between several Member States.

35.

In the third place, the EDPS questions the safeguards foreseen against abuse. The logging obligations are welcome but not sufficient. Self-monitoring should be complemented by external monitoring, in a more structured way. The EDPS suggests that audits are organised in a systematic way every four years. A comprehensive set of security rules should be developed and imposed horizontally on all PIUs.

36.

Article 7 of the Proposal envisages several scenarios allowing for the exchange of data between PIUs — this being the normal situation — or between competent authorities of a Member State and PIUs in exceptional situations. Conditions are also stricter depending on whether access is requested to the database foreseen at Article 9(1), where data are kept during the first 30 days, or to the database mentioned in Article 9(1) where data are further kept for five years.

37.

Conditions of access are more strictly defined when the access request goes beyond the normal procedure. The EDPS notes however that the wording used leads to confusion: Article 7(2) is applicable in a ‘specific case of prevention, detection, investigation or prosecution of terrorist offences or serious crime’; Article 7(3) mentions ‘exceptional circumstances in response to a specific threat or a specific investigation or prosecution related to terrorist offences or serious crimes’, while Article 7(4) concerns ‘immediate and serious threat to public security’, and Article 7(5) mentions ‘specific and actual threat related to terrorist offences or serious crimes’. The conditions of access by different stakeholders to the databases vary depending on these criteria. However the difference between a specific threat, an immediate and serious threat and a specific and actual threat is not clear. The EDPS underlines the need to further specify the precise conditions according to which transfers of data will be allowed.

38.

The proposal refers as a general legal basis for data protection principles to the Council Framework Decision 2008/977/JHA, and it extends its scope to data processing at domestic level.

39.

The EDPS has highlighted already in 2007 (19) the shortcomings of the Framework Decision with regard to data subjects’ rights. Among the elements missing in the Framework Decision, there are notably some requirements for information to the data subject in case of a request of access to his data: information should be given in an intelligible form, the purpose of the processing should be indicated, and there is a need for more developed safeguards in case of appeal to the Data Protection Authority in case direct access is denied.

40.

The reference to the Framework Decision has consequences as well with regard to the identification of the Data Protection Authority competent to monitor the application of the future Directive, as it may not necessarily be the same DPA as the one competent for (ex) first pillar matters. The EDPS considers it unsatisfactory to rely solely on the Framework Decision in the post-Lisbon context, when one of the main objectives is to adapt the legal framework to ensure a high and harmonised level of protection across the (ex) pillars. He considers that additional provisions are needed in the Proposal to complement the reference to the Council Framework Decision where shortcomings have been identified, especially in relation to the conditions of access to personal data.

41.

These concerns are also fully valid with regard to the provisions on transfers of data to third countries. The Proposal refers to Article 13.3(ii) of the Framework Decision, which includes wide exceptions to data protection safeguards: it derogates especially from the adequacy requirement in case of ‘legitimate prevailing interests, especially important public interests’. This exception has a vague wording which could potentially apply in many cases of processing of PNR data, if interpreted broadly. The EDPS considers that the proposal should explicitly prevent the application of the exceptions of the Framework Decision in the context of the processing of PNR data, and maintain the requirement for a strict adequacy assessment.

42.

The proposal foresees a period of 30 days of retention, with an additional period of five years in archive. This retention period is considerably reduced if compared to previous versions of the document, where retention went up to five plus eight years.

43.

The EDPS welcomes the reduction of the first period of retention to 30 days. He nevertheless questions the additional retention period of five years: it is unclear to him whether there is a need to keep these data further in a form that still renders possible the identification of individuals.

44.

He stresses also a terminology issue in the text, which has important legal consequences: Article 9(2) indicates that passengers data will be ‘masked out’, and will be therefore ‘anonymised’. However, later-on the text mentions that it is still possible to access ‘the full PNR data’. If this is possible, it means that PNR data have never been totally anonymised: while being masked out, they remain identifiable. The consequence is that the data protection framework remains fully applicable, which raises the fundamental question of necessity and proportionality as to keeping identifiable data of all passengers for five years.

45.

The EDPS recommends that the Proposal should be reworded, by keeping the principle of real anonymisation with no way back to identifiable data, which means that no retro-active investigation should be allowed. These data could still — and solely — be used in order to serve general intelligence purposes based on the identification of terrorism and related crime patterns in migration flows. This should be distinguished from the retention of data in identifiable form — subject to certain safeguards — in cases that have given rise to a concrete suspicion.

46.

The EDPS welcomes the fact that sensitive data are not included in the list of data to be processed. He stresses however that the Proposal still foresees the possibility that these data are sent to the Passenger Information Unit, which then has the obligation to delete them (Article 4(1), Article 11). It is unclear from this wording whether PIUs still have a routine obligation to filter out sensitive data sent by airlines, or if they should do it only in the exceptional case where airlines have sent them by mistake. The EDPS recommends that the text is amended in order to make clear that no sensitive data should be sent by airlines, at the very source of the data processing.

47.

Apart from sensitive data, the list of data which can be transferred mirrors to a large extent the US PNR list, which has been criticized as being too extensive in several opinions of the Article 29 Working Party (20). The EDPS considers that this list should be reduced in accordance with the opinion of the Working Party, and that any addition be duly justified. This is the case especially for the field ‘general remarks’ which should be excluded from the list.

48.

According to Article 4.2.(a) and (b), assessment of individuals against pre-determined criteria or against relevant databases can involve automated processing but it should be reviewed individually by non automated means.

49.

The EDPS welcomes the clarifications brought to this new version of the text. The ambiguity of the previous scope of the provision, in relation to automated decisions producing ‘an adverse legal effect on a person or significantly affect(ing) him (…)’ has been replaced by a more explicit wording. It is now clear that any positive match will be reviewed individually.

50.

It is also clear in the new version that in no circumstances can an assessment be based on a person's race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life. In other words, the EDPS understands from this new wording that no decision can be taken, even partly, on the basis of sensitive data. This is consistent with the provision according to which no sensitive data can be processed by PIUs, and should also be welcomed.

51.

The EDPS considers of the utmost importance that a thorough assessment of the implementation of the Directive is conducted, as foreseen in Article 17. He considers that the review should not only assess general compliance with data protection standards, but more fundamentally and specifically whether the PNR schemes constitute a necessary measure. The statistical data mentioned in Article 18 play an important role in this perspective. The EDPS considers that this information should include the number of law enforcement actions, as foreseen in the draft, but also the number of effective convictions which have resulted — or not — from the enforcement actions. Such data are essential for the result of the review to be conclusive.

52.

The proposal is without prejudice to existing agreements with third countries (Article 19). The EDPS considers that this provision should refer more explicitly to the objective of a global framework providing for harmonised data protection safeguards in the field of PNR, within and outside the EU, as requested by the European Parliament and developed by the Commission in its Communication of 21 September 2010‘On the global approach to Transfers of passenger Name Record (PNR) data to third countries’.

53.

In that sense, agreements with third countries should not include provisions below the data protection threshold of the Directive. This is of particular importance now that agreements with the United States, Australia and Canada are being re-negotiated in this perspective of a global — and harmonised — framework.

54.

The development of an EU-PNR scheme, along with the negotiation of PNR agreements with third countries, has been a long-drawn-out project. The EDPS acknowledges that, compared to the Proposal for a Council Framework Decision on EU PNR of 2007, visible improvements have been brought to the draft text. Data protection safeguards have been added, benefiting from debates and opinions of different stakeholders including notably the Article 29 Working Party, the EDPS and the European Parliament.

55.

The EDPS welcomes these improvements and especially the efforts to restrict the scope of the Proposal and the conditions for processing of PNR data. He is however obliged to observe that the essential prerequisite to any development of a PNR scheme — i.e. compliance with necessity and proportionality principles — is not met in the Proposal. The EDPS recalls that in his view, PNR data could certainly be necessary for law enforcement purposes in specific cases and meet data protection requirements. It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns.

56.

The Impact Assessment gives elements aiming at justifying the need for PNR data to fight against crime, but the nature of this information is too general, and it fails to support the large scale processing of PNR data for intelligence purposes. In the view of the EDPS, the only measure compliant with data protection requirements would be the use of PNR-data on a case-by-case basis, when there is a serious threat established by concrete indicators.

57.

In addition to this fundamental shortcoming, the comments of the EDPS concern the following aspects:

58.

The EDPS further recommends that the developments on EU PNR are assessed in a broader perspective including the ongoing general evaluation of all EU instruments in the field of information exchange management launched by the Commission in January 2010. In particular, the results of the current work on the European Information Exchange Model expected for 2012 should be taken into consideration in the assessment of the need for an EU PNR scheme.

—

Opinion of 19 October 2010 on the global approach to transfers of Passenger Name Record (PNR) data to third countries, available at http://www.edps.europa.eu/EDPSWEB/edps/Consultation/OpinionsC/OC2010

—

The opinions of the Article 29 Working Party are available at the following link: http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/index_en.htm#data_transfers