Last week the European Data Protection Supervisor (EDPS) posted a damning report into how the proposed Passenger Name Record (PNR) Directive was disproportionate and failed to protect the privacy of passengers arriving in Europe. At more or less the same time the UK Government, with the support of a Committee of the House of Lords, supported the extension of this Directive to include the capture of details of passengers using internal flights within Europe. This proposal is being pushed through despite the fact there is no published evidential basis for the need for this PNR Directive.
To understand why the EDPS criticism is so trenchant, you have to start with the Article 29 Working Party (WP29) report last November (see references: WP29 is a Committee whose members are national Data Protection Commissioners). At that time, many discussions were taking place about the content of a proposed PNR Directive, so the WP29’s objective was to guide those discussions into considering fundamental data protection matters.
That is why the WP29 insisted on saying that:
“Any PNR system should be:
1. demonstrably necessary to address the problem;
2. demonstrably likely to address the problem;
3. proportionate to the security benefit;
4. demonstrably less invasive than alternative measures;
5. regularly reviewed to ensure the measures are still proportionate”.
Now ask yourself a simple question: “why did the WP29 stress these five comments?”. The answer, I am afraid is obvious: “because what they had seen did not convince them that fundamental privacy requirements were being addressed”. When you look at these five items, they are - well - sort of obvious. The fact that they needed to be expressed meant that WP29 were implying that these five issues were not a priority for those involved in drafting the PNR proposals.
Additionally, the WP29 could not directly criticise something whose content was not finalised. But when the PNR proposal text was published in early February 2011 (see references), it only took seven weeks for the EDPS to enter the fray and give vent to the very concerns the WP29 had raised some four months earlier.
In the EDPS’s view, the PNR proposals “fail to demonstrate the necessity and the proportionality of a system involving a large-scale collection of PNR data for the purpose of a systematic assessment of all passengers” adding that it is “their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns". In other words, European Member States are proposing legislation that is likely to breach Article 8 of the Human Rights regime of every Member State.
In addition to this major shortcoming of the proposed system the EDPS recommendations included the following:
• That the scope of application should be limited to serious crimes where minor crimes are explicitly excluded. This comment has been made because current PNR proposal can include minor crimes (see blog of 8/02/2011: link in references)
• No personal data should be kept beyond 30 days in an identifiable form, except in cases requiring further investigation. This comment has been made because the current PNR proposal includes a 5 year retention criterion.
• The data protection principles adopted should be of the standard of the Data Protection Directive; This comment has been made because the Principles the PNR Directive authors have in mind are those specially adopted by law enforcement for law enforcement (the Framework Decision 2008/977/JHA) which are particularly weak in several areas (e.g. transfers to third countries, supervision).
• The list of PNR personal data remains too extensive and should be further reduced. This comment has been made because a prime function of the PNR system is to gather intelligence for a host of law enforcement bodies.
• The statistics required to justify implementation of the PNR system, once implemented, are not collected. This comment has been made because it is left to Member States to provide the statistics. I would go so far as to say the lack of independence in these provisions allows Member States to statistically “cook the books” in favour of self-justifying the need for the PNR Directive.
The EDPS criticisms have not deterred the House of Lords from issuing a report in favour of the PNR Directive. Not only do the Committee say the UK should opt-in to its provisions PNR Directive, but the Directive itself should be extended to internal flights within the European Union. It observes that “The Government made strenuous efforts to extend this to flights between Member States—intra-EU flights—but had not succeeded by the time the negotiations were suspended” and recommends that this step be taken. My own view is that such an inclusion to internal flights is inevitable: just think for a second: which flights do most European citizens take!
The Government’s position is clearly in favour of this extension. A memorandum given to the Committee (and published for the first time on this blog) states “The UK Government strongly believes that the ability to collect and process PNR data on intra-EU flights is vital to improving security and to fighting crime within the EU and beyond” (see references; paragraph 24’s emphasis).
The absence of evidence for the PNR Directive
In his report, the EDPS “notes that the Impact Assessment includes extensive explanations and statistics to justify the Proposal” but that “these elements are however not convincing”. He then details four examples of the “not-convincing” narrative and concludes that “there is not enough relevant and accurate background documentation which demonstrates the necessity of the instrument”. Strong stuff!
The Centre for European Politics (CEP) has also cast light on the lack of evidence for a PNR Directive (see references). It explains that “Commission itself, however, admits that “detailed statistics on the extent to which such data help prevent, detect, investigate and prosecute serious crime and terrorism are not available [COM(2011) 32, p. 6]”. However the CEP briefing then explains that “according to the Commission this is due to the fact that the EU has little experience in using PNR data” (see references).
However CEP then states that the Commission’s explanation is simply wrong. It recalls that “the existing experience gained from PNR agreements with third Countries” has been studiously ignored, and speculates that this lack of interest in existing PNR arrangements “could be explained by the fact that this experience indicates that the impact of PNR data on successful counter-crime and counter-terrorism is insignificant”.
No evidential problems, apparently, with the House of Lords. Its report notes that “In the course of our inquiry the following year into the draft EU PNR Framework Decision, we received from the Home Office further material which persuaded us that PNR data, when used in conjunction with data from other sources, can significantly assist in the identification of terrorists. We now have no hesitation in accepting the Home Office's assessment of the value of PNR data for the prevention and detection of serious crime and terrorism.” (Para 6 of the Report; Report’s emphasis).
Since the House of Lords Report did not publish this evidence, I asked the Committee officials where I could find “the Home Office further material” that the Committee had “received”. The response was as follows. In 2008, the Committee held an inquiry into the PNR Framework Decision in draft; it expressed support for the PNR Decision “based on confidential material – not formal evidence - received from the Home Office in May 2008. This was not distributed to the Committee but was read to members by the then Chairman at a meeting. It was not published”.
The comment concludes: “the current members (of the Committee) accept the views of their predecessors: hence their conclusion in para 6 of the 2011 report” (this is the “...no hestitation..” quote which the Committee emphasised – see above). In other words, there is no published evidence justifying the PNR Directive: the EDPS can’t find it, the CEP can’t find it, and Parliament hasn’t been given it in a way that can be independently examined.
So there we have it, Home Office whispers in a Committee Chairman’s ear three years ago amounts to evidence!
Lurking in the back of my mind is the fact that if the air carriers are monitored, any self respecting crook will travel by train or sea. Surely, if we apply the logic underpinning the PNR Directive, we conclude that internal EU flights have to be included and it can’t be long before the argument arises that if air travel has to be monitored, then other forms of international travel have to be monitored as well.
International car travel is already covered by a surveillance infrastructure: if one drives into the UK, there is a panoply of ANPR cameras all ready primed to “meet and greet” visitors to these shores. Similarly, foot passengers are already covered by CCTV; facial recognition linkage to digital photographs in passports and driving licences is just a matter of time.
Welcome to surveillance Europe!
The WP document “Opinion 7/2010 on European Commission's Communication on the global approach to transfers of Passenger Name Record (PNR) data to third countries” is available from http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2010_en.htm
The EDPS criticism is available from: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-03-25_PNR_EN.pdf
The Centre for European Politics briefing on PNR is on http://www.cep.eu/en/analyses-of-eu-policy/transport/passenger-name-record-data/
Download the House of Lords Committee report on PNR: Download Lords-select-cttee-report on PNR
Download the Home Office Memo to the Lords Committee on PNR:Download Lords-Home Office memo_select-cttee-report on PNR
The PNR Directive can be obtained from: http://ec.europa.eu/home-affairs/news/intro/docs/com_2011_32_en.pdf
Blogs: Why the PNR Directive is disproportionate and does not protect privacy. http://amberhawk.typepad.com/amberhawk/2011/02/why-the-pnr-directive-is-disproportionate-and-does-not-protect-privacy.html (please note the comment at the end of this blog).
Advert: Forthcoming courses: Data Protection in London starting on May 10th, Manchester 12th May. FOI starts in London on 13 June. Download course schedule here:Download Amber_dates_table_2011