The proposed PNR Directive, if implemented by Member States in its current form, promises a low level of data protection and the absence of obvious privacy safeguards. The Directive permits a system of data protection regulation for PNR data that is fragmented and role of the data protection authority that can be minimised by Member States. There are also particularly weak provisions relating to transparency.
The current text allows Member States the flexibility to transfer PNR data to any third country on the grounds of political expediency and national security aspects are excluded from the Directive’s reach. The PNR Directive is currently being redrafted to extend its reach to internal flights within the EU. As usual, a full set of references and downloads at the bottom of the blog.
A weak level of data protection
In summary, when air carriers are processing PNR personal data, the data are subject to the higher standards of Directive 95/46/EC. Yet when the same personal data are in the hands of the authorities the lower standards of Framework Decision 2008/977/JHA apply.
In other words, the PNR Directive proposes the transfer of personal data from a high level of data protection (when the data are in the hands of the air carrier) to the lower level of data protection (when the data are in the hands of organisations that involved in law enforcement). This standard becomes even lower, if one considers the prospect of allowed transfers of PNR data to Third Countries outside the EEA.
The result is bizarre to say the least. The more controversial the processing purpose (e.g. for law enforcement) the lower the level of data protection; the less controversial the purpose (e.g. processing for a seat booking), the higher the level of data protection. This is especially the case is that the PNR personal data are originally subject to Directive 95/46/EC (when in the hands of the airlines) and are unlikely to be transferred outside the EEA.
The PNR Directive thus creates an “inverse” data protection effect: the more controversial the processing, the weaker the protection; the less controversial the processing, the stronger the level of protection.
The position the Directive has arrived at is pure data protection nonsense. It probably explains why the European Data Protection Supervisor (EDPS) has also concluded that the provisions of Directive 95/46/EC should apply to the processing of PNR personal data.
The weak data protective elements of the PNR directive
This Directive is worded so that the development of mega Euro PNR databases are inevitable (despite contrary comments from the relevant Commissioner and a host of national politicians). This is because Passenger Information Units (PIU) established on one country can be merged with others into one single entity.
So suppose Member States A, B and C merge their PIUs. The use of the word “the” in Article 3(2) means that the three merged PIUs become ONE PIU for these three States. Thus the concept of transfers or PNR data between these three PIUs disappears.
It follows that any of the provisions in the Directive that provides for “safeguards” with respect to such transfers do not apply (as there isn’t a transfer). Of course, Member States can say that the intent is for these safeguards to continue to apply, but the Directive text does not insist that they do.
There is no provision relating to onward disclosure of PNR data by “competent authorities” who obtain personal PNR data from the PIUs. The result is that PNR data can be disclosed to bodies that are not competent authorities as identified in the Directive, outwith the reach of the Directive.
The PNR Directive excludes, for instance, reference to the national security agencies so the extent to which PNR data are processed by these agencies is also not specified by the Directive.
As national security agencies are likely to have generous powers to process PNR data and can take advantage of the normally broad exemptions found in national data protection laws for national security purposes, one can anticipate that these agencies could hold copies of all PNR data for more than the 5 year period.
If this is the case, then retention periods for PNR data as specified in the Directive are effectively rendered void. Some law enforcement authorities can always recover PNR data from national security sources.
The absence of transparency
The transparency provisions in the PNR Directive are designed to ensure that such quantitative and qualitative information that could allow for an independent assessment of the effectiveness of the PNR Directive are simply not collected.
In this regard, Articles 17-19 are particularly poor. They establish a review mechanism and statistical collection that is dependent on the organisations doing the interference into private and family life. These Articles are fundamentally flawed and compromised by the conflict of interest the Commission and Member States have, as they will want to justify to the public, the large amounts of money spent on this kind of mass surveillance.
For instance, suppose you ask the police to review the effectiveness of their use of CCTV and ANPR? What you expect to find? Evidence that CCTV and ANPR is effective, of course! This, in a nutshell, is what the European Commission is proposing.
Even when the Directive calls for a review of the processing of personal data, there is no obligation placed on Member States that requires that this review is undertaken by the data protection authority. So a data protection review not undertaken by the data protection authority? If that idea for an independent review does not ring alarm bells, nothing will.
On 31st May, the EDPS published an opinion on the European Commission's evaluation report on the Data Protection Directive (2006/24/EC). He criticised the statistics collected by Member States to justify the retention of telecommunciations data.
He says "Although the Commission has clearly put much effort into collecting information from the Member States, the quantitative and qualitative information provided by the Member States is not sufficient to draw a positive conclusion on the need for data retention as it has been developed in the Directive”.
In other words, history is set to repeat itself with the PNR Directive.
It has taken a long time to mull over this analysis (over a month on and off) and the blog text above does not give justice to all the issues that I have found. These are spelt out in detail in the analysis I have published (see references).
In summary, I conclude that the PNR Directive contains very shoddy pieces of data protection drafting that are so poor in their impact, that it is astonishing that they were ever published. Quite simply, the current draft of the PNR Directive is a data protection disaster waiting to happen.
The really worrying aspect is, I suspect, is that the European Commission considers them adequate and does not see the problems. There is a reason for this of course; the European Commission aided by a Council of Interior Ministers, are politically responsible for the interests of the law enforcement communities.
The fact that the Commission legislates to promote these interests should not surprise; the fact that this Directive pays lip-service to data protection and privacy is just an inevitable consequence.
My analysis of the PNR Directive can be downloaded here:Download PNR Proposal website COM _2011_32
Updated PNR official documentation on the PNR Directive from: https://wiki.vorratsdatenspeicherung.de/Passenger_Name_Record
Recent blog posts are “Data Protection: UK wants to extend PNR Directive despite proportionality fears and the lack of evidence” and “Why the PNR Directive is disproportionate and does not protect privacy”
These are on https://amberhawk.typepad.com/amberhawk/2011/02/why-the-pnr-directive-is-disproportionate-and-does-not-protect-privacy.html and https://amberhawk.typepad.com/amberhawk/2011/02/why-the-pnr-directive-is-disproportionate-and-does-not-protect-privacy.html
Readers who want more understanding of why, in the UK context, data protection legislation cannot protect individual privacy, and what should be done, in law, to resolve this problem should look at: "Nine principles for assessing whether privacy is protected in a surveillance society (Parts 1 and 2) – 2008" from https://www.amberhawk.com/policydoc.asp
The next DP courses start on July 13 in London. Next Update is October 17th 2011 in London. We have timetabled our Audit, Privacy Impact Assessment, and RIPA courses for September 12th, 13th and 14th in London. Full details on the Amberhawk main site (www.amberhawk.com).