Only two EU Member States have not yet implemented the EU PNR Directive, and almost all of them also use it for flights within the European Union. There are problems with data protection and data quality. Regardless of the lawsuits before the European Court of Justice, the EU Commission is working on an extension.
Four years ago, the European Union adopted the “EU Passenger Name Record (PNR) Directive”. In order to prevent, detect, investigate and prosecute terrorist offences and serious crime, the 26 EU member states participating in the directive are to set up a Passenger Information Unit (PIU), which will receive extensive data records on passengers from the airlines when they book and board flights. The European Commission has now submitted a report on the implementation of the measures, as required.
The directive should have been transposed into national law by each Member State by 25 May 2018. At the end of the review period, Slovenia had only notified partial implementation, while Spain had not notified any measures. Three weeks ago the Commission brought an action before the European Court of Justice (ECJ) against the government in Madrid for failure to transpose the Directive.
“Tangible results” cannot be verified
The Commission considers the collection and processing of PNR data in the report necessary and proportionate. The Member States have indicated that the data transmitted in real time and their “reactive and proactive” processing has produced “tangible results”. This refers to the use of the information for law enforcement and secret service purposes. The Commission does not publish the evidence sent by the Member States to this effect, which shows the importance of the processing of PNR data for the measures.
Originally, the directive was only intended for flights to and from third countries. The possibility of extending it “voluntarily” to flights within the European Union was subsequently agreed by the 26 governments in an additional protocol. All Member States but one have made use of it, according to the report. The Commission therefore intends to refrain from making such an extension to EU flights mandatory.
The Passenger Information Units are to pass on data to each other, for example if a suspicion about a person is substantiated. According to the report, cooperation and exchange on the PIU’s own initiative is not working sufficiently, however. The Commission attributes this to the unclear wording in the directive on spontaneous data transfers.
Commission must await complaints to the ECJ
There are also problems with data quality. For example, the airlines are not obliged to record the date of birth of passengers, which means that the incorrect spelling of names cannot be detected by the Passenger Information Unit.
The Commission report furthermore found shortcomings in the implementation of data protection requirements. While there is an “overall compliance”, some Member States had failed to adapt their national laws. Which countries are concerned remains unclear, as they are not mentioned anywhere in the report. Nor does the Commission say how data protection is being breached. If, for example, the earmarking of data processing for the sole purpose of combating terrorism and serious crime were to be circumvented, this would be a major violation.
The Commission is currently opposed to amending or extending the PNR Directive. First of all, it is to await the outcome of the actions pending before the European Court of Justice. There, the Austrian non-governmental organisation epicenter.works and the German Society for Freedom Rights are taking action against the mass storage and non-transparent processing of passenger data.
Plans for enlargement
But plans for expansion are not off the table. According to the report, the practical application of the PNR Directive has led to findings which “require further assessment”. For example, the scope could be extended to include train, bus or ferry services. The extension of the directive to include travel agencies, which, according to the report, collect a significant proportion of all PNR data but do not have to transmit it to the Passenger Information Units, is also under discussion. The Commission considers this to be an “important security gap”. Finally, the Commission also intends to transfer passenger data to third countries in future as part of its “external PNR policy”.
Notwithstanding the actions before the ECJ, the Commission has therefore announced a “thorough impact assessment”. This will also examine whether PNR data could be used to protect public health. For example, the German government had proposed within the framework of its EU Council presidency to use PNR data to identify persons who have sat in the vicinity of a passenger infected with Covid-19.