The EU PNR Directive is leading to more and more interventions by the German authorities. An extension to rail, bus and ship travel is not yet off the table, but before that the Court of Justice in Luxembourg will rule on the legality of the law. Similar agreements with Canada and Japan are apparently no longer coming into being.
The storage and processing of passenger data in air traffic led to significantly more interventions by the German Bundespolizei (Federal Police) last year. According to an annual report that has only just been presented, its headquarters received 25,280 personal data from the Federal Criminal Police Office (BKA) with a request for so-called follow-up measures. In 2019, this number was still 10,900, according to the report, which results in an increase of around 132 per cent despite a pandemic-related decline in passenger numbers.
Based on the list, the Federal Police executed 813 arrest warrants and made 547 “person matches related to politically motivated crime”. These are alerts for police observation, the persons concerned can be monitored and checked discreetly. Subsequently, a notification is made to the interested police or secret service authority.
The figures in the Federal Police’s annual report differ significantly from earlier information. In response to a parliamentary question, the Federal Ministry of the Interior had written in February that the Police and Customs had been informed of hits in 5,347 cases. On this basis, 460 arrests were made. It remains unclear why the figures are now significantly higher.
Many false matches
The processing of passenger data (Passenger Name Records – PNR) is regulated in the German Passenger Data Act. The German government has thus implemented the EU PNR Directive adopted in 2016. It obliges airlines to transmit passenger data first after a booking and a second time at boarding. It may be used by the authorities to prosecute and prevent serious and terrorist offences. Although the law does not provide for this, the police also track irregular entries with PNR data.
According to the PNR Directive, each EU Member State must establish a Passenger Information Unit (PIU) to receive the personal data. In Germany, this responsibility lies with the BKA. There, the personal data is compared with relevant police databases, including the German INPOL file, the Schengen Information System (SIS II) or files at Europol. For this purpose, the investigators use a matching system developed by the BKA. It delivers so-called “technical matches”, which then have to be checked manually. In the process, a considerable number are rejected as false; in 2019, 98 per cent of all hits turned out to be false alarms.
Among the reasons for the false matches, the Federal Ministry of the Interior cites similar spellings of the travellers’ names or first names as well as an often missing date of birth. Problems were also caused by different writing systems and the transcription procedures required for this. The EU member states have therefore commissioned the Commission with proposals to improve the quality of the data. A corresponding communication has been available since last week, but is classified as confidential.
Commission examines extension
If the BKA finds a “technically positively verified hit”, the Federal Police as well as the Federal Customs Administration will be tasked with further checking or prosecuting the person. If necessary, the other European Passenger Information Units can also receive a corresponding notification.
Great Britain also wants to continue participating in the EU PNR system. This is stated in the Trade and Cooperation Agreement that the government in London has concluded with the European Union. To do so, however, British authorities must submit a list showing the databases used for police searches. Until then, the country benefits from a transitional phase, which is now to be extended once again. However, the independent data protection authority in Great Britain has not yet issued a necessary statement.
The EU Commission is currently examining the extension of the PNR system to cross-border rail, bus and ship travel. In its conclusions, the Council commissioned an impact assessment on this two years ago. The member states could, for example, be forced to allow travel by high-speed train only with a personal booking. The German government, among others, had expressed reservations about this.
PNR Agreement in Court
So far, the European Union has also concluded two international PNR agreements with Australia and the USA. In a joint review, the EU Commission and the Parliament had raised concerns about compliance with the requirements of the General Data Protection Regulation (GDPR). In conclusions, the member states subsequently called for a draft framework agreement to apply to all interested third countries.
As far as is known, however, no foreign government is currently interested in this. A planned agreement with Canada was stopped by the European Court of Justice (ECJ) in Luxembourg four years ago due to non-compliance with the Data Protection Regulation, and the negotiations for a new draft are on ice. The PNR agreement planned with Japan will also not come about; the government in Tokyo considers it no longer necessary after the end of the Olympic Games.
Soon the ECJ will also rule on the legality of the EU PNR Directive. The judges will hear a lawsuit filed by the German Society for Civil Liberties (Gesellschaft für Freiheitsrechte), which sees it as a form of warrantless mass surveillance. The Belgian government has also filed a lawsuit in Luxembourg against the warrantless logging of passenger data. On 9 December, the Advocate General will present his opinion, but a ruling is not expected until several months later.