The proposal
depends on a soon-to-be adopted data sharing policy which has been
opposed by Europe's privacy regulator the European Data Protection
Supervisor (EDPS). It has also been opposed by civil liberties
campaign group Statewatch, which said that it contributed to making
Europe "the most surveilled place in the world".
Since 2004 the EU has required airlines to provide to countries
Advance Passenger Information (API), a limited amount of
biographical information that is contained in passports. It now
proposes the compulsory passing on of Passenger Name Records (PNR),
a more extensive collection of information including contact
details, baggage information and 'general remarks'.
The proposal would create a single state agency in every
country, the Passenger Information Unit (PIU), to which airlines
would have to send PNR data for everyone entering or leaving the
EU. It would not be necessary for flights within the EU or within
national borders.
The PIU will be responsible for processing that data and making
a risk analysis or profile of people on the PNR lists. Those
profiles will be retained for 13 years.
"The purpose of this proposal is to have air carriers make PNR
information available to law enforcement authorities in the EU
Member States and help them in the prevention and fight against
terrorist offences and organised crime," said a Commission
statement.
Statewatch editor Tony Bunyan said that the increased monitoring
was unwarranted. "This is yet another measure that places everyone
under surveillance and makes everyone a suspect without any
meaningful right to know how the data is used, how it is further
processed and by whom," he said. "Moreover, the profiling of all
airline passengers has no place in a democracy."
The office of the European Data Protection Supervisor Peter
Hustinx said that it would not issue an opinion on the proposal
until early December. However, a key part of the plan rests on a
separate proposal by the Commission which Hustinx does oppose.
The PNR plan says that the transfer of the data outside of the
EU will be governed by a Commission framework for data protection
in police matters. But the Supervisor objects to that plan, meaning
he is unlikely to endorse the new airline system.
"The soon-to-be-adopted Framework Decision on Data Protection in
criminal matters will govern all data processing under the
proposal, as well as the transfers of data to third countries,"
said the Commission statement.
The transfer of data to third countries is controversial because
most countries have weaker data protection systems in place than
the EU.
The EDPS has previously said that data sharing should not be put
in place in what the EU calls the third pillar – which covers
matters such as policing, organised crime and terrorism – until an
over-arching framework of data protection in that area is in
place.
Hustinx previously told OUT-LAW that the deal on which the new
PNR arrangement will rely was signed in the absence of those
protections. "I can once again note that an instrument facilitating
exchange of personal data has been adopted without the necessary
framework for third pillar data protection being in place. I very
much regret that," said Hustinx in June.
