Second Opinion of the European Data Protection Supervisor (EDPS) on the Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (PNR Directive).
To recall, the legislative procedure has been in abeyance since the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) rejected the Proposal on 24 April 2013, questioning its necessity and proportionality. Recently, the discussions have been revived following the terrorist attacks that took place in Paris in January 2015.
In its Resolution of 11 February 2015 on anti-terrorism measures, the European Parliament committed itself to work towards the finalisation of an EU PNR Directive by the end of the year. It also:
- urged the Commission to set out the consequences of the ECJ judgment on the Data Retention Directive and its possible impact on the EU PNR Directive;
- called on the Member States to make optimal use of existing platforms, databases and alert systems at European level, such as the Schengen Information System (SIS) and the Advanced Passenger Information Systems (APIS);
- encouraged better exchange of information between Member States’ law enforcement authorities and EU agencies.
The European Parliament also encouraged the Council to make progress on the Data Protection Package so that the ‘trilogue’ negotiations on both the EU PNR Directive and the Data Protection Package could take place in parallel.
In this context, an updated report has been presented by the rapporteur for the LIBE Committee, on 17 February 2015. Several modifications to the Commission proposal were proposed in this document, such as the inclusion of intra-EU flights. The LIBE Committee adopted its orientation vote on 15 July 2015 and agreed to enter into negotiations with the Council.
This EDPS Opinion will address the changes in the Proposal as proposed by the LIBE Committee and the Council in view of the trilogue negotiations that are due to begin in November 2015.
The EDPS welcomed the various improvements made by the Council and the LIBE Committee on the Proposal, for example regarding the specific provisions on data protection, the presence of a Data Protection Officer, or a specific reference to the power of the supervisory authorities.
However, the essential prerequisite for a PNR scheme — i.e. compliance with necessity and proportionality principles — is still not met in the Proposal.
The EDPS notes that:
- the proposal does not provide for a comprehensive evaluation of the ability of the current existing instruments to reach the purpose of the EU PNR scheme;
- it does not set forth any detailed analysis of the extent to which less intrusive measures could achieve the purpose of the EU PNR scheme;
- the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance.
In the view of the EDPS, the only purpose which would be compliant with the requirements of transparency and proportionality, would be the use of PNR data on a case-by-case basis but only in case of a serious and concrete threat established by more specific indicators.
It is for this reason that the EDPS encourages the legislators to further explore the feasibility against current threats of more selective and less intrusive surveillance measures based on more specific initiatives focusing, where appropriate, on targeted categories of flights, passengers or countries.
The EDPS considered that:
- the Proposal should limit the data retention period to what is justified by objective criteria explaining the period retained;
- the proposal should more explicitly provide that the PNR data may not be used for other purposes than the prevention, detection, investigation or prosecution of terrorist offences and serious transnational crimes;
- a prior approval by a court or an independent administrative body should be obtained, in principle, upon a request of access to the data by a competent authority;
- the Proposal should refer to appropriate safeguards guaranteeing the security of the data processed by the PIU;
- the scope of the PNR scheme should be much more limited with regards to the type of crime;
- the criteria required to access PNR data by the competent authorities should be better defined and more precise.
The EDPS invited the legislators to wait until the adoption of the new Data Protection Package to fully align the obligations of the Proposal with the new provisions adopted. Moreover, the evaluation of the Directive should be based on comprehensive data, including the number of persons effectively convicted and not only prosecuted, on the basis of the processing of their data.