Air passengers entering or leaving the European Union will have their movements kept on file by police authorities from 2018 under draft legislation approved by the European Parliament.
Critics, however, say a lack of provisions to share the data severely limits the plan's usefulness.
Airlines running flights into or out of the EU must hand over the data to national Passenger Information Units (PIUs) that will hold the data for law enforcers. Member states may choose to gather data from travel agencies and to retain information about passengers on flights within the EU too.
However, there will be no centralized EU database of arriving and departing passengers, and no automatic sharing of data between the various national PIUs. With open land borders between countries in the Schengen Area, and no mandatory collection of information on intra-EU flights, it will be difficult for investigators to use the data to determine whether a person of interest is in the EU.
That calls the usefulness of the whole system into question, according to Joe McNamee, executive director of lobby group European Digital Rights (EDRi), who is no fan of the legislation.
"It is absurd that we are being told that these huge databases are hugely valuable to law enforcement, yet we are also told that member states rejected mandatory sharing of this allegedly valuable data."
Beyond those practical restrictions on the usefulness of the databases, there will also be some legal restrictions on what law enforcers can do with the collected data.
It may be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offenses and serious crime." Police forces won't get to choose what constitutes a serious crime in their book: There is a list. It includes trafficking in weapons, munitions and explosives, and human beings, participation in a criminal organization, and child pornography.
Curiously for an offense that needn't involve physically visiting a country, cybercrime is also considered serious enough to make the list.
The Passenger Name Record (PNR) Directive still requires the approval of the EU Council of Ministers, but this is expected to be a mere formality since the text voted by the Parliament on Thursday has already been agreed with the national governments the ministers represent.
Once approved by the Council, EU member states will have two years in which to transpose the directive into national law.
After that date, PIUs will retain the data for five years. After the first six months, though, parts of it will be "masked out" so that users of the database can't see passenger names, addresses or contact information. This is supposed to protect passengers' privacy. Accessing or searching on the hidden information will still be possible, but only upon application to the national data protection authorities charged with enforcing privacy rules.
Other privacy protections include a ban on processing information that reveals a person's trade union membership; health; sexual life or sexual orientation; race or ethnic origin; political opinions, religion or philosophical beliefs -- so vegans can at least rest assured that their choice of in-flight meal will remain private.
Law enforcers will have to keep an audit trail of how the passenger data is processed, and this will be used in a review of the law's effectiveness two years after it enters force.
Many Members of the European Parliament resisted the PNR directive, with tactics including delaying the final vote. The issue was controversial because parliamentarians had long opposed an agreement obliging airlines to provide U.S. authorities with PNR information for transatlantic flights.
European Parliament President Martin Schulz hailed the new deal as an important tool in the fight against terrorism and called on national governments to begin systematically sharing passenger data.
But EDRi's McNamee called the new legislation a disgrace. "It is shocking that, less than two years after the European Court overturned a Directive on needless storage of data of innocent citizens, the European Union seems hell bent on adopting another Directive which does almost exactly the same thing."