If the European Commission has its way, all air travelers regardless of nationality will have to give their personal details to national authorities when they fly in or out of the European Union.
The Commission presented its proposals on Wednesday for a European Union-wide Passenger Name Record (PNR) Directive to fight serious crime and terrorism. Under the proposal, passengers flying to and from destinations in the E.U. would have their data, including home address, mobile phone number, credit card information and e-mail address, checked and stored by national police.
This PNR data is already collected by airlines as a by-product of their business and there are currently agreements to share this data between the E.U. and the U.S., Canada and Australia. However, the Commission’s proposal will greatly widen the scope and increase the amount of data collected.
The Commission said that such a measure was needed in order to crack down on terrorism, in particular. “While terrorism decreased in the EU during 2009, according to Europol’s E.U. Terrorism Situation and Trend Report 2010, the threat of terrorism remains real and serious. Most terrorist activities are transnational in character and involve international travel,” according to a Commission statement. However, concerns have already been raised about a possible expansion of the stated goals of the initiative, since the new directive would include ‘serious crimes’ as justification for accessing stored data.
This is just the first step in what will be a long battle for such a directive. The proposal must be approved by member states and the broadly pro-civil liberties European Parliament. Already some parliamentarians have questioned the need for a new system.
"We are skeptical about the absolute necessity of a European system of flight data storage," said German member of the European Parliament, Manfred Weber. "So far, the U.S. and other countries using the PNR system have failed to convince us about its necessity.”
The Commission promises strong protection of privacy, with personal information stored nationally for only 30 days after passengers' flights. However, given recent breaches of other E.U. data systems such as E.U. emission trading records, concerns have been raised regarding security. National police will not have direct access to the airlines’ databases, but the air carriers concerned are obliged to send the data to them.
After 30 days, law enforcement authorities must make the data anonymous and can then retain it for no more than five years. The information, however, could be "re-personalized" on a case-by-case basis if there are suspicions of a serious crime or terrorist offense.
According to Wednesday’s proposal, passengers will have the right to “effective administrative and judicial redress where data protection rules have been violated, as well as the right to compensation.” But it is unclear how private individuals would find out if there have been violations.
Another matter that concerns some civil liberties groups is that the Commission would ideally like to see its directive extended to cover all E.U. internal flights. “Given that the objectives pursued by the collection of PNR data are the same inside and outside of the E.U., there would be an added value in including internal flights,” said the Commission adding that, currently the cost is prohibitive.
It is likely to take at least two years to negotiate the proposal in the Council of Ministers and the European Parliament – longer, if, as expected, the parliament refuses to play ball.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.