29 July, 2015
On 15 July 2015, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament voted in favour of a proposal for a Directive of the European Commission. The proposal aims to regulate the storage of passenger data of individuals entering and leaving the EU in a passenger name record (PNR) system.
When the Directive enters into force, airlines and travel agents will be required to store data of passengers on flights from and into the EU, excluding flights between EU Member States, which can then be consulted by intelligence services. Travel and booking data, such as payment data, diet preferences, ticket and credit card information and contact details, are stored for a period of 30 days in a national database. In each Member State, a so-called Passenger Information Unit (PIU) will be established, which is responsible for the collection, storage and analysis of the data. Subsequently, the results of the analysis could be provided to a competent authority. After the 30-day period, all data that identifies the passenger is anonymised and stored for another 5 years. The retention period can be extended if authorities require this for specific criminal investigations or prosecutions.
The aim of the new PNR system is to combat terrorism and certain international crimes, such as drug trafficking, sexual exploitation of children, cybercrime and money laundering. Representatives of the Parliament indicate that the data is only used for the purpose of prevention, detection, investigation and prosecution of terrorism and the aforementioned international crimes.
In 2007, the European Commission first proposed an EU-wide PNR system. This proposal was based on an existing agreement with US authorities, which allowed the exchange of passenger data. In 2011, the Commission reiterated the proposal. In 2012, the Member States approved the proposal. However, a year later the LIBE Committee voted against the proposal, stating that the PNR system would violate fundamental privacy rights.
After the terrorist attacks in Paris and Copenhagen earlier this year, the Member States again raised the desirability of a PNR system. In June 2013, the Commission published a new proposal intended to provide a higher level of data protection. The concerns about the level of data protection seem to have been removed, now that the LIBE Committee has approved this proposal. Still, opponents remain concerned that PNR systems will prove to violate fundamental privacy rights.
Some Member States, such as the UK, already have a PNR system in place. With the proposal, the European Commission hopes to harmonise the collection and processing of PNR data within the EU. Once the European Parliament approves the proposal, Member States will have two years to transpose the Directive into national law. The European Parliament aims to conclude negotiations on the PNR system before the end of the year.