On 25 March 2011, the European Data Protection Supervisor (EDPS) adopted an opinion on a new Commission's proposal to oblige airline carriers to provide EU Member States with personal data on passengers (Passenger Name Record - PNR) entering or departing from the EU for the purpose of fighting serious crime and terrorism. Such data may include, for example, home address, mobile phone number, frequent flyer information, email address and credit card information.
The EDPS acknowledges the data protection improvements brought to the present Proposal, compared to an earlier proposal adopted in 2007, and in particular the efforts to restrict the scope of the Proposal and the conditions for processing PNR data.
The EDPS however recalls that the need to collect or store massive amounts of personal information must rely on a clear demonstration of the relationship between use and result (necessity principle). This is an essential prerequisite for any development of a PNR scheme. In the EDPS' view, the current Proposal and accompanying Impact Assessment fail to demonstrate the necessity and the proportionality of a system involving a large-scale collection of PNR data for the purpose of a systematic assessment of all passengers.
Peter Hustinx, EDPS, says: "Air passengers' personal data could certainly be necessary for law enforcement purposes in targeted cases, when there is a serious threat supported by concrete indicators. It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns."
In addition to this major shortcoming of the proposed system, the EDPS recommendations include the following:
(*) Proposal of 2 February 2011 for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (COM(2011) 32 final)