European Data Protection Supervisor
European Data Protection Supervisor

EU PNR: EDPS warns against unjustified and massive collection of passenger data

EU PNR: EDPS warns against unjustified and massive collection of passenger data


EU PNR: EDPS warns against unjustified and massive collection of passenger data

Yesterday, as the EDPS published his Second Opinion on the use of Passenger Name Records (PNR) for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, he said that there is a lack of information to justify the necessity of an EU PNR scheme.

Giovanni Buttarelli, EDPS, said: “Europe is facing serious terrorist threats and we fully recognise the need for appropriate action. As an independent institution, we are not a priori in favour of or against any measure. However, according to the available information, no elements reasonably substantiate the need for the default collection of massive amounts of the personal information of millions of travellers. Necessity and proportionality are essential prerequisites for the legitimacy of any intrusive measure. We encourage the legislators, in assessing the necessity of such a measure, to further explore the effectiveness of new investigative approaches as well as of more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries."

The latest EDPS' Opinion notes the role of the legislators in assessing necessity and proportionality and to analyse the impact of the proposed measures on the fundamental rights of individuals to the protection of personal data and to privacy. It is necessary for the EDPS to also carry out such an analysis in his mission to advise the EU institutions on the data protection implications of their policies, particularly when they have a more serious impact on the rights to privacy and data protection.

Since the proposed EU PNR scheme is likely to cover at least all flights to and from the EU, and may also involve intra EU and/or domestic flights, more than 300 million non-suspect passengers would potentially be interested by the EU PNR proposal.

Building on his earlier Opinions on PNR addressing the same issue, the EDPS says that the available information does not justify why the massive, non-targeted and indiscriminate collection of passengers' personal information is necessary and why it is urgently needed.

The EDPS highlights the 2014 ruling of the Court of Justice of the European Union (CJEU) in which it struck down the Data Retention Directive because of the general and indiscriminate collection of the data of the population: ‘the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter".

The EDPS points out that the EU legislator must ensure that it fully complies with the strict requirements laid down by the Court since the Court, applying the Charter, looks with great scepticism upon any measure which, like the Data Retention Directive, would ‘appl[y] to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime’.  

In the wake of recent terrorist incidents, governments in Europe are under pressure to take meaningful action. However, in a democratic society, the EDPS questions the necessity of collecting and storing excessive amounts of the personal information of all passengers in the EU. The legislator is encouraged to further explore if targeting resources and efforts on known suspects would be more effective than profiling all travellers.

Background information

Privacy and data protection are fundamental rights in the EU. Data protection is a fundamental right, protected by European law and enshrined in Article 8 of the Charter of Fundamental Rights of the European Union.

More specifically, the rules for data protection in the EU institutions - as well as the duties of the European Data Protection Supervisor (EDPS) - are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.

EDPS Strategy 2015-2019: Unveiled on 2 March 2015, the 2015-2019 plan summarises the major data protection and privacy challenges over the coming years and the EDPS' three strategic objectives and 10 accompanying actions for meeting them. The objectives are (1) Data protection goes Digital (2) Forging Global Partnerships and (3) Opening a New Chapter for EU Data Protection.

Personal information or data: Any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.

Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Processing of personal data: According to Article 2(b) of Regulation (EC) No 45/2001, processing of personal data refers to "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." See the glossary on the EDPS website.

Necessity and proportionality: See Article 29 Data Protection Working Party Opinion 01/2014 on the application of necessity and proportionality concepts and data protection within the law enforcement sector

Purpose limitation: personal information may only be collected for specified, explicit and legitimate purposes. Once it is collected, it may not be further processed in a way that is incompatible with those purposes. The principle is designed to protect individuals by limiting the use of their information to pre-defined purposes, except under strict conditions and with appropriate safeguards.