Statement: EDPS supports EU legislator on security but recommends re-thinking on EU PNR

Europe is under attack. In the wake of new terrorist atrocities, the EU and the governments of its Member States are under pressure to take meaningful action.

More than ever, this is a time for solidarity in Europe; for the EU to stand united around our values and fundamental freedoms. The data protection community continues to offer its unconditional support in these difficult times and acknowledges that the EU needs to put reinforced measures in place to address the extraordinary difficulties facing Europe today.

Discussions on a possible Passenger Name Record (PNR) scheme within the EU have been developing since 2007 and an agreement is imminent. Unfortunately history is repeating itself. In his address to the LIBE committee on EU PNR in January following the Charlie Hebdo attacks in Paris, the European Data Protection Supervisor (EDPS) said that EU legislators were being tested "to learn lessons from the past and avoid investing energies on initiatives which are ineffectual or whose legality will be questioned". 11 months on, Europe finds itself at the same juncture.

An EU PNR scheme programme would be the first large-scale and indiscriminate collection of personal data in the history of the Union. Since it is likely to cover at least all flights to and from the EU and may also involve intra EU and/or domestic flights, millions of non-suspect passengers would potentially be affected by the EU PNR proposal.

The EDPS urges caution before such a scheme is agreed and recalls that the Court of Justice of the European Union defined a high threshold for the untargeted and indiscriminate collection of data in its decision on the Digital Rights Ireland case, which invalidated the data retention Directive. 

The EDPS as well as the group of data protection authorities in Europe, the Article 29 Working Party, do not oppose any measure which is targeted and for a limited period i.e. one that is truly necessary and proportionate.

In this respect, the data protection community continues to offer its support to the legislator in re-assessing the necessity and proportionality of any proposed measure, including EU PNR, to fight the complex issue of terrorism. We too believe that necessity and proportionality do not have fixed values and must be assessed in the context of current events and evidence.

However, these criteria are valuable in ensuring that only effective measures, which are robust enough to withstand judicial scrutiny and offer real protection, are adopted.

However, to apply the necessity and proportionality test, the evidence justifying EU PNR must be made available; so far, it has not been. Such evidence is of course a pre-requisite for its lawfulness and legitimacy.

Fighting crime and terrorism are clearly legitimate objectives, but any measure must respect the rule of law.

The EDPS recognises that the EU legislator is tasked with a difficult mission in the wake of the recent terrorist attacks and of balancing the various interests before adopting any intrusive measure.

However, in our capacity as an independent advisor to the institutions, the EDPS is duty bound to point out the serious impact of EU PNR on the rights to privacy and data protection, as we have already done in our Opinions on EU PNR. Our freedoms cannot be protected by undermining the right to privacy.

A lack of information or ways of collecting data, such as an EU PNR scheme were not key factors in preventing the terrorist attacks carried out by European citizens this year. Information about the perpetrators was already available through airlines, national authorities and others. In this respect there are a number of existing counter-terrorism measures that can be better used and which raise fewer data protection concerns such as access to large-scale IT databases for border control (SIS, VIS etc.) or Advanced Passenger Information (API) records by the border control agency, Frontex and the establishment of a European Counter-Terrorism Centre at Europol. The EDPS therefore urges the EU legislator to address the current weaknesses of information sharing and data analysis.

It’s time for new approaches on data gathering, analysis, cross border cooperation information sharing and use of existing systems among law enforcement bodies.  The EDPS also asks the EU to consider more targeted measures. For example, the EDPS would encourage the legislator to explore whether targeting resources and efforts on known suspects would be more effective than profiling all travellers. We strongly recommend that the legislator analyse ways to improve the use of dynamic, human intelligence rather than the fatally flawed automated intelligence that was relied upon prior to and since the recent attacks.

Such investigative approaches as well as more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries would be more legally robust and useful.

It is evident that terrorism is not a regional problem but a global one and as such it requires a global response. The EDPS calls on the legislator to encourage a consistent approach worldwide to address the unprecedented and serious terrorist threats.