EU Parliament says no to EU PNR system

Today the European Parliament took a stand for fundamental rights. The Civil Liberties Committee (LIBE) rejected a European Commission proposal to allow the use of air travel Passenger Name Record (PNR) data for the investigation of serious crimes and terrorist offences within the E.U.

Under the E.C. proposal, air carriers would have been obliged to collect PNR data from passengers during reservation and check-in procedures for flights entering or leaving the E.U. The agreement would have mandated the collection of personal and sensitive data, such as name, date of birth and nationality, but also address, credit card information, telephone number, email address, and medical data–even meal choices and frequent flyer programme numbers.

Most troublingly, this information would have been retained in a personally identifiable format for 30 days, before being ‘anonymized’ and stored for further five year period. The proposal placed no limitations or prohibitions on the use of that data for profiling, seriously jeopardizing European citizens’ fundamental rights to privacy and free movement.

The proposal, which came to a vote today in the LIBE, was opposed by 30 of the 55 Members of the European Parliament (MEPs), an outcome that surprised many observers and human rights defenders.

Had the proposal passed, the system would have represented a step backward for fundamental rights such as non-discrimination, the right to privacy, and the protection of personal data (Article 8 of the Charter and Article 8 of the ECHR). Most damagingly, this blow would have come at the same time the European Commission is fighting to give European citizens better controls over their personal information through the proposal for a General Data Protection Regulation (DPR).

After the committee vote, proposal rapporteur Timothy Kirkhope (Conservative Party, U.K.) and other MEPs expressed concern about possible consequences for EU counter-terrorism policy, and asked that the matter be referred to the monthly Parliament Plenary sitting in Strasbourg, when all 754 MEPs come together. Other MEPs welcomed the outcome of the Committee vote, proposing that the Commission come up with a new proposal.

The MEPs who voted against the proposal stated they did so because of concerns about infringements on European passengers’ rights to privacy and freedom of movement. Additionally, they were hesitant to put in place a system that would have collected, processed, and retained huge amounts of data for up to 5 years before the Commission was has updated EU privacy standards through the ongoing DPR reform debate.

MEP Sophie in’t Veld (D66, Netherlands), associated with the ALDE bloc, made this argument, pointing out that both the European Data Protection Supervisor and the European Union Agency for Fundamental Rights had also questioned the proposals’ respect for the principles of ‘necessity’ and ‘proportionality’ as outlined in Article 52 of Charter of Fundamental Rights of the European Union.

Surprise about the outcome of the vote was based on last year’s Parliamentary approval of the privacy-invasive U.S. – E.U. PNR Agreement that, in the name of U.S. national security, gave a green light to a massive and indiscriminate collection of personal information. That agreement allowed for the transfer of passengers’ flight data to the US, where it is processed and stored for 15 years, far longer than the 30 days plus potential 5 years retention period of the rejected EU PNR proposal.

What’s the difference this time around? Last year’s U.S.-E.U. Agreement was supported by a strong lobbying effort from the U.S. Department of Homeland Security, backed up by repeated threats by U.S. authorities to suspend visa-free travel by E.U. citizens to the U.S.

The domestic E.U. PNR proposal was subject to no such arm-twisting, enabling the LIBE to do its job and defend the rights of E.U. citizens. It’s a victory for European rights, and bodes well for the prospect of a strong Data Protection Regulation outcome.