European Ombudsman surveillance

Was Passenger Name Record data exploited to kidnap Belarusian journalist? Access Now calls for EU investigation

Update: October 6, 2021 — There is still no sufficient outcome to Access Now’s request for an investigation into the potential role data disclosure between the EU and Belarus played in the grounding of Ryanair flight FR4978, and kidnapping of Belarusian journalist Raman Pratasevich, and partner, Sofia Sapega. 

On September 27, European Commissioner Ylva Johansson partially answered some questions raised in the letter sent on August 25, and indicated that “based on information gathered […] neither have the Belarusian authorities requested [Lithuania and Greece] to provide [PNR] information, nor have these Member States provided any data.”

Access Now welcomes the initial reply, and will continue to follow up with the Commission to understand how this investigation was conducted, and to request answers to the original additional questions regarding the potential sharing of PNR data via other data sharing agreements, including Interpol.

Read the Commission’s answer, and Access Now’s letter asking for complementary information.

August 25, 2021  Access Now is calling on Ylva Johansson, the EU Commissioner for Home Affairs, to investigate the possibility that disclosure of data between the EU and Belarus aided the grounding of Ryanair flight FR4978, and kidnapping of Belarusian journalist Raman Pratasevich, and partner, Sofia Sapega, on May 23, 2021.

The interception of the flight raises serious red flags around the potential exploitation of personal information such as Passenger Name Records (PNR), while also underscoring the lack of sufficient privacy and data protection safeguards in intergovernmental air service agreements — of which Belarus has with 47 states.

“We need to find out how Belarusian authorities knew that Raman Pratasevich and Sofia Sapega were on that flight, and are asking the EU to help shine a light on this disturbing and targeted ambush,” said Anastasiya Zhyrmont, Regional Outreach Coordinator (Eastern Europe & Central Asia) at Access Now. We must expose the ways governments can access and abuse passenger data — especially through air service agreements and Interpol access — and prevent the hands of authoritarian regimes from reaching political dissidents and independent journalists seeking safety in EU countries.”

Under the EU PNR Directive and its national implementing legislations, airlines and relevant Passenger Information Units are obliged to collect, store, and retain the personal travel records of anyone entering, travelling within, or leaving the EU. At the time of adoption of this Directive, Access Now warned EU policymakers that a number of measures were privacy-invasive and inherently disproportionate, and increased the risk of human rights abuses against activists and journalists.

The fact that Belarus has no direct PNR agreement with the EU, or working agreements with Europol and Eurojust, only fuels interest in how Belarusian authorities accessed Raman Pratasevich and Sofia Sapega’s travel itineraries.

“Access Now warned the European Commission of the serious risks Passenger Name Record frameworks pose to human rights when discussions were in their infancy,” said Estelle Massé, Senior Policy Analyst at Access Now. “And we may be witnessing the repercussions today. We must investigate what role, if any, PNRs’ data played in Belarus’ tracking and arrest of two international travellers mid-flight.”

Access Now is asking Commissioner Johansson to help answer a series of questions, including:

  • Did the Lithuanian or Greek Passenger Information Units receive a request from Belarus to transfer PNR data to national authorities? If so, did the authorities agree?
  • Can PNR data from intra-EU flights become available to Interpol, and can this data be reached by national law enforcement agencies?
  • Will the European Commission investigate any potential data sharing between Ryanair, EU authorities, and Belarusian authorities in connection with the incident?
  • Will the European Commission conduct a review of other data sharing schemes that could have been compromised or misused in this situation? 

Read the full letter.