U.S. Congressional briefing

Europe approves privacy-invasive PNR Directive and privacy-protecting GDPR in one day

Today’s contradiction: MEPs vote to ratify a directive that will endanger the privacy of millions, while voting in new data protection laws

Brussels, BE – Earlier today, the European Parliament ratified new data protection rules as envisioned under the General Data Protection Regulation (GDPR), a text that has been under negotiation for over four years. While this should be cause for privacy advocates to celebrate, in the same plenary session, the parliamentarians approved the Passenger Name Record (PNR) Directive, which will allow the creation of massive databases containing personal information about everyone who travels into, across, or out of Europe. This directive will negatively impact the privacy of millions of people, both in Europe and around the world, and open the door to data theft, misuse, abuse, and profiling. Yet no evidence has been shown in the parliament to demonstrate that it will prevent terrorism or stop crime.

“Access Now denounces the approval of this disproportionate pseudo-security measure,” said Estelle Massé, Policy Analyst at Access Now. “The PNR Directive will likely do little to enhance security, instead growing exponentially the collection and retention of individuals’ private data, and exposing them to risks such as identity theft and data misuse and abuse. This will harm the fundamental rights of individuals in Europe and around the world.”

PNR records contain private information such as the flights travellers have booked, the people they are travelling with, their personal credit card details, and so on. Under this new law, this sensitive information will be indiscriminately collected and stored by government authorities for a maximum of five years. Yet history shows that this kind of data collection and retention can lead to profiling, which disproportionately affects vulnerable people and communities.

Since the European Parliament already rejected the PNR proposal only three years ago, today’s approval appears to be no more than a knee-jerk reaction to the current political climate. It runs counter to today’s positive vote on the GDPR, and starkly contradicts the opinion of the European data protection working party, which voiced its discontent earlier this year.

In contrast, the GDPR sets an overall positive precedent for data protection standards across the EU. It provides a mostly harmonised, directly applicable set of rules to be uniformly enforced across the EU, which will benefit individuals and businesses alike. This legislation introduces the welcome concept of data protection by design and by default,  the aim of which is to promote a privacy-friendly approach to the development of new services.

“It is a bittersweet day in the EU. Many of us would like to celebrate the adoption of the GDPR and the assurances it brings, but the ratification of the PNR Directive casts a shadow over civil liberties, stretching well beyond European borders,” added Massé.


Media contact

Estelle Massé, EU Policy Analyst, Access Now

[email protected]