We (probably) know where you’ll be next summer

It’s next summer. You’re about to board a plane to Rome, the famous Eternal City. You’re really looking forward to this holiday escape. But at the gate, the travel agent prevents you from boarding. “I’m sorry, but you’re not allowed to board.”

You’re shocked to the core. How on earth did you end up on a no-flight list to Europe? Perhaps a new law in Europe, the EU Passenger Name Records (PNR) Directive, had something to do with it.

What is the EU PNR?

The EU PNR Directive requires the creation of national databases storing personal information about everyone flying into or out of the European Union. It also allows member states to additionally store data from anyone travelling across the EU. This includes private information about your flight reservations, the people you’re flying with, your final destination, your personal credit card information, and much more.

This is indiscriminate and disproportionate storage of massive amounts of your personal information, and it creates a risk to your right to privacy. The database that this law proposes could be abused or misused, resulting in personal harms ranging from credit card fraud to government profiling.

Profiling is a technique that is used to analyse your personal data in order to make assumptions about you. Here, the range of assumptions can be quite broad. Are you likely to travel next month? Where to? Whom will you meet? History shows that this type of profiling disproportionately affects vulnerable people and communities, such as religious, ethnic, or other minority groups.  Yet this profiling is enabled and authorised under the EU PNR Directive.

Is PNR necessary?

Proponents of the EU PNR try to minimise the risks of this measure, claiming that it will increase security in the EU, at a time when the political context is creating intense pressure to “do something” about terrorism. France, which has suffered three terrorists attacks in 2015, is one of the main proponents of this law.

However, no evidence has been shown to prove that increasing mass surveillance of innocent people will increase security. While the stated objective of the EU PNR Directive is to help the fight terrorism and other undefined “serious crimes”, it appears to be unnecessary for protecting people in the EU. Several databases that track the movements of air passengers already exist. The efficacy of these existing databases remain untested, yet in the most recent attacks, authorities knew when and where terrorists had travelled to foreign countries. In other words, these databases do not appear to have helped prevent the attacks.

EU PNR will not necessarily increase the cooperation between law enforcement authorities in the EU. While the recent attacks on EU soil have demonstrated the need for intelligence agencies to share information about suspects, the EU PNR does not require the sharing of information about potential suspects or even identified suspects between countries.

Europe needs a solution to its security crisis. Sharing evidence on suspects between law enforcement authorities — not increasing mass surveillance of innocent people — would be a first step toward that goal.

The EU PNR Directive would add more hay to the surveillance haystack, piling on the private information of millions of innocent passengers and putting their privacy at risk — and in all likelihood making it harder to find the needle. It is likely to cost EU taxpayers millions, while making it harder for law enforcement to do their jobs.


PNR is not the answer we need. Take a few minutes now to tell Members of the European Parliament to say NO!


Who is saying NO to this PNR approach?

The EU Data Protection Supervisor

The EU Fundamental Rights agency

The Article 29 Data Protection Working Party

European Digital Rights