Wishing “Bon voyage” to PNR agreements in Europe


Yesterday, the European Parliament voted by a large majority to refer the EU-Canada passenger name record (PNR) agreement to the Court of Justice of the EU (CJEU) to assess its compliance with the EU Charter of Fundamental Rights. Ever since the CJEU’s landmark ruling invalidating the Data Retention Directive last April, a number of ongoing and proposed agreements that include data retention schemes have been put under the microscope. Yesterday’s vote is the first of many steps toward ending indiscriminate and unlawful surveillance programmes in the EU.

You might be asking yourself, what’s PNR data? How does it impact fundamental rights? Why is yesterday’s vote a positive step? And what countries is the EU sharing or proposing to share PNR data with? Keep reading to find out!

What is PNR? 

PNR, or Passenger Name Records, are, in essence, data about your flight details. Every time we travel by plane, either the airline or the travel agent needs a series of data to proceed with our reservation, including itinerary, contact details, forms of payment, accompanying guests, and sometimes food preferences. All this information is stored in airlines’ databases for commercial purposes.

For at least the past ten years, governments have been seeking access to these passenger data and requesting additional information through far-reaching passenger name record (PNR) agreements. As some PNR data are regarded as useful in some investigations, governments are sharing these personal data with each other, often in the name of the “prevention, detection, investigation or prosecution of terrorist offences or serious transnational crime.”

Currently Europe has negotiated PNR data sharing arrangements with the US, Australia, and Canada, and is looking into developing an internal EU PNR agreement.

Meanwhile, civil society groups, the European Parliament and the EU data protection watchdog, the European Data Protection Supervisor, have repeatedly highlighted the lack of evidence (here, here and here) regarding the necessity and proportionality of this “massive and routine processing of data of non-suspicious passengers for law enforcement purposes.”

Through these agreements, personal data of millions of Europeans are being stored, retained, profiled, and accessed by governments — sometimes outside of the authorised scope — putting the fundamental rights of EU citizens at risk.

EU-Canada agreement

The first agreement with Canada was concluded in 2006, and is currently being renegotiated. Yesterday’s referral of the new draft agreement to the CJEU is a welcome step, and will likely result in greater clarity on the legality of PNR frameworks (or illegality, as the case may be).

This decision to refer the agreement to the CJEU was motivated by the court’s decision in April 2014 to invalidate the Data Retention Directive due to severe breaches of the fundamental rights to privacy and data protection. This landmark ruling not only put into question the data retention laws in place in EU member states, but also raised doubts regarding the validity of international agreements, such as PNR frameworks, which require the retention of passengers’ data.

EU PNR Directive

Proposed in 2011 by the Home Affairs department of the EU Commission, the EU Directive on the use of PNR would oblige air carriers operating flights between the EU and third countries to transfer PNR data to the national authorities in the member state of departure or arrival.

Simply put, the proposed agreement fails to comport with fundamental rights protections guaranteed under EU law. Most notably, the proposal would require all passenger data to be retained for five years, which appears to contradict the recent CJEU ruling on data retention. Indeed, the Fundamental Rights Agency, the Article 29 working party on data protection, and the EDPS, have all said the proposal lacks proportionality.

Despite a clear vote by the European Parliament’s Civil Liberties (LIBE) Committee to reject the agreement in April 2013, the proposal was sent back to the LIBE Committee by the European Parliament during a plenary vote in June 2013, and is now back on the Committee’s agenda. Debates on this proposal are expected to be relaunched in the next few weeks.

EU-US PNR agreement

The EU and the US negotiated a first agreement allowing for the exchange of PNR data back in 2004. This agreement was annulled by the CJEU in 2006, as both the decision to conclude this framework and the adequacy mechanism for the protection of personal data were not “founded on an appropriate legal basis.” Following the court ruling, an interim PNR agreement with the US was reached in 2006, and then replaced by a long term agreement agreed to in 2007.

The current agreement in place, a review of the 2007 framework, was adopted in 2011. The protection of EU citizens’ personal data under this agreement has been put into question on several occasions since its conclusion, most recently in the European Parliament’s inquiry report into mass surveillance conducted in the wake of the Snowden revelations. As part of this process, several Members of the Parliament raised serious concerns regarding unlawful access of the PNR database by the US government for purposes other than fighting terrorism. A full review of this controversial agreement by the EU and US authorities will take place in early 2015.

EU-Australia agreement

In 2008, the EU reached an agreement with Australia for the exchange of PNR data. This agreement was renewed in 2012 and is expected to be reviewed by 2019. Although it is considered to be one of the most limited PNR agreements, its validity under the Charter has never been tested. Therefore, in light of the recent CJEU ruling on data retention, we retain doubts as to whether this agreement would comport with the Charter.

Next steps

For eight years, EU citizens have seen their fundamental rights violated by the Data Retention Directive, which has now been struck down; the EU cannot risk exposing its citizens to such blatant violations once again. We therefore encourage the EU institutions to undertake a thorough review of all existing and proposed PNR agreements to ensure their compliance with the EU Charter of Fundamental Rights.

Access Now will continue to monitor and report on developments of PNR and related EU surveillance programmes. Stay tuned for updates!