The call to build national databases of so-called passenger name records (PNRs) has become louder since the recent terror attacks in Paris in which 17 people were killed. EU countries have argued that storing data about who has flown where, and when, would help law enforcement with the prevention, detection, investigation and prosecution of terrorist offenses and serious transnational crime.
The plan is for airlines to send data collected during reservation and check-in procedures, including travel itineraries, ticket information and contact details, to an authority of the relevant country. That authority would be responsible for analyzing the data and sharing its analysis with other competent authorities, including those in other countries.
While some countries, such as the U.K., already have a PNR database, others don't, and there is no system in place to share that information. EU heads of state and government agreed during an informal meeting on terrorism on Thursday to go ahead with the plans for an EU-wide system.
"We have agreed on new priorities in the fight against terrorism. What is needed most is agreement on the exchange of passenger records within the European Union. We need this soon," said Donald Tusk, president of the European Council, the institution that is composed of EU heads of state and government, in a news release.
The heads of state urged EU legislators to urgently adopt a strong and effective European PNR directive with solid data protection safeguards.
Data protection is a key issue here. An earlier proposal to introduce a system to exchange passenger data between EU countries was rejected by the European Parliament, one of the EU legislative bodies, in 2013 out of concern that it would violate fundamental rights. But since the attacks, the European Commission has been working on a compromise to convince the Parliament to go ahead with the plan, promising better privacy protection.
This seems to be working. Ahead of the Council meeting, the Parliament adopted a resolution on Wednesday in which it pledged to work "towards the finalization of an EU PNR directive by the end of the year." The Parliament wants to ensure, though, that data collection and sharing are based on a coherent data protection framework offering legally binding personal data protection standards across the EU.
Opponents of the flight database plan have questioned its legality since it has a similar law enforcement goal to an EU directive invalidated by the EU Court of Justice (CJEU). The court invalidated the Data Retention Directive, which required communications providers to retain information about the destination and duration of communications, because it interfered with fundamental privacy rights.
The usefulness of a PNR system has also been questioned by opponents, who argue that such a system would not have prevented the Paris attacks.
By pushing for an EU PNR directive, the Parliament is backing plans for more data centralization and more data storage without a cause, while ignoring the jurisprudence of the CJEU, said Alexander Sander, managing director of German digital rights group Digitale Gesellschaft, in a Wednesday blog post.
In the Parliament, only the Green party still opposes an EU PNR system. Instead of investing an estimated €500 million in illegal surveillance of air passengers, it wants the money spent on field work and cooperation between police and security authorities.
However, being only a small party, the Greens are likely to lose this battle.
Meanwhile, the EU heads of state also agreed that law enforcement should step up information sharing and operational cooperation, while countries should also deepen cooperation of security services. Additionally, authorities should step up action to trace financial flows and to freeze assets used for financing terrorism. Detecting and removing Internet content promoting terrorism in cooperation with Internet companies is also a priority for the member states.
The next step for the proposals will be in April, when the Commission will present its security plans. The Council will report on the detailed implementation of the proposed measures in June.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com