300 million non-suspects could be caught up in airline passenger info grab, warns privacy chief


European law makers are looking to collect and store information on all airline travelers – a move that breaches EU privacy laws, the data protection supervisor has warned.

The so-called PNR (passenger name record) scheme has again risen from the dead after Members of the European Parliament (MEPs) declined to pass it three times: in 2007, in 2011 and again in 2013.

If it’s passed this time around, airlines would be forced to store all the data about passengers they collect, including sensitive, personal information such as racial or ethnic origin, political opinions, religious beliefs, email addresses, credit card details, phone numbers, and even what meal choices travelers make – be it, for example, halal or kosher.

That data would then be up for grabs by security agencies, who say they need it to prevent, detect, investigate and prosecute “serious crime”.

The PNR rules would apply to air carriers and non-carriers alike, including travel agencies and tour operators of “international flights”, i.e. those to or from the EU, according to amendments added by the parliamentary committee.

Each member state would also potentially be allowed to decide individually to include intra-EU flights.

More than 300 million non-suspect passengers could be caught in the dragnet operation, European Data Protection Supervisor (EDPS) Giovanni Buttarelli said in an opinion issued last week:

The EU PNR scheme as proposed would cover at least all flights from and to the EU, which would concern more than 300 million non-suspect passengers potentially targeted by the EU PNR Proposal.

The EU PNR Proposal entails an interference with the fundamental rights of a very large number of air passengers, without differentiation, limitation or exception being made in the light of the objective of fighting against serious crime and terrorism.

This general and indiscriminate manner to collect the data of the population was already retained by the Court as a basic element for its reasoning in [the European Court of Justice's Digital Rights Ireland judgement of April 2014].

That ruling, referred to as DRI, struck down the controversial Data Retention Directive because it was disproportionate and breached the right to privacy.

The proposed PNR scheme goes too far, the EDPS wrote:

As an independent institution, we are not a priori in favour of or against any measure. However, according to the available information, no elements reasonably substantiate the need for the default collection of massive amounts of the personal information of millions of travellers.

Buttarelli said that the EU needs to justify “why a massive, non-targeted and indiscriminate collection of data of individuals is necessary and why that measure is urgently needed.”

As it is, the PNR scheme was already deemed unnecessary and disproportionate in 2011, and there hasn’t been sufficient evidence put forth since then to change that decision, the EDPS said.

What’s more, the intelligence gaps that have led to incidents such as the Paris terrorist attacks – incidents that spurred lawmakers to try the data-collecting scheme yet again – have nothing to do with airline passengers, he said:

Various recent events in the EU demonstrate intelligence gaps unrelated to air travellers … targeting resources and intensifying efforts on known suspects would in some cases be more effective than profiling by default millions of travellers.

Rather than embracing the massive scale of the PNR collection and storage plan, Buttarelli encouraged lawmakers to optimize the existing platform, database and alert systems, as well as to explore other investigation techniques:

Necessity and proportionality are essential prerequisites for the legitimacy of any intrusive measure. We encourage the legislators, in assessing the necessity of such a measure, to further explore the effectiveness of new investigative approaches as well as of more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries.

As it is, the EU already has PNR agreements with the US and Australia.

MEPs are currently talking with national ministers to finalize the legal text of the PNR plan.

But as The Register notes, the plan could in fact wind up before the courts, as did the Data Retention Directive.

Image of luggage in airport terminal courtesy of Shutterstock.com