Opinion of the European Economic and Social Committee on the ‘Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime’

COM(2011) 32 final — 2011/0023 (COD)

2011/C 218/20

Rapporteur-General: Mr RODRÍGUEZ GARCÍA-CARO

On 2 March 2011, the Council decided to consult the European Economic and Social Committee, under Article 304 of the Treaty on the Functioning of the European Union, on the

Proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

COM(2011) 32 final – 2011/0023 (COD).

On 14 March 2011, the Committee Bureau instructed the Section for Employment, Social Affairs and Citizenship to prepare the Committee's work on the subject.

Given the urgent nature of the work, the European Economic and Social Committee appointed Mr Rodríguez García-Caro as rapporteur-general at its 471st plenary session, held on 4 and 5 May 2011 (meeting of 5 May), and adopted the following opinion by 80 votes to two with seven abstentions.

1.   Conclusions

1.1   In the present opinion, the European Economic and Social Committee expresses some reservations regarding the proposal for a directive, and voices its concern that the often-cited choice between security and freedom or, in more practical terms, stepping up security at the expense of citizens' rights, with regard to personal data, must under no circumstances run counter to the general principles underpinning fundamental personal rights.

1.2   The EESC agrees with the general opinion of the European Data Protection Supervisor, the Article 29 Working Party on Data Protection, the European Fundamental Rights Agency and the European Parliament. Moreover, we do not believe that the proposal provides sufficient evidence of the need for blanket, indiscriminate use of the PNR data of all citizens travelling on international flights. We therefore view the planned measure as disproportionate.

1.3   In particular, the EESC backs the observation made by the European Data Protection Supervisor in its most recent opinion on the proposal to the effect that PNR data should not be used systematically and indiscriminately, but rather on a case-by-case basis.

1.4   The EESC considers that the option of a centralised single Passenger Information Unit, instead of the decentralised Member State-based option as set out in the proposal, could be less costly for airlines and for the Member States themselves, and could allow for better supervision and control of the personal data contained in the PNR, by preventing repeated transmission of such data.

2.   Introduction to the proposal for a directive

2.1   The purpose of the proposal for a directive is to regulate the transfer by air carriers of Passenger Name Record (PNR) data from international flights to or from the Member States, as well as the processing and exchange of such data between the Member States and with third countries. It sets out to harmonise Member States' provisions on data protection with a view to using PNR data to combat terrorism (1) and serious crime (2), as defined by Community law.

2.2   The proposal includes a definition of the ways in which the Member States can use PNR, the data that need to be collected, the purposes for which they may be used, the communication of the data between the Passenger Information Units of the various Member States, and the technical conditions for such communication. Hence the choice of a decentralised system for the collection and processing of PNR by each State.

3.   General comments

3.1   As the legitimate representative of organised civil society, the EESC is ideally placed to express its opinion. It is therefore grateful to the Council for the optional referral to the EESC of the proposal in question.

3.2   The proposal for a directive that the Council has referred to the EESC could be described as representing prior harmonisation of Member State legislation in this area, since the majority of the Member States have no specific rules on the use of PNR data for the purposes set out in the proposal. The EESC therefore considers it appropriate to establish a common legal framework to which the Member States' legislation should be adapted, in such a way that guarantees and certainty of data protection for citizens are identical throughout the Union.

3.3   In the light of the proposal's content, what we are looking at is legislation allowing a wide range of data about millions of citizens who have never committed any of the offences set out in the directive, and who never will, to be processed and analysed. This means that data concerning absolutely normal people will be used to establish the profiles of dangerous criminals. The EESC believes that we face a choice between security and freedom or, in more practical terms, stepping up security at the expense of citizens' rights where personal data are concerned.

3.4   Due to the proposal's lengthy gestation, key stakeholders in this field have been able to express a wide range of qualified opinions on several occasions. Since the Commission's adoption in 2007 of the draft Council Framework Council Decision on the use of PNR data, a predecessor of the proposed directive, comments have been made by the European Data Protection Supervisor (3), which in March of this year issued a further opinion on the new text, the Article 29 Working Party on Data Protection which also published an opinion in April of this year (4), the Fundamental Rights Agency and the European Parliament, which adopted a resolution on the 2007 proposal (5), and is involved in the legislative procedure regarding the present proposal under the terms of the Treaty on the Functioning of the European Union.

3.5   The EESC agrees with the general opinion of all these qualified stakeholders. Moreover, we do not believe that the proposal provides sufficient evidence of the need for blanket, indiscriminate use of the PNR data of all citizens travelling on international flights. We therefore view the planned measure as disproportionate, particularly since in the grounds for the proposal, it is recognised that ‘… at EU level, detailed statistics on the extent to which such data help prevent, detect, investigate and prosecute serious crime and terrorism are not available’ (6). For this reason, the EESC strongly agrees with the comment made by the European Data Protection Supervisor to the effect that PNR data should not be used systematically and indiscriminately, but rather on a case-by-case basis.

3.6   In keeping with the above, and reflecting the EESC's earlier opinions, the present opinion recalls the following recommendation set out in the opinion on the Communication from the Commission to the European Parliament and the Council – An area of freedom, security and justice serving the citizen (7): ‘Security policies must not jeopardise the fundamental values (human rights and public freedoms) or democratic principles (the rule of law) that are shared throughout the Union. Personal freedom must not be curtailed under cover of the objective of collective and state security. Some policy proposals repeat the mistake of earlier times: sacrificing freedom to improve security’.

3.7   In any case, whatever the text that finally emerges from the legislative procedure, it must provide the strongest possible guarantees for the confidentiality and protection of the personal data contained in the PNR, in compliance with the principles enshrined in Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (8) and in Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (9). The exceptional nature of the provisions must under no circumstances run counter to the general principles underpinning fundamental personal rights.

3.8   Nevertheless, and given that the proposal for a directive represents unarguably exceptional use of personal data, the EESC considers that the highly exceptional provisions contained in Articles 6 and 7 should be scaled back as far as possible in order to prevent the improper use of their exceptional nature: requests for data not covered by the general rules set out in Articles 4 and 5 of the proposal must always be reasoned.

3.9   With a view to guaranteeing that data are used only for the purposes contained in the draft directive, and that it is always possible to know who has access to the PNR databases or processed data, the text of the proposal should introduce a compulsory traceability system so that the agents or authorities that have had access to the data, and the data processing or handling that they have been engaged in, can be identified.

4.   Specific comments

4.1   Article 3

In a globalised world, the content of recital (18) is hard to understand, except in terms of justifying the option taken in Article 3 to adopt a decentralised model. The EESC believes that this model may add to the costs of air carriers, as they will have to transfer data to the units of all the states in which an international flight may make a stop-over. Similarly, it will enable personal data to be processed and transferred by a number of units. This system would not appear to be distinguished by its compatibility with the criteria of effectiveness and efficiency that should be sought by all.

4.2   Article 4(1)

The EESC proposes that the following sentence be added at the end of paragraph (1) of the article: ‘… and shall inform the air carrier accordingly so that it no longer transfers such data’. In our view, as soon as an anomaly is detected, immediate instructions should be issued for its correction.

4.3   Articles 4(4) and 5(4)

The EESC considers that there is a discrepancy between the wording of the two articles. Article 4(4) states that the Passenger Information Unit of a Member State is to transfer the processed data to the competent authority on a case-by-case basis. Article 5(4), however, provides that PNR data and the result of the processing of PNR data received from the Passenger Information Unit may be further processed by the competent authority. We consider that this obvious contradiction must be resolved or further clarified so that it does not provide room for interpretation.

4.4   Article 6(1)

As argued in point 4.1, the EESC considers that this system of transferring data to different Passenger Information Units adds to air carriers' administrative burden, just at a time when calls are being made for this burden to be lightened, and increases their operating costs, which could have an impact on consumers through the final price of tickets.

4.5   Article 6(2)

With regard to the security and protection of personal data, the EESC considers that transfer ‘… by any other appropriate means …’ in the event of technical failure of electronic means is not entirely suitable. We urge that clearer details be given of what means of transfer can be used.

4.6   Article 6(3)

We believe that the wording at the beginning of the paragraph would be made more effective by removing the word ‘may’ so that application of the article is not left to the Member States' discretion. The sentence would then begin as follows: ‘Member States shall permit air carriers …’.

4.7   Articles 6(4) and 7

The EESC considers that Article 6(4) and the whole of Article 7 usher in a succession of provisions of a progressively more exceptional nature, moving away from the ‘case-by-case’ transfer of data as set out in Article 4(4) and shifting to virtually universal transfer where all parties are entitled to transfer and receive PNR data information. Article 7 is a compendium of exceptions to the rule.

4.8   Article 8

If the most exceptional possible circumstance – represented by transfer of data to third countries that can, in turn, transfer to them to other third countries – is to be avoided, the article should specify that the transfer is to occur once the data have been processed by the Passenger Information Unit or the competent Member State authority, which is then to transfer them to the third country, and exclusively on a case-by-case basis.

4.9   Article 11(3)

For the same reason as set out with respect to Article 4(1), the EESC proposes that the following sentence be added at the end of the paragraph: ‘… and the Passenger Information Unit shall inform the air carrier accordingly so that it no longer transfers such data’.

4.10   Article 11(4)

It would be logical to place the traceability system, as proposed by the EESC in point 3.9 of the present opinion, in this article, so that those accessing the information at any time are recorded.

(1)  OJ L 164, 22.6.2002, p. 3.

(2)  OJ L 190, 18.7.2002, p. 1.

(3)  OJ C 110, 1.5.2008.

(4)  Opinion 145 of 5.12.2007 and Opinion 10 of 5.4.2011.

(5)  P6_TA (2008) 0561.

(6)  COM(2011) 32 final, p. 6.

(7)  EESC opinion on the Communication from the Commission to the European Parliament and the Council – An area of freedom, security and justice serving the citizen, OJ C 128, 18.5.2010, p. 80.

(8)  OJ L 350, 30.12.2008 p. 60.

(9)  OJ L 281, 23.11.1995 p. 31.