Privacy Platform – Cracking the code: How to balance data security with public security >
Myth 1 – "The centre-left parties in the European Parliament are blocking an EU PNR Directive"
The file is not blocked at all. Negotiations between Parliament, Council and Commission are ongoing. All political groups are participating in the negotiations.
The European Parliament committed to concluding the file before the end of 2015, based on the mandate voted in the LIBE parliamentary committee in July 2015.
An earlier proposal was rejected by Parliament in 2013, as the majority considered there were insufficient safeguards.
However, Parliament and its members have the right, even the democratic duty, to take position, to set conditions, and to amend proposals from the Commission. Some national governments and some political groups in the EP seem to expect Parliament to simply sign a blank cheque. They label any dissenting political view as "blocking".
In addition, in a democracy, policies have to comply with legal standards. Politicians are not free to pass legislation outside the law, including case law. This is what the rule of law is all about. Compliance with the law and ECJ case law cannot be labelled "blocking" either.
We should not repeat the same mistake as in 2005, when the Data Retention Directive was passed in very similar circumstances, under great pressure from certain Member States, just three months after the London bombing. The Data Retention Directive was never properly implemented by the Member States, and it was invalidated by the European Court of Justice. National courts have annulled the national laws based on the Data Retention Directive. So we should not pass legally unsound laws.
Myth 2 – "Our lives are at risk if the EU PNR Directive is not voted immediately"
Data are already available: law enforcement and security forces have access to PNR and API data under other regimes, and they also have several other instruments at their proposal.
PNR data can be accessed in the context of a specific investigation, with a court order, as in any regular police or judicial investigation, or intelligence operation. The EU PNR Directive is only about the mass collection of PNR data, not about accessing individual passenger records in the context of a specific investigation.
In addition, some member states have their own national PNR schemes, or are in the process of setting up a national scheme. 14 Member states have actually received EU funds for the setting up of such a scheme (f.ex: France has received 18 million euro).
For the identification of suspects, the authorities have access to API data (Advance Passenger Information, essentially passport and ticket information, available under EU Directive (2004/82/EC).
There are also other sources, such as the Schengen Information System, the Visa Information System, Eurodac, ECRIS and more.
In practically all terrorist attacks in the past 14 years, the terrorists were already known to the intelligence services and the police. All information on the travels by airplane of those perpetrators was also known. The problem was never that the authorities did not have access to the PNR data of suspects. The real problem is that the available information is not shared between agencies and between countries.
Myth 3 – "Parliament is an obstacle to starting the collection of PNR data immediately"
The Member States and a majority of groups in Parliament insist on a Directive, rather than a Regulation. However, a Directive will have to be transposed and implemented by the 28 Member States. That will take at least two years, probably more. If one or more Member States fail or refuse to implement, as is often the case, the added value of an EU system is undermined.
ALDE had therefore proposed a Regulation, that would enter into force immediately, and that would not require national implementation. It would have the additional advantage of guaranteed sharing of information. But Council and a majority of groups in the EP chose for the Directive, thereby effectively delaying the introduction of an EU PNR system.
Myth 4 – "Privacy concerns are an obstacle to using PNR data"
All political groups recognise that the use of personal data is an important instrument for law enforcement and security. But that is entirely compatible within the limits of the law.
The right to privacy and the right to data protection are fundamental rights. They are not just a social convention, but legally enforceable rights, enshrined in the Treaties, laws and the Charter of Fundamental Rights. They are on a par with, for example, the right to life, freedom of expression or the ban on torture. None of these rights can simply be side-lined.
In the case of PNR, data protection concerns are for example:
- the purposes for which the data may be used must be clearly defined (in a list of crimes)
- the use of personal data must be necessary and proportionate, and based on law
- data should not be retained for longer than necessary. The retention periods must be established on the basis of objective criteria
- sensitive data (like health data, religion or political affiliation, sexual orientation)
- the right of passengers to know what data are being held, and the right to correct those data
- as PNR data will be used largely for profiling, it must be guaranteed that no (adverse) decisions are taken only on the basis of that profiling
- Data must be stored in a secure manner
- There must be clear rules on who will have access to the data
- Data must be masked out or anonymised as soon as possible
Such rules do not prevent or unduly restrict the use of passenger data, but they do ensure adequate protection for the rights of citizens.
Myth 5 – "An EU PNR Directive could have prevented the attacks in Paris"
The perpetrators of the attacks in Paris in January and in November were known to the authorities. Their movements, including travel by plane to places like Syria and Pakistan, were also known. An EU PNR Directive would not have added anything.
What would have made a real difference, is if information had been shared between the French and Belgian authorities. That is why Parliament has repeatedly called for improved information sharing. In the case of the EU PNR Directive, ALDE proposals for mandatory information sharing were endorsed by LIBE. It concerns sharing of the results of data analysis, not sharing of all raw PNR data. But Member States refuse. In view of the repeated intelligence failures from 9/11 onwards, it is incomprehensible that Member States are refusing the clause on mandatory information sharing. That refusal is a big obstacle to reaching an agreement on a Directive.
Myth 6 – "Electronic mass surveillance helps predict terrorist activity"
PNR data are used mainly for behavioural analysis, the analysis of patterns of criminal activity, etc.
That can be very useful for spotting potential drugs traffickers or traffickers in human beings. But it is virtually useless for predicting terrorist activity.
PNR data can be very useful as additional information, once there is already a lead on a suspicious activity or a suspect. It can help "connecting the dots": finding associates of a suspect or getting information on his/her movements and contacts. It may give information about credit cards, addresses or travel patterns.
Myth 7 - "Intra-EU flights must be included"
Intra-EU flights cover roughly 8% of all intra-EU traffic. 92% of travel is by car, train, bus, boat, motorbike, on foot or otherwise. So the added value would be very limited. In the context of specific investigations, such information can be accessed at all times by the authorities, on the basis of the regular procedures.
In the case of the Paris attacks, the terrorists travelled by car from France to Belgium. They were even stopped by the police, but not identified. It is clear that an EU PNR, including intra-EU flights, would not have made the slightest difference, but exchange of information between police forces would!