The personal details of hundreds of millions of passengers travelling in and out of the European Union will soon be routinely logged and stored by airlines for up to five years, under draft rules agreed by the European Parliament.
The new law, which was approved by MEPs last week, is designed to help with the fight against serious transnational crime and terrorism. But critics say it will result in the mass harvesting of innocent people’s data, including everything from their home addresses and credit card details to their dietary requirements and seat numbers.
The necessity of the new scheme has already been questioned by Giovanni Buttarelli, the European Data Protection Supervisor, who said he was uncomfortable with the idea of mass surveillance and that targeting specific categories of flights, passengers and countries may be more effective. He is set to give a formal opinion on the law in September.
“If this summer, if you fly to Sardinia, do you think this information is essential for the prevention of terrorism? I’m still waiting for the relevant evidence to demonstrate, even in terms of the amount of money, and years to implement this system, how much it is essential,” Mr Buttarelli told the EU Observer website.
The new law, known as the EU Passenger Name Record (PNR) directive, has been under discussion since 2011 and has already been rejected by MEPs once. But it was revived following the terrorist attacks in Paris and Copenhagen and was narrowly approved by the European Parliament’s Civil Liberties Committee after numerous safeguards were added.
A rise in the number of Europeans travelling to Syria and Iraq to join the Islamic State terrorist group has increased the pressure on the European Parliament to act. The rules will only apply to passengers booked on flights originating outside the EU, or those departing for countries outside the bloc. The information will only be accessed if a serious crime is suspected, such as human and drug trafficking, child sexual exploitation or money laundering as well as terrorism.
Each passenger’s data will be stored on a central database for 30 days, before being redacted so they are no longer identifiable. However, the information will be retained for up to five years and can be “unmasked” after a request by authorities. After five years, it will be permanently deleted.
Timothy Kirkhope, the Conservative MEP for Yorkshire and The Humber who played a key role in drafting the new rules, told The Independent that the committee had introduced “a hell of a lot” of safeguards to ensure the protection of passenger data, which he was confident would meet the approval of Mr Buttarelli.
“This is a vitally important tool in terms of dealing with the threats we get now, not only from terrorists, but also from major criminals,” he added. “The media has tended to concentrate on the issue of ‘foreign fighters’ or terrorists, which is a relevant factor, but it’s not the only one – it may not even be the major one.”
The UK already operates its own PNR system, which records the details of passengers flying into and out of the country. But Mr Kirkhope said this was “not adequate” to deal with cross-border threats, which may require the rapid exchange of information between police forces.
The EU data collection scheme already has the backing of both David Cameron and Theresa May, the Home Secretary, who are keen to go one step further and make the law apply to all European flights. Talks with national governments will now be held before the EU PNR comes into force, likely to be at the end of the year.
Civil liberties groups raised concerns about the plans. “The indiscriminate collection of sensitive and highly personal details of any individual flying in or out of the EU continues to raise concerns despite the approval of the Civil Liberties and Justice Committee,” said Renate Samson, chief executive of Big Brother Watch.
“That the data of all passengers can be stored for up to five years on a centralised, searchable database continues to run the risk of contradicting EU data retention laws, particularly with regards to the violation of privacy.”
Explainer the EU passenger name record directive
The EU Passenger Name Record directive was approved by the European Parliament’s Civil Liberties Committee last week, after an earlier draft failed to win the support of MEPs. The details of millions of passengers travelling into and out of EU member states – but not between them – will have to be recorded by airlines and stored for up to five years.
As the data collected will come straight from airline bookings, it could include a passenger’s contact information, travel routes, computer IP address, hotel bookings, credit card details and dietary preferences.
After being gathered by airlines and travel agents, the data will be stored on a central database for 30 days, before being redacted so individuals are no longer easily identifiable. But the information will be retained for up to five years and can be “unmasked” upon request by authorities. After five years, it will be permanently deleted.
It is hoped that the information will help Interpol and police forces in EU member states to track criminals and fight terrorism. But civil liberties groups have raised concerns about the mass harvesting of innocent people’s details.
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies