December 27, 2011
On 13 December 2011 the Council gave its consent to the signing of a new EU-US agreement on Passenger Name Records (PNR). From the Council’s press release we learn that it will replace the existing one, which has been provisionally applied since 2007, and that now it is the European Parliament that has to give a green light to the PNR agreement. Only then can the Council adopt a decision.
The basic purpose of the transatlantic agreement is to “ensure security and to protect life and safety of the public” (Article 1). From the preamble, we learn that the parties, while recognizing, being mindful of, and acknowledging the obligations to protect fundamental rights, agreed on concluding the agreement. This is because they “desire to prevent and combat terrorism effectively as a means of protecting their respective democratic societies and common values.” All available contact information and baggage information, but also, for instance, meal preferences as well as trade union membership, are supposed to be of much help.
It comes as no surprise that legal measures introduced under the banner of fighting terrorism are scrutinized from the point of view of individual freedoms. In the case of the PNR agreement, too, many European bodies expressed discontent with the proposal.
On 9 December 2011 the European Data Protection Supervisor (EDPS) issued an opinion on the subject. The EDPS enumerates a number of provisions that raise doubts. In his view the purpose of the agreement is not specified enough, the list of PNR data is too broad, the retention period is excessive, and finally the procedure concerning data security breaches is not clarified enough.
European think tanks also raised objections. For example, PANOPTYKON enumerates legal and technical deficiencies of the agreement and underscores that the rights of an individual guaranteed in the agreement do not correlate with the obligations of the state parties (for example, according to PANOPTYKON, while it is stated that individuals should be able to access data that concerns them, the agreement does not create an actual obligation on the side of the airlines or the states to grant such a request).
It is hard to resist the impression that all these objections sound familiar. A couple of months ago, in a different context, the EDPS issued an opinion in which it was pointed out that the Data Retention Directive, introduced in order to increase the security and safety of citizens, does not meet standards concerning the right to privacy and personal data protection. The EDPS highlighted that he had repeatedly pointed out that in the light of guaranteeing the right to privacy and personal data protection he sees no need to retain data in such a wide scope. In this context, the EDPS recalled a need to justify whether data retention is indispensable and proportionate.
The dialogue between institutions representing different interests should be welcomed. It is only natural that the EDPS, as well as watchdog organizations whose main goal is to critically monitor the state and alert the public whenever there is a chance of a breach of fundamental rights, are especially sensitive to all proposals that carry such a risk.
What comes as a surprise, however, is the duality of approach represented by EU institutions themselves. During the same week the Council gave a green light to the PNR agreement, the European Parliament called for a review of EU counter-terrorism policies. The Commission is supposed to evaluate the ten years of counter-terrorism activities. This evaluation should focus on examining whether the measures taken to prevent and combat terrorism in the EU have been evidence-based and not based on assumptions. From this it clearly follows that attempts to regulate the use and transfer of PNR data should be based on a thorough impact assessment. This however has never been done.
On the one hand, acts adopted by the European Parliament give the impression that the MEPs have the best interest of the citizens in mind and are indeed “mindful” of the right to privacy and their obligation to protect our data. On the other, the Council concludes an agreement that clearly (despite all the declarations in the preamble) puts a strangely understood safety, which takes the form of the compulsion to collect as much information about citizens as possible, over the obligation to protect their privacy.
One can only hope that the European Parliament’s concern about the protection of EU citizens’ right to privacy will be voiced, and that the MEPs will think twice before giving their consent to a law which will result in yet another loss on the side of privacy protection.
Zuzanna Warso, lawyer at Europe of Human Rights

Author: Europe of Human Rights