What is the EU PNR Directive?
PNR stands for Passenger Name Records. These are data records about a person who takes a flight. According to the EU PNR Directive ((Directive (EU) 2016/681)), every person who flies to or from the EU must be recorded in a database. In Austria, data on flights within the EU is also recorded. In addition to the flight data, the stay in the host country (e.g. hotel and address) or the rental of a car can also be recorded. Also stored is data on how long one stays in a country and how one has paid for the trip (credit card data). All of this data must be forwarded twice by the airlines to a government agency: once before the flight and once after the arrival. After six months, the data is depersonalised; however, this means only that the passenger's full name is deleted. The data potentially can still be traced back to a certain person, therefore it is not anonymous. The data is then only completely deleted after a full five years.
This data, completely independent of any suspicion, is automatically and constantly filtered by the system algorithmically for "anomalies". Hits are reported to the authorities, who also have manual access to it. A comparison with other databases also takes place. Access to the data is granted to police authorities, secret services and the Office for the Protection of the Constitution of the respective country, as well as Europol. The information can be exchanged within the EU with other member states.
In addition to the EU, there are other countries that store data on air travellers. For example, in the USA these data sets are more comprehensive and are stored for 3.5 years, although there is now a call for an extension of the storage period. Some advocates of passenger data retention even want it to be retained for 30 years.
Why was the PNR Directive introduced?
Following the attacks of September 11th, many measures were taken worldwide to ensure air safety and prevent terrorist attacks with and on aircraft. According to the PNR Directive, not only data from people who fly in and out of one of the EU countries is stored, but also data from stopovers. So if you are on your way from South America via Europe to Asia, your data will be stored in the EU for six months - in the country where the stopover takes place.
Why is the PNR Directive problematic?
Uninitiated stockpile grid searches and mass monitoring without suspicion
The retention of PNR data is another form of data retention, the violation of which has already been established three times by the European Court of Justice, - most recently in 2017, when it was decided that the exchange of PNR data with Canada violated the right to privacy (Art 7 GRC) and the fundamental right to data protection (Art 8 GRC). We therefore consider the PNR Directive to be contrary to fundamental rights. Processing and storage are carried out without cause or suspicion. Every person is treated with suspicion and all are placed under general suspicion.
In Austria, at least 54 million data records per year are to be processed in the final stage of expansion, and in Germany 180 million people are expected to be affected.
With this data, the police will carry out a grid search on stock, i.e. without any suspicion. This is completely new for the Austrian legal system and is a massive constitutional problem because it opens the door to police investigations without any cause.
Mass monitoring is less efficient than expected
Mass surveillance is often postulated to contribute to the prevention or investigation of criminal offences, but it has not been proven successful and is seldom justified by arguments. Even in countries where mass surveillance has existed for many years, terrorist attacks and crimes are neither prevented nor solved. On the contrary, high-ranking officials of secret services tell of the experience that too much data makes analysis more difficult.
Discrimination by non-transparent algorithms
The risk of discrimination and automated misinterpretation of data is not adequately addressed. If a personal record meets certain criteria, it is considered a "hit". The law does not clearly exclude the possibility that individuals may (wrongly) end up as suspects on lists that are then passed on to police authorities in other countries solely on the basis of algorithms./p>
While discriminatory traits may not be part of the criteria being searched for, algorithms often disguise the use of such sensitive traits by relying instead on placeholders, such as the selection of food on the plane as a placeholder for religion.
Moreover, if the algorithms used are not disclosed, it is impossible to verify them. When decisions are made by algorithms (e.g. on the setting of surveillance measures), there is a lack of transparency and accountability, which presents serious problems for democracy and rule-of-law.
False positives
With data sets of enormous size, as is the case with passenger data, a large number of false positives occur, even with high algorithmic accuracy. There is no way around this mathematically, because in a very large data set you search for something that is very rare. All algorithmically generated hits must be individually checked by one person according to the guideline. This should be done, for example, by a comparison with data from other databases. This is a further investigative measure which expressly also affects persons against whom there is no well-founded suspicion, as it is precisely these individuals who will be sorted out by the process. So you start from the bottom up: Everyone is monitored, there are very many hits, and even more of these have to be sorted out manually.
According to an answer by the Austrian Ministry of the Interior to a parliamentary inquiry, currently 490 “alleged hits” appear daily on average, all of which need to be verified. Extrapolated, this would come to about 3,340 hits per week. Contrary to this number, there were only 51 hits that were confirmed and only 36 cases in which, according to the Ministry of the Interior, significant information concerning cases in the areas of “serious crimes” and “counter terrorism” could be transmitted. Further, there were only a mere 30 cases in which officers could intervene directly at the airport. All told, this means that only 0.1 % of hits are actually correct.
What data is stored?
1. Passenger data booking code details, 2. Date of booking and ticket issue, 3. Scheduled departure date or dates, 4. Passenger's surname, maiden name, first name and academic degree, 5. Passenger's address and contact details, including telephone number and e-mail address, 6. All types of payment information, including the billing address, 7. The entire itinerary for certain passenger data, 8. Details of the frequent flyer entry, 9. Details of the travel agency and the clerk, 10. Passenger's travel status, including travel confirmations, check-in status, missed flights, and passengers with a ticket but no reservation, 11. Information on split and split passenger data, 12. General information, including any available information on unaccompanied minors, such as name, sex, age and languages of the minor, name and contact details of the person accompanying the minor on departure and the relationship between that person and the minor, name and contact details of the person collecting the person and the relationship between that person and the minor, accompanying airport staff on departure and arrival, 13. Ticket data, including ticket number, date of issue, single flight and automatic fare display, 14. Seat number and other seat information, 15. Information on code sharing, 16. Complete baggage details, 17. Number and names of passengers in the context of passenger data, 18. Any enhanced passenger information (API data) collected, including type, number, issuing country and expiry date of identity documents, nationality, surname, first name, sex, date of birth, air carrier, flight number, date of departure and arrival, airport of departure and arrival, time of departure and arrival; and 19. all previous changes to the passenger data listed under items 1 to 18.
How far is the implementation of PNR in Austria?
(status 7/15/2019)
Currently in Austria, ten aviation companies are connected to the PNR system. Ultimately, however, all 91 commercial aviation companies with a flight permission in Austria should be connected to it. The data processing is done by the Passenger Information Unit or PIU (in Austria the „nationale Fluggastdatenzentralstelle“), which currently employs 21 people. For 2019 the personnel costs are expected to be 1,840,570 euros, and in 2020 they are projected to be 1.78 million euros according to the Ministry of the Interior. However, this does not at all leave out the possibility that the number of employees will rise when all of the remaining aviation companies connect to the system. In 2018 there were 296,852 starts and landings in Austria, an increase of 5.4 percent in comparison to the year before. Thus, the number of data sets could increase extensively in the future.
The first aviation company connected to the system on February 1st, 2019. During the three-and-a-half-month period from then until the 14th of May, 7,633,867 data sets were transmitted by aviation companies and 38,269 flights were registered and processed. This data is saved on a server architecture in the Ministry of the Interior. Currently 20 employees of the PIU have access to it.
Our main criticisms of the Austrian implementation of the PNR Directive
In Austria, the PNR Act was passed to implement the Directive and has been in force since 16 August 2018. The Act established a Passenger Data Centre at the Federal Criminal Police Office, which is now responsible for data processing.
We have already issued a parliamentary statement on the drafting of the law.
- EXTENSION TO INTERNAL EUROPEAN FLIGHTS: The Minister of the Interior was also authorised to issue an ordinance stipulating that passenger data be stored for intra-European travel, although this is not mandatory. Here, the EU requirements are overfulfilled. The so-called "gold plating", i.e. the over-fulfilment of directives, is particularly inappropriate in the area of personal data.
- INSUFFICIENT DATA PROTECTION: The draft does not comply with the data protection provisions of the directive itself or with the other EU requirements for data protection at police authorities. In Austria, for example, information obligations, the right to information and protection against non-automated hit checks are inadequately designed.
What we are doing about the PNR Directive
We have already successfully challenged the retention of data in connection with communications data and would now also like to tilt passenger data processing by legal means.
Our project partner is the Gesellschaft für Freiheitsrechte (GFF) iin Germany. The GFF is filing both a civil suit against selected airlines and an administrative complaint.
We have a data protection complaint with the data protection authority with the aim of obtaining a referral to the European Court of Justice before the Administrative Court. This complaint has already been rejected, therefore our next step is to file a complaint with the Federal Administrative Court. The complaint to the Federal Administrative Court contains two main criticisms of the PNR legislation: firstly, we consider the Directive itself to be contrary to fundamental rights and, secondly, we consider the Austrian implementation of the Directive, i.e. the PNR Act, to be far too far-reaching. Read here what the complaint contains.
Press mentions on this topic
Title | Date | Publication | Publication details | Type of publication | Mentioned |
---|---|---|---|---|---|
EuGH: Verarbeitung von Fluggastdaten beschränken | 06/21/2022 | Vorarlberg Online | Web | yes | |
EuGH: Verarbeitung von Fluggastdaten beschränken | 06/21/2022 | Salzburger Nachrichten | Web | yes | |
EuGH-Entscheidung zu Flugpassagierdaten rückt näher | 05/16/2021 | FM4 | Web | yes | |
Abkommen zur Datenweitergabe EU-USA wackeln | 09/06/2020 | FM4 | Web | yes | |
Mängel bei der Umsetzung der Richtlinie über die Verwendung von Fluggastdaten | 07/27/2020 | Netzpolitik.org | Web | yes |