What is the EU PNR Directive?
Why is the PNR Directive problematic?
What data is stored?
Our main criticisms of the Austrian implementation of the PNR Directive
What we are doing about the PNR Directive
What can you do about the PNR policy?
PNR stands for Passenger Name Records. These are data records about a person who takes a flight. According to the EU PNR Directive (Directive (EU) 2016/681), every person who flies to or from the EU must be recorded in a database. In Austria, data on flights within the EU are also recorded. In addition to the flight data, the stay in the host country (e.g. hotel and address) or the rental of a car can also be recorded. How long one stays in a country and how one has paid for the trip (credit card data) are stored as well. All these data must be forwarded twice by the airlines to a government agency: once before the flight and once after the arrival. After six months, the data is depersonalised, but this only means that the full name is deleted. The data can potentially still be traced back to a specific person, so they are not anonymous. The data are only completely deleted after a full five years.
This data is automatically and continuously filtered by algorithms for "anomalies", completely independent of any suspicion. Hits are reported to the authorities, who also have manual access to them. A comparison with other databases also takes place. Access to the data is granted to police authorities, secret services and the Office for the Protection of the Constitution of the respective country as well as Europol. The information can be exchanged within the EU with other member states.
In addition to the EU, there are other countries that store data on air travellers. In the USA, for example, these data sets are more comprehensive and are stored for 3.5 years, although there is now a call for an extension of the storage period. Some advocates of passenger data retention even want it to be retained for 30 years.
Why was the PNR Directive introduced?
Following the attacks of 11 September, many measures were taken worldwide to ensure air safety and prevent terrorist attacks with and on aircraft. However, not only data from people who fly in and out of one of the EU countries are stored, but also data from stopovers. So if you are on your way from South America via Europe to Asia, your data will be stored in the EU for six months - in the country where the stopover takes place.
Suspicionless dragnet searches on stockpiled data and mass surveillance without suspicion
The retention of PNR data is another form of data retention, which the European Court of Justice has already found to violate fundamental rights three times, most recently in 2017, when it decided that the exchange of PNR data with Canada violated the right to privacy (Art. 7 of the EU Charter of Fundamental Rights) and the fundamental right to data protection (Art. 8 of the Charter). We therefore consider the PNR Directive to be contrary to fundamental rights. Processing and storage are carried out without cause or suspicion. Every person is treated as a suspect and all are placed under general suspicion.
In Austria, at least 54 million data records per year are to be processed in the final stage of expansion, and in Germany 180 million people are expected to be affected.
The police will run dragnet searches over this stockpiled data, i.e. without any suspicion. This is completely new for the Austrian legal system and a massive constitutional problem because it opens the door to police investigations without any cause.
Mass monitoring is less efficient than expected
Mass surveillance is often claimed to contribute to the prevention or investigation of criminal offences, but this has not been proven and is seldom backed by arguments. Even in countries where mass surveillance has existed for many years, terrorist attacks and crimes are not prevented or solved any more often. On the contrary, high-ranking secret service officials report from experience that too much data makes analysis more difficult.
Discrimination by non-transparent algorithms
The risk of discrimination and automated misinterpretation of data is not adequately addressed. If a personal record meets certain criteria, it is considered a "hit". The law does not clearly exclude the possibility that individuals may (wrongly) end up as suspects on lists passed on to police authorities in other countries solely on the basis of algorithms.
While discriminatory traits may not be part of the criteria being searched for, algorithms often disguise the use of such sensitive traits by relying instead on proxies, such as the choice of meal on the plane as a proxy for religion.
Moreover, if the algorithms used are not disclosed, it is impossible to verify them. When decisions are made by algorithms (e.g. on the setting of surveillance measures), this lack of transparency is a serious democratic and rule-of-law problem.
With data sets of enormous size, as is the case with passenger data, a large number of false positives occur, even with high accuracy. There is no way around this mathematically, because in a very large data set you are searching for something that is very rare. According to the Directive, all algorithmically generated hits must be individually checked by a person. This should be done, for example, by a comparison with data from other databases. This is a further investigative measure which expressly also affects persons against whom there is no well-founded suspicion, because it is precisely these who are to be sorted out by the process. So the process works from the bottom up: everyone is monitored, there are very many hits, and most of these then have to be sorted out manually. In Germany, a request to the Ministry of the Interior revealed that out of 94,098 hits through the PNR system, only 277 were correct.
1. Passenger data booking code details,
2. Date of booking and ticket issue,
3. Scheduled departure date or dates,
4. Passenger's surname, maiden name, first name and academic degree,
5. Passenger's address and contact details, including telephone number and e-mail address,
6. All types of payment information, including the billing address,
7. The entire itinerary for the passenger data concerned,
8. Details of the frequent flyer entry,
9. Details of the travel agency and the clerk,
10. Passenger's travel status, including travel confirmations, check-in status, missed flights, and passengers with a ticket but no reservation,
11. Information on split and divided passenger data,
12. General information, including any available information on unaccompanied minors, such as name, sex, age and languages of the minor, name and contact details of the person accompanying the minor on departure and the relationship between that person and the minor, name and contact details of the person collecting the minor and the relationship between that person and the minor, accompanying airport staff on departure and arrival,
13. Ticket data, including ticket number, date of issue, one-way flight and automatic fare display,
14. Seat number and other seat information,
15. Information on code sharing,
16. Complete baggage details,
17. Number and names of passengers in the passenger data record,
18. Any advance passenger information (API data) collected, including type, number, issuing country and expiry date of identity documents, nationality, surname, first name, sex, date of birth, air carrier, flight number, date of departure and arrival, airport of departure and arrival, time of departure and arrival; and
19. All previous changes to the passenger data listed under items 1 to 18.
In Austria, the PNR Act was passed to implement the Directive and has been in force since 16 August 2018. The Act established a Passenger Data Centre at the Federal Criminal Police Office, which is now responsible for data processing.
We have already issued a parliamentary statement on the drafting of the law.
- EXTENSION TO INTERNAL EUROPEAN FLIGHTS: The Minister of the Interior was also authorised to issue an ordinance stipulating that passenger data be stored for intra-European travel, although this is not mandatory. Here, the EU requirements are overfulfilled. The so-called "gold plating", i.e. the over-fulfilment of directives, is particularly inappropriate in the area of personal data.
- INSUFFICIENT DATA PROTECTION: The draft does not comply with the data protection provisions of the directive itself or with the other EU requirements for data protection at police authorities. In Austria, for example, information obligations, the right to information and protection against non-automated hit checks are inadequately designed.
We have already successfully challenged data retention in connection with communications data and would now also like to overturn passenger data processing by legal means.
Our project partner is the Gesellschaft für Freiheitsrechte (GFF) in Germany. The GFF is filing both a civil suit against selected airlines and an administrative complaint.
We are lodging a data protection complaint with the data protection authority, with the aim of obtaining, before the Administrative Court, a referral to the European Court of Justice.
Make your own complaint!
You can complain about the PNR policy yourself. The only requirement is that you have flown to or from Austria with Austrian Airlines in the last 6 months. All other airlines will be connected to the system gradually.
To do this, you must go through the following steps:
- Let us know that you want to participate. We will be happy to answer any questions you may have.
- Make a request for information. In this way you can see in advance which data will be stored.
- We will publish our complaint here shortly, along with instructions on what you need to do to make a complaint yourself.
It will cost you neither money nor time, apart from filling out various forms (information requests, etc.). Unfortunately every single step can take some time, so patience is a prerequisite. ;)
Support our campaign!
Support our European campaign on nopnr.eu by sharing our postings, talking and discussing with friends, acquaintances and relatives, etc.!