Czech DPA's opinion on the Commission's PNR directive proposal
The Czech Office for Personal Data Protection has substantial doubts about the usefulness of this project.
Reasons:
- Under the proposal, huge amount of personal information on all passengers flying into and out the EU shall be gathered without respect whether or not they are suspects. Collecting and processing of PNR data in the EU should not enable overall tracking of all travellers.
- So far, supporters have failed to demonstrate the usefulness and necessity of the proposed scheme in accordance with the Article 8(2) of the Council of Europe's Convention on Human Rights, or the Article 52 of the EU's Charter of Fundamental Rights. Furthermore, in the Explanatory Memorandum, there is a discrepancy between the statements on page 4 and the statistics of reported seizures on page 6 (Belgium and Sweden have not introduced PNR system and yet they reported drugs seizures due to processing of PNR data).
- So far, it has not been proven that other than API data are necessary in the action against terrorism and serious crime. Unlike API information, the PNR data are not verified and hence should they be regarded as unreliable.
- Definition of the term “serious crime” based on the specification in the Framework Decision on the European arrest warrant (that includes categories like computer-related crime or xenophobia) is rather wide, if not misleading, since the European arrest warrant has not been created for the PNR-related purposes.
- The data items listed in the Annex to the proposal are specified too generally, many of them implicitly including further subsets of data.
- Pro-active use of PNR data means performing analysis and creating assessment criteria by individual Member States. The criteria are not clear on the basis of which suspects shall be identified.
- The extent of collected data seems to be excessive when taking into account the paragraphs 2 and 3 above. The retention period of 5 years is disproportional even if the data shall be masked out.
- Implications of potential reciprocity requirements have not been considered sufficiently. The European PNR model could result in similar requirements being raised reciprocally by non-democratic, corrupt countries that do not provide adequate level of protection of fundamental rights and freedoms, including personal data. PNR data in possession of such states could pose serious problem.
- Sea and border crossing points will remain unprotected by the PNR measure, a fact leading to the assumption that terrorists and criminals will most likely be using these entries rather than airports. Moreover, after the introduction of the PNR system, probability of bypassing will increase whilst the effectiveness of the system will lower. The Commission as well has expressed this concern in their Impact Assessment.
- With regard to paragraph 5 above, the proposed solution seems to be disproportional also in relation to financial costs and administrative burden for the air carriers as well as the public sector that will have to establish the Passenger Information Units (PIU) and equip them with software, hardware, and qualified staff. Open remains the question of who will cover the expenses of air carriers for installation of the EU PNR push system as well as the annual costs arisen on the airlines side.
- The Czech DPA is strongly opposed to the intention of extending the system on intra-EU flights as being proposed by the UK. Spreading the PNR scheme on flights within the EU would mean processing of yet other loads of personal data. The more in case of this program concrete evidence should be delivered of the necessity and proportionality. Moreover, there are alternative means of transport enabling to bypass simply and at reasonable costs the internal PNR system. Also, we remind of the principle of free movement within the EU.
- It is not clear how the PIU's negotiating mandate shall look in case of PNR data transfers by air carriers established outside the EU.
- Despite critical opinion, the Czech DPA is willing to participate in talks on the directive proposal with striving to minimize negative impacts on the privacy of individuals.
______________________________________________________________
1 Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
Prague, 14 February 2011