
Europe's plan to collect airline passenger data raises privacy concerns

Directive aims to strengthen intelligence sharing following recent terrorist attacks, but critics say it goes too far

The European Parliament yesterday passed an initiative that will enable EU intelligence agencies to collect and share information on airline passengers, as lawmakers move to tighten border security amid concerns over privacy. The Passenger Name Record (PNR) directive, approved by a large majority, aims to facilitate information sharing among EU member states and close some of the intelligence gaps that terrorists have exploited.

Under the directive, European security agencies will have access to information on all passengers traveling in and out of the EU, including their names, email addresses, itineraries, passport data, and how they paid for their tickets. This data is already collected by airlines, but the directive will make it mandatory for them to share it with intelligence agencies. The information will be stored for up to five years, and can be shared with law enforcement upon request.

The measure had been fiercely debated for five years, and gained momentum following terror attacks in Brussels last month and Paris last year. It passed on Thursday by a vote of 461 to 179, with nine abstentions. Supporters say the system will allow intelligence agencies to identify suspicious travel patterns in and out of Europe, and to share that information more efficiently. An estimated 6,000 people have already left Europe to join ISIS in Syria and Iraq.

Timothy Kirkhope, a conservative British member of the European Parliament who led negotiations on the legislation, told reporters this week that the PNR would "identify the routes used by criminals and terrorists and prevent individuals from reaching their intended destinations or targets." French Prime Minister Manuel Valls, who lobbied lawmakers to act swiftly following the November attacks in Paris, described the PNR as "an extra means we will have to be effective in the fight against terrorism."

The directive is expected to come into force next month, and governments will have two years to set up data collection systems, known as Passenger Information Units (PIUs). The UK already has such a system in place and says it will adhere to the directive immediately, while France, Italy, and other EU countries are implementing similar systems. For flights from Europe to the US, airlines are already required to share passenger information with the Department of Homeland Security.

Debate over the PNR directive had been weighed down by concerns over privacy. The EU reached a compromise over data retention in December, agreeing to the five-year limit and moving to anonymize passenger information after a period of six months, though agencies will be able to unmask that data by request for anti-terror investigations. Governments will have the option of sharing passenger data on intra-EU flights, as well.

Privacy groups have expressed alarm over the legislation, raising concerns that it could be used to profile passengers and questioning its effectiveness in combating terrorism or other crime. The EU Agency for Fundamental Rights has called for closer statistical analysis to evaluate the efficiency of the system and prevent discrimination. The European Digital Rights (EDRi) organization has pointed out that authorities were already tracking the travel of those involved in the November attacks in Paris, and has argued that the five-year retention period is excessive. In 2014, the European Court of Justice struck down a directive that had allowed telecoms to retain phone data for up to two years on the grounds that it violated privacy rights.

Dr. Gus Hosein, executive director of the London watchdog organization Privacy International, says the directive will have "massive" implications for bulk data collection in Europe, adding that lawmakers are "looking for quick and easy solutions" to the threat of terrorism. "As one of the most mobile populations, Europeans are now going to be subject to constant surveillance just because they travel," Hosein said in an email. In his view, data collection should be limited to "targets and suspects."

"Europe will be swimming in data on all people, all in response to attacks undertaken by individuals known to authorities," Hosein said.