EU data protection chief: Snaffling all air traveller data goes too far

Europe’s data protection tsar has warned law-makers that collecting and storing information on all airline travellers risks breaching EU privacy laws.

The so-called PNR (passenger name record) scheme is back on the table after being rejected by MEPs in 2013. The plan is to force airline operators to store every scrap of information they collect about passengers – including sensitive and personal information such as email addresses, credit card details, phone numbers, meal choices (halal, kosher, etc) – for use by security agencies.

Yesterday, Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), said that the current draft of the law goes too far.

Security agencies say they need the information for the “prevention, detection, investigation and prosecution of terrorist offences and serious crime”, but with the scheme likely to cover at least all flights to and from the EU, and possibly intra-EU and/or domestic flights, more than 300 million non-suspect passengers could be caught in the dragnet operation.

“As an independent institution, we are not a priori in favour of or against any measure. However, according to the available information, no elements reasonably substantiate the need for the default collection of massive amounts of the personal information of millions of travellers,” said Buttarelli.

“Necessity and proportionality are essential prerequisites for the legitimacy of any intrusive measure. We encourage the legislators, in assessing the necessity of such a measure, to further explore the effectiveness of new investigative approaches as well as of more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries,” he continued.

He also referred to the ruling by the European Court of Justice last year, which struck down the controversial Data Retention Directive because is was disproportionate and breached the right to privacy.

The EDPS said he has seen no justification meaning that “the massive, non-targeted and indiscriminate collection of passengers' personal information is necessary”.

The EU already has PNR agreements with the US and Australia. Members of the European Parliament are currently in talks with national ministers to nail down a final version of the legal text. However, like the Data Retention Directive, it could well end up before the courts. ®