A new draft text on an EU system for the use of Passenger Name Record (PNR) data, tabled by lead MEP Timothy Kirkhope (ECR, UK), was discussed in the civil liberties committee on Thursday morning.
An evaluation of the necessity and proportionality of the proposal in the face of current security threats, its scope (list of offences covered), retention periods, the inclusion or exclusion of intra-EU flights, the connection with the on-going data protection reform, as well as the consequences of the EU Court of Justice judgement annulling the 2006 data retention directive, were among the issues discussed by MEPs.
The 2011 Commission proposal would require more systematic collection, use and retention of PNR data on passengers taking “international” flights (those entering the EU from, or leaving it for, a third country), and would therefore have an impact on the rights to privacy and data protection.
The changes proposed by Timothy Kirkhope in the revised draft report include:
- the scope of the proposal is narrowed to cover terror offences and serious “transnational” crime (the list of specific offences includes, for instance, trafficking in human beings, child pornography, trafficking in weapons, munitions and explosives);
- sensitive data to be permanently deleted no later than 30 days from the last receipt of PNR containing such data by competent authorities. Other data will continue to be masked after 30 days;
- the inclusion of intra-EU flights (not initially included by the Commission, but the Council of the European Union favours the inclusion of internal EU flights);
- 100% coverage of flights (the Commission text proposed to reach 100% coverage of international flights in gradual steps);
- access to the PNR data continues to be allowed for five years for terrorism, but is reduced to four years for serious crime;
- each EU member state should appoint a data protection supervisory officer;
- persons who operate security controls, who access and analyse the PNR data, and operate the data logs, must be security cleared, and security trained;
- references are made in the text to the EU Court of Justice judgment on data retention and to the current EU data protection rules;
- the period for member states to transpose the directive is extended from two to three years (given the specific technological and structural demands of setting up an EU PNR system for each member state).
The deadline for MEPs to table amendments to Mr Kirkhope’s text is 18.00 on 25 March.