GDPR and PNR: That’s two massive acronyms in one day, so let’s get this out of the way for those just tuning in. The General Data Protection Regulation (GDPR) is a tangibly positive step for data and privacy protection across the European Union. The Passenger Name Records (PNR) Directive is a violation of that protection and infringes on the fundamental rights of anyone — and everyone — travelling through, in, or out of Europe.
An obvious clash of interests? Onward to more details!
The calm
Earlier today, the European Parliament ratified the GDPR, a regulation aimed at upgrading the EU data-protection rules for the digital age. The GDPR will replace the 1995 Data Protection Directive and harmonise data protection — its terms and conditions — across EU member states. The implementation of this regulation arrives with impeccable timing, given the ongoing EU-US Privacy Shield negotiations and increasingly turbulent data retention debate. It will improve transparency and certainty, and empower individuals; you can read our December post, GDPR – What tidings do ye bring? for an in-depth analysis of what is to come.
The storm
In the same plenary session, the European Parliament has, in the face of mounting political pressure, passed the rights-harming, disproportionate PNR Directive.
Passenger Name Records data is the information you provide to air carriers and booking agencies when you make reservations and check in for a flight. These records have several different types of personal information about you, such as your travel dates, travel itinerary, ticket information, contact details, baggage information, credit cards details, information about the people you are travelling with, and so on. Every bit of this private information will be indiscriminately stored by government authorities for a maximum of five years. This makes everyone who travels in Europe vulnerable to data theft, misuse, or abuse — with potential personal harms ranging from credit card fraud to government profiling and surveillance.
The PNR Directive is supposed to be a tool to prevent serious crimes and terrorism, yet there is no evidence to show that mass collection and retention of our personal data will help catch criminals or keep anyone safe. Indeed, the European Parliament previously rejected the PNR proposal. Today’s decision to move forward with it amounts to no more than a knee-jerk reaction to the political climate after the terrorist attacks in Paris and Brussels. It runs counter to today’s positive vote on the GDPR and stands in stark contradiction to the opinion of the European data protection working party.
The splash: EU-Canada PNR case before the CJEU
The adoption of the PNR Directive is taking place at a time when the EU Court is currently considering the validity of another PNR framework: the EU-Canada PNR. Since 2014, the EU has been working to renew its PNR agreement with Canada, which has been in place since 2006. Like its European counterpart, this agreement has been in turbulent political and legal waters. The European Parliament has sent the agreement in front of the Court of Justice of the European Union, which will decide whether it is compatible with or violates broader EU law.
The hearing for this case took place earlier this month and judges from the CJEU raised significant concerns about the necessity and proportionality of the PNR mechanism and possible interference with the fundamental right to data protection. The Advocate General in the case is set to issue an opinion on 30th June 2016. There is hope for sunny skies yet!
What’s the damage, Captain?
The GDPR brings clarity regarding data and privacy protection for individuals across the EU. And although the PNR Directive was passed today, it has met with clear-eyed opposition throughout its legislative journey. Voices of discontent have come from the EU Data Protection Supervisor, the EU Fundamental Rights agency, Article 29 Data Protection Working Party, and European Digital Rights. Why the facts that these groups have highlighted have not served as a huge red flag for our lawmakers remains a mystery. We can only conclude that the current political climate is creating a distracting fog — one that we very much hope will lift.
If by now you are wondering how the EU can both strengthen and weaken its privacy on the same day, well, we are too. It appears that, once again, our lawmakers are partly failing to protect our fundamental rights. Will the sun come out tomorrow? The only hope now rests with the EU Court of Justice. We will see in you in Luxembourg, PNR.