EU dispatch: new EDPS opinion on airline passenger data addresses privacy and cross-border crime concerns

Law students from the European Union are reporting for JURIST on law-related events in and affecting the European Union and its member states. Tara O’Sullivan is a law student at Maastricht University. She files this dispatch from Maastricht, Netherlands.

The European Data Protection Supervisor (EDPS) has issued an Opinion on two legislative proposals from the European Commission that relate to the collection and transfer of advance passenger information (API). API is airline passengers’ data and personal information, often collected during airport check-in. The Opinion issued February 8 refers to such data being transferred to Member States’ law enforcement authorities.

Assuring quality border control and preventing terrorism are key to safeguarding the EU’s so-called ‘open border system’. EU travelers are essentially able to travel between Member States freely. The right to freedom of movement is guaranteed by Article 21 of the Treaty on the Functioning of the European Union (TFEU). Due to war and similar crises, migrants sometimes flee to nearby EU Member States in hopes of support and of finding a place to rebuild their livelihoods. EU Member States aim to support neighbouring countries and often support immigrants, whether their arrival into a Member State was legal or not. But these situations naturally result in illegal smuggling of persons, goods, and weapons across Member State borders. API is therefore gathered to keep tabs on people entering and exiting Member States.

Specifically, the EDPS assesses in the Opinion whether the use of personal data is in accordance with the EU’s Passenger Name Record (PNR) Directive. This directive contains rules on the collection of passenger data and how that data can be used in the battle against terrorism and cross-border crime. It also includes the ruling of the recent CJEU case ‘Ligue des droits humains’. This case required that the PNR be limited to only what is necessary.

Data from flights between EU countries are highlighted in this Opinion. The EDPS assesses the necessity and proportionality of collecting and transferring such information. But the Opinion provides more explicit recommendations. It suggests that the Proposals should clarify that, in the case of technical difficulties when transferring API data, that data must be deleted from all information systems.

Overall, the EDPS recommends that the co-legislators harmonise the criteria for the selection of EU flights from which API data is collected. Secondly, the EDPS recommends that the API Law Enforcement Proposal ensures safety of API data collected for crime prevention and anti-terrorist purposes, or that the API Border Management Proposal refers to security and safety rules. Finally, the Opinion recommends clarification in the API Border Management Proposal, specifically on the obligation of transferring API data when a flight code is shared across many air carriers.

Wojciech Wiewiórowski, Supervisor, said in an EDPS press release following the opinion: “API data may not be as intrusive for the right to private life and protection of personal data as the full PNR datasets considered by the Court in its ruling. However, in line with the fundamental rights guaranteed in the EU Charter of Fundamental Rights, including the right to free movement, processing of API data must also be limited to what is strictly necessary…. Therefore, I call for harmonised criteria for the selection of intra-EU flights, from which API data should be collected, to avoid divergent practices amongst EU countries.”

The European Data Protection Supervisor (EDPS) is an independent institution of the EU. It is responsible under Article 52(2) of Regulation 2018/1725 for ‘ensuring that the fundamental rights and freedoms of natural persons and in particular their right to data protection are respected by Union institutes and bodies’, and under Article 52(3) for ‘advising Union institutions and bodies and data subjects on all matters concerning the processing of personal data’. The EDPS aims to raise awareness of risks and protect people’s rights and freedoms when it comes to the collection, transfer, and processing of their personal information.

Wojciech Wiewiórowski began his five-year term as Supervisor on December 6th 2019. He was appointed by a joint decision of the European Parliament and the Council.

The two legislative proposals in question are the API Border Management Proposal, which aims to facilitate effective border checks and combat illegal immigration, and the API Law Enforcement Proposal, which focuses on the prevention, detection, investigation and prosecution of terrorist offences and serious crimes. Both proposals were issued by the European Commission on December 13th 2022.

The Commission must consult the EDPS on such proposals, as per Article 42(1) of Regulation 2018/1725, which states that the Commission shall ‘following the adoption of proposals for a legislative act, of recommendations or of proposals to the Council pursuant to Article 218 TFEU or when preparing delegated acts or implementing acts, consult the EDPS where there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data’.

Hopefully, the EDPS Opinion will be considered by legislators working on the makeup of these Proposals. I think that the EDPS’s suggestions will highly benefit the value of both the API Border Management Proposal and the API Law enforcement Directive. As for the API Border Management Proposal, I believe the Opinion will furthermore enhance the effectiveness of border control, battling illegal immigration. It will provide much more clarification and completely eradicate the current “API Directive” (Council Directive 2004/82/EC). Equally, with the use of the Opinion, I hope the API Law enforcement Directive will again be clarified. Also, I expect the inclusion of new customs when dealing with more technical situations as mentioned and recommended by the EDPS. Moreover, this proposal aims to complement the existing “PNR Directive” (EU Directive 2016/681).

I feel confident about the EDPS’s recent opinion and its impact on passenger security. With the inclusion of these proposals in EU legislation, I predict that the frequency of cross-border crimes, illegal smuggling and terrorism will be curtailed. The future of data information safety looks like a positive one.