This article belongs to the debate » 9/11 und die Überwachung im öffentlichen Raum
21 December 2021

The European PNR framework and the changing landscape of EU-security

1. Travel information for security risk profiling

Since May 2018, travelers booking or embarking on a flight to, from or within the European Union have been classified into risk categories in order to assess the likelihood of their involvement in criminal or terrorist activity. The legal basis for the assessment is provided by Directive (EU) 2016/681 on the use of passenger name record data, in short the PNR Directive. The assessment is carried out in Member States by national Passenger Information Units (PIUs), usually run by Law Enforcement Agencies (LEAs, in Germany the BKA). A crucial aspect of the PNR Directive is that the data processed in order to assess the individual risk of each traveler neither rely on criminalistic information nor originate from LEAs' criminalistic databases. Instead, the raw data processed to generate the risk assessment consist of travel-related information provided by travelers to travel agencies and air carriers while booking a flight ticket or as part of the check-in procedures. These data include name, address and contact information such as telephone and email, itinerary, payment details like form of payment and billing address, the travel agency that performed the booking, seat number, baggage information, other accompanying persons and a free-text field for additional and general information. The risk assessment is not targeted at selected travelers (who, for instance, have a criminal record), but is performed for all travelers. Indeed, the very ambition of the PNR framework is to identify potential suspects previously unknown to the authorities.

The PNR Directive has thus introduced important changes into existing EU approaches to security that could expand in the years to come. This shift in security conceptions and practices has the potential to redefine core societal values such as privacy, fairness and human autonomy.

2. The collection and processing of flight passenger data in the aftermath of 9/11

The introduction of the PNR Directive is part of the transformations of security practices that have taken place since 9/11. In 2004, on the initiative of the USA and as part of their counter-terrorism measures, the EU concluded an agreement with the USA on the transfer of PNR data. After this was declared null and void by the ECJ due to its incorrect legal basis, two new agreements were concluded. The last of them, dating back to 2011, is still in force. It regulates the transfer of data of passengers traveling from the EU to the US authorities, but not vice versa, so that authorities in EU countries who want access to the data must submit a request to the relevant U.S. authority.1) The non-reciprocity of the data transfer has been one prominent argument for the introduction of the EU's own PNR regime.

Thus, already in 2007, the EU Commission adopted a proposal for the introduction of an EU PNR framework (COM(2007) 654 final, 06.11.2007), which was reworked and presented anew in 2011 (COM(2011) 32 final, 02.02.2011). Both proposals were met with criticism from the EU Parliament and other EU institutional representatives. In 2013, the Parliament formally rejected the 2011 proposal and the legislative process was thus at first put on hold (Doc. A7-0150/2013). The terrorist attacks of January 2015 in Paris, however, created a political climate more favorable for the resumption of the negotiations, which in April 2016 led to the adoption of the PNR Directive.2) Since then, all EU Member States, with the sole exception of Denmark and with the addition of the United Kingdom, have implemented the Directive.

Concerns regarding the potential incompatibility with the Charter of Fundamental Rights of the EU, however, are not definitively off the table. In 2017, the ECJ already declared that a then envisaged PNR agreement with Canada could not be concluded because of the incompatibility of several provisions with EU fundamental rights (Opinion 1/15 of 26.07.2017). The question whether and to what extent the reasoning of the previous ECJ decision also applies to the EU PNR framework has not yet been fully clarified, nor has the question about potential fundamental rights infringements originating specifically from the PNR Directive. Several requests for a preliminary ruling on the compatibility of the PNR Directive with fundamental rights, and especially the rights to respect for private and family life and to data protection, have been submitted to the ECJ (C-817/19, C-148/20 to C-150/20, C-215/20, C-222/20 and C-486/20), whose decision is still pending.

3. The novelty of the PNR Directive and its ethical implications

In the EU, the link between mobility control and the prevention and prosecution of crime is at least as old as the Schengen treaties. Indeed, the oldest EU criminal database, the SIS, was created in the aftermath of the Schengen Agreements as a “compensatory measure” to the perceived loss of security in connection with the relaxation and abolishment of border checks within the Schengen area. Since then, EU databases and information exchange among Member States have increased steadily.3)

The PNR Directive nevertheless marks a shift within the EU security landscape. First of all, the PNR framework goes beyond establishing a connection between mobility and criminality control and makes mobility-related data the very source of indicators for criminal or terrorist behavior or intent. This loose link between the risk criteria and criminal or terrorist activity is a second aspect distinguishing the PNR approach from previous security initiatives at the EU level. In contrast to the SIS and other existing databases for information exchange between EU LEAs, the information considered relevant for security purposes does not directly pertain to criminally relevant or prohibited behavior, but is extracted from ordinary travel-related data. Third, the PNR framework also distinguishes itself from known national risk-based approaches used in EU states for assessing the likelihood that certain individuals are involved in criminal or terrorist activity (see for instance the BKA’s RADAR-iTE risk-assessment tool). Compared to such instruments, the PNR framework is unique because it applies indiscriminately to all passengers booking a flight ticket or embarking on a flight to or from the EU and between EU Member States.4)

Although the indicators used for risk assessment purposes are not by default publicly known, some insight into the functioning of the PNR framework can be derived from the documentation submitted to the ECJ in the context of one of the mentioned requests for a preliminary ruling, as well as from the documentation attached to the first biennial review report on the PNR Directive published by the European Commission in July 2020.5) The former reports that flight destinations in Turkey are used as indicators for the identification of so-called “foreign fighters” (p. 16). The Commission’s report mentions additional criteria potentially leading to a higher risk classification, such as mismatches between the length of stay and luggage, as well as the choice of unusual travel routes.6) Additional pre-determined criteria include payment by cash and last-minute bookings.7) These actions, which constitute fully legal behavior, are considered to be relevant indicators because they overlap with behavioral patterns derived from historical data or with criminalistic hypotheses about the conduct of criminal subjects or terrorists.

From an ethical point of view, the use of such information for risk profiling raises a number of questions. To begin, the PNR framework poses profound challenges to the core value of privacy. As the philosopher Helen Nissenbaum has pointed out, this very core consists in the integrity of the social contexts in which personal information is exchanged.8) We exchange information in very disparate contexts, each of them having its own rules about the way information circulates and about the contents that are appropriate for it. The protection of privacy depends on the reliability and integrity of the norms regulating the information exchange in each context. The PNR framework, by systematically and indiscriminately drawing on information pertaining to travel and exploiting it in the context of security, infringes upon existing societal contextual norms protecting privacy.

Moreover, the mentioned examples of risk indicators show that risk profiling carries a high likelihood of leading to biased results and discrimination. Although the collection and processing of “sensitive” data is prohibited by the PNR Directive, other information can serve as proxies for ethnicity, religious and cultural background and can therefore lead to indirect discrimination. A clear example of such risks is provided by the mentioned criterion of flight destinations as risk indicators. It is indeed apparent that considering destinations in Turkey as a risk indicator implies drawing increased attention to German citizens with familial or cultural connections to Turkey as compared to German citizens with no such connections.

Finally, the rationale of the PNR Directive affects the way we conceive of human autonomy. Within the PNR framework, subjects are classified and evaluated on the basis of profiles as relational identities. Their risk classification indeed depends on the overlap of some selected behavioural items with behavioural patterns attributed to specific classes of people (“criminals” and “terrorists”). The PNR framework systematically draws attention to individuals not by virtue of their own illegal or “dangerous” actions, but as a result of their being attributed to a given class of people. There is a sort of determinism lying behind this conception that human beings pose a security risk because they share non-security-related characteristics with prototypical profiles of “criminals” or “terrorists”.

4. The PNR Directive: a “Trojan horse” for risk-based approaches to EU-security?

Current developments in EU security policy indicate that the approach introduced by the PNR Directive could be expanded and extended to other areas in the future. Hence, the PNR Directive could turn out to be a sort of “Trojan Horse” introducing a risk-based approach to EU security policy. For instance, in 2018 Regulation (EU) 2018/1240 established a European Travel Information and Authorisation System (ETIAS), which is currently under development by the European Agency for large IT-systems in the Area of Freedom, Security and Justice (eu-LISA) and should be operative from 2022 on. The ETIAS system adopts a risk-based approach similar to the one implemented by the PNR Directive. Once the ETIAS system is in place, citizens of third countries who are currently exempted from a visa application will be required to submit an application for travel authorization. The data provided as part of the application process will then be processed in order to assess the individual security risk of each applicant (Art. 4), which should support the decision whether to grant the travel authorization or not (No. 24). Moreover, since the introduction of the PNR Directive, options regarding the extension of the PNR regime to maritime and road traffic have been discussed (COM(2020) 305 final, 24.07.2020, p. 10). Although these options have been temporarily discarded, also in consideration of the pending decision by the ECJ, it is not excluded that they will regain consideration in the future.

Future developments will be critical in (re)shaping the way we consider the relationship between the individual and public powers as well as our conceptions of core values such as privacy, fairness and autonomy. Will conceptions of privacy be redefined so that the systematic use of mundane information for security purposes becomes a current and broadly accepted practice? How much potential for discrimination will be tolerated in the name of security? And will the conception of human beings as able to self-direct their behavior become a relic of the past?


1 See Blasi Casagran, Cristina, The Future EU PNR System: Will Passenger Data Be Protected, in: European Journal of Crime, Criminal Law and Criminal Justice, 23, 2015, 241–257.
2 On the many initiatives which were launched in the immediate aftermath of the Paris attacks in January 2015, see Bigo, Didier et al., The EU Counter-Terrorism Policy Responses to the Attacks in Paris: Towards an EU Security and Liberty Agenda, CEPS Papers in Liberty and Security in Europe, No. 81, 2015.
3 For an overview on these developments and their philosophical implications see Orrù, Elisa, Legitimität, Sicherheit, Autonomie. Eine philosophische Analyse der EU-Sicherheitspolitik im Kontext der Digitalisierung: Nomos 2021.
4 The PNR Directive prescribes the processing of PNR data only for EU inbound and outbound flights, but optionally allows Member States to also collect and process data of passengers on intra-EU flights. According to the first EU review report, all states but one that had implemented the EU Directive at the time of the report (May 2020) had opted for extending the PNR framework to EU-internal flights as well. This is also the option chosen by Germany.
5 Responses to the requests for preliminary rulings C-148/20 to C-150/20, and SWD(2020) 128 final of 24.7.2020.
6 Commission Staff Working Document Accompanying the Document Report from the Commission, SWD(2020) 128 final, p. 24.
7 Ibid., p. 11.
8 Nissenbaum, Helen Fay, Privacy in context: technology, policy, and the integrity of social life. Stanford: Stanford Law Books 2010.