The European Commission is reportedly revving up the engines on a controversial plan to retain passenger flight data across the EU, although a prior attempt got its wings clipped due to privacy concerns.
The new plan calls for a database with personal flight data such as travel dates, itineraries, ticket information and baggage information, according to a document published by Statewatch on Wednesday and described as a leaked and legitimate EC document.
The plan is being fast-tracked by the Commission in the wake of the shootings at French satirical magazine Charlie Hebdo earlier this month.
Critics say such a database could violate fundamental human rights, but the Commission argues that it would help law enforcement with the prevention, detection, investigation and prosecution of terrorist offenses and serious transnational crime.
An earlier proposal was shelved in 2013, when the European Parliament rejected the plans out of concern that they would violate fundamental rights. But since then, calls for such a database have become louder, and they are reaching a crescendo after the Paris attacks.
The Commission is now proposing a "workable compromise" to overcome political differences with the European Parliament, according to the published document.
The revised plan for a Passenger Name Record (PNR) database for EU flights aims "to strengthen the data protection safeguards, while preserving the operational effectiveness of the PNR proposal to fight terrorism and serious transnational crime," the document reads.
A Commission spokeswoman declined to comment on the authenticity of the document. She did say that the Commission is working "on all possible options," and that those need to be carefully assessed to reach a quick and effective result on the EU PNR proposal, fully in line with fundamental rights.
According to the leaked document, the Commission for example wants to narrow law enforcement access to the database for the purposes of fighting terrorism and "serious transnational crime", leaving out "serious crime." It also wants to reduce the retention period of the full PNR data to 7 days from 30 days. After that period, the data would be "depersonalized" and remain available for a period of four years -- instead of the original five years -- for investigations of transnational crimes. However, authorities investigating terrorism would get access to five years worth of data.
The leaked document also reveals that the EC wants stricter conditions for access to PNR data, so a Data Protection Officer would be appointed within national Passenger Information Units to be responsible for the processing of the data. Optionally, such transfers could also be overseen by a country's judicial authority, the Commission is proposing, adding that passenger rights should also be spelled out in order to explain how they could access their data and how to request the modification or erasure of their data.
The proposal, leaked ahead of an informal EU ministerial meeting in Riga where anti-terror measures will be discussed, is "a re-heated version of the existing, stalled proposal," Philipp Albrecht, vice-chairman of the Parliament's Committee on Civil Liberties, said in a statement.
"Following the crystal clear judgement by the European Court of Justice last year, which declared blanket mass surveillance measures as incompatible with EU fundamental rights, it is unthinkable that the Commission would try and bulldoze through a PNR scheme based on blanket data collection," he said, adding that instead of creating a vast data dragnet, targeted surveillance would be a better solution.
However, Albrecht might have a tough sell in the civil liberties committee after the Paris attacks. The European Parliament's rapporteur on the PNR proposal, Timothy Kirkhope, and a small subgroup of the committee are set to meet with Commission officials and national experts on Feb. 4 to discuss how to go ahead with the plan, according to one of his office's staffers.
"PNR has been proven as vital in the fight against terrorism," Kirkhope said earlier this month, adding that he wants an agreement that safeguards lives and liberties by offering stronger data protection rules.
"EU heads of government and home affairs ministers would not ask for this agreement unless there were a clear and present need for it," he said, vowing to work with the committee to get the broadest agreement as possible. "There are a few people in the committee who will never be convinced, but I believe there is a majority that can be found for a revised proposal."
According to information on the Parliament's website, the use of PNR data is not currently regulated at the EU level, but some member states have a PNR system, including the U.K., while other member states have either passed laws or are testing PNR data systems. An EU-wide PNR system would centralize the collection and processing of the data.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.