The PNR (Use of Passenger Data to Combat Terrorist and Serious Crimes) Act is perhaps one of the unacknowledged laws that allows the processing of personal data on a very large scale. At the same time, the law's legality is in question. What is at stake? Editor Hanneke van den Bogerd talks about it with information lawyer Kristina Irion, who was commissioned by the WODC (Scientific Research and Documentation Center), the knowledge institute for the Ministry of Justice and Security, to evaluate the effectiveness of the PNR law.
The PNR Act has regulated since 2019 that airlines must share data of all passengers flying to and from the Netherlands with the Passenger Information Unit of the Netherlands (Pi-NL). The Pi-NL is an independent organization that implements the PNR Act on behalf of the Ministry of Justice and Security. Its task is to process and analyze passenger data, with the aim of combating terrorist and serious crimes.
Where necessary, the data is provided to authorized authorities such as the Police and the Prosecutor's Office, but intelligence and security agencies are also authorized to access it. As of 2019, the Pi-NL has already processed data from more than 61 million passenger records (1). These include name and address information, e-mail addresses, payment information, baggage information and, where available, nationality (2). This data may be stored for five years, which is exceptionally long by EU legal standards, according to Kristina Irion, associate professor at the Institute for Information Law at the University of Amsterdam (IViR). So that makes proper compliance with privacy safeguards extra important. How well are those safeguards currently complied with?
Irion, along with It's public, a public sector social consulting firm, conducted independent research on the effectiveness of the PNR Act. As a result of the research, a report was published that addresses the use, effectiveness and impact of the PNR Act in practice. The report also pays attention to compliance with privacy safeguards (3). At the same time, several interest groups believe that the EU directive (4) underlying the law violates European fundamental rights to privacy and protection of personal data. In both Belgium and Germany, data subjects and organizations have filed lawsuits. This spring, we can probably expect a decisive ruling from the European Court of Justice (ECJ-EU).
Meanwhile, Justice and Security Minister Dilan Yesilgöz-Zegerius (VVD) is actually taking steps to ensure the applicability of the PNR law to intra-EU flights. This is because the legal basis for processing intra-EU flights expires June 18, 2022, unless the law is amended. Critical questions have been raised about this from the Lower House, prompted by the findings of the IViR report, the imminent decision of the ECJ and the advice of the Personal Data Authority to wait for the ECJ decision (5).
The report concludes that the Pi-NL is broadly compliant with data processing standards (6). Yet the report also highlights notable areas for improvement. For example, personal data are now sometimes stored that should not be processed. Irion: "For example, if you also book a train or bus trip with your flight, that data may end up among the PNR data, which is against the law. This is such a large collection of data that its processing is automated and that makes it difficult to filter out unwanted data." The same applies to the ban on collecting certain special personal data. For example, airline personnel may post comments in free text fields that contain special personal data. "It cannot be ruled out at the moment that special or sensitive personal data will not end up in there that reveal information about religion or ethnicity, for example. This data should not be stored at all," Irion said. It is not known how often this goes wrong, but according to the report, the ministry could conduct specific research to identify this (7).
The IViR report further notes that the ministry needs to better assume its role as a data controller. Irion believes that there is too little focus on the ministry's obligations and that it is not yet sufficiently accountable for them. "We have been asked to investigate whether the Pi-NL is coloring within the lines, but the Pi-NL is an executive body. Then you miss an important part of the responsibility that lies precisely with the ministry. We felt that more attention should be paid to that and therefore also involved the ministry in the study." When asked if she expects the ministry to do anything with the findings of the report regarding its own role, she does not dare answer at this time.
However, Irion does stress that the ministry takes the legality of data processing seriously. Thus, in accordance with the law, the data are depersonalized after six months and the provision of the data to the competent authorities is also carried out according to the rules (8). Unfortunately, however, the extent of intelligence agencies' access to passenger data is currently unclear. For them, there is no policy or retention period regarding the data. Irion: "The PNR system was set up precisely to provide privacy safeguards, but those safeguards fall away as soon as, for example, a copy of the passenger data is shared with the intelligence agencies. It is now unknown whether this happens and how often. That is worrisome."
In addition, Irion warns of the attraction that large data sets have for investigative agencies. "Anytime a large data set is constructed, the risk is high that it will be used for other purposes anyway. We have seen this, for example, with automatic license plate recognition along highways."
Regarding the obligation to inform those involved, the mention of this could be a lot more visible and specific. At the moment, passengers are not actively informed enough according to the civil society organizations Irion interviewed for the study (9). Irion: "I suspect that the average airline passenger has no idea what is happening, because the only information that exists about it is on the central government website. That is available in English and Dutch, but if you don't read that, you don't know what is happening." In that regard, Irion says the provision of information at airports could also be improved. "It is now stated in small print in the general conditions of the airline, but actually sound information should also be provided at an airport. It should not be the case that people hardly know anything about this."
Either way, the PNR system is up for debate. It now depends on the ruling of the ECJ whether and in what way the PNR law will continue to exist. If the Court follows the opinion of Advocate General (A-G) G. Pitruzzella, the PNR law will remain in place. The A-G conducts independent research for courts and issues an opinion on it. The Court usually follows his opinion.
"For Pitruzzella, the interests of security weigh heavily. He considers the PNR law an appropriate instrument for this purpose that is both necessary and proportionate. However, he is critical of the five-year retention period and believes that data should only be retained if there is a clear link to a suspect or an investigation," Irion said. As far as data storage and retention periods are concerned, a change in the law is therefore in the offing.
While all eyes are on the Court's ruling, the minister concludes in a response to the report that "the report shows a positive picture of the effects and effectiveness of the PNR law (10)." It is therefore not surprising that she wants to prevent the expiration on June 18, 2022, of the legally permissible ability to process passenger data for flights within the EU. Yet that seems a bit premature given the question marks we can currently place on the PNR law.
Irion finds it unfortunate that politicians are pushing the boundaries of justice. "Politics is now taking steps without having a brake in it itself. It continues until a judge says 'up to here and no further.' With this you send the wrong signal. It would be nice if politicians themselves would instead do everything they can to stay within the normative framework and the constitution."
2) https://wetten.overheid.nl/jci1.3:c:BWBR0042301&bijlage=1&z=2021-07-17&g=2021-07-17
3) 6) 7) 8) 9) https://repository.wodc.nl/bitstream/handle/20.500.12832/3118/3181-evaluatie-pnr-wet-volledige%20tekst.pdf?sequence=7&isAllowed=y
4) https://eur-lex.europa.eu/legal-content/NL/TXT/PDF/?uri=CELEX:32016L0681&from=es
5) https://www.tweedekamer.nl/kamerstukken/detail?id=2022Z01145&did=2022D02416