Criminal Justice & the Rule of Law Cybersecurity & Tech

An EU PNR System -- Oh, the Irony ...

Paul Rosenzweig
Friday, April 15, 2016, 3:04 PM

For more than a decade the US and the European Union have been arguing about a Passanger Name Record system. PNR is the data and information collected by airlines when they sell you a ticket. It includes, naturally enough, your name, and your flight information. For international flights it, of course, includes your passport information.

Published by The Lawfare Institute
in Cooperation With
Brookings

For more than a decade the US and the European Union have been arguing about a Passanger Name Record system. PNR is the data and information collected by airlines when they sell you a ticket. It includes, naturally enough, your name, and your flight information. For international flights it, of course, includes your passport information. PNR also includes a host of other personal information about a traveler – address, cell phone number, credit card number, frequent flier number and the like.

Begining even before 9/11 and more so afterwards, the United States thought that this rich trove of information was useful for identifying and targeting potential terrorist threats. DHS has developed sophisticated targeting mechanism that use this data to assess risk and allocate inspection resources accordingly. But the collection of this personal data was perceived by the EU as a potential threat to the privacy and civil liberties of Europeans. They had concerns about how much was being collected; how long the data would be retained; and the uses to which it would be put. At the risk of simplifying a very complex topic, the US favored broad collection for any lawful criminal or counter-terrorism purpose and a lengthy period of data retention, while the EU took the opposite tack. And so, from 2003 to 2011, the US and the EU had three separate, contentious negotiations to square the circle -- and allow PNR collection in a way that tried to satisfy EU concerns with privacy.

How times have changed. The recent uptick in terrorist incidents in Europe, combined with growing fears about terrorist travel to Europe from the Middle East has led to a rethink. In the wake of the Charlie Hebdo attacks, Europe began to consider building its own PNR system. Yesterday (after Paris and Brussels) it took the near final step of approval within the European Parliament. The vote was 461-179 -- an overwhelming majority. According to the New York Times:

Under the scheme, law enforcement agencies in all 28 nations would have access to traveler details gathered by airlines, including names, travel dates, itineraries, and credit card details. . . . The data will be collected on any flights entering or leaving the EU and on flights between member countries. The information will be kept for five years, but identifying details like name, address and contact details will be masked out after six months to protect people's identities.

As I said, the irony of this step is rather deep -- especially for one who (like me) spent more than 2 years of my life arguing about this with the Europeans.


Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare