Ready, steady, go… Clock countdown formally starts for the reform of three major pieces of EU data legislation!

It’s finally final – three separate pieces of data privacy-related legislation in the EU will be coming into effect soon:

1. As anticipated by Sophie last month here, the final version of the General Data Protection Regulation (GDPR) has been adopted, translated into the EU’s official languages, and published in the 4th May edition of the Official Journal (OJ) of the EU (OJ 2016, L119/1, Vol 59, on page 1), officially entitled ‘Regulation 2016/679’.
2. Also published in the same edition is the Directive for the police and criminal justice sector, governing the handling of data in law enforcement situations (officially ‘Directive 2016/680’, on page 29). For background to this Directive, see Sophie and my previous posts here and here.
3. And to make up the set … in yet again the same edition is the new Passenger Name Record (PNR) Directive, on the use of such data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, (officially ‘Directive 2016/681’, on page 132).

Publication in the OJ marks the formal end of each legislative process in respect of these instruments and creates a countdown clock:

1. As the GDPR comes into effect 20 days following publications in the OJ (on 24 May), and there is a 2-year grace period for organisations to prepare for mandatory compliance with its new provisions, it will formally replace the current EU Data Protection Directive (and national data protection legislation that implemented its provisions, including the UK’s Data Protection Act 1998) to apply in all EU Member States from 25 May 2018.
2. The Directive for the police and criminal justice sector, which is twinned to the GDPR as the other part of the much heralded EU data protection reform package, meanwhile, came into force on 5 May. EU Member States must implement it into national law by 6 May 2018.
3. The PNR Directive, in turn, must be transposed by EU Member States [save Denmark, which has opted out] into domestic law also by 25 May 2018 (this is portending to be a significant date in the calendars of EU privacy specialists!).

I turn my attention in this post to the PNR Directive and its new provisions to protect air passenger data, as its arrival has been foreshadowed somewhat by the adoption of the other two instruments.

I wrote a post last year about the PNR Directive as it was passing through the EU legislative process. As a reminder, it provides for the collection by air carriers of PNR data for all extra-EU flights entering or departing from the EU, as well as the transfer of such data to EU Member States and sharing mechanisms across borders. (To note, the PNR framework could also extend to intra-EU flights in the future under Article 2). In addition, Member States will be able to choose to collect and process PNR data from domestic non-air carriers – such as travel agencies and tour operators – where they manage flight bookings. Such data may then be used for risk assessment purposes by relevant authorities.

So, what type of data are we talking about? PNR data means a record of each passenger’s travel requirements. This could encompass not just passenger name, but many other types of information provided by air passengers to their chosen carrier during reservation and check-in procedure for each journey they make. Examples are dates of travel and travel itinerary, ticket information, address and phone numbers, means of payment used, credit card number, travel agent, seat number, and baggage details.

To facilitate these provisions, EU Member States will be required to comply with the following main obligations under the PNR Directive in its finalised form:

• Appoint a data protection officer responsible for monitoring the processing of PNR data and implementing relevant safeguards (Article 5).
• Adopt the necessary measures to ensure that air carriers transfer the PNR data listed in Annex I of the directive [this enumerates a list of PNR data elements, as far as these are collected by air carriers] (Article 8).
• Provide rules so that “effective, proportionate and dissuasive” penalties, including financial ones, can be imposed against air carriers which do not transmit PNR data, or do not do so in the required format (Article 14).
• Establish a national authority competent for the prevention, detection, investigation or prosecution of terrorist offences and of serious crime [serious crime offences are listed in Annex II to the Directive], or a branch of such an authority, to act as its passenger information unit (PIU) (Article 4).
• Ensure that all relevant and necessary PNR data or the result of processing those data is transmitted by a relevant PIU to the corresponding PIUs of other Member States (Article 9).
• Ensure that the PNR data provided by the air carriers to the PIU are retained in a database at the PIU for a period of five years after their transfer to the PIU of the Member State on whose territory the flight is landing or departing (Article 12).

In my previous post, I had pointed out that during the legislative process the EU Parliament had voiced concerns about what it perceived to be an omission of adequate privacy and data protection passenger safeguards in previous drafts. In particular, doubts were raised about the proportionality of a scheme – whereby all data that qualifies as PNR data will be systematically collected and analysed – to the attainment of legitimate objectives. (See, e.g. the references to data protection in the LIBE Committee’s draft report on the PNR Directive prepared by its rapporteur and adopted in February 2015. See also the Parliament’s Resolution from the same month urging the Commission to see independent expert views in connection with such concerns. To this end, the Parliament had also called upon the Council last summer to finalise the data protection reform package as soon as possible to provide a sound foundation of coherent data protection standards for the new PNR framework).

Have these concerns been met? To a great extent, it appears so… in particular, the new rules to come into force include provisions on:

• The mandatory appointment of a data protection officer in each PIU (as mentioned above, in Article 5). These would act as a single contact point for passengers with PNR data concerns and ensure that data protection rules are being complied with. These include oversight of the logging of the processing of all PNR data, as well as ensuring that passengers are provided with clear and precise information about PNR data collection and their rights.
• The purposes for which PNR data can be processed by PIUs in the context of law enforcement (pre-arrival assessment of passengers against pre-determined risk criteria or in order to identify specific persons; the use in specific investigations/prosecutions; or, input in the development of risk assessment criteria) (Article 6(2)(a-c) and (3)). To such ends, Article 6(4) also stipulates that, “Any assessment of passengers prior to their scheduled arrival in or departure from the Member State carried out under point (b) of paragraph 3 against pre-determined criteria shall be carried out in a non-discriminatory manner. Those pre-determined criteria must be targeted, proportionate and specific. Member States shall ensure that those criteria are set and regularly reviewed by the PIU in cooperation with the competent authorities referred to in Article 7. The criteria shall in no circumstances be based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation”
• Storage – all data will initially be stored for 6 months, after which data elements “which could serve to identify directly the passenger to whom the PNR relate” will be ‘masked out’ [these elements are listed as names, address and contact information, payment information, frequent flyer information, “general remarks to the extent that they contain any information which could serve to identify directly the passenger to whom the PNR relate”, and “any API data that has been collected”]. This so-termed “depersonalised” data could be stored for another period of no longer than four years and a half, with a strict procedure to access the full data (Article 12). [To note, the terms ‘depersonalisation” and “depersonalised data” appear to be new phrases in the EU’s anonymisation terminology dictionary – see Sophie’s recent post here around this issue. Although data so depersonalised would remain personal data under the GDPR definition if indirect identifiers (/identifiability of a particular individual from the data) remain, depersonalisation as a process so envisaged could come close to satisfying the GDPR’s new definition of ‘pseudonymisation’ in practice (see, Article 4 of the GDPR)].
• Furthermore, the whole of Article 13 is dedicated explicitly to the issue of the protection of personal data. In particular, it refers to compliance with the Council Framework Decision 2008/977/JHA of 27 November 2008, which lays down minimum measures that must be taken in respect of data processing, data transmission, rights of data subjects, and data security in the area of police and judicial cooperation in criminal matters. Significantly, it also mandates the keeping of all requests for and transfers of data to other Member States by the national PIUs, which should be available upon request to designated national supervisory authorities (those competent national authorities that currently oversee compliance with Council Framework Decision 2008/977/JHA). These should show, as far as possible, a granularity of detail including “the purpose, data and time of such operations and, as far as possible, the identity of the person who consulted or disclosed the PNR data and the identity of recipients of those data”. Member States should also ensure that their PIU implement a “high level of security appropriate to the risks represented by the processing and the nature of the PNR data”, as well as issuing breach notifications to data subjects “without undue delay” when adverse privacy effects for them are likely to follow.

In summary, the PNR Directive in final form incorporates sound necessity and proportionality safeguards as regards protection of privacy and personal data. These for the main part – save around longer duration of data retention (e.g. the Parliament recommended data depersonalisation after 30 days only, and remember the CJEU Digital Rights Ireland judgement specifically concerned the proportionality of data retention periods!) – reflect requirements that the European Parliament had previously stipulated as necessary to guarantee the lawfulness of any storage, analysis, transfer and use of PNR data.

As mentioned in my last post, what effect the PNR Directive will have in practice remains to be seen. This is because many Member States have already established their own national PNR systems based on recent new domestic laws. However, any stricter conditions that would govern especially transfer of data to third countries departing from the EU is to be welcomed (in particular, in light of criticisms about the lack of privacy safeguards within international agreements between the EU and third parties, such as the USA). This includes, in particular, requirements that facilitate demonstrations of the relationship between use and result in all circumstances where PNR data is shared. (But what about effective and directly enforceable rights of data subjects against supervisory authorities where they are based outside the EU? How would data subjects know when any such rights would become relevant? A similar criticism by EU citizens could be launched against the US Judicial Redress Act 2015, which I discussed here and here).

Notably, the UK has opted into the PNR Directive. So, as with the Directive for the police and criminal justice sector, all eyes will be on to what extent the UK (and other EU Member States) will offer at least the same level of protection in these areas as under – not only the DPA and its set of exceptions, such as s.29 covering personal data processed for crime and tax investigation purposes – but the GDPR! And, to note, the Commission is required to conduct a review and report on all the elements of the Directive by 25 May 2020.

For now, affected organisations in the public and private sectors will be keeping a sharp eye on the clock as it ticks down to mandatory compliance…particularly in the light of increased stakes (significant monetary fines) if they are found to fall short of new requirements from May 2018 onwards.

Alison Knight