PNR: every airline passenger as a potential suspect

Privacy First has strong objections to this and sent the letter below to the House of Representatives late last week. This afternoon's parliamentary debate was previously scheduled for 14 May 2018, but was then (after a similar letter from Privacy First) cancelled until further notice. After a new round of written questions, the debate will now take place. Below is the full text of our topical letter:

Honourable MPs,

On Monday afternoon, 11 March, you will debate with Minister Grapperhaus (Justice and Security) the Dutch implementation of the European Passenger Name Records (PNR) Directive. Both the European PNR Directive and the intended Dutch implementation law are, in Privacy First's view, legally untenable. Below, we briefly set this out for you.

Holiday register

Under the minister's PNR bill, numerous data of all air passengers departing or arriving in the Netherlands will be stored for 5 years in a central government database at the new Passenger Information Unit and used for prevention, detection, investigation and prosecution of crimes and terrorism. Sensitive personal data (including name and address details, telephone numbers, email addresses, dates of birth, travel dates, ID document numbers, destinations, fellow passengers and payment details) of many millions of passengers will therefore be available for many years for the benefit of... data mining and profiling. Essentially, this treats every airline passenger as a potential criminal or terrorist. However, in 99.99% of cases, they are completely innocent citizens, mainly holidaymakers and business travellers. This constitutes a flagrant violation of their right to privacy and freedom of movement. Last year, Privacy First already argued this in the Volkskrant and at BNR News Radio. Due to privacy concerns, there was a lot of political opposition to such mass PNR storage in recent years and it was rejected several times by both the Dutch parliament and the European Parliament since 2010. In 2015, even the Dutch governing parties VVD and PvdA were still adamantly opposed. At the time, VVD and PvdA spoke of a "holiday register" and threatened to go to the European Court of Justice themselves if the European PNR directive was adopted. However, after the Paris and Brussels attacks, many political objections seemed to vanish like snow in the sun and the PNR Directive became a reality in 2016. To date, however, the legally required social necessity and proportionality of this directive have still not been demonstrated.

European Court

In summer 2017, the European Court of Justice issued an important ruling on the similar PNR treaty between the EU and Canada. The Court declared this treaty invalid for violating the right to privacy. In doing so, the Court stated, among other things, that "data of an air passenger may only be retained after his departure if it can be assumed on the basis of objective criteria that this air passenger may pose a risk in the context of the fight against terrorism and serious transnational crime." (See Opinion 1/15 (26 July 2017), para 207.) This ruling has since put the European PNR Directive in legal doubt. The Dutch government therefore has legitimate "concerns about the future-proofing of the PNR Directive" (see Note on report, p. 23). Privacy First expects that the current PNR directive will soon be submitted to the European Court of Justice for review and declared unlawful. Thereafter, the same situation will arise as a few years ago with the European telecom retention obligation: once this European directive is declared invalid, the Dutch implementing legislation will be set aside in summary proceedings.

Mass surveillance

The current Dutch PNR bill seems a priori illegitimate due to lack of demonstrable necessity, proportionality and subsidiarity. The bill amounts to mass surveillance of largely innocent citizens; already in the Tele2 case (2016), the European Court declared this type of legislation illegal. At the UN Human Rights Council, the Netherlands subsequently made the general commitment "to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons." The Netherlands now seems to be breaking that promise. After all, countless completely superfluous data are stored with every passenger that can be used for years by all kinds of Dutch, European and even non-European government agencies. Moreover, the effectiveness of PNR has never been demonstrated to date, according to even the minister himself: "statistical evidence is not available" (see Note on report, p. 8). The risk of unjustified suspicion and discrimination (due to fallible algorithms at profiling) is life-threatening under the proposed PNR system, which also increases the likelihood of delays and missed flights among innocent passengers. At the same time, wanted persons will often remain under the radar and choose alternative travel routes. Furthermore, the bill makes no mention of the role and capabilities of secret services, whereas under the new Intelligence and Security Services Act they will have direct, protected access to the central PNR database. Most objectionable aspect of the Dutch PNR bill, however, is that it goes two steps further than the PNR Directive itself: after all, the Netherlands itself chooses to also store passenger data on all intra-EU flights. Under the PNR Directive, this is not mandatory, and moreover, the Netherlands could have limited this to only pre-selected (at-risk) flights. This would have been in line with the advice of most experts in the field: targeted instead of mass surveillance, as targeted as possible, i.e. targeted only at those individuals on whom there is reasonable suspicion, in accordance with the principles of our democratic rule of law.

Opinion Privacy First

Privacy First hereby strongly advises you to reject the current bill and replace it with a privacy-friendly version if desired. Should this result in the Netherlands being taken to the EU Court of Justice by the European Commission for lack of implementation of the current European PNR Directive, Privacy First expects the Netherlands to win the case handsomely. After all, EU member states cannot be expected to implement privacy-infringing EU rules. The same applies to national implementation of relevant UN Security Council resolutions (in this case, UNSC Res. 2396 (2017)) that are at odds with international human rights. Privacy First has already warned in this regard for abuse of the Dutch TRIP system (also used for PNR) by other UN member states. The Netherlands has its own constitutional and international law responsibility in this regard.

For further information or questions regarding the above, Privacy First can be reached at any time on telephone number 020-8100279 or by email: info@privacyfirst.nl.

Sincerely,

Privacy First Foundation

Update 19 March 2019

Today, the Lower House unfortunately passed the bill almost unchanged; only GroenLinks, SP, PvdD and Denk voted against it. A fundamental motion by the Green Left and SP to provoke a lawsuit by the European Commission against the Dutch government over the European PNR Directive was unfortunately rejected. The only bright spot is the widely passed motion for legal reassessment and possible revision of the PNR Directive at the European political level. (Only PVV and FvD voted against this motion.) Next stop: Upper House.

Update 4 June 2019

Despite recent reiteration of the above letter and other critical input from Privacy First, the Senate unfortunately passed the bill today adopted. Only Green Left, Party for the Animals and SP voted against. This also despite the huge error rates recently shown in Germany (in the comparable German PNR system) ("false positives") of as much as 99.7%, see https://www.sueddeutsche.de/digital/fluggastdaten-bka-falschtreffer-1.4419760. Large-scale court cases have now been launched in Germany and Austria to have the European PNR Directive declared unlawful by the European Court of Justice for violating the right to privacy, see German-English campaign website https://nopnr.eu and https://www.nrc.nl/nieuws/2019/05/15/burgers-in-verzet-tegen-opslaan-passagiersgegevens-a3960431. Once the European Court declares the PNR Directive unlawful in these cases, Privacy First will seek interim injunctive relief against the Dutch PNR law. Also yesterday, Privacy First has put Dutch PNR law on the agenda of the UN Human Rights Committee in Geneva. On 1-2 July next, the overall Dutch human rights situation (including Dutch violations of the right to privacy) will be critically scrutinised by this Committee.