Monday, April 04, 2011


'Big Brother' passenger database under fire

Published: 4/04/2011 at 12:00 AM

Efforts by security agencies to get blanket access to airline passenger name records (PNR) to protect Europe from terrorism and serious crime have come under scathing attack by the European Data Protection Supervisor (EDPS).

"The development of such a system on a European scale, involving the collection of data on all passengers and the taking of decisions on the basis of unknown and evolving assessment criteria, raises serious transparency and proportionality issues," wrote Peter Hustinx, the EDPS, on March 25.

"The only purpose that would be compliant with the requirements of transparency and proportionality would be the use of PNR data on a case-by-case basis ... but only in case of a serious and concrete threat established by concrete indicators."

European security agencies are helping to draft a directive that would require international flights operating between the EU and third countries to transmit PNR data of all passengers to them "for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crimes".

The data, which could include home address, mobile phone number, frequent flyer information, e-mail address and credit card information, would be centralised and analysed by Passenger Information Units and the results transmitted to competent national authorities in each EU member state.

But the EDPS vigorously opposes this sweeping, one-size-fits-all system. It says the draft is vaguely worded, fails to establish why it is necessary in such a blanket format, and is open to abuse, with virtually no built-in checks and balances on those who will have access to the data.

Mr Hustinx has been fighting a battle to ensure that the fundamental tenets of democratic rights in a free society take precedence over efforts to undermine them in the name of safety and security.

In a speech last December, he said: "The retention of traffic and location data of all persons in the EU, whenever they use the telephone or the internet, is a huge interference with the right to privacy of all citizens. As such, the EDPS regards the directive as the most privacy-invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.

"Such a massive invasion of privacy needs profound justification."

He called on the European Commission to conduct an evaluation to actually prove the necessity of the directive.

"Concrete facts and figures should also make it possible to assess whether the results presented in the evaluation could have been achieved with other less privacy-invasive means. ... Without such proof, the directive should be withdrawn or replaced by a less privacy-invasive instrument that meets the requirements of necessity and proportionality."

Mr Hustinx says the personal data demands seem to be more in line with those being adopted by the US government whereas they would be better aligned with those in Australia.

The development of an EU-PNR scheme, along with the negotiation of PNR agreements with third countries, has been a long, drawn-out project, he notes, while acknowledging "visible improvements" over a draft prepared in 2007.

However, he maintains that even the latest proposal fails to meet "necessity and proportionality" principles.

"PNR data could certainly be necessary for law enforcement purposes in specific cases and meet data protection requirements. It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns."

His report expressed further concern about the following aspects:

- The scope of application should be much more limited with regard to the types of crimes involved. He questions the inclusion of serious crimes that have no link with terrorism. In any case, minor crimes should be explicitly defined and ruled out.

- The nature of the different threats allowing for exchange of data between Passenger Information Units or with member states has not been sufficiently defined.

- No data should be kept beyond 30 days in an identifiable form, except in cases warranting further investigation.

He also notes the need to avoid duplication with other ongoing regulatory changes being planned in the field of information exchange management at a broader level, including telecommunications.

Credit: Bangkok Post (www.bangkokpost.com)
