A few weeks ago, Access Now received a response from the European Commission to our notification in November that Belgium’s plan for a Passenger Name Record (PNR) system breaches EU law. Since then the Belgian Parliament has adopted its proposed PNR law, despite the lack of evidence to show it will help stop crime or terrorism. This has set in motion what is essentially a rights-harming exercise in security theatre.

Before getting into the nitty gritty of the matter, let’s first explain what “PNR” is. Passenger Name Records are comprised of the data for your flight. Every time you travel by plane, the airline or travel agent needs information from you to proceed with your reservation, including details such as your itinerary, your contact details, your forms of payment, your fellow travelers, your hotel reservation, and more.

Under the EU PNR Directive, everyone’s PNR information — whether or not you are a suspect for any crime — is indiscriminately collected and shared with local enforcement authorities, and then stored for five years just in case it later becomes relevant to vaguely defined “serious” crime and terrorism. Nothing has been presented to show this will do anything to help catch criminals or terrorists, and with more than 900 millions air passengers travelling in the EU every year, the sheer volume of personal information gathered and retained is well beyond what is necessary or proportionate. The directive therefore stands in violation of your fundamental rights to privacy and data protection.

More security theatre: a PNR “success” story

If stockpiling your air travel data were not enough for Belgian authorities, in December the Belgian Parliament extended the proposed collection and retention of PNR information to travel by boat, bus, and train, for everyone entering, leaving, or travelling across Belgium. For rail travel to and from Belgium alone, this would mean gathering information from more than 230 million passengers every year.

The Belgian government pushed for a rapid adoption of this law. The proposal was temporarily put on hold because the EU Commission and those opposing adoption (some of Belgium’s neighbouring countries) raised concerns about its impact on EU citizens’ freedom of movement. Prior to the set vote, Access Now also urged the Commission to look into its potential breach of EU law.

Unfortunately, the day after the attack in Berlin, the Belgian Parliament moved forward anyway, and adopted the law. This is not surprising when we consider that EU member states, in particular Belgium and France, used the 2016 Brussels attacks to push the EU Parliament into adopting the EU PNR Directive with almost no debate. Why use facts when fear is easier for pushing through policies you want?

Of course, just because these PNR plans have been adopted, it does not mean they are either wise or lawful.

To be or not to be in breach of EU law? That is the question.

While the Belgian government considers that it has sufficiently reassured neighbouring countries and the Commission that its PNR law is workable, it’s really too early to tell. First, it is unclear how France, Germany, the Netherlands, the UK, or any other country that has trains, boats, or buses going to (or through) Belgium will work together to share data about passengers. The Belgian law requires all passenger data to be sent in advance to a new unit that will have 24 hours to assess the validity of the information and authorise the travel. It is unclear how this measure can function within the Schengen area.

In its response to Access Now, the Commission indicated that while it shares Belgium’s concern for security “in principle”, it will continue to monitor the issue closely as it is currently “impossible to fully assess the effect [of the Belgian implementation of PNR] and any possible breach of EU legislation”. We consider the excessive scope of the law grounds enough to launch an infringement procedure, but we welcome the Commission’s commitment to looking into the matter, and we will continue to follow developments closely.

Finally, whether the PNR is lawful as a whole is currently in question, and the EU Court of Justice (CJEU) could very soon provide an answer. Since December 2014, the CJEU has been looking into the validity of the EU-Canada PNR agreement, which would require the retention of data for everyone travelling from the EU to Canada for a minimum of 4 years, made accessible to Canadian authorities. The ruling is expected to come mid-next month.

What’s next? Let’s talk.

As you can see, the next few months (and years?) will give us plenty to discuss when it comes to PNR systems. We’ll be tackling the issue at RightsCon Brussels in a session called, Every plane you take, I’ll be watching you. Wait, you’re on a train?

The conference is right around the corner, on March 29-31. Will you join us?