The idea of obliging railway and ferry companies to transfer passengers' personal data to national authorities in the EU, as reported this week by EUobserver, shows that Europe is "trying to outdo" former US president George W. Bush, a privacy watchdog has warned.

Documents revealed that a majority of EU member states are open to the idea of expanding the scope of the 2016 passenger name record (PNR) directive, which requires air carriers to provide authorities with passenger data, such as name, address, date of travel, seat number, and baggage information.

Student or retired? Then this plan is for you.

A 2014 protest in Berlin against international mass surveillance by the US. The initial PNR for air passengers was brought in by the EU after president George W. Bush, but extending it to trains and ferries was called 'premature' (Photo: mw238)

Bush, president from 2001 to 2009, introduced far-reaching surveillance measures in the US in response to the 11 September terrorist attack on the US in 2001.

"The Bush Administration used the 9/11 attacks to push PNR on a reluctant Europe," Gus Hosein, executive director of Privacy International told EUobserver by email, after this website's report on the plans on Tuesday (6 August).

"Are we surprised that with its current politics, Europe is now trying to outdo the Bush Administration. Is there anything more 2019 than using migration as the crisis now," he said.

The anti-terrorism bill PNR only applies to flights, but EU member states are having discussions about including other modes of transport as well.

The reasons given in documents summarising the debates, were not only terrorism, but also migrant smuggling, drugs smuggling, and other crime.

"After 9/11, we were told that this would only ever be for airline travel," noted Hosein.

"This is proof that once a surveillance system is built, even in response to crisis, it will forever be expanded until all to build a near constant surveillance of all movement across Europe and the world, based on permissions and vetting."

"This policy plays well with intelligence agencies and governments running scared on immigration," added Hosein.

"As we said to the Bush Administration then, and we say to all governments now, this does not end well."

EUobserver asked the European Commission, which is the only EU institution that can propose legislation or amendments to it, whether it had a view on widening the application of the PNR directive to other modes of traffic.

A spokeswoman said that the commission did not comment on internal documents of the Council of the EU - the EU institution where diplomats and ministers representing the 28 national governments meet.

She merely pointed out that the commission is required to carry out a review of how the directive worked in practice.

That review is due by 25 May 2020, less than 10 months away.

Previously seen as 'disproportionate'

When the commission proposed the PNR directive back in 2011, it was not in favour of widening the scope beyond air travel, calling it "disproportionate".

At the time, the commission made an impact assessment, which is still available online.

The assessment compared the options of applying the directive only to air carriers (D1), and to applying them to air, sea, and rail carriers (D2).

Basically, D2 would lead to more security, but at "substantially" higher costs and privacy intrusion.

"Regarding the options in relation to the modes of transport that should be covered by any future measure, policy option D2 whereby the proposed measure would be extended to air, sea and rail carriers presents some advantages for security compared with policy option D1 as it would cover more modes of transport and more passengers," said the commission.

"However, it involves substantially more interference with data protection and more costs for the public authorities and the carriers than policy option D1 under which the measure would be applied exclusively to air carriers."

The impact assessment pointed out that unlike airline carriers, most sea and railway carriers do not collect PNR data.

"For example, some rail and sea carriers collect PNR-like data for instance the Eurostar and Thalys collect some data when the reservation is made online and cruise ships collect some PNR-like data as well," it said.

"On the other hand, ferries and trains other than the Thalys and the Eurostar do not have computerised reservation systems which are similar to those of air carriers."

The commission noted that "the idea behind using PNR data [was] simply to obtain access to the data that is already collected by carriers".

"Since most train and ships/ferry carriers do not normally collect such data, it would be disproportionate at this stage to require them to transmit data to public authorities."

But the commission assessment did not rule out completely that this could change, merely saying that to add sea and rail travel "seems to be premature, at least at this stage."

"Such an extension to sea and rail travel could be considered in the future, once we will have learned from the experiences with PNR collection from air travel," it added.

Individual member states are already allowed to introduce national laws on the collection of passenger data for other modes of transport, as long as those national laws are in line with EU law. At least France and the UK have made provision to do so.