EU 
API, PNR,
threat assessments, and data-mining: Member States push for access
to travellers' personal data for customs authorities
22.02.2013
EU Member States are seeking access
to Advanced Passenger Information and Passenger Name Record data
for customs authorities, even though it appears that only a minority
feel that such access is necessary and despite the fact that
there is not yet an EU-wide legal basis for the collection and
use of PNR data by law enforcement authorities. A project investigating
the possibilities for greater use of travellers' personal data
by customs authorities, initiated last year by the Cypriot delegation
in the Customs Cooperation Working Party, is now being supported
by a study started at the beginning of February by the Irish
Presidency following international agreements adopted by the
World Customs Organisation.
"Threat assessments"
A project initiated by
the Cypriot delegation to the Council of the EU's Customs Cooperation
Working Party (CCWP) is seeking to "obtain a wider knowledge
and overview of the situation in the air transit sector and the
resulting threats for the European Union" and "to achieve
a better knowledge of the risks linked to transit passengers,
and to better identify the transit routes and the modalities
of travelling." It is expected that by October this year
a draft of the final "threat assessment on air transit passengers"
will be presented to the CCWP.
"Air transit"
refers to goods and persons who are present in an airport solely
for the purpose of transferring from one flight to another. The
"threats" in question include illicit smuggling, with
cocaine "considered to be the highest risk area, followed
by tobacco products and synthetic drugs." [1]
Customs access to PNR
and API
Part of the project, which
aims to create a threat assessment that can be used by customs
authorities throughout the EU, will see the group "further
analyse the possibilities of obtaining access to the Passengers
Name Records (PNR) [sic] and to the Advance Passenger Information."
[2]
The document argues that
a questionnaire issued last year, to which it received 25 responses,
identifies a need for a study into access for customs authorities
to PNR and API data. [3]
But notes from a meeting
of the Customs Cooperation Working Party appear to indicate otherwise.
"The majority of the Member States" - of the 24 that
responded to the questionnaire, along with Croatia, making 25
- "indicated that the current legal instruments for the
control of air transit passengers are sufficient."
"However, several
MS indicated the need for a legal basis that will enable customs
authorities to have access to the Passenger Name Record (PNR),"
say the minutes from the meeting. [4]
The authorities in Cyprus
appear to have a particular interest in airports and air travel
- last October, during the Cypriot Presidency of the EU, the
country hosted a conference on 'Aviation Security Against Terrorist
Threats'.
Summing up the conference's
proceedings, EU Counter-Terrorism Coordinator Gilles de Kerchove
said that it is "not possible to determine" whether
the implementation of new measures on aviation security "have
improved security as such," but "it is clear that the
process was effective in bringing together the key aviation and
security actors at national and EU level, enabling the joint
elaboration of intelligence-based security measures."
"What could the next
step be?" asked de Kerchove. "Perhaps the EU should
focus on the passenger - analysing all the security risks
which relate to passengers so as to elaborate security measures
which maximise aviation security while optimising control measures."
(emphasis in original) [5]
API and PNR - what
is it, who wants it, and why?
Law enforcement authorities
have taken increasing interest in both PNR and API data over
the past decade, arguing that it can be used in particular to
detect evidence of terrorism and serious crime.
PNR data is generated
during the booking or buying of an air or other travel ticket
and can contain significant amounts of personal data, including
full name, addresses, phone numbers and email addresses, travel
itinerary, and more. [5] All EU Member States transfer PNR data
to Australian, Canadian and US authorities following a series
of legal agreements that have attracted significant criticism
from MEPs and privacy advocates.
The data contained in
API files is less controversial than PNR, and is generated when
passengers check in for a flight. It consists of the traveller's
full name, gender, date of birth, nationality, country of residence,
type of travel document, and the travel document's number. Legislation
from 2004, enacted for counter-terrorism purposes and "in
order to combat illegal immigration effectively and to improve
border control," mandates the transfer of API from passengers
entering EU territory to Member State law enforcement authorities.
[6]
Extending surveillance
Currently under discussion
is a proposal for an EU PNR system, which would see Member States
gathering and processing personal data on everyone entering the
EU by plane, and possibly in the future by boat or land (railways
and vehicles). Some Member States have called for the legislation
to cover travel within the EU, as well as that entering the EU.
Statewatch revealed last month that the Commission
has made €50 million available to fund the development of
PNR databases in the Member States, despite the European Parliament
not yet voting on whether to agree to the legislation or not.
[7]
Many argue that there
is no objective proof that the data obtained from PNR and API
records is useful for addressing terrorism or crime. The Article
29 Working Party, made up of national data protection authorities,
argued in response to a proposal on sharing PNR data with third
countries that the European Commission "still has not presented
objective proof or statistics that PNR data are valuable when
combating terrorism or transnational crime." [8]
Green MEP Jan Philipp
Albrecht has warned of the "the potential of using the data
for the profiling of individuals," arguing that PNR agreements
are part of "the ever-creeping drive for more pervasive
retention and analysis of private data and big brother-style
surveillance." [9]
Edward Hasbrouck, an American
who campaigns on issues related to identity documents and free
movement, argues that because of the way in which PNR data transfer
from the EU to the US operates, the information is freely available
to state authorities and marketing companies with a complete
lack of oversight: "nobody knows who has accessed your PNR,
or from what countries." His presentation, 'PNR in Practice',
shows the web of private and public computer systems and databases
through which travellers' personal data flows and the numerous
public and private organisations to which it is available. [10]
The Commission's own proposal
for an EU PNR scheme - which, if agreed by the European Parliament,
would allow for its use in relation to terrorist offences and
serious crimes - did not provide any statistics on the usefulness
of the data. It argued that: "more systematic collection,
use and retention of PNR data with respect to international flights,
subject to strict data protection guarantees, would strengthen
the prevention, detection, investigation and prosecution of terrorist
offences and serious crime." [11]
Mystery minority
An analysis of the responses
to the Cypriot delegation's questionnaire is contained within
the paper outlining the proposed project mandate, but has been
removed from the publicly-available version. Statewatch
is awaiting the outcome of a request for access to Member States'
responses to the questionnaire.
While it is currently
unknown which Member States believe access to PNR and API data
for customs authorities is necessary, Austria, Belgium, Bulgaria,
Finland, Hungary and Portugal had "indicated interest in
participating to [sic] the project group" by the original
deadline of 4 January. [12]
The Cypriot delegation
to the CCWP has also sought the involvement of the European Commission
and Europol and at the end of January, during a meeting at which
the mandate for the "threat assessment on air transit passengers"
project was approved, said that "participation by other
Member States would also be welcome." [13]
The Irish Presidency
takes an interest
The project group is due
to meet for the first time in either March or April this year,
and its work is likely to be boosted by a recent study launched
by the Irish Presidency which seeks to find "a clear perspective
of the Union-wide position" on the issue of the use of API
and PNR data by customs authorities "to meet the challenge
posed by transnational crime." [14]
"Furthermore, the
Presidency believes that the outcome of this survey could be
of interest to the project group led by Cyprus regarding air
transit passengers and thus add value to the ongoing and evolving
work in this important area of activity," says the document
announcing the study.
A questionnaire issued
by the Presidency asks a number of questions to Member States,
including whether customs authorities currently have access to
API and PNR "for the risk assessment of travellers"
and what they are able to do with it - for example, whether they
are able to "transfer, use and store" the data and
if not, whether there are national proposals in place to provide
them with a legal basis to do so.
The questionnaire also
asks for what purposes customs authorities are able to access
API and PNR data - "risk assessment for customs law only";
"risk assessment for other criminal law also"; or "data-mining
for general anti-crime purposes."
Data-mining is defined
as:
"The automatic
or semi-automatic analysis of large amounts of data to extract
previously unknown interesting patterns such as groups of data
records (cluster analysis), unusual records (anomaly detection)
and dependencies (association rule mining)."
Going global
The Irish Presidency's
study follows the adoption by a June 2012 meeting of the World
Customs Organisation's Council of a recommendation "concerning
the use of Advance Passenger Information (API) and Passenger
Name Record (PNR) for efficient and effective customs control."
[15]
The World Customs Organisation
(WCO) is an "independent intergovernmental body whose mission
is to enhance the effectiveness and efficiency of Customs administrations."
It has 179 member states which are together responsible for managing
98% of world trade and, along with the International Civil Aviation
Organisation (ICAO) and International Air Transport Association
(IATA), has developed global standards for the format and use
of API and PNR data by state authorities.
The WCO Council's recommendation
states that "the proper balance between the needs of Customs
enforcement and the facilitation of legitimate travel can best
be achieved if Customs enforcement is intelligence-based."
Therefore, "the use
of API and/or PNR for risk assessment would greatly assist Customs
administrations in developing and exploiting the best possible
intelligence for the control of travellers."
It is recommended that
members of the WCO or of customs or economic unions should "utilise
advance information, namely API and/or PNR, for the risk assessment
of travellers."
However, the extent to
which these standards represent a global consensus is unknown.
An ICAO document from October last year on changes to the "message
standard for the transfer of PNR data from aircraft operators
to Contracting States" was "presented by Australia
on behalf of Australia, Canada, United Kingdom, United States."
[16]
Sources
[1] Customs Cooperation
Working Party, Summary
of discussions on 11-12 December 2012, 17977/12, 19 December
2012
[2] Cyprus delegation, Threat
assessment on air transit passengers - Mandate for the project
group, 5208/13, 11 January 2013
[3] Ibid.
[4] Ibid. at [1]
[5] Presidency, Aviation
Security against Terrorist Threats - Conclusions of the conference
of 31 October 2012, Nicosia, Cyprus, 165252/12, 16 November
2012
[6] ICAO, Guidelines
on Passenger Name Record (PNR) data, April 2006
[7] Council
Directive 2004/82/EC of 29 April 2004 on the obligation of carriers
to communicate passenger data
[8] Commission
makes €50 million available for the development of "big
brother" PNR databases - before legislation has even been
agreed, Statewatch News Online, 11 January 2013
[9] Article
29 Data Protection Working Party press release, 15 November
2010
[10] Jan Philipp Albrecht, EU
plans for big brother data analysis must be nipped in the bud,
EUobserver, 24 April 2012
[11] European Commission, Proposal
for a Directive of the European Parliament on the use of Passenger
Name Record data for the prevention, detection, investigation
and prosecution of terrorist offences and serious crime,
2 February 2011
[12] Edward Hasbrouck, PNR
in Practice, April 2010
[13] Ibid. at [2]
[14] Customs Cooperation Working Party, Summary
of discussions on 16-17 January 2013, 5635/13, 25 January
2013
[15] Presidency, Study
by the Presidency on Advanced Passenger Information and Passenger
Name Records, 5947/13, 6 February 2013
[16] Ibid.
[17] ICAO, Developments
on Advance Passenger Information (API) and Passenger Name Record
(PNR) data, 18 October 2012