13 December 2022
The Council is set to approve a decision that will allow the UK's continued derogation from safeguards for the automated surveillance and profiling of all air passengers arriving from the EU. The UK-EU Trade and Cooperation Agreement allows the UK to derogate from applying those safeguards while it tries to align its systems with the requirements of Court of Justice jurisprudence. This is the final derogation permitted; it will expire on 31 December 2023.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
Image: Damien Walmsley, CC BY-NC 2.0
Under the UK-EU Trade and Cooperation Agreement (TCA) agreed at the end of 2020, air travel companies are obliged to send data on all air passengers heading from the EU to the UK for processing by law enforcement authorities.
In the UK, the surveillance and profiling function is carried out by the UK's National Border Targeting Centre.
Equally, data on all passengers travelling from the UK to the EU has to be transmitted to EU member states' Passenger Information Units, in accordance with the 2016 Passenger Name Record Directive.
The TCA allows PNR data to be used for “preventing, detecting, investigating or prosecuting terrorism or serious crime," and, unlike the EU Directive, lets the UK process PNR data for other purposes in “exceptional cases” when it is “necessary to protect the vital interests of any person.”
Supposed safeguards
The TCA requires certain safeguards be applied to that processing. These stem from Court of Justice jurisprudence on the processing of PNR data by non-EU states and were introduced following a challenge to the EU-Canada PNR deal.
The problem for the UK was set out clearly by a Home Office report submitted to the UK-EU Specialised Committee on Law Enforcement and Judicial Cooperation last year. The country has to transform:
"...a PNR data processing system configured for compliance with EU law as it applies to the Member States into a system configured to meet the requirements of EU case law as it relates to the international transfer of PNR data from the EU to third countries."
Because of this, the TCA allows the UK to temporarily derogate from the safeguards it includes. In the words of a UK government explanatory memorandum (pdf):
"The TCA provides for a temporary derogation to this requirement pending the implementation by the UK of necessary technical adjustments to its systems for processing PNR data. These adjustments were necessary as UK systems had been configured to process PNR data in accordance with the EU PNR Directive."
Now, the Council is set to approve a further, final derogation (pdf):
"...the United Kingdom has demonstrated that it has made substantial progress to transform its PNR processing systems into systems which would enable PNR data to be deleted in accordance with Article 552(4) of the TCA, although it has not yet been possible to transform them fully to that effect. Therefore... the Partnership Council should extend the interim period... by one final year, until 31 December 2023."
Unique circumstances
The Home Office's October 2021 report highlighted that while the PNR Directive allows the retention of data on all passengers for five years, deals with non-EU states require that the authorities "delete the PNR data of passengers after their departure from the country unless a risk assessment indicates the need to retain such PNR."
That risk assessment must be based on "objective evidence from which it may be inferred that certain passengers present the existence of a risk in terms of the fight against terrorism and serious crime," the report noted.
It went on to say:
"3.8 These special circumstances are unique. No PNR data processing system currently in operation anywhere in the world functions in the way required by Article 552(4). The UK knows of no other country actively working to develop such capability. This means the UK is alone in working through the technical implications and challenges of implementing a PNR data processing system to conform with such requirements.
3.9 There is no readymade commercial solution and no apparent market for one. No systems developer has been identified as having a suite of off-the-shelf capabilities to process PNR data in the way envisaged in the TCA: processing PNR data against departure confirmation information, nationality and residence information; then processing specific PNR data against a dynamic multi-criteria risk assessment tool and then deleting or retaining specific PNR data on the basis of that assessment.
3.10 In summary, the UK has agreed to make technical adjustments to transform its systems for processing PNR data to meet the requirements of Article 552(4). However, these requirements and the necessary technical adjustments are without precedent. They require new technical capabilities to be scoped, designed, built, and implemented."
In short, the system as it stands is incompatible with the rule of law, and it is going to be extremely difficult to fix it.
This situation may already have affected plans for an EU-Japan PNR deal. The European Commission told Left MEP Cornelia Ernst last year:
"While Japanese counterparts have reiterated Japan’s interest in receiving Passenger Name Record data from EU air carriers for combating serious crime and terrorism, they have also expressed concerns as regards the operational implications of certain EU legal requirements for transfers to third countries."
As of October last year, the UK's "Technical Adjustment Project" was "at the technical design stage." The TCA does not allow for any further extension of the derogations - though of course some new form of agreement is possible. Given the UK government's history with complex IT projects, few would bet against that possibility.
Documentation
<p>The UK government's domestic programme seeks to crack down on dissent and to abolish or severely limit ways for the public to hold the state to account. This report shows that those ambitions also play a role in the post-Brexit agreement with the EU. The treaty makes it possible for the UK to opt in to intrusive EU surveillance schemes with no explicit need for parliamentary scrutiny or debate, and establishes a number of new joint institutions without sufficient transparency and accountability measures.</p>
In June this year the the Court of Justice ruled that the rules governing the EU's system for travel surveillance and passenger profiling, set out in the Passenger Name Record (PNR) Directive, must be "interpreted restrictively" to conform with fundamental rights standards. The ruling requires substantial changes to member state practices - but the Council, in time-honoured fashion, is looking at how to circumvent it, and to ensure the greatest possible freedom of manouevre for law enforcement authorities.
The mass travel surveillance and profiling of air passengers carried out under the EU's Passenger Name Record Directive does not breach fundamental rights standards, says an opinion published yesterday by the Court of Justice in Strasbourg. Opinions precede the verdict of the court, and often set the tone for rulings.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.