Several governments see in the mass-surveillance of passenger data the key tool of counter-terrorism. These data are generally known as PNR – Passenger Name Records, and their potential for law enforcement has been discussed at least since the 1990s. Now European Union (EU) debates about the creation of a European PNR scheme seem settled once and for all. Others have already provided legal analyses of the measure to come. Here the goal is different: I aim to show how urgent it is to start researching the political dimensions of this security program right when all politics fade away.
While PNR were part of my PhD research and as such a big chunk of my everyday world, I often have quite a hard time to explain what PNR are beyond a quite small circle of geeks. It was even difficult to explain colleagues how this kind of topic may be relevant for international and EU studies. Blame it on my lack of training or competence in the vulgarization of scientific research. Blame it on my choice of a theme considered either a technicality or something for ‘legal scholars only’.
Since November 2015, things (might) have changed. The surveillance of air passengers has become a trumpeted European priority in the revamped War on Terror, while before it was largely considered an expert-only business. Several political declarations voice the need to create a system able to identify potential ‘returning jihadists’ and better track their travels within and outside of Europe, and the EU institutions seem closer than ever to adopt legislation on the matter. But, what are we speaking about when we speak about PNR? And what are the challenges ahead for researchers, advocates and institutions alike?
The many lives of PNR
First things first: PNR are a set of information that is generated at the booking of a travel, especially when it comes to flights (for a more critical presentation: here). PNRs include widely different data, from the name of the passenger and the method of payment used, to frequent flyer numbers and travel itineraries. PNRs can also show whether the reservation includes other persons, where the ticket was bought and which changes have occurred. In other words, every time you fly – better: every time you or somebody else books a flight for you – chances are that you get a PNR.
Through the last decades, PNR have become the backbone of airline reservation systems and, to make a long story short, are now presented as a key element for carrying out intelligence-led policing. Following the Paris attacks in January and November 2015, several institutional actors, from the French Interior Minister to the EU Counter-Terrorism Coordinator, have insisted on the need for the EU to set up a PNR scheme. Actually the idea was looming around since a while, and the Commission had already tabled twice a legislative proposal, in 2007 and in 2009. However, the draft had been put on hold after a negative vote in the European Parliament (EP) Committee for Civil Liberties, Justice and Home Affairs (LIBE) in April 2013.
Some countries have already developed quite comprehensive security systems that rely on the processing of PNR, notably the United States (US) and Canada, but also the UK within the EU. Generally speaking, PNR systems could be used for both more traditional investigative work and for profiling-based surveillance. It is mostly this second aspect that has attracted the attention of critical security researchers and law scholars, and it is this profiling potential that makes it a very tempting security measure for its proponents. So, when we speak about PNR we speak about many controversial topics: the deployment of mass-surveillance measures, a far-reaching interference into the private life of millions of passengers, the potential risk of discrimination, a shift towards pre-emptive security, the role of private actors in the creation of security measures, etc. Hence, PNR is also the name of the new concerns that surveillance raises in contemporary liberal societies.
At EU level, most of the debates revolve(d) around the impact on privacy and, notably, the possible role for data protection. Actually, the text that was recently agreed among representatives of the Commission, the Council and the Parliament – the new ‘EU PNR directive’ as it is called in EU jargon – abounds of references to data protection law, principles, and organizational tools. It seems to have a two-fold purpose: to facilitate the processing of passenger data and to protect the same data. Notably, the Members of the European Parliament made compulsory the appointment of Data Protection Officers within each of the national units that will collect, store and process data, and the powers of national data protection authorities have been further clarified. From this perspective, the PNR is the name of the tentative efforts to govern big data.
Les jeux sont faits (?)
Taking into account both these safeguards and the perceived need to use PNR as a crucial means in the fight against terrorism, the LIBE Committee has green-lighted the compromise version of the EU PNR Directive. The next legislative step is a vote in a plenary, then the adoption from the Council and a few other ‘technical’ steps. All resistance is coming to an end: controversies seem settled and the EU will have its common EU PNR scheme. After close to 8 years of debates among EU institutions, and more than a decade at international level, EU countries will finally have their own PNR-based security systems, and stop gazing with envy at other countries’ systems (notably the mighty US program). From this perspective, PNR is the name of a properly working EU – which delivers what is a needed at the right time – and will be remembered as a milestone in the creation of a common policy response in the field of counter-terrorism.
Then, what does remain to be done now that institutional politics are settled? Research-wise, the next step is just taking the time to submit a paper to a major peer-reviewed journal – now with the EU PNR Directive written down in the EU Official Journal and no more surprises and twists. Let’s finally call PNR with its due research name: one more case study to show the added-value of one or another theory of EU studies.
Then I read the leaked text. I read also the tough criticism by the European Data Protection Supervisor (EDPS – an EU institution focusing on data protection). And I started to think again about all of the above.
The EU PNR Directive foresees the capture of PNR of all passengers on EU-bound flights, departing or arriving from a third country. As the EDPS notes, this measure introduces mass-surveillance by security authorities on European scale. A huge amount of data will be stored for 5 years: 6 months with all personal information immediately available, and 4.5 years partially “masked”, in a depersonalized format that can be still reversed into the original in specific cases. All these data will be processed by run against given databases or specific lists, against specific profiling criteria, and in response to specific queries of security services. These data will also be used to create or update new profiling benchmarks. Not even the Data Retention Directive had such an outreach, because in that case traffic and location data of telecommunication remained stored with the providers, and not automatically and systematically transmitted to law enforcement authorities. As such, PNR is also the name of big data surveillance coming to Europe.
The future of PNR
Surely, the EU PNR Directive sounds quite robust in terms of data protection safeguards. As discussed elsewhere, I kind of ‘love’ data protection and I am confident that data protection safeguards and institutions will contribute to the governing of PNR. And yet, there is still too much of passenger data, despite all guarantees provided by data protection. From this troubling perspective, PNR is also the name of the limits of data protection.
Moreover, despite the fact we’ve seen so much of PNR for so long, there are very few PNR security systems already operational in Europe. Apparently, only the UK eBorders system is up and running (and has recently gone through a storm of criticism), and few others have been slowly launched but not fully implemented. Experience is that this kind of large-scale high-tech systems will be difficult to set up in Europe. For example, this has been the case with the new Schengen Information System (SIS2), whose difficult implementation even delayed for several member states the full enjoyment of a series of Schengen related advantages. The political impact of high-tech security systems was generally discussed – mostly in terms of respect of privacy, data protection and other fundamental rights – until their adoption, but then politics always seem to fade away. PNR becomes the name of the already obliterated future of the politics of high-tech security.
Keeping the pace of PNR
Yet, I believe that it is worth speaking of PNR today and keep looking for the upcoming controversies precisely because of this tendency to obliterate the future political implications of high-tech security. Unless popular TV series decides to show fewer drones and more passenger data, the current attention on PNR is probably the biggest societal exposure that the theme will ever get.
The challenge now is to keep the pace of so much of PNR. To follow how the EU PNR scheme will be set in place – how this mass-surveillance measure will be implemented, which kinds of problems will emerge and how actors will fix them. Notably, the challenge is to keep feel interested in PNR (and other very diverse security systems, such the EUROSUR program for border controls, the European Cybercrime Centre at EUROPOL, etc.) and better understand the ways in which national or European institutions, private companies, individuals or collectives may find leverages of political action through, or against, them.
This is a challenge for research, and in particular for the kind of research approach I tend to ascribe myself to. Several voices within studies on critical security and governmentality have emphasized the need to get closer to the everyday making of security and surveillance. But this is also a challenge for policy makers as well as concerned users and advocates. The deployment of a technology is not a linear process of implementation, but rather a successive enchainment of controversies and arrangements.