Read the German version of the article here.
According to the PNR Directive, which was adopted in 2016, all European member states must oblige airlines to forward passenger name records (PNR) to a central authority. In Austria, the Passenger Data Centre at the Federal Criminal Police Office has been installed for this purpose. These data are very extensive: In addition to the route and time of a flight, data on accompanying persons, luggage, seat reservation, choice of food, payment data and IP address are also stored, and many more. It is also possible to store "general information", which means that the categories do not have a limit at all.
It is mandatory to process data on all persons flying to and from the EU. There is also an option in the Directive for Member States to extend this to intra-European flights. Twenty Member States have made use of this option, including Austria. As soon as you fly to or out of Austria, your data is processed too. The government has thus gone beyond what is mandatory in this EU directive.
The data are transmitted twice to the Passenger Data Centre, once before departure and once after arrival. They are stored and processed for six months with your real name. They are then stored and processed depersonalised for a total of five years. However, depersonalisation is not anonymisation but pseudonymisation, i.e. the personal reference can be restored.
In order to fulfil the purpose of the Directive to prosecute and prevent certain serious criminal offences, these data are analysed according to certain "criteria", i.e. they are scanned by algorithms. They can also be cross-checked with other police databases. Essentially, this is equivalent to a dragnet.
INTRANSPARENCY AND DISCRIMINATION
These criteria are not verifiable by the persons concerned (all passengers). They can be based on criminological experience, but do not have to be. They can also be developed from the large data set, potentially from correlations that are arbitrary and misleading. This lack of transparency also entails the danger that discrimination cannot be recognised as such by the system and is thus concealed.
What is completely new about this measure for the Austrian legal system is that it leads to criminal investigations before there even is an initial suspicion of a crime. All passenger data are processed indiscriminately for the purpose of criminal prosecution and prevention. This would not be possible under the Austrian Code of Criminal Procedure.
It is accepted that the vast majority of those affected by these police investigations have absolutely nothing to do with criminal offences. It is also accepted that there will be suspects found without there being a criminal offence, based on pure probabilities and correlations. This is a method called predictive policing. It's a grid search, without cause. This goes much further than data retention, which is itself contrary to fundamental rights.
INCOMPATIBLE WITH OUR RULE OF LAW
The fact that a preliminary investigation has so far only been able to begin when there is a concrete initial suspicion of an offence that has been committed or is planned is regulated in § 1 of the Code of Criminal Procedure. In the parliamentary explanation to the StPO (Austrian Code of Criminal Procedure) reform 2004, the condition that there must be an initial suspicion before an investigation is carried out "to protect persons from becoming the object of investigations without good cause". The PNR Act diametrically contradicts these principles. Therefore, this type of passenger data processing is incompatible with our rule of law and our fundamental rights and freedoms.
It is no coincidence that these developments are happening now. There is more and more data about people and their behaviour and new, faster methods of analysis. Algorithms used for analysis are beginning to make significant decisions about human lives. In the case of the PNR Directive, a decision on whether further investigation steps will be taken, perhaps whether you will be placed on a list of "dangerous people" or a"no-fly list", whether you will be taken aside at the airport and questioned for hours.
AT THE MERCY OF THE ALGORITHM
The passenger data processing system poses very fundamental societal questions to us, the decision on the PNR Directive is a social crossroad. We must ask ourselves: Who is responsible for the decisions on algorithms? How can those affected and how can the public be sure of the justice of the algorithms? How can I as a person affected defend myself against the decisions of algorithms? In the PNR Directive and the PNR Act, themeasures of control and redress are insufficient.
The PNR Directive, as well as the EU Directive on Data Protection for Police and Justice, stipulates that any automatic decision to the detriment of people, must be reviewed by a person. In Germany, 40 civil servants are working shifts around the clock to carry out these checks. This regulation is important, because only people can take responsibility for decisions. Computers cannot bear responsibility. But how can these decision-makers, who check algorithmic hits, bear responsibility if it is not transparent and clear what the algorithm does? It is impossible. This transparency must therefore be guaranteed if this regulation is to have any significance.
US Professor of Law Daniel J. Solove writes that the dystopia we need to protect ourselves from is not so much like George Orwell's "1984" dystopia, where Big Brother watches over everything and observes everything, but more like Kafka's "The Trial" of being delivered to a system that you can't see through, that makes decisions about you that you can't question and understand, that you have no power in, because you don't know on what basis, for what reason they were made. This should not be our future.
EVERYONE CAN JOIN IN
In Austria, the PNR Directive was implemented by the PNR Act, which has been in force since 17 August 2018. At the beginning of March 2019, the Passenger Data Centre reported that it had started its work. In March, it was reported that only Austrian Airlines transmitted data, which represents 50% of air traffic to and from Austria. The Passenger Data Centre expects 54 million data records per year.
Not only does the Directive have serious shortcomings in terms of fundamental rights and the rule of law, but its implementation in Austria, i.e. the PNR Act, is also in itself contrary to fundamental rights. This concerns: the scope of the law, its applicabilty to intra-EU flight, the insufficient right of access and protection against automated decisions. We have already issued a written opinion on the introduction of the law.
Our procedure begins with a request for information to the Passenger Data Centre. Any person can do this, the form is online at nopnr.eu. So far we have made about ten requests for information. In two cases we have received incomplete information and we have lodged complaints in both cases.
The strategic complaint is addressed to the data protection authority. We assume that the DPA will confirm the data processing because it is carried out according to the law. We will appeal against this to the Federal Administrative Court and expect the Court to submit questions on the legality of the PNR Directive to the European Court of Justice.
In 2017, the European Court of Justice declared an agreement on the exchange of passenger data between the EU and Canada to be contrary to fundamental rights, specifically a violation of Article 7 of the Charter of Fundamental Rights, Right to Privacy and Article 8 of the Charter of Fundamental Rights, the Right to Data Protection. Although almost all of these arguments also apply to the PNR Directive, it has been implemented. That this was even possible leads to a situation where civil society once again having to take it into its own hands to enforce our fundamental rights.
Our German partner organisation, the Gesellschaft für Freiheitsrechte (Society for Liberty Rights), takes legal action under both private and administrative law. You can find out more on the website nopnr.eu.