According to the PNR Directive, which was adopted in 2016, all European member states must oblige airlines to forward passenger name records (PNR) to a central authority. In Austria, the Passenger Data Centre at the Federal Criminal Police Office has been set up for this purpose. This data is very extensive: in addition to the route and time of a flight, it includes data on accompanying persons, luggage, seat reservation, choice of food, payment information, IP address, and much more. It is also possible to store "general information", meaning that these categories do not have a limit at all.
It is mandatory to process data on all persons flying to and from the EU. There is an additional option in the Directive for Member States to extend this to intra-European flights. Twenty Member States have made use of this option, including Austria. This means that as soon as you fly to or out of Austria, your data is processed too. The government has thus gone beyond what is mandatory in this EU directive.
Collected data is transmitted twice to the Passenger Data Centre -- once before departure and once after arrival. It is stored and processed for six months with your real name. After these first six months, the data is depersonalised, stored, and processed for a total of five years. Depersonalisation is not, however, anonymisation. Depersonalisation is pseudonymisation, meaning that the personal reference can be restored.
In order to fulfil the purpose of the Directive to prosecute and prevent certain serious criminal offences, this data is analysed according to certain "criteria", i.e. it is scanned by algorithms. It can also be cross-checked with other police databases. Essentially, this is equivalent to a dragnet.
LACK OF TRANSPARENCY AND DISCRIMINATION
These criteria are not verifiable by the persons concerned (all passengers). They can be based on criminological experience, but do not have to be. They can also be developed from the large data set, potentially from correlations that are arbitrary and misleading. This lack of transparency also entails the danger that discrimination cannot be recognised by the system itself, and is thus concealed.
What is completely new about this measure for the Austrian legal system is that it leads to criminal investigations before there is even an initial suspicion of a crime. All passenger data is processed indiscriminately for the purpose of criminal prosecution and prevention. This would not be possible under the Austrian Code of Criminal Procedure.
It is accepted that the vast majority of those affected by these police investigations have absolutely nothing to do with criminal offences. It is also accepted that, based on pure probabilities and correlations, there will be suspects found without their having committed a criminal offence. This is a method called predictive policing. It's a grid search, without cause. This practice goes much further than data retention, which is itself contrary to fundamental rights.
INCOMPATIBLE WITH OUR RULE OF LAW
As regulated in § 1 of the Code of Criminal Procedure, a preliminary investigation has so far only been able to begin when there is a concrete initial suspicion that an offence has been committed, or that an offence is planned. In the parliamentary explanation to the StPO (Austrian Code of Criminal Procedure) reform in 2004, the condition that there must be an initial suspicion before an investigation is carried out is explained as serving "to protect persons from becoming the object of investigations without good cause". The PNR Act diametrically contradicts these principles. Thus, this type of passenger data processing is incompatible with our rule of law, our fundamental rights, and our freedoms.
It is no coincidence that these developments are happening now. There is more and more data about people and their behaviours, as well as new, faster methods of analysis. Algorithms used for analysis are beginning to make significant decisions about human lives. In the case of the PNR Directive, this includes decisions on whether further investigative steps will be taken, whether perhaps you will be placed on a list of "dangerous people" or a "no-fly list", or whether you will be taken aside at the airport and questioned for hours.
AT THE MERCY OF THE ALGORITHM
The passenger data processing system poses very fundamental societal questions to us, and the decision on the PNR Directive is a social crossroads. We must ask ourselves: Who is responsible for the decisions on algorithms? How can those affected and how can the public be sure of the justice of the algorithms in use? How can I, as a person affected, defend myself against the decisions of algorithms? In the PNR Directive and the PNR Act, the measures of control and redress are insufficient.
The PNR Directive, as well as the EU Directive on Data Protection for Police and Justice, stipulates that any automatic decision to the detriment of people must be reviewed by a person. In Germany, 40 civil servants are working shifts around the clock to carry out these checks. This regulation is important because only people can take responsibility for decisions -- computers cannot bear responsibility. But how can these decision-makers, people working to check algorithmic hits, bear responsibility if it is not transparent and clear what the algorithm does? It is impossible. Greater transparency must be guaranteed if this regulation is to have any significance.
US Professor of Law Daniel J. Solove writes that the dystopia we need to protect ourselves from is not like that in George Orwell's 1984, where Big Brother watches over and observes everything, but more like Kafka's The Trial. This dystopia exists in being part of a system that you can't see through, that makes decisions about you that you can't question and understand, that you have no power in because you don't know on what basis or for what reason decisions were made. This should not be our future.
EVERYONE CAN JOIN IN
In Austria, the PNR Directive was implemented by the PNR Act, which has been in force since 17 August 2018. At the beginning of March 2019, the Passenger Data Centre reported that it had started its work. In March, it was reported that only Austrian Airlines transmitted data, which represents 50% of air traffic to and from Austria. The Passenger Data Centre expects 54 million data records per year.
Not only does the Directive have serious shortcomings in terms of fundamental rights and the rule of law, but its implementation in Austria, i.e. the PNR Act, is in itself contrary to fundamental rights. This concerns the scope of the law, its applicability to intra-EU flights, and the insufficient right of access and protection against automated decisions. We have already issued a written opinion on the introduction of the law.
Our procedure begins with a request for information to the Passenger Data Centre. Any person can do this; the form is online at nopnr.eu. So far we have made about ten requests for information. In two cases we have received incomplete information and we have lodged complaints in both cases.
The strategic complaint is addressed to the data protection authority. We assume that the DPA will confirm the data processing because it is carried out according to the law. We will appeal against this to the Federal Administrative Court and expect the Court to submit questions on the legality of the PNR Directive to the European Court of Justice.
In 2017, the European Court of Justice declared an agreement on the exchange of passenger data between the EU and Canada to be contrary to fundamental rights, specifically a violation of Article 7 (the right to privacy) and Article 8 (the right to data protection) of the Charter of Fundamental Rights. Almost all of these arguments also apply to the PNR Directive as it has been implemented. That this was even possible leads to a situation where civil society, once again, has to take matters into its own hands to enforce our fundamental rights.
Our German partner organisation, the Gesellschaft für Freiheitsrechte (Society for Liberty Rights), takes legal action under both private and administrative law. You can find out more on the website nopnr.eu.