Unexpected Visitors: European Security Politics and the Passenger Name Record Directive

Mark Goldberg
J.D. Candidate, Columbia Law School, 2015


Over the last two years, a vicious terror organization called Daesh (sometimes known as “Islamic State,” “ISIS,” or “ISIL”) arose amidst societal collapses in Iraq and Syria. Originally an al-Qaeda splinter group, Daesh has proven its resiliency and tenacity in many strategic campaigns. Daesh infamously uses social media to an unprecedented extent for a terror group. Daesh relies on the Internet to propagandize and recruit new jihadis. Its tactics continue to succeed: Gilles de Kerchove, the EU Counter-Terrorism Coordinator, estimates that at least 3,000 European nationals, swayed by recruiters, left the EU to fight for Daesh.[1] Many of them come back. Unless EU institutions act rapidly to provide law enforcement with the tools it needs, namely the Passenger Name Record, Daesh returnees will take European lives.

These 3,000 individuals pose one of Europe’s most acute security concerns. They originate from many EU countries, and travel freely within the Union when they return. In particular, more foreign fighters are from France than any other EU Member State.[2] France is far from alone, however—one-quarter of European jihadis in Syria are believed to be from the UK, and Belgium “is believed to have the highest per capita rate in the EU of fighters in Syria.”[3] The EU currently lacks a coordinated strategy to deal with returning militants. Union-wide systems for flagging, interdicting, apprehending, and trying these terrorists remain nascent. Burkhard Freier, the head of Germany’s domestic intelligence service, noted that returning foreign fighters “are able to travel and we can do nothing to prevent them.”[4] It is difficult to prove in court that someone returning to Europe left with the intent to fight for Daesh, a showing typically required for a court case.[5] At least one politician has proposed criminalizing recruitment for terror organizations,[6] but that solution will proceed only on a state-by-state basis (and slowly at that, subject to Member State politics).

Daesh benefits from Europe’s unpreparedness. When Daesh fighters return, they bring conflict, terrorist tactics, and radical Islam with them. They do not respect borders between Member States. An estimated 120 fighters have returned to France, 13 of which are considered serious terrorist threats.[7] Of these, one—Mehdi Nemmouche—murdered three individuals and injured a fourth in a machine-gun attack on the Jewish Museum in Brussels.[8] Nemmouche was apprehended during a random drug search in Marseille—and only because he still had the AK-47 he used to commit the crime in his baggage.[9] Other plots with French,[10] British,[11] and Belgian targets (or with the aim of recruiting additional Europeans for Daesh) have been interdicted before fruition or while in progress.[12] It bears mentioning that PNR data collection could help in the fight against all terror suspects, not just Daesh. This includes other Islamic terror networks, such as the al-Qaeda affiliates responsible for the infamous attack on the French satirical magazine Charlie Hebdo, resulting in seventeen deaths.[13] Hebdo threw the “foreign fighters” issue into sharp relief, and left many Europeans wondering what could be done to forestall similar attacks in the future. Casting about the legislature’s halls for weapons to fight back, they seized upon a Commission proposal for a Passenger Name Records system.

I. The Passenger Name Records Directive—A Possible Solution

 Daesh’s plots are international; facilitated by visa-free travel throughout much of the Union, they require an internationally coordinated solution. The European Council recognizes as much, highlighting the needs to improve “judicial response” and “information exchange” at a recent meeting.[14] The Italian Presidency of the JHA Council proposed some solutions, including deeper coordination with Europol,[15] but the Council repeatedly urged the Parliament to take a position on the Passenger Name Record (PNR) Directive.[16] This directive has languished in the legislative procedure since 2011, when the Commission first proposed it.[17] The PNR Directive would require airlines flying international routes into or out of the EU to transmit certain types of data about passengers to Member States.[18] The data collected would include addresses, names, itineraries, and how passengers purchased their tickets.[19] The UK is the only EU Member State with a mature PNR system, although five others (France, Denmark, Sweden, Belgium, and the Netherlands) have pilot PNR programs.[20]

The PNR Directive requires Member States to establish Passenger Information Units (PIUs) to receive, process, and retain this information, then anonymize it and store it for up to five years.[21] These data are critical for foiling terrorist plans. Analyzing them would lead to identifying previously unknown individuals (such as fellow travelers or travel agents working with Daesh associates) or patterns of behavior (particular airports or codesharing arrangements preferred by Daesh). This analysis would enhance European law enforcement’s intelligence and operations. As noted by the Council, PNR data plug holes in existing systems because the data “are used in advance of a border crossing and not at the border crossing itself.”[22] The PNR Directive requires PIUs to collect statistics including “the number of subsequent law enforcement actions that were taken involving the use of PNR data.”[23] Accurate statistics would fight Daesh by helping all Member States understand the seriousness of the problem, and provide a source of reliable information showing enforcement successes. Estimates vary on both how many EU citizens have left to fight abroad and how many of them have returned. Independently produced statistics create negative feedback: low estimates might cause policymakers to doubt that an entirely new data collection system would be proportional, while high estimates might make legislators more willing to abrogate civil liberties. Solid numbers are critical.

Existing systems include the Schengen Information System (SIS), to which the UK does not have access; intelligence agencies cite security concerns for being unwilling to share information with SIS, which undercuts its utility.[24] SIS checks occur at the border, precluding comprehensive data analysis. Member States also have access to the Visa Information System, which also only checks at the border and detects immigration issues, not persons of interest to law enforcement or security. Additionally, the EU does currently collect biographical information about passengers through the Advanced Passenger Information (API), controlled by the API Directive.[25] API data is very sensitive, and its uses are highly restricted. It is also complementary to, and—importantly—not a substitute for PNR data. API collection does not capture full itineraries, seat numbers, or baggage information—all of which are crucial to real-time operations. Law enforcement cannot arrest a terrorist on the tarmac because they know his eye color; they can arrest him when they know his face and where he is sitting on the airplane.

The Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (LIBE) originally rejected the proposal in 2013 by a vote of 30 to 25.[26] The Parliament, in plenary session, referred the draft back to LIBE in June 2013.[27] Daesh security threats have undoubtedly increased since then. LIBE members claim that the PNR directive needs evaluation following the April 2014 ruling from the Court of Justice of the European Union (CJEU) overturning the Data Retention Directive.[28] In November 2014, it referred the EU–Canada PNR agreement (related to Canadian PNR requirements) to the CJEU.[29] Post-Charlie Hebdo, some parliamentarians have changed their positions on the PNR Directive, but concerns still persist among the most privacy-conscious legislators.[30] MEPs have publicly announced that they hope to pass the Directive by the end of 2015.[31] Indeed, the Parliament passed a resolution to this effect, seemingly eschewing its threat of making reference in favor of political engagement with the Commission on the current draft.[32]

In the last weeks of February 2015, Timothy Kirkhope, a conservative British MEP and Rapporteur for the proposal, issued a new report.[33] The Kirkhope Report includes several changes designed to assuage privacy hawks’ fears.[34] Opponents remain unsatisfied, calling Kirkhope’s changes “cosmetic.”[35] The hawks have some reason to worry about some of the Rapporteur’s modifications, such as including intra-EU flights in the scheme.[36]

 A. Proportionality Review—PNR Directive versus the Data Retention Directive

Long debates would be an unnecessary and dangerous delay. The PNR Directive complies with the standards set out by the CJEU for responsible collection and processing of data in Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources. The PNR Directive has a more limited scope and greater protections than the Data Retention Directive. The PNR Directive’s structure, drafted in 2011, undoubtedly resulted from the privacy politicking that occurred after the Data Retention Directive’s 2006 passage. The Data Retention Directive was overturned because the CJEU ruled it disproportionate—in other words, a more limited scope and more robust protections could have saved it. To the extent that LIBE or the Parliament still have concerns, those institutions should articulate them in their common position and move the legislative process along. Every month of delay sees more flights with more Daesh passengers, each plotting more attacks, landing in Europe. The incoming Latvian Counsel Presidency named “reinforcing the data protection framework”[37] as one of its priorities in Justice and Home Affairs, which could present a political obstacle to getting the PNR passed after they take over.

The legislation overturned in Digital Rights Ireland required Member States to collect dozens of types of data about telephone and Internet subscribers, ranging from name and address to IP addresses, the type of equipment they used, and the length of a connection.[38] The scope of the data allowed for:

very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.[39]

The CJEU acknowledged that public security, including the fight against international terrorism and serious crime (the grounds justifying the PNR Directive), was “an objective of general interest”[40] which justifies interfering with fundamental rights in a proportionate manner. The Data Retention Directive’s depth of surveillance offended the right to private life and privacy enshrined in Articles 7 and 8 of the Charter of Fundamental Rights. The court took issue with the fact that data was automatically processed under the Data Retention Directive,[41] and that it did not require “any relationship between the data whose retention is provided for and a threat to public security.”[42] The CJEU extrapolated on the directive’s failure because it did not “expressly provide that … access and the subsequent use of the data … must be strictly restricted to the purpose of preventing and detecting precisely defined serious offences,”[43] and that the directive did not require judicial review before law enforcement queried a database.[44] Finally, the court noted that the directive did not “require the data in question to be retained within the European Union,” which interfered with Charter Article 8(3)’s requirement that data collection be supervised by independent authorities. All of these failings meant that “the EU legislature … exceeded the limits imposed by compliance with the principle of proportionality [with respect to] Articles 7, 8, and 52(1) of the Charter.”[45]

The PNR Directive ameliorates most, though not all, of the problems in the Data Retention Directive. Its dramatically narrower scope is a difference in kind, not only in degree. Restrained collection considerably diminishes whatever failings the PNR Directive might share with the Data Retention Directive.

The PNR Directive would only collect information directly related to air travel, not the galaxy of electronic and telephonic communications authorized by the Data Retention Directive. It explicitly looks to privacy protection instruments and the Charter to guide its application.[46] Although PNR data would show a passenger’s address and reveal some of her movements, it would not let the Member State officials ascertain her “habits of daily life,” her “daily … movements,” her activities, or her social relations, all of which caused the CJEU consternation in Digital Rights Ireland.

The PNR Directive limits processing as much as it restrains collection. Airlines already collect PNR data for internal purposes,[47] and the PNR Directive only authorizes very specific queries by Passenger Information Units against those records. The Directive mandates that data be “pushed” from an air carrier in response to a specific request, controlling which records are released.[48] It explicitly does not permit PIUs to have broad access to carriers’ databases, letting them “pull” information at will.[49] PNR data can only be “pushed” if they relate to terrorist offenses under Council Framework Decision 2002/475/JHA or serious crimes under Framework Decision 2002/584/JHA. The latter instrument provides that serious crimes are only those which result in custodial sentences or detention for a maximum of three years or more.[50] This structure gives Member States flexibility—some could preclude PNR requests for recruitment or propagandizing crimes by not criminalizing such behavior, while other countries could remain free to do punish it harshly.[51]

Article 1(2) of the PNR Directive includes a purpose limitation, providing that PNR data can only be processed in relation to terrorist offenses or serious crimes.[52] Paragraph 2 of the draft directive’s “Background” section says that Article 1(2)’s “clear and strict purpose limitation is important in order to safeguard the proportionality of the Directive.”[53] Finally, the PNR Directive’s Background section specifically instructs that “the scope of this Directive is as limited as possible.”[54] Article 1(2), the disclaimer in the Directive Background, and the reliance on 2002/475/JHA and 2002/584/JHA all provide more rigorous proportionality guarantees than the Data Retention Directive. That instrument’s purpose aimed to “ensure that the [collected] data are available for the purpose of the investigation, detection, and prosecution of serious crime.”[55] The Data Retention Directive aimed to ensure the data’s availability for law enforcement, but did not limit its use to investigation and prosecution. The PNR Directive’s Article 1(2) does restrict PNR data to law enforcement.

B. Proportionality Review—The Kirkhope Report

 As discussed above, the PNR Directive was proportional before the amendments made by the Kirkhope Report. If the European Parliament accepted it without a glance at Kirkhope’s changes, it would likely survive judicial review. The rapporteur’s document reflects changes in Europeans’ thoughts on privacy after Charlie Hebdo, and it provides for a more robust PNR system than the initial proposal. One particular element may even overcorrect in the face of surging grassroots energy to protect Europe from attack. Expansions beyond what the Parliament already rejected (in the Proposal’s earlier versions) may endanger the scheme’s proportionality. Alternatively, overcorrection may be a strategic gambit by Kirkhope, a member of the European Conservatives and Reformists group. The opposition may focus its resources on killing Kirkhope’s new additions, settling into consensus around the core (original) proposal.

Many of the amendments are uncontroversial or cosmetic. For example, Amendment 32 requires Member States to inform one another of national legislation that affects implementation of the Directive.[56] Such provisions are boilerplate in EU Directives, and achieve valuable information-sharing goals. Amendment 12 provides that states, by consent, may share a PIU and jointly administer it. For smaller countries whose residents share major airports, such as the Benelux states, Amendment 12 streamlines PNR Directive implementation.[57]

Amendment 5 is the Kirkhope report’s first major change. In it, the Rapporteur suggests changing language authorizing PNR processing for “the following purposes [including prevention, detection, and investigation of serious crimes]”[58] to new authority stating that PNR data may be processed “only for the purposes of prevention, detection, investigation, and prosecution of terrorist offences.”[59] This change enhances the Directive’s proportionality by removing ambiguity. Arguably, the old language provides fighting serious crime as an example a possible legitimate use of PNR data. The new language precludes such an interpretation. The Report is filled with purpose limitations, such as Amendment 11 (exhaustively listing “serious transnational crimes” for which law enforcement could request PNR data),[60] Amendments 14–15 (clarifying that PNR can only be compared with other records in accordance with the Directive’s purpose limitations on processing PNR data),[61] Amendment 19 (reaffirming that law enforcement entities empowered by Member States to request information from PIUs must do so for the “specific purpose” of the Directive),[62] and Amendment 33 (extending purpose limitations to transfers of PNR between Member States and third countries).[63]

Amendment 22 expands the Directive’s protected categories. The original text prohibited authorities from using automated PNR data to make decisions based on “race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual life”;[64] the rapporteur added, inter alia, “social origin, genetic features, language … political or other opinion, age, and disability.”[65] Amendment 22 adds a new deletion requirement for data indicating an individual’s status with respect to these protected categories: 30 days after receipt (the original text had no deletion requirement at all).[66]

Article 13 animates the same sensibility. If an airline ever sends a PIU information beyond standard PNR data (such as sending API data in response to a PNR request), Amendment 13 mandates that the PIU “delete such data immediately and permanently upon receipt,”[67] while the original Commission Proposal only said the word “immediately.” A PIU would arguably be misbehaving under the old wording if it deleted it “immediately” but not “permanently,” perhaps by erasing the data but retaining a file number on the subject. This change clarifies PIUs’ responsibility to behave in good faith. Permanent deletion protects erroneously surveilled passengers.

Amendments 37 and 42–44 collectively enhance the PNR Directive’s proportionality. They respond directly to political concerns over privacy. They establish extensive private rights enforceable by individuals against their Member State. No such mechanism existed in the original proposal. These rights include rights to access, rectification, erasure and blocking, compensation, and judicial redress.[68] Amendment 37 requires states to report data breaches to affected individuals within their jurisdiction, coordinate with other Member States when a breach affects their citizens, and imposes a legal duty to protect the data with “security accredited computer system[s],” a “[national] statutory code of practice,” and appoint a “data protection supervisory officer”[69] to protect PNR data. Amendment 42 empowers Member States to discipline employees responsible for data breaches.[70] Amendments 43 and 44 respectively establish robust independent review of PNR processing and review by the EU institutions.[71] The institutions include the Parliament, of course. MEPs who question PNR would be able to keep a watchful eye over its implementation in the future.

Liberal MEPs very well might identify private rights as a flash in the pan. Privately enforceable rights are meaningless in the decidedly proactive environment in which law enforcement could violate them. The right to access PNR data does not help the innocent civilian when police are radioing up to her airplane and forcing it to land early to arrest her. The provision strikes a balance between ex ante rights protection and giving law enforcement the initiative, and pro-privacy politicians may claim that the balance disproportionately favors law enforcement. Criminal law disproportionately favors the police in many situations besides PNR; and as with other contexts, ex post rights vindication plays a decisive role at the criminal trial. Judges frequently release defendants illegally arrested by the police. The Kirkhope Report expressly provides a right for judicial redress. If police improperly processed a passenger’s PNR data—for example, using it to arrest him for an insufficiently serious crime—the Report clearly empowers him to entreat the judge to release him. He may even seek compensation against the state. PNR data might be disturbing in an age of mechanized collection, but criminal due process protects PNR defendants the as well as it does any other defendant.

These Amendments offer substantial, meaningful protection. They represent an acknowledgment by the Rapporteur and others that privacy rights are an ongoing, evolving conversation which will need supervision from powerful actors, both private and public. By contrast, the provisions of the Data Retention Directive seem downright primitive. That Directive’s provisions made only cursory reference to “fundamental rights” or the ECHR privacy right, without specifically articulating the rights to access and erasure, and other rights that the PNR Directive describes.[72] The Data Retention Directive required Member States to designate authorities for monitoring its application in “complete independence;”[73] it does not provide for independent EU institution review, nor does it set specific requirements for such authorities (such as security-accredited computer systems, a specific data protection officer, or a statutory standard of protection). The Kirkhope Report does all of these things, reflecting the amendments’ maturity and thoughtfulness.

Amendment 6 deserves special mention. It extends the Directive’s coverage to “passenger flights within the territory of the Union.”[74] Nothing in the previous draft authorized such broad jurisdiction for the PNR system. Amendment 6 massively increases the reach and power of the PNR system, implicitly requiring more resources to be committed to make it function effectively. Amendment 6 is the most controversial. It risks unnecessary surveillance, potential misuse or mishandling of data, and cost overruns. Passengers traveling between EU airports are less likely foreign fighters than those entering the EU, since a “foreign fighter” must have returned from outside the EU. PIUs would demand far more resources to track the thousands of flights within the EU (including flights within individual Member States). More data will lead to more false positives; false positives often result in misdirected investigatory efforts and infringements on Europeans’ civil liberties. More data also makes it more likely that bad actors in PIUs or law enforcement will misuse the records or fail to protect them.

It is likely that terrorists do not commit their crimes in the EU cities where they first arrive. An operative may land in Paris, spend a few days there, and then fly to Florence on a separate ticket to attack Italian targets. Importantly, the unamended Directive would capture his PNR data if he booked his entire itinerary at once (for example, connecting in Paris for hours or even days on the same ticket). Undoubtedly, Amendment 6 would help trace plots relying on a series of individual tickets. Nevertheless, nefarious organizations already benefit from free movement within the EU. The hypothetical terrorist could just as easily have driven or taken buses from Paris to Florence. An intra-EU PNR regime could draw terrorists, sophisticated in countersurveillance, away from flights and into cars or alternative means of transit. If anything, this could detract from security overall, since passing through airport security on intra-EU flights puts terrorists directly in contact with government surveillance within the airport (as opposed to a bus terminal or car rental station) The Rapporteur’s change thus adds little if any marginal benefit over the unamended Directive text. Amendment 6 presents a classic case study in proportionality. Assuredly, it might help achieve the Directive’s objective of marshaling PNR data to identify and interdict suspected terrorists. However, Amendment 6 provides few added benefits in the face of enormous costs: more surveillance as a per se liberties violation, greater chances of data abuse, and a more costly system to manage.

On its own, Amendment 6 undermines the whole Kirkhope Report’s proportionality. If privacy hawks hope to undermine the Report specifically or the PNR Directive in general, they would be well-advised to take aim at Amendment 6. Should it fall, the resulting text (either the Kirkhope Report without it or the underlying draft proposal) would pass CJEU proportionality review post-Digital Rights Ireland. Amendment 6 may very well be a bargaining chip or a whipping-boy provision, designed by a conservative legislator to give liberal colleagues something to excise in plenary session. Amendment 6 may be political cover. This conclusion is obviously speculative, but the Kirkhope Report’s overall structure supports it. Other than that one provision, the Kirkhope Report universally moves the Commission’s proposal to the left on data privacy: it suggests rigorous purpose limitations for accessing PNR data, establishes privately enforceable rights against PIUs, expands protected categories of identifier information, and otherwise incorporates important post-Digital Ireland debates over privacy. Additionally, the Kirkhope Report shortened data retention periods in Amendment 34 (from five years for all crimes to four years for serious transnational crimes and five years for terrorism)[75] and lengthened Directive’s implementation deadline in Amendment 45 (from two years to three).[76] Amendment 6 is the sole major area where Kirkhope shifted right. After the Hebdo massacres, PNR rapidly ascended in popularity. Liberals in the European Parliament would be foolhardy to reject PNR’s power, but blind consent might be seen as a betrayal to their leftwing electorates. A dramatic fight over monitoring intra-EU flights, combined with liberal constraints on the PIUs and law enforcement (as well as shorter retention periods in Amendment 35 and purpose limitations throughout the Directive) would guarantee liberal satisfaction with the proposal.

The PNR Directive is the first step in crafting a centralized response to the ongoing and invidious Daesh threat. Analyzing Daesh operatives’ patterns of behavior and tracking individual fighters before they reach EU borders would enable proactive law enforcement operations, stopping terror plots before they start. The Directive does not offend the Charter of Fundamental Rights, and the Parliament should resolve its disagreements with the Council and Commission politically, not judicially. The Kirkhope report largely strengthens the Directive’s viability, but it includes one provision which could potentially endanger the law’s proportionality. Amendment 6 excepted, the Parliament should pass the Directive as amended, then use the Directive’s grant of oversight to monitor PIUs. European security hangs in the balance.

Featured image source: http://fra.europa.eu/sites/default/files/fra_images/shutterstock_45736984.jpg

[1] Islamic State Crisis: ‘3,000 European Jihadists Join Fight’, BBC News (Sept. 26, 2014, 7:46 AM), http://www.bbc.com/news/world-middle-east-29372494/.

[2] Matthew Dalton and Margaret Coker, How Belgium Became a Jihadist-Recruiting Hub, The Wall Street Journal (Sept. 28, 2014, 10:38 PM), http://www.wsj.com/articles/how-belgium-became-a-jihadist-recruiting-hub-1411958283.

[3] Ian Traynor, Major Terrorist Attack is ‘Inevitable’ as Isis Fighters Return, Say EU Officials, The Guardian (Sept. 25, 2014, 1:30 PM), http://www.theguardian.com/world/2014/sep/25/major-terrorist-attack-inevitable-isis-eu.

[4] Jeannette Seiffert, EU Searches for an Anti-Terror Strategy, Deutsche Welle (Sept. 27, 2014), http://www.dw.de/eu-searches-for-an-anti-terror-strategy/a-17958769.

[5] Id.

[6] Id.

[7] Traynor, supra note 3. See also Seiffert, supra note 4 (estimating the number of French returnees at 180).

[8] Brussels Jewish Museum Killings: Suspect ‘Admitted Attack’, BBC News (June 1, 2014, 4:28 PM) http://www.bbc.com/news/world-europe-27654505.

[9] Id.

[10] Terrorisme: Un Projet d’Attentat Déjoué cet Été en Ile-de-France, Metronews.fr (Nov. 3, 2014, 3:20 AM), http://www.metronews.fr/paris/terrorisme-un-projet-d-attentat-dejoue-cet-ete-en-ile-de-france/mnkc!vqyRCTMTPFwAY/ (regarding the plot of Mohamed Ouharani to attack Paris or Creteil); Damien Delseny, Plusieurs Projets d’Attentats Terroristes Déjoués en France, Selon une Note de la DGSI, RTL (Nov. 3, 2014, 1:44 AM), http://www.rtl.fr/actu/societe-faits-divers/un-attentat-terroriste-dejoue-lors-du-dernier-carnaval-de-nice-7775148816 (regarding plot to attack Carnival in Nice, and apprehension of Lyles Darani in Lille in 2013).

[11] Raffaello Pantucci, The British Foreign Fighter Contingent in Syria, CTC Sentinel, May 2014, at 17, available at https://www.ctc.usma.edu/v2/wp-content/uploads/2014/05/CTCSentinel-Vol7Iss5.pdf.

[12] Georg Matthes, ‘Sharia4Belgium’ Jihadist Terror Trial Begins in Antwerp, Deutsche Welle (Oct. 10, 2014), http://www.dw.de/sharia4belgium-jihadist-terror-trial-begins-in-antwerp/a-17986464; Dalton, supra note 2. (46 defendants prosecuted for Daesh recruitment, which included exhortations to attack the Brussels Atomium).

[13] Al-Qaeda in Yemen Claims Charlie Hebdo Attack, Al Jazeera (Jan. 14, 2015 19:31 GMT), http://www.aljazeera.com/news/middleeast/2015/01/al-qaeda-yemen-charlie-hebdo-paris-attacks-201511410323361511.html; Victims of the Terror Attacks in Paris, New York Times (Jan. 11, 2015) http://www.nytimes.com/2015/01/12/world/europe/terror-attacks-in-paris-the-victims.html.

[14] Press Release, Council of the European Union, 3354th Council Meeting- Justice and Home Affairs (Dec. 4–5, 2014), at 3, available at http://www.consilium.europa.eu/uedocs/cms_Data/docs/pressdata/en/jha/146049.pdf.

[15] Id. at 16.

[16] Id. at 3, 17–18.

[17] Commission Proposal for a Directive of the European Parliament and of the Council on the Use of Passenger Name Record Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime, COM (2011) 32 final (Feb. 2, 2011), available at http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%
[hereinafter, Proposed Directive].

[18] Id. at 12 (Article 1(1)).

[19] Id. at 31 (Article 18(2)).

[20] Rapporteur of the Committee on Civil Liberties, Justice and Home Affairs, Draft Report on the Proposal for a Directive of the European Parliament and of the Council on the Use of Passenger Name Record Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime, at 40, COM (2011) 0032 (Feb. 17, 2015), available at

[21] Proposed Directive, supra note 17, at 3.

[22] Id. at 4.

[23] Id. at 30 (Article 18).

[24] Traynor, supra note 3.

[25] Parliament and Council Directive 2004/82/EC, On the Obligation of Carriers to Communicate Passenger Data, 2004 O.J. (L 261).

[26] Press Release, European Parliament, MEPs Debate Plans to Use EU Passenger Name Record (PNR) Data to Fight Terrorism (Nov. 11, 2014), available at http://www.europarl.europa.eu/pdfs/news/expert/infopress/20141110IPR78121/20141110IPR78121_en.pdf.

[27] Id.

[28] Id.

[29] Press Release, European Parliament, MEPs Refer EU–Canada Air Passenger Data Deal to the EU Court of Justice (Nov. 25, 2014), available at http://www.europarl.europa.eu/news/en/news-room/content/20141121IPR79818/

[30] Press Release, European Parliament, Passenger Name and Data Protection Talks Should Go Hand in Hand, MEPs Say (Feb. 2, 2015), available at http://www.europarl.europa.eu/news/en/news-room/content/20150206IPR21217
; Interview with Roberta Metsola, Maltese Member of European Parliament, in Brussels, Belg. (Jan. 19, 2015).

[31] EP This Week: Passenger Name Records, Emissions Trading, US Trade Deal, Greece, European Parliament News (Feb. 23, 2015, 12:35), http://www.europarl.europa.eu/news/en/news-room/content/20150220STO24364/html/

[32] Resolution on Anti-Terrorism Measures, Eur. Parl. Doc 2530(RSP) (2015), available at http://www.europarl.

[33] See Rapporteur of the Committee on Civil Liberties, Justice and Home Affairs, Draft Report on the Proposal for a Directive of the European Parliament and of the Council on the Use of Passenger Name Record Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime, COM (2011) 0032 (Feb. 17, 2015), available at https://digitalegesellschaft.de/wp-content/uploads/2015/02/EU-PNR-EP-draft.pdf [hereinafter, Kirkhope Report].

[34] E.g., id. at 42 (addressing de-centralized system of collection, shortening retention period for non-terrorism crimes from five years to four).

[35] Negotiator Urges Backing for PNR Law, BBC Democracy Live (Feb. 26, 2015, 15:58), http://www.bbc.co.uk/

[36] Kirkhope Report, supra note 33, at 42.

[37] Press Release, supra note 14.

[38] Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd. v. Minister for Communications, Marine, and Natural Resources and Seitlinger and Others, at 5, available at http://curia.europa.eu/juris/document/document.jsf?text=

[39] Id. at 8.

[40] Id. at 10.

[41] Id. at 11.

[42] Id.

[43] Id.

[44] Id.

[45] Id. at 12.

[46] Id. at 16.

[47] Id. at 15.

[48] Id. at 16.

[49] Id.

[50] Framework Decision of 13 June 2002 on the European Arrest Warrant and the Surrender Procedures Between Member States, art. 2(2), 2002 O.J. (L 190) 1.

[51] See Seiffert, supra note 4.

[52] Proposed Directive, supra note 17, at 12.

[53] Id. at 2.

[54] Id. at 18.

[55] Parliament and Council Directive 2006/24/EC, On the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, art. 1, 2006 O.J. (L 105) 54 [hereinafter, Data Retention Directive].

[56] Kirkhope Report, supra note 33, at 24.

[57] Id. at 13.

[58] Id. at 8.

[59] Id. (emphasis added).

[60] Id. at 11.

[61] Id. at 14–15.

[62] Id. at 17 (emphasis in original).

[63] Id. at 25.

[64] Id. at 19 (emphasis removed).

[65] Id.

[66] Id.

[67] Id. at 13–14 (emphasis in original).

[68] Id. at 30.

[69] Id. at 30–31.

[70] Id. at 34.

[71] Id. at 36–37.

[72] E.g., Data Retention Directive, supra note 55, at 55 (implementing measures must ensure retained data is processed “in full respect of the fundamental rights of the persons concerned”); but see id. at 55 (paragraph 19 specifies right of compensation; this is the only specifically enumerated right of a data subject).

[73] Data Retention Directive, supra note 55, at 6 (Article 9).

[74] Kirkhope Report, supra note 33, at 9.

[75] Id. at 27–28.

[76] Id. at 36.