On the website of the Federal Criminal Police Office there is an information video about the practice of passenger data storage at a central office in the Federal Criminal Police Office (BKA) since 2018. It is explained how helpful the collection facility introduced on the basis of an EU directive is in combating organized crime and terrorism. Every year, 200 million people fly to and from Germany – travel that would also offer heavenly prospects for criminals. Shortly before the end, one more important question: “Why does the passenger data of all travelers have to be recorded and processed?”
The answer in the pictogram film is short. It is said that this is the only way to guarantee a “non-discriminatory approach”. A logic that is difficult to understand. That’s probably why it’s not explained any further. But some things need to be explained now: Last week, the European Court of Justice (ECJ) shaved off the so-called PNR directive of the EU (“Passenger Name Record”) in such a way that one wonders how it can actually continue to apply. Accordingly, passenger data may only be collected and stored on EU flights if there is a real and current or foreseeable terrorist threat to a member state (Case C-817/19).
The PNR directive stipulates that passenger data must be systematically stored when crossing an external EU border and evaluated by comparison with international search databases. In Germany, their implementation has also been extended to intra-European flights. The data includes address, luggage details, telephone number, names of fellow passengers, frequent flyer entries, payment information, travel history. A Belgian human rights organization had complained to the Luxembourg ECJ because the rules violated respect for private life and the protection of personal data.
The ECJ is now calling for data collection to be limited to what is “absolutely necessary”. The state using them must face a real and current or foreseeable terrorist threat. If this is not the case, only data that relates to certain travel patterns, connections or airports that can typically be attributed to criminal infrastructures may be stored. An example would be drug trafficking routes.
The judgment only applies directly to the case from Belgium, which must now be heard again in Belgian courts. However, the restrictions are also new for the Federal Criminal Police Office. In addition, the underlying German law will probably have to be amended. According to the judgment, the storage period of five years alone is clearly too long.
With its decision on passenger data, the ECJ is taking the same path that it has already taken with the collection of telecommunications connection data (“data retention”). It may not be stored without reason, but in manageable areas in the event of – possibly also ongoing – threat situations or certain crime-specific contexts.
So it looks like a compromise between those positions that ritually warn of surveillance scenarios and the needs of the security authorities, who hope for unlimited search success with unlimited data access. State action must be proportionate. This is not the case if the data of all passengers to all destinations is collected in a “non-discriminatory” manner. Non-suspects have a right to be treated as non-suspects.
