JOINT COMMITTEE ON EUROPEAN SCRUTINY debate -
Tuesday, 1 Jul 2008

I am a principal officer and the head of the Crime 3 division at the Department of Justice, Equality and Law Reform. I am accompanied by Mr. Denis Byrne, who is an assistant principal officer in the international policy division of the Department.

I will begin by outlining some of the background factors that led to the development of the proposals in the draft framework decision on the use of passenger name records, PNRs, for law enforcement purposes. According to the impact assessment carried out by the EU Commission in advance of publishing its proposal for a framework decision, terrorism constitutes one of the greatest threats to security, peace, stability, democracy and fundamental rights and these are precisely the values on which the European Union itself is founded. Added to this is the fact that free movement of people, goods and services brings with it the inevitable exploitation of opportunities by terrorist and criminal groups to carry on their illegal activities.

Against this background, the European Union's commitment to create an area of freedom, security and justice brings with it the responsibility to meet the challenges presented by the threat from terrorism and serious criminality. The question is how this can be achieved. First, it is necessary to recognise that some challenges cannot be overcome by any one member state acting alone. It makes perfect sense, therefore, for the member states to co-operate and act together to find solutions to particular common problems.

Sharing information is a key element in enabling effective action to be taken against terrorist threats or illegality affecting two or more member states. One source of valuable information is the passenger name record which is collected in respect of individuals undertaking international air travel.

The benefit of sharing and processing PNR data for law enforcement purposes is that they can be checked against watch lists and identify individuals who are known terrorists or criminals, and their associates, who are entering the territory of the European Union. In this way the citizens of the European Union and its member states can be better protected from harm by these groups.

I will outline the provisions of the proposed framework decision and rather than go through each article of the framework decision, I propose to deal with it under the following headings: What is the objective of the proposal? What does it involve? How are the rights of individuals protected?

The objective of the proposal is set out clearly in Article 1. It states that the objective is to make available passenger name record data of flights scheduled to enter or leave the territory of at least one member state of the EU for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime. What does this involve? Each member state will have to designate what is called a passenger information unit. Its function will be to collect the PNR from the air carriers, analyse it for the purpose of risk assessment and share it with the competent authorities in other member states as appropriate. This sharing will only be for the purpose of preventing, detecting, investigating or prosecuting terrorist offences and serious crime. The elements of PNR data to be made available by air carriers are set out in the annex to the draft proposal. However, air carriers will not be required to collect additional data to that which they collect at present. Therefore, even where they collect less data to that set out in the annex, this proposal does not impose an obligation to amend their procedures and collect the additional data.

To enable the objective of the framework decision to be achieved, there will be an obligation on carriers to make the PNR available to the passenger information unit of the member state the flight is entering, departing or even transiting. The information is to be made available 24 hours before scheduled departure and immediately after flight closure. In certain cases the passenger information unit may require an air carrier to make the information available prior to the 24 hours stipulated. Such circumstances could arise in response to a specific and actual threat. PNR data and analytical information may be transmitted to third countries in certain limited circumstances for the purpose of preventing, detecting, investigating or prosecuting terrorist offences and serious crime.

Under the framework decision, PNR data provided to a passenger information unit may be retained for a period of five years. Thereafter, the data must be moved to an inactive database, with restricted access, for a further period of eight years. These time periods are the subject of a number of reservations, of which Ireland has one. They will require more consideration. In deciding on the eventual periods for retention it will be necessary to consider the proportionality of the specified time having regard to the aim sought to be achieved.

The third point is the question of how the rights of individuals are to be protected. The framework decision contains stringent data protection provisions and protection for individuals whose data is transmitted or processed under it. The framework decision makes it clear that any data received by the passenger information unit which would reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health or sexual orientation of the person concerned will be deleted immediately upon receipt. No decision which produces an adverse legal effect concerning any person or significantly affecting that person will be taken based solely on the automated processing of the PNR data.

The recitals make it clear that the transfer and processing of PNR data between passenger information units will be subject to the data protection safeguards in the framework decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. The recitals also stipulate that more stringent rules on the possible use of the PNR data are contained in the present instrument.

These rules are set out in Chapter III. It provides that data received by passenger information units can be processed only for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime. It excludes processing based on a person's race or ethnic origin, religious or philosophical belief, political opinion, trade union membership, health or sexual orientation.

There is a requirement for the passenger information unit to log all transmissions of PNR data. These logs are to be made available to member states' data protection supervisory authorities.

Air carriers will have to inform passengers on international flights that PNR data are being provided to passenger information units and the purpose for which this is being done. Individuals whose data is transmitted will receive the following protection: the right to know if data related to them has been transmitted to an authority responsible for the prevention, detection, investigation or prosecution of terrorist offences or serious crime; that all necessary verification has taken place; the right to have incorrect data rectified; the right to have data which was wrongfully received by a passenger information unit deleted; the right to compensation where data is unlawfully processed; and the right to seek judicial remedy for any breach of member states' data protection rules. Member states are also obliged to ensure that their measures implementing the framework decision are subject to monitoring by an independent supervisory authority.

The framework decision requires member states to ensure that the passenger information units adopt the necessary security measures to prevent unauthorised access, reading, copying, inputting or modification of data and that persons with access to the data have access only to the level necessary to carry out their duties. Systems must also be in place to verify which personnel have inputted the data and for proper back-up in the event of faults arising. The provisions in Chapter III, therefore, provide a high level of data protection for individuals and security of the data itself.

The remainder of the framework decision deals with such matters as common protocols and encryption standards for the transmission of data. These protocols and encryption standards will be adopted by the Commission, assisted by a committee of member states' representatives. There are also standard provisions concerning implementation — two years after adoption — and review of its operation after three years.

When this proposal was initially presented by the Commission, the advice of the Attorney General was sought. That advice, based on the first draft of the framework decision, indicated prior approval of the Oireachtas will be required in accordance with Article 29.4.6° of the Constitution before Ireland can agree to adopt the proposal. Several articles will require legislation. The measures in the proposal are proportionate to the aim sought to be achieved. When the final draft of the proposal emerges it will be necessary to consult further with the Attorney General on the full implications for Irish law and what legislative measures will be necessary to implement it.

The proposal aims to ensure a common standard is put in place for the transmission of PNR data to the relevant member states' authorities for the purpose of preventing, detecting, investigating or prosecuting terrorism and serious crime. The objectives of the proposal are based on the premise that terrorism and serious crime constitute serious threats to security, peace, stability, democracy and fundamental rights. Certain challenges are of a scale or type which makes it necessary to adopt an EU-wide approach. The objectives of this framework decision are such that they cannot be effectively achieved by the member states acting alone.

The framework decision represents an important addition to the wider aim among EU member states of maximising the sharing of relevant, available, information to ensure effective law enforcement action against all forms of criminality. It recognises that this involves some interference with individual rights and freedom. However, taking into account the provisions for the protection of the data that are shared under the proposal, it represents a proportionate response to the threats intended to be countered. The incoming French Presidency has indicated that further discussion will take place with the European Parliament. There will also be discussions with the airline industry on the possible implications of the proposal for them. It is likely that there will be consultation with relevant data protection and supervisory authorities. The outcome of this process will probably result in a revised draft being prepared, which will then have to be considered fully in a working group. No time frame has been proposed for this process.

If committee members have any questions on my presentation, I will be happy to try to answer them.

I thank the Chairman for inviting me to give my views on the European Commission's proposal for a Council framework decision on the use of passenger name records for law enforcement purposes. I have provided the committee with a copy of the opinion on the proposal that was adopted in December 2007 by the data protection authorities of all EU member states. I fully endorse this opinion and my presentation will reflect the main points in it.

We all support reasonable and proportionate measures to counter violence perpetrated against innocent people, but such measures should represent a proper balance between the need to combat such illegality and the rights of the innocent majority to go about their daily lives without undue interference by the State. In my opinion, and that of my EU colleagues, the Commission proposal fails this test. The proposal involves an obligation on air carriers to transmit to a state authority, called a "passenger information unit", the PNR information that the passenger has provided to the air carrier in respect of any journey by air into or out of the European Union. The information typically includes contact details, such as address, phone number and e-mail, as well as payment information, such as credit card details. Under the proposal, the information has to be retained by the passenger information unit for a total of 13 years.

Such information is given by a passenger for the purpose of the provision of a service, namely air travel. The Commission proposal is that this information should be transmitted to state authorities for a totally different purpose, the combating of what is described as terrorism and organised crime. It is a basic data protection principle that information collected for one purpose should not be used for another purpose and should be deleted when no longer required for the purpose for which it was collected. The Commission proposal offends against this basic principle. Under the proposal, air carriers will have no choice but to hand over a complete record of an individual's movements in and out of the European Union to a state entity that will retain it for 13 years, and not only a record of travel, but also of contact and payment information.

Many regular travellers would have difficulty recalling where they had travelled to, even in the past year. With this proposal, the state will have a detailed record of all such travel in and out of the European Union, and for a period going back 13 years. Therefore, whether it is a business trip to Singapore, a shopping trip to New York or a holiday in Morocco, the state will have full details. Can this invasion of individual privacy be considered a proportionate response to threats from the small number who may be tempted to engage in terrorism or organised crime?

One must also have concern for the ability of the state to protect the confidentiality of such information. Recent cases investigated by my office have, unfortunately, demonstrated that deliberate or inadvertent leaking or misuse of such information is a significant risk. Experience in other EU countries is no different.

The proposal follows hard on the steps of the 2004 advance passenger information directive, which is already in force in most member states. Under this measure, passport and other details of passengers coming into the European Union must be provided in advance. There are already concerns about the proportionality of this measure. It seems strange that, even before any evidence is available on the usefulness of the API directive, we now have this further measure involving a more serious encroachment on privacy.

There is little hard evidence of the actual usefulness of PNR passenger data in combating terrorism or organised crime. All we are presented with is general comments that such information is useful, with a small number of examples. There is even less evidence of the additional utility of PNR data over the more reliable API data that is already being collected. The result is that a key test under European law — that of proportionality — does not seem to be met. Even if one were to accept the case presented for this proposal — I do not — the protection provided for the innocent majority who have nothing to do with terrorism or organised crime is vague and inadequate. These deficiencies are spelled out in the written opinion my EU colleagues have already delivered and which has been provided to the committee.

If this proposal is implemented, we will have taken a further step to what has been called the surveillance society, where our day-to-day activities are constantly monitored and our private space is more and more restricted. We already have a situation, under data retention law, where the details of who we communicate with electronically is compulsorily stored, in case it would be useful for the investigation of crime. With this proposal, our international travel movements will be monitored by the State for the same reason. Can it only be a matter of time before this is extended to all of our movements? The proposal is also part of a continuum of measures which, in the name of the fight against illegal activity, involve extensive collection of personal information. Such proposals include further collection of information from international travellers and monitoring of their movements, including through the so-called e-borders project.

I understand the airline companies have made written submissions to the committee, as opposed to making a presentation here. I imagine those submissions point out the costs the proposal will impose on such commercial entities, which again is a continuation of a State practice to impose costs on commercial entities in pursuit of a State objective. I hope the committee will consider carefully whether this is a proposal that merits Ireland's support at EU level.

I thank Mr. Hawkes for his comprehensive report. On the question of the submissions of the airline companies, they sent in detailed submissions, but we are disappointed they are not in attendance. Having listened to the submissions of Mr. Power and Mr. Hawkes and their concerns, it is clear this proposal will have a significant impact.

Mr. Hawkes mentioned recording information on passengers moving into and out of Europe. I assumed data was only being recorded on people travelling out of Europe, but it appears to cover all movement.

With regard to the passenger information unit, how does Mr. Power see that operating? Will commercial information from competing airlines be shared among everybody in the trade? Information will be stored for 13 years, including credit card and transaction details. Will the unit recording that information be run separately within the State or is there one database to which the information will go? How will the information be validated? If somebody provides incorrect information, is it possible the unit would then store the incorrect information?

There will be cost implications. I envisage that what will happen in Ireland's case is that the passenger information unit will be established within the Garda Síochána. Its role will be to receive the data, analyse it and carry out risk assessments under the framework decision for the purpose of identifying potential threats from terrorism or serious crime. The retention period is still a matter of discussion. Ireland indicated at EU working group level that the five-year initial term and the eight-year subsequent term in an inactive database are issues about which we have concerns. The matter will, therefore, require further consideration. The French Presidency has indicated that it will carry out some further consultations, including with the data protection supervisors. I expect that is one issue that will be on the agenda. The issue comes down to a question of proportionality, whether it is proportionate to the risk that it seeks to offset.

With regard to——

It seems to at first. The initial five-year period is a primary retention period during which the data will be accessed and used for the purpose of risk assessment, profiling and so on. The second period of eight years is in an inactive database. Access to that database is only on specific grounds, where it is shown that access to the data is necessary in relation to a specific threat.

It is a matter for others to decide eventually whether it is proportionate. It is a matter for further discussion. Ireland is not necessarily happy with a five-year and an eight-year period.

I have one final question before I call on Deputy Costello. In regard to the appendices at the back where there are a number of different categories Mr. Power said it would not be mandatory to qualify on those to process the different subsections, that it would be based only on the information currently being recorded. Is that not a contradiction?

The information set out in the annexe is what is described as basic information that most airlines probably collect anyway. Where it is not mandatory to fill in a field on a reservation form, one is entitled to leave it blank. For the sake of argument, if the booking form requires one to set out, say, a seat preference, one does not have to provide that information so it is not, therefore, transmitted. If an airline does not collect certain of the data set out in that form, the airline is not obliged to change its procedures to collect it to conform with the framework decision. In so far as that data is collected by an airline at the moment, it will transmit the information to the passenger information unit. If it does not currently collect that data, it does not have to change its procedures to do so.

On a point of record, when one goes through the data for all passengers one has up to 25 different categories. There is the PNR record, date of reservation, date of intended travel, name address and contact information, all forms of payment information, all travel itineraries, frequent flyer information, travel agent, travel status of passengers, general remarks, ticketing, seat number, coach hire information, all baggage information, number and other names of travellers, all collected advanced passenger information, all historical changes to the PNR and so on. There is additional information in regard to unaccompanied minors, the name and gender of the child, age, language, contact details. There is an enormous amount of information involved.

API data gives basic biographical information. That API data is only collected at the point of checking in for one's flight, and it is the data that is collected from machine readable passports. It is only provided at the point at which one boards the aircraft. PNR data under this framework is required to be provided up to 24 hours before departure time and that allows more time for profiling. Taken together with API data, it can help to identify patterns, risks and so on.

That is the PNR data provided up to 24 hours beforehand. The API data is collected only when passengers are boarding the aircraft or when they check in at the airport. API data is essentially used as a border control and immigration mechanism. The PNR data is intended to be used for the purpose of terrorist profiling and serious crime.

The reference to organised crime was thought not to be specific enough. Organised crime can be any one of a number of things. It can be just two people conspiring to rob a shop. Serious crime is now defined by reference to the Europol directive and the European Arrest Warrant Framework Decision which sets our a list of offences — I understand there are 30 such offences — categorised as serious crime. They are specified now under this revised draft of the framework decision by reference to the two earlier decisions. It is now a fixed list of what serious crime constitutes.

No. It is referenced back to the Europol convention and the European Arrest Warrant Framework Decision. In article 2 of the European Arrest Warrant Framework Decision there is a list of offences described as serious offences. Those are the same offences that apply here. The include participation in a criminal organisation, terrorism, trafficking in human beings, sexual exploitation of children and child pornography, illicit trafficking in narcotic drugs. There is a list of approximately 30 offences. Those are now serious offences for the purpose of this PNR decision.

I welcome officials from the Department of Justice, Equality and Law Reform and the Data Protection Commissioner and I thank them for their presentations. We are all concerned about serious crime and terrorism and part and parcel of our role as legislators is to ensure adequate legislation is in place to protect our citizens against them.

We are discussing certain measures that are justified in the context of the need for protection against terrorism and serious crime. However, the first question that comes to mind is whether these measures are likely to be effective. It seems strange that the measures are only proposed for one mechanism of transport, namely air carrier transport. The vast bulk of transport between countries is not by air but by land, sea, train, road and bus, both inside and outside the European Union. If this is to be an effective mechanism in combating terrorism and serious crime why is it not applied to the whole range of transport modes, by which vastly greater quantities of people commute? If a mechanism of this nature was put in place anybody who was involved in terrorism and had a little bit of common sense would quickly shift to another mode of transport to avoid aviation, were it to be effective. Can the delegates justify the measure in that context? On the other side of the coin there are questions about proportionality and interference with privacy and the rights of citizens of various countries.

Is the measure feasible in operational terms or is it likely to be too unwieldy? There are 27 different states with 27 different systems and 27 different sets of security measures and related services. I do not trust some of the new accession countries with large quantities of personalised and commercial data.

Among the major requirements imposed on the new accession countries were greater justice provisions and anti-corruption mechanisms and there were delays in Bulgaria and Romania because their measures were inadequate. Do we have a proper assessment of these issues or a model that would be secure in that context? As the Data Protection Commissioner said:

Recent cases which have been investigated by my office have, unfortunately, demonstrated that deliberate or inadvertent leaking or misuse of such information is a significant risk. Experience in other EU countries is no different.

In such circumstances, why is there not a centralised mechanism, rather than discrete mechanisms? Could quality control be better with a centralised mechanism? Is there any quality control in regard to individual member states? There is an assertion that there will be an independent monitoring operation but are the existing security mechanisms sufficient? What is an independent monitoring operation?

The representative of the Department of Justice, Equality and Law Reform stated that legislation would be required. Does that mean primary legislation, requiring a transposition of the framework document, or simply approval by the Houses of the Oireachtas, with certain articles requiring legislation? Will the entire framework be transposed into Irish legislation and the Bill come before the Dáil for all its provisions to be debated? I ask Mr. Power to clarify this point.

The committee received submissions from Aer Lingus and from Ryanair. Aer Lingus was particularly concerned about the requirement that not only had it to produce the information but it had to verify and validate this information. This seems nonsensical for an air carrier. I do not understand how any commercial business would be able to collect information on the literally millions of people who travel every year and verify that the information supplied was correct. This concern on the part of Aer Lingus seems to be reasonable as is its concern about the lack of a centralised retention base for this data. Ryanair's consideration seems to me to be absolutely valid, that the low cost carriers were not consulted and that approximately 50% of the people who would be affected in that respect were not regarded as relevant stakeholders. Is there any reason a huge operation such as Ryanair should not be fully consulted on a framework document of this nature?

The advance passenger directive may not be as streamlined as the PNR but there is a significant flaw in its presentation in that there has been no state by state assessment of the value of that measure in fighting crime and terrorism before the further step is taken up the ladder towards a further reduction in individual privacy and a further encroachment on the civil liberties of member states and in implementing the new mechanism. I would have expected some concrete evidence to have been presented to us as legislators regarding a measure as substantial as this, with all its ramifications and implications.

If I understood it correctly, the first question was why this measure only applies to airlines and not to other forms of transport, such as rail, road and so on. The primary reason is that airlines have a structured system for collecting the kind of data, passenger information record, which rail and certainly road would not gather. There is some gathering of PNR data by sea carriers, I understand. For example, the United Kingdom looked to have it extended beyond airline information to information collected by rail operators and sea carriers. However, the main reason is that the airlines have a system in place for collecting this data in a systematic way and it is available through the PNR system. Not all rail carriers would adopt such a system——

Surely the response to that is if there is no system in place, then one should be put in place? The system is only in place for air transport because there is an existing mechanism in place which permits it but this does not answer the question about the effectiveness of the system, if the majority of commuters do not travel by air between countries but by a variety of other transports. It is full of loopholes.

Part of the answer is that road, rail and sea traffic is monitored in other ways. The use of PNR data in this context is new but it is not as though the relevant authorities who have responsibility for combating terrorism and serious crime are not already making efforts to prevent people using air traffic or air transport to move between countries and to bring equipment and other people into countries, in the same way as they might do by road or rail. These transport areas are being monitored, as far as I am aware; I am sure they are being monitored by authorities responsible for combating these forms of criminality.

The difference here is that data is available which is admittedly collected in a commercial environment. They can be used by the authorities concerned to carry out better profiling and risk assessment. If data are available for one form of transport but not for another, it is better to use them for that form. If data come on stream for other forms of transport, they can be examined in the same context.

One aspect about this framework decision is that it is not imposing an obligation, in this case on airlines, to collect data which they are not currently collecting. If an airline is operating a system under which it is collecting only two or three pieces of information, the framework decision does not require them to collect all 19 pieces set out in it. If they do collect all 19 pieces, they will be required to transmit them. It seems a little odd to inform rail and sea carriers to collect this data if they do not currently collect it. That is the reason the framework decision is concentrating on air transport. For example, the United Kingdom wanted to have it extended to cover sea and rail travel, in so far as such carriers do collect data similar to PNR data. It is not necessarily excluded; it is just not mentioned in the framework decision.

As to whether there will be 27 different systems for transmitting and processing data, part of the purpose of the framework decision is to ensure harmonisation in this regard. Chapter IV on comitology states there will be common protocols and encryption systems. The reason for this is to get over the issue identified by Deputy Costello of member states and airlines using different systems. The framework decision attempts to secure a common agreement across all 27 member states that data will be collected in a certain way and transmitted to the passenger information units under particular protocols and encryption systems. It means a common system instead of 27 different ones.

The framework decision will require primary legislation from the Oireachtas. Article 5 imposes an obligation on the carriers to provide data. If this is to be implemented correctly, it will require primary legislation. The final form of the framework decision, when it emerges following further discussions, will determine the extent of that legislation. I do not know what this will entail but it will require further consideration by the Attorney General.

I do not know, for example, why small airlines may not have been consulted directly.

Ryanair is a stakeholder in this process. My understanding from the impact assessment and prior documentation is that the Commission consulted the umbrella organisations for airlines, including the International Civil Aviation Organisation. I presume it would be normal for it to consult some specific airlines which are larger operators.

Deputy Costello's point is correct. The questionnaire was sent to the data protection authorities of all member states, the European Data Protection Supervisor, the Association of European Airlines, the Air Transport Association of America, the International Air Carriers Association, the European Regional Airlines Association and the International Air Transport Association. The association of low fares airlines, ELFAA, is not listed on this circular and this is extraordinary.

My last question was about the issue of the advance passenger directive which has not been assessed to show whether it has been effective in the fight against terrorism and serious crime. What prior assessment has been done to justify the effectiveness of this particular measure? Are there similar measures already in place and have they been assessed?

The advance passenger initiative, API, is essentially data related to an individual and is supplied prior to that person's arrival at the border of the other member state. It is collected only when the passenger is embarking the flight. This data is taken from the passenger's machine-readable passport and includes name, date of birth, the passport issuing authority and the port of embarkation and disembarkation. The primary purpose of API is to combat illegal immigration and to improve border control. The PNR data is collected from a different source and its primary purpose is not necessarily border control or immigration but rather to combat terrorism and serious crime. Furthermore, it is available up to 24 hours before departure, the purpose of which is to allow for some risk assessment to take place.

Taken together with API, ultimately the two sources of data can be checked against each other to see whether there are risks posed by particular passengers or individuals travelling with passengers. The two work in tandem in that way. PNR would give a wider basis for risk assessment. In the case of API, one is dealing with an identified individual and one knows the person either is or is not a terrorist threat and this is also the case regarding serious crime involvement. By using API, one is trying to discern patterns in travel, patterns in booking methods, which might reveal potential risks posed by individuals who are either operating in serious crime or terrorism.

We are only now implementing PNR as a method of detecting terrorism and serious crime. It is not currently done and this framework decision will be an attempt to do that. A review mechanism is included which allows for a post-implementation review of how it might operate in that regard. The review mechanism is intended to indicate how effective or otherwise the risk assessment has been.

My question follows on from Deputy Costello's questions. It seems that Ryanair is left out of the negotiations. This company and low-cost airlines have done more for European integration than anybody else and it really is time they were engaged with properly on new legislation and new directives. This issue is regularly before this committee and it is regrettable. It happens in Ireland as well.

Maybe so, but there is a common theme emerging that is never denied by those introducing the laws. The committee needs to comment on this because it is ridiculous that this will keep happening.

It is proposed that airlines will have to transmit this information only if they are collecting it already. If the proposal is so good, would it not make sense that they do it regardless? If I were an airline executive, to save hassle I would decide to stop collecting the specific data before the proposal is implemented. I am not convinced about the merits of this proposal. I accept criminology techniques for profiling are advanced but it is not convincing if the proposal is not enforced for every airline. Can an airline currently collecting all the data opt out at a later stage or will it be locked into the directive? Is there any cost assessment for airlines or the passenger information units? Any costs will have an impact on customers. Air travel costs are already going up for other reasons. Europe must stop adding more costs.

Deputy Costello argued for one centralised passenger information unit. There are two benefits to this. Ireland is small country and people are upset that their privacy is regularly encroached upon. There is a fear that personal information can be passed around. Confidentiality is an issue in a small country and it might be better to have a centralised unit to protect it. It also seems to be an unnecessary cost to have a passenger information unit in every country. Out of 27 member states, I cannot understand why there cannot be just the one unit. It is like having a purchasing department in every section of the health service. With modern technology it must be easier to centralise services.

Mr. Billy Hawkes said some countries are getting it right with secure information storage but there are question marks over others. The experience in other EU member states is similar to that in Ireland. Are there any countries getting it right from which Ireland can learn?

Passenger information must be given in advance as laid down in the API directive. Can the laws be changed so the information is given at an earlier date? I do not understand why it is not changed before the directive's review. Is it expected that the review will not agree with this framework decision?

It was stated the data can be used to identify known terrorists and criminals. Is that not done with existing data from passenger information?

We were asked why we should not impose the obligation to collect the data on airlines, whether airlines might stop collecting it to avoid having to implement the directive and whether airlines could opt out subsequently. My understanding is that the collection of data is for a commercial purpose. Aer Lingus collects it for a commercial purpose, part of which is to know who will fly. Some of the information is collected as part of a marketing process so that the airline can then target the customer and offer frequent flyers special deals and so on. To the extent the airline collects the information, it shares it under this framework decision. My understanding — this is not a legal interpretation — is that if the airline does not collect the data, it has no obligation to transmit what it does not have. Therefore, it could opt out in theory. The question is whether it is feasible to do so, but that is a commercial decision for the airline to make.

On whether it will cost airlines money, it will. This is one of the primary reasons the incoming Presidency has decided it will consult further on the directive. The question of costs arose. It will clearly be an extra cost for airlines to have to set up systems and agree protocols and encryption systems to transmit the data. This is one of the reasons for further consultation.

The question of a centralised unit arose and some member states are in favour of it. One of the arguments in favour of the current system of a decentralised unit where national units carry out their own analysis is that countries only analyse data transmitted to them on people arriving in their country. In that case we would not have a unit carrying out an analysis of every passenger entering the European Union centrally and then filtering out who needed to see or get the information. We would deal with it on a national basis so that, for example, Ireland would be aware of who entered Ireland and could process the data for its own security purposes. If it seemed there was a link with other countries, it could share the information, but the primary analysis would be, as it were, for the purpose of protecting Ireland.

This would involve a cost because every member state must set up a unit to collect the data. In most countries there is probably a unit already in existence working on risk assessment and analysis. It would be opportune to link into those units rather than establish brand new ones. The framework decision states that countries will designate a unit and then call it a passenger information unit, but that does not mean it must be a new unit.

On the question of whether API can be transmitted earlier, perhaps it could. The problem I perceive in that regard is that API information is taken from a passport. I am not sure at what stage in the process of booking a flight that information is collected. For example, if a person books a flight in January for a holiday in August, is it appropriate then to present one's passport for the purpose of having the API data extracted? Currently, this is done at check-in, because that is the point at which the passenger presents himself or herself to the airline authority and declares he or she will board the flight. That is the point at which it is appropriate for the airline to send the information, because it now has a passenger who will travel on the flight. That is the reason API is transmitted at that time.

Watch lists are available on known individuals and API data would pick up on those. However, with regard to unknown individuals or procedures that might be adopted for people to commit serious crimes or terrorism, such as trafficking and so on, certain patterns can be discerned from PNR data or reservations systems that may lead to identifying risk or identifying people at risk of being involved in serious crime or terrorism. That is the basis on which PNR would be analysed, for the purpose of checking against watch lists.

Mr. Power mentioned there would be additional costs and implications for passengers, which is quite obvious. One of the additional implications for passengers is that if the data must be provided 24 hours in advance, it will rule out stand-by flights and what are called domestic flights in Nordic countries, namely, flights between Norway and Sweden and Norway and Denmark. In those countries it is usual for people to go to the airport and get on a plane to Denmark, Oslo or wherever. The case would be similar with regard to flights from Austria or elsewhere to Switzerland, which is outside the European Union. This has significant implications for air travel within the broader Europe, so to speak, because according to this measure, everybody would be required to book flights 24 hours in advance. I do not have great sympathy for Ryanair which has thrived on offering cheap flights and EasyJet offer stand-by flights. This measure will have implications for such carriers.

With regard to the data retention period, the timeframe suggested is five years plus another eight years on stand-by and I have not noted this time frame being used before. This would make a total of 13 years rather than five years. In this computerised age one need only press a button and the information becomes active again. I have major concerns about this and the fact that one of the articles allows for this data to be shared with a third country. It is up to the passenger information unit to ensure the third country has the proper protocols and data protection measures but we have seen in the past year that even with data protection, data is misused or lost or found on tube trains. These are my concerns in this regard.

Article 3(2) states that the passenger information unit must immediately delete information that would reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sexual orientation. This is to be welcomed. I do not see why they would need to send such information in any case and it is bizarre that airlines are gathering such information. In contrast, Article 11(a) lists the criteria for processing by the passenger information units of PNR data. This is a slight contradiction because the information is supposed to be deleted once it is received. One cannot have it both ways. Who will ensure that this information is deleted upon receipt? Why not delete it before it is sent? The burden of cost is already being put on the airlines as already they must do some processing prior to sending this material.

The other aspect that should be borne in mind is the storage of a huge amount of data over a period of 13 years. Those whose data is being stored have rights and some of these are covered in Article 11, sections (c) to (g). Article 11(c) suggests that data subjects have access to some way of ensuring that the data is accurate. This article should be amended to ensure that data subjects are informed if their data is forwarded. It could be the case that everyone knows that in the future all data will be forwarded.

I recommend the deletion of a line in Article 11(d), paragraph 3. It states that this communication may be waived where a reason pursuant to paragraphs 2(a) to (e) exists. Those subsections are quite broad. It would allow for somebody who has the data to transmit it. The excuse would be national security and I can see that sentence being used in the face of every request for information.

Article 11(d) on the right to access, stipulates that member states may adopt legislative measures restricting access to information for the following reasons: to avoid obstructing official or legal inquiries, investigations or procedures; to avoid prejudicing the prevention, detection, investigation and prosecution of criminal offences or for the execution of criminal penalties; for protecting public security; for protecting national security; and for protection of the data subject or of the rights and freedoms of others. That makes it more difficult for an individual to get any information held on him or her.

Article 11(e) deals with the right to rectification. I have often raised the case of wrong data. How does the individual ensure his or her data is correct not only in the holding country but in the other member states' passenger information units and other third parties? Members may remember one of the McBrearty family was prevented from travelling to the US because the data on him held by the US authorities was not corrected. Recently, an elderly British national was detained in an African state because the American authorities had confused him with someone else and supplied wrong information to that state.

No proper analysis has been done on existing PNR regimes. In 2006 when dealing with PNR legislation, I recall it was revealed that ten flights that were diverted because of PNR data were actually false alarms because of inaccurate data. The existing API directive should be reviewed so it can be determined if the aims of the framework decision are proportional. Is there another mechanism that can be used to gain the same data and give the same level of security which is what is behind this?

Deputy Ó Snodaigh may be right that there may be a cost for the traveller. I do not know if that is the case and I did not say it is. I suspect there will be a cost element for the carrier. Whether this is passed on to the traveller is another matter.

I do not believe the measure prevents stand-by passenger systems from operating. The data will be transferred 24 hours beforehand, in so far as it is available. However, the provision states the data will also be transferred immediately after flight closure. That allows for passengers on stand-by to take a flight.

That may be a drafting issue. During the discussions on the decision, it was clear that it did not preclude passengers on stand-by. PNR data will be transmitted twice in respect of passengers for whom the data is available 24 hours beforehand. In respect of some passengers who catch late flights, they are transmitted at the time of flight closure. They are transmitted only once for those passengers, at the last minute. Therefore, stand-by passengers are not precluded from taking flights.

In so far as passengers have booked and their data were provided up to 24 hours before the flight — that data will have been analysed and, presumably, not have changed in the last 24 hours. However, for passengers who might not have booked and whose data were not available 24 hours in advance, the data can be processed after flight closure because——

Yes. The data would not be transferred a second time in those circumstances. Therefore, the people concerned would be excluded. I hope this clarifies the issue, to some extent, with regard to travel between Switzerland and Norway and EU countries. Norway, Switzerland and Iceland normally opt in to these kinds of EU provisions and it is possible they will do so again. It is possible the European Economic Area will cover these proposals.

As I said, from the discussions with the working group, it appears those on stand-by are not precluded. The Deputy may well be correct that this should be reflected by the use of the word "or" instead of "and". We are also concerned about the retention period of up to 13 years mentioned by the Deputy. This is an issue that must be considered further. In the end, the proportionality aspect will decide what is the correct period.

On data protection and sharing information with third countries, the data protection standards provided for in the framework decision will apply for those persons whose data are shared with third countries which will be required to have in place systems and procedures with at least the minimum level of data protection required under EU legislation. Therefore, one should have a right to have data corrected or deleted and have access to them for their one's own purpose and some form of redress in the event of a wrong. These standards will apply to third countries to which it is proposed PNR data may be transferred.

It is intended that any sensitive data which could identify an individual from a certain perspective will be deleted and not used for processing for the purpose of arriving at an assessment of the individual concerned. Perhaps Article 11a could be clarified further. It is an issue we may have to look at to ensure the purpose for which Article 11a is included does not mean this sensitive information can be processed in some circumstances.

I shall be brief because many of my questions have been answered. I am primarily concerned about whether the proposal is a proportionate response. Mr. Power has addressed this concern to some extent. I am concerned about how the information will be used. Is it possible that insurance companies could get hold of it when assessing the level of risk when an individual seeks insurance? I am sure at this stage the answer is no, but we have seen circumstances where data have been lost or transported and misused in that way in other countries.

If it is Mr. Power's view that the proposal is a proportionate response that will lead to a safer environment, why has he not considered transferring data in respect of travel within Europe, particularly if it is believed the sending of PNR data will have a greater impact than what has been achieved through API? We seem to be slipping down a steep slope in the shadow of the events of 11 September 2001, following which API emerged as a method of preventing the use of aeroplanes as weapons of destruction and murder. We have now moved considerably further and are considering profiling. If we take this to its ultimate conclusion, will we end up capturing data from a roadside intercept by members of the police force at routine checkpoints? If one believes the capacity of one's back-end intelligence systems is good enough to prevent crime or terrorist attacks, and believes the way to resolve such criminal intentions is through profiling, why not take the ultimate step and stop everybody in the street and collect their personal data? Mr. Power has suggested this is being applied in the case of air travel because the data already exists. The data exists for the Eazy Pass tag people have on their cars and for the telephone calls they make on their cell phones. Is this the beginning of a slippery slope into a nanny-state Europe?

As the Deputy said, there is data from all sorts of sources that may be used eventually for all kinds of purposes. In this context, we are dealing only with airline reservation information that will be collected and shared for the purpose mentioned. I do not know anything about using information from people's mobile phones or Eazy Pass tags. The proposal we are discussing has to do with international travel, where there may be a danger of people crossing the borders of the European Union in furtherance of some terrorist or serious criminal enterprise. That is what the provision is intended to counter. It is limited to an extent because it relies on PNR data. At present, the proposal does not intend to seek data on all types of international transport. I do not know whether other data will be used eventually, but under this proposal we are only talking about the use of PNR data for two specific purposes, namely, counter terrorism and preventing serious crime.

The Deputy asked why it is not being applied to travel within the European Union. The decision was made in respect of where the bigger threat lay. There are co-operation measures within the European Union between various police forces and other authorities that are intended to counter all types of criminal activity. The view is that when people are travelling within the European Union, it makes little difference whether they travel by road, rail, sea or aircraft. They are free to travel among the EU member states. Whatever methods exist currently for checking on those who might be engaged in terrorist or serious criminal enterprise stand. This proposal is aimed at catching people travelling to or from the European Union, an area that seems to pose a particular danger.

I know that and would like to take up that point. The notion of getting the data in advance suggests there is an immediate threat. That is why API was introduced. Was there somebody on board a flight who had the capacity to take over the flight and repeat what happened on 11 September 2001? The directive seems to suggest that by having the data in advance, there is a better chance of ensuring there is no hijacker on board. However, there is no need for all the PNR information and it is certainly unnecessary to retain it for 13 years. Whatever chance one has of identifying a perpetrator a week in advance, which would be welcome, it is unnecessary to retain the data afterwards.

The retention of the data leads me to be suspicious of the proposal. The directive is masked under the 11 September 2001 situation, in the guise that it is necessary to identify a potential hijacker in advance in order to prevent him or her from getting on board or prevent the aircraft getting to its destination. However, when we consider the length of time for which data will be retained, it is clear they are being collected for a reason other than preventing an immediate threat. We must, therefore, consider whether the proposal is a proportionate response. I believe the reason it is not being applied to other modes of transport is that there would be a greater outcry if it was suggested they should be used as a means of profiling criminal activity. In such a situation information would be gathered using various mechanisms such as tolls to record people's movements. I am concerned about the directive because it is being introduced under the guise of a response to the events of 11 September 2001 and that it is only the beginning of a procedure, through the use of which, ultimately, significantly more data will be captured. That in my mind will mean we will have a nanny state.

I would like to clarify a point about API. It is not used for the purpose of countering terrorism or serious crime, but as a border control mechanism only. That is the reason it is only necessary to transmit information at the point of embarkation. The provision of PNR data has the other objective.

On why information is retained for five years, if we are to produce risk assessments and analyses, we must have data available that will allow us to identify certain risk parameters. I am not a policeman, but let us take as an example the provision included in the annex, item No. 9, which deals with a travel agency or travel agent. It is possible an agency could come under suspicion because a number of people who have booked flights through it have been arrested or found to be involved in illegal or criminal activity or terrorism. In such a situation PNR data would highlight the fact that a number of other passengers have used the agency and are travelling on a particular flight. Taken together with other PNR data, this information might allow the relevant authorities to carry out an assessment and say whether a higher risk attaches to that situation. That is the basis on which PNR data will be of benefit, by enabling a reasonable risk assessment to take place. As I mentioned, API is a border control mechanism only and required at the last minute for that purpose. PNR data are required at an earlier stage because a risk analysis has to be carried out prior to a flight's departure.

My concern is that the provision emerges from the events of 11 September 2001 when the threat was identified at the point of entry into a particular country. On the storage of information for a longer period, I accept the necessity to generate a risk pattern. However, the downside far outweighs the potential upside, particularly when one considers the inability of member states to protect data or how they might be used against citizens later, particularly with reference to the impact on life assurance or other insurance products.

As I said in my initial statement, I have concerns about the capacity of State agencies to protect the data they hold. My office has carried out investigations which have revealed, unfortunately, that there have been leaks in the recent past from within the State system. I think it was Deputy Ó Snodaigh who stated that as we are a small country, the chances are that people know one another and inferences can be drawn from a pattern of travel that could be quite wrong, including inferences not necessarily relating to criminality but to other matters.

Let me give an example that will lighten things a bit. Earlier this week I was travelling with a female colleague to a conference — obviously in the future if it is outside the EU this will be recorded as travel I undertook — and we stayed in the same hotel. I am just wondering if my neighbour was in the passenger information unit what interesting inferences could be drawn from that — quite inaccurate ones I might say. More seriously I think the concern is, and I think this has been emphasised by Deputy Dooley, that the inferences drawn can be wrong.

We have been talking about profiling without thinking about what it means. It is in fact attempting to draw inferences from very vague clues. There is a very high possibility that the inferences will be entirely wrong. Deputy Ó Snodaigh referred to cases where aircraft have been recalled because of concerns about passengers on board and where it had turned out that the information was wrong. Unfortunately we have evidence from the United States which is using PNR of many people having been wrongly accused and picked up because of incorrect inferences being drawn from this collection of data. I have had the experience, perhaps others have too, in the States of being pulled aside for special screening and wondering on what basis have I been picked out for it. Again, one will not know. The chances of getting things wrong are quite high. People from this country will recall up to ten years ago what profiling could mean in terms of how you might be treated. I think we should be very careful about accepting profiling.

What profiling means, and I think Mr. Power has been quite clear about it, is attempting to draw inferences from very vague information with a high possibility that those inferences will be wrong and innocent people will suffer. It comes down to an issue of proportionality. As Deputy Dooley has made clear, I think this measure is not essentially about the safety of air travel because that has been taken care of by the physical screening that is in place. It is about allowing police forces to analyse people's travel with a view to figuring out if a person is a possible terrorist suspect or a serious crime suspect because he or she has travelled from a particular place or he or she is using a particular travel agency. That is why the data is being collected for such a long period, as it allows analysis over a long time. Members are correct to raise the issue of the proportionality of this measure. Again, as I said in my opening statement, we have very little evidence of the effectiveness of such profiling methods. The evidence from the US is not encouraging in terms of how easy it is to get it wrong.

It is right to question the proportionality of this measure. I was surprised when Mr. Power said that our passenger information unit will be the Garda Síochána. The force will get all the information, including the sensitive information, so it reinforces a point made by my European colleagues, because in their opinion the filtering out of the sensitive data should be done by the air carriers, not by a central unit. That is particularly important if our central unit is the Garda Síochána.

I have been very encouraged by the questions that have been raised by members. It is correct that the proportionality of this measure should be probed and if it is to go through it should be accompanied by far more safeguards than are in place at present. I am afraid that I do not share Mr. Power's view that the data protection safeguards in this are significant. They are very weak in fact. The data protection framework decision, which is not yet in effect, has been considerably watered down and only applies to date to transfers between countries. Furthermore, our experience with the US shows that it is extremely difficult to get a big country such as the United States to accept European data protection standards. I would have serious concerns, as do my colleagues, about the protections afforded to the data that is already transferred to the US.

I thank the members of the joint committee for their attention to this subject. They have raised the key questions in terms of the proportionality of this measure.

No. We are fortunate in Europe to have a good, strong data protection regime right across the board. Most other countries do not have the benefit of a good data protection regime. If this measure goes forward — and I sincerely hope it does not — we will inevitably face pressure on a reciprocity basis to give other states the same access. Those countries will not have the same quality of data protection as we have in Europe and it will be extremely difficult, if not impossible, to insist they adopt similar measures, the US being an example of that.

The dangers are quite significant. Once the data are collected it is clear they can be provided to third countries and those countries will apply pressure on us to provide the data to them, leading to all the dangers we have seen in the US in terms of misprofiling and getting things wrong. These are serious dangers that are not sufficiently addressed in this measure.

I thank Mr. Hawkes for his clarity on this very important issue. I have two final questions for Mr. Power. The Schengen information system has been assessed with regard to effectiveness in responding to crime. How effective has the Schengen information system been? Will people have the right to apply for a list of the data held on them?

Deputy Dooley made the point that we are not reinventing the wheel in this matter. Could we not expand the existing systems, such as the Schengen Agreement and others, instead of coming up with a new system? There seems to be duplication and, although Ireland is not part of the Schengen information system, there also seems to be an overlap.

There may be some overlap but if this was a matter for members of the Schengen Agreement alone, the fact that Ireland is not a member of the Schengen Agreement would mean we would not be participating in it. The intention is to get all 27 member states to participate in this framework decision so as to harmonise its systems. The Schengen Agreement may well deal with some aspects of this measure but, because Ireland does not participate in that agreement at the moment, we would be excluded.

That may well be an issue that has to be looked at. Only if sensitive information is received by the passenger information unit must it be deleted. Because of the way the information is to be transmitted, it may well be that additional costs will be incurred by an airline in filtering out sensitive information before transmission. If it turns out to be a major concern, the airlines may be expected to filter out the information before transmitting it but I suspect that will increase the costs to the airline.

As the questions today show, this issue is of concern to this committee. We will certainly incorporate the statement from air carriers and other submissions into our final report. I thank Mr. Power, Mr. Byrne and Mr. Hawkes for their presentations and for answering our questions, which have enabled us to carry out an in-depth analysis. Briefings we have taken in the past few days, however, have shown there is a significant level of concern over the issue. The discussion has been very informative and will help the committee in finalising its scrutiny report on the proposal. Holding this meeting at such an early stage will address any democratic deficit arising. We will have a very detailed report on this. Any observations would be welcome before the report is finalised in the next number of weeks. We will also contact the airlines. We will forward your submission, Mr. Power, and that of Mr. Hawkes to the airlines concerned before the committee makes its final submission. We will then ask the airlines for further evaluation. The report will then be very inclusive.

I thank Mr. Power, Mr. Byrne and Mr. Hawkes for their impressive submissions to the joint committee.