Category: epicenter.works

The EU Passenger Name Record (PNR) Directive obliges airlines to collect personal, and sometimes potentially sensitive, data of travellers and share it with government authorities. The data is mined and processed, including by algorithmic systems, to profile and categorise travellers on the basis of whether they might be involved in a terrorist offence or serious crime. The potential bias and inaccuracy of the data processing means the number of actual criminals caught is disproportionately low compared to the much larger number of innocent people who are wrongly flagged and detained.

GFF and epicenter.works argue that this data collection amounts to mass surveillance and could lead to discrimination and violations of the right to privacy. They seek to have the PNR Directive struck down on this basis.

In the first half of 2020, the German courts agreed with GFF’s request to refer questions to the Court of Justice of the European Union to examine the legality of the directive. If it’s ruled illegal, the practice will have to stop across the EU.

In 2019, epicenter.works made a complaint to the Austrian data protection authority, which was rejected because the authority did not have the power to rule on the directive. epicenter.works have since taken their case to the domestic courts, but it was put on hold while the courts wait to see how the Court of Justice responds to the questions from the German courts.

In December 2022, GFF received a positive decision from an administrative court in Germany related to the directive, with the court declaring mass processing of flight passengers’ data illegal. This followed the June 2022 ruling from the EU’s Court of Justice that found the directive compatible with the European Charter of Human Rights, leaving it up to domestic courts to apply domestic laws. The German government is appealing the administrative court decisions.