The EU Passenger Name Record (PNR) Directive obliges airlines to collect personal, and sometimes potentially sensitive, data of travellers and share it with government authorities. The data is mined and processed, including by algorithmic systems, to profile and categorise travellers on the basis of whether they might be involved in a terrorist offence or serious crime. The potential bias and inaccuracy of the data processing means the number of actual criminals caught is disproportionately low compared to the much larger number of innocent people who are wrongly flagged and detained.
GFF and epicenter.works argue that this data collection amounts to mass surveillance and could lead to discrimination and violations of the right to privacy. They seek to have the PNR Directive struck down on this basis.
In the first half of 2020, the German courts agreed with GFF’s request to refer questions to the Court of Justice of the European Union to examine the legality of the directive. If it’s ruled illegal, the practice will have to stop across the EU.
In 2019, epicenter.works made a complaint to the Austrian data protection authority, which was rejected because the authority did not have the power to rule on the directive. epicenter.works have since taken their case to the domestic courts, but it has been put on hold while the courts wait to see how the Court of Justice responds to the questions from the German courts.