Lithuania Wants to Collect Air Passengers' Data Before EU Decision

The government's desire to collect air passengers' data ahead of an EU ruling on the matter has invited strong criticism and warnings that such a move could violate national and European law.
The Lithuanian government is considering "unilaterally" enacting the law allowing PNR (passenger name record) data collection and retention from the beginning of 2016.

Prime Minister Algirdas Butkevičius announced that national legislation is underway to enforce PNR procedures in Lithuania without waiting for the final EU say on the matter. The announcement came after the government’s meeting in response to increased security threats.

Tickets, please

The law would allow collecting and retaining air passengers’ personal data for the purposes of prevention, investigation and prosecution of terrorism offenses and other serious crimes. This would include personal and contact information, travel, flight, ticket and luggage information, as well as credit card and card holders’ data.

All air carriers would be obliged to transfer this information to police authorities no later than 48 hours before each flight. The police would be allowed to retain it for up to five years, but the draft law is silent on how the retained data will be protected – it merely states that the data "shall not be public."

'Hopelessly stuck'

"We speak of advance registration of persons who purchase tickets to enter the European Union’s airspace, and provision of this information to special services. Furthermore, we believe the same mechanism should apply to internal flights too," said Minister of the Interior Saulius Skvernelis, adding that the PNR question is "hopelessly stuck" in the European Parliament. "We believe such a law would not contradict anything, because those directives are not even adopted yet."

According to the minister, Lithuania already has necessary technical equipment to create the PNR system for internal EU flights, and could start enforcing PNR procedures from the beginning of 2016.

Lithuania was among 14 EU member states that in 2012 received EU funding to set up the PNR system. In 2013, however, the draft EU PNR directive was rejected by the LIBE Committee of the European Parliament. In 2015, after "numerous calls from EU member states," the Parliament committed to finalizing the directive by the end of the year.

'We shouldn’t hurry'

The head of the Lithuanian data protection office, Algirdas Kunčinas, urges the government to wait for the outcome of EU trialogues to make sure the national legislation is in line with the upcoming EU regulation.

According to him, the directive should set out clear responsibilities for the protection of retained data, which the proposed draft law fails to do. "In this situation, apparently, it would be most reasonable to reconsider," said Kunčinas.

Is PNR data retention lawful?

In July 2015, LIBE approved the draft directive for further negotiations, but proposed extensive amendments to the original text, introducing safeguards against unnecessary and disproportionate collection and retention of PNR data.

In light of similar concerns, in 2014 the European Parliament referred the EU-Canada PNR agreement to the EU Court of Justice to clarify if the agreement is in line with EU law. In 2014, that same court invalidated the EU Data Retention Directive, declaring it to be in violation of EU law and fundamental rights.

The draft EU PNR directive attracts heavy criticism from civil liberties groups. European Digital Rights (EDRi), an association of civil and human rights organisations from across Europe, claims that the necessity and effectiveness of mass surveillance in terrorism prevention is yet to be proved, whereas in light of the 2014 Court of Justice judgment, blanket PNR data retention can hardly be considered lawful.

Unconstitutional?

The Lithuanian government’s moves to introduce its own PNR data retention law were met with criticism from the Ministry of Justice, which stated that the law is potentially unconstitutional. The Lithuanian Constitution allows the transfer of private data only under court order, whereas exceptions can be permitted only in cases of war or emergency.

The Ministry draws attention to the fact that the draft law would allow the collection of personal data without linking passengers to specific criminal activities, and instead merely on the grounds of increased risk, which does not fall under any of the constitutional exemptions.