EU states want to keep hoarding passenger data, despite ECJ ruling

The 2016 EU law emboldened national authorities to start sweeping up everyone's passenger flight data, including people with no links to crime.

Part of the idea was to keep tabs on people for five years in case they commit a terrorist offence in the future, including those who were taking internal EU flights.

But the European Court of Justice over the summer decided that such tactics risk violating fundamental rights.

The court said that data processing and retention practices must be limited to what is strictly necessary to fight terrorism and serious crime.

It means national authorities can only collect data on flights within the EU if there is a real terror related threat.

EU states are not happy and are now debating how to interpret the ruling as widely as possible, including finding new ways to determine an objective evidence of a terror risk.

In September, the EU presidency under the Czech Republic, circulated an internal document among EU states.

The paper, leaked by London-based Statewatch, sought for possible ways around the requirements laid down by the judgment.

EUobserver has since reviewed those responses in a 100-page internal document, dated 26 October, also from the EU presidency.

Their responses paint a picture of widespread backlash against the court ruling.

In some cases, EU states appear to suggest that the PNR law could be used to predict future crimes.

Capitals' complaints

"It is very difficult to point out a logical methodology for removing data from a pool in which unforeseen future events have yet to play out," says Denmark.

Estonia makes similar remarks.

"Due to our geographical location we don't see the possibility to exclude even partial collection of regular intra-EU flights," they say.

Austria says it has processed some 66-percent less data since the ruling.

"We would highlight that the use of PNR data is an important prevention tool to identify terrorist attacks before the happen," they say.

Portugal says intra-EU flights represents more than 50 percent of its PNR data.

And Finland says it represents 81 percent so far this year alone.

"Needs for all intra Schengen PNR data is critical for Finland," it says.

Finland also appears to introduce a loophole into the EU court judgement.

It notes that while the EU court ruling sets clear requirements on processing PNR data, it "does not prescribe to the member states how they must ensure these goals in law or practice."

Others, like Greece, complain that the judgement requires each EU state to justify why they need to process data, instead of everyone using the same approach.

Athens is demanding EU funding in order to filter and delete data that is of no use.

It also says a six-month retention period creates a "security hole" because criminal gangs do not operate in six-month intervals.

Greece also wants to take the lead of any new EU working level group, first floated by Belgium and supported by Finland and Ireland, to create common risk-analysis model.

Meanwhile, Hungary has described as unrealistic the court's decision that requires evidence of any wrongdoing before data can be collected.

And Spain says that it will grudgingly accept any automated system that intends to filter out innocent people.

But such automated systems also have their problems.

An impact assessment by the European Commission found that five-out-of-six individuals are falsely identified in the automated analysis of PNR data.

"Indeed, predicting crime does not appear to work outside movie plots like 'Minority Report'," said the European Digital Rights (EDRi), a Brussels-based umbrella group, in a blog entry.