Air passengers entering or leaving the European Union will have their movements kept on file by police authorities from 2018 under draft legislation approved by the European Parliament.
Critics, however, say a lack of provisions to share the data severely limits the plan's usefulness.
Airlines running flights into or out of the EU must hand over the data to national Passenger Information Units (PIUs) that will hold the data for law enforcers. Member states may choose to gather data from travel agencies and to retain information about passengers on flights within the EU too.
However, there will be no centralized EU database of arriving and departing passengers, and no automatic sharing of data between the various national PIUs. With open land borders between countries in the Schengen Area, and no mandatory collection of information on intra-EU flights, it will be difficult for investigators to use the data to determine whether a person of interest is in the EU.
That calls the usefulness of the whole system into question, according to Joe McNamee, executive director of lobby group European Digital Rights (EDRi), who is no fan of the legislation.
"It is absurd that we are being told that these huge databases are hugely valuable to law enforcement, yet we are also told that member states rejected mandatory sharing of this allegedly valuable data."
Beyond those practical restrictions on the usefulness of the databases, there will also be some legal restrictions on what law enforcers can do with the collected data.
It may be processed "only for the purposes of prevention, detection, investigation and prosecution of terrorist offenses and serious crime." Police forces won't get to choose what constitutes a serious crime in their book: There is a list. It includes trafficking in weapons, munitions and explosives, and human beings, participation in a criminal organization, and child pornography.
Curiously for an offense that needn't involve physically visiting a country, cybercrime is also considered serious enough to make the list.
The Passenger Name Record (PNR) Directive still requires the approval of the EU Council of Ministers, but this is expected to be a mere formality since the text voted by the Parliament on Thursday has already been agreed with the national governments the ministers represent.
Once approved by the Council, EU member states will have two years in which to transpose the directive into national law.
After that date, PIUs will retain the data for five years. After the first six months, though, parts of it will be "masked out" so that users of the database can't see passenger names, addresses or contact information. This is supposed to protect passengers' privacy. Accessing or searching on the hidden information will still be possible, but only upon application to the national data protection authorities charged with enforcing privacy rules.
Sign up for Computerworld eNewsletters.