Abstract

The Passenger Name Record (PNR) Directive has introduced a pre-emptive, risk-based approach in the landscape of European databases and information exchange for security purposes. The article contributes to ongoing debates on algorithmic security and data-driven decision-making by fleshing out the specific way in which the EU PNR-based approach to security substantiates core characteristics of algorithmic regulation. The EU PNR framework appropriates data produced in the commercial sector for generating security-related behavioural predictions and does so in a way that gives rise to a paradoxical normativity directly dependent on empirical states. Its ‘securitisation move’ is moreover characterised by an inherent tendence to expand. As a result, the PNR Directive poses challenges for existing check and balance mechanisms and for human autonomy. These challenges could be partially addressed by strengthening ex-post control procedures and independent auditing. Yet in the decision to adopt a risk-based security model, something more fundamental seems to be at stake, namely, the preservation of the idea of human beings as moral agents able to direct and modify their behaviour in accordance with an intelligible, reliable and predictable normative order.