The Article 29 Working Party, which is made up of the data protection watchdogs from the EU's 27 member states, has also said that the measures proposed are disproportionate to the threat posed by terrorism and serious crime.
"We consider that [the Commission's plans do] not provide a proper evaluation of the use of PNR and [do] not demonstrate the necessity of what is being proposed," the working party said in formal opinion (9 page / 49KB PDF)."
"Collecting and processing PNR [Passenger Name Record] data for the fight against terrorism and serious crime should not enable mass tracking and surveillance of all travellers," it said.
The Commission has proposed a Passenger Name Record (PNR) Directive, which will extend the passenger-tracking systems already in use in the UK and US to all flights to and from countries outside the EU for the first time.
PNR data may include personal information such as home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details.
The Commission has not shown it has properly considered the fundamental rights passengers have to the privacy of their personal information, the working party said.
"The legal precondition for interfering with these rights is that it is 'necessary in the interest of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others' as well as being 'necessary in a democratic society' and 'subject to the principle of proportionality'," the Working Party said in its opinion.
"The fact that the purpose of the proposal is the prevention of terrorism and serious crime does not mean it clearly complies with these requirements; the necessity and proportionality have still to be proven," it said.
Security gaps in processing PNR may still arise, the working party said. The data protection advisors urged the Commission to explore established laws to plug existing security holes before drafting its PNR Directive.
All processing of personal data should be logged, and existing national data protection authorities monitor the access, to verify its lawfulness, the working party said. How national data protection authorities monitor the accessing of data in practice needs to be explained, the working party said.
The term 'serious crime' needs to be made clear so the precise offences that the information will be used to combat are known, the working party said. The group also wants the Commission to ensure countries are consistent in what crimes national law enforcers can investigate using the information.
Masking the data after 30 days does not give travellers anonymity as it could still be possible to identify someone using a part of the information, the working party said. The data protection regulators also proposed that data on all "non-suspect" passengers be deleted immediately. Concerns were also raised on proposals to retain masked data on all travellers for five years.
The Commission should define the purpose of the PNR Directive in its draft as it currently does not explain how the data collected would be used in practice, the working party said.
The Directive should also explain to member states how to classify the databases they will create, the working party said, adding that national law within these countries must explicitly state the restrictions on using the information stored.
The Commission should use the PNR agreements between the EU and US and the EU and Canada to establish what data has actually helped in the investigation of crime, and remove the option for 'general remarks' to be listed beside passenger data. This will help eradicate the collection of overtly intrusive information, the working party said.
The working party was set up under the EU Data Protection Directive and comprises data protection regulators from EU countries, the European Commission and the European Data Protection Supervisor (EDPS).
Its latest opinion expands on EDPS Peter Hustinx's recent call that any PNR Directive should force data-gatherers to delete the information after 30 days.
Other opinions on the subject of PNR are divided. The UK Home Office has expressed concern that the draft PNR Directive does not go far enough, and indicated its support to broaden a passenger-tracking system to include flights within the EU and those from the EU to elsewhere.
The European Parliament has previously questioned the PNR agreement between the EU and the US and refused a transfer of information to US authorities.
The European Commission expects to finalise the PNR Directive later this year.