Latest update 14/12/2016: please see below for more details.
Air Passenger Data include Advance Passenger Information (API), which refers to a passenger’s identity such as full name, date of birth and nationality typically obtained from travel documents such as passports (“interactive API”); and Passenger Name Records (PNR), that are collected by airlines from passengers solely for their business purposes. PNRs normally contain several different types of information, such as travel dates, travel itinerary, ticket information, contact details, travel agent at which the flight was booked, means of payment used, seat number and baggage information. The data is stored in the airlines' reservation and departure control.
Many states access PNR data for the purpose of fighting serious crime and terrorism and technology developments have made it possible to use PNR data more systematically for law enforcement purposes. Whereas it generally agreed that it is an airlines responsibility to advise Government agencies regarding who is on board a flight, a consistent level of data protection across EU member states is not being fulfilled yet.
API and PNR are located in different systems and their transmission requires programming by the airlines, which can take 3 to 6 months for a standard API request and 6 to12 months for a standard PNR request. They also provide different benefits, meaning that a State should carefully assess its needs before embarking upon a data exchange program.
In February 2011 the European Commission published a legislative proposal for an EU PNR Directive as part of the wider agenda to better protect European citizens against security threats, such as terrorism or serious crime. A copy of the proposal can be found via the useful links below.
ERA acknowledges passengers’ fear of data misuse, therefore it calls for airlines to keep their passengers fully informed and reassured that such data (after being transmitted to the relevant agencies) is then deleted.
Airlines also need to be aware of certain state legislations on the use of personal information due to the different and diverging requirements imposed by certain member states. This presents an additional problem for airlines whereby they may be requested to supply PNR data to a country without the required legislation. Any reluctance to pass such information on could result in the country preventing access to its airspace by that particular airline. As a result ERA urges all Governments in the EU to build and agree an affordable and workable passenger data system that crosses all legislative boundaries. However, any future development costs for such a system must not be imposed on the airlines (and passengers) by the implementing state(s).
ERA has been working closely with IATA to make sure that the following key instances are adopted in the revision process at EU level:
- Scope of the Directive: ERA is against the inclusion of intra-EU flights in the scope of the EU PNR Directive. A comprehensive impact assessment analysis should be provided by the EU Institutions to show that the collection and processing of PNR data concerning intra-EU flights is compliant with the principle of proportionality. Moreover, it is unclear whether the initial legal questions, notably the impact on the Schengen acquis (freedom of movement and lack of border and customs control within Schengen prohibit systematic checks and surveillance of EU citizens on the move, which is precisely what the draft EU PNR seems now to propose), as highlighted in a note issued by the European Parliament’s Legal Service on 20 October 2010, have been answered. The new PNR Directive should be compliant with the principles of proportionality and necessity, limited in scope, respect fundamental rights and include strict data protection safeguards, as emphasized by the European Parliament’s Civil Liberties Committee.
- Cost of new PNR-related requirements: ERA supports any further clarifications by the trilogue negotiators regarding the issue of cost allocation. It must be recognised that while aviation is likely to remain a high profile terrorist ‘target’, in all cases, the state is the real target of the terrorist not the operators, therefore States should accept their responsibilities in the field of anti-terrorist security and, in particular, for funding. Any PNR data provision requirement should limit cost and administrative burden on the industry, bearing in mind the proportionately much higher cost imposed on smaller regional carriers for adapting their IT systems to the new PNR legislation.
- International standards and fair competition: ERA maintains that PNR request should be based upon international data transfer standards as adopted by ICAO and the World Customs Organization (WCO). Any national patchwork on data requirements and transmission standards would result in confusion, potential inconsistencies between States and, ultimately, higher costs to airlines. Requirements should also be applied to all modes of transportation and without discrimination, in order to avoid distortion to intermodal competition and to ensure a higher level of security.
- Consultation with stakeholders: it must be ensured that before any decisions are taken to deploy ‘new IT technology’ or data transfer requirements, a full business case (including a robust cost benefit analysis) for implementation should be carried out; security regulations must be supplemented by the application of ‘risk-based’ measures and regulation must not be used as the sole means of ensuring the security of the industry.
Latest update 14/12/2016: The recent terrorist attacks in Paris and Brussels had a dramatic impact on the EU agenda which resulted in a decisive acceleration to the negotiations between the European Parliament and the Council on the adoption of a new Directive on PNR data.
The “EU directive regulating the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime”, was ultimately adopted on 21 April 2016.
The new directive (EU) 2016/681 aims to regulate the transfer of such PNR data to member states' law enforcement authorities and their processing for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
It will also oblige airlines to hand national authorities passengers' data for all flights from third countries to the EU and vice versa.
Member states will have to set up "Passenger Information Units" (PIUs) to manage the PNR data collected by air carriers. This information will have to be retained for a period of five years, but after six months, the data will be “masked out”, i.e., stripped of the elements, such as name, address and contact details that may lead to the identification of individuals.
PIUs will be responsible for collecting, storing and processing PNR data, for transferring them to the competent authorities and for exchanging them with the PIUs of other member states and with Europol. The directive states that such transfers shall only be made “on a case-by-case basis” and exclusively for the specific purposes of “preventing, detecting, investigating or prosecuting terrorist offences or serious crime”.
Airlines will have to provide PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PRN data concerning selected intra-EU flights, provided that they notify the EU Commission.
EU countries may also choose to collect and process PNR data from travel agencies and tour operators (non-carrier economic operators), since they also manage flight bookings.
To protect the fundamental rights to protection of personal data, to privacy and to non-discrimination, the directive includes a series of other limitations for the transfer, processing and retention of PNR data:
- the directive prohibits the collection and use of sensitive data;
- member states must ensure that passengers are clearly informed about the collection of PNR data and of their rights;
- transfer of PNR data to third countries can only take place in very limited circumstances and on a case-by-case basis;
- explicit prohibition of processing personal data revealing a person's race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation;
- all processing of PNR data should be logged or documented;
- access to the full PNR data set, which enables users to immediately identify the data subject, should be granted only under very strict and limited conditions after the initial retention period.
Member states will have two years to bring into force the laws, regulations and administrative provisions necessary to comply with this directive.
The EU Commission will also carry out a revision of the EU PNR directive two years after its transposition into national laws, paying special attention to compliance with personal data protection standards, the necessity and proportionality of collecting and processing PNR data for each of the stated purposes, the length of the data retention period, and also "the effectiveness of the sharing of data between the member states".
The ERA Industry Affairs Group (IAG) meetings held in London on 21 June 2016 and in Brussels on 2 December 2016 extensively covered the subject of the EU PNR Directive and the impact of the new legislation on member airlines. Further information about the IAG and the presentations discussed at the meeting can be found here: http://www.eraa.org/events/era-groups
ERA is also monitoring the next steps by the European Commission to make sure that the PNR common protocols and supported data formats - which will have to be published by the Commission and applied by all Member States - are in line with existing international standards and best practices.
Due to the complexity and potential for divergent application of the new EU PNR Directive, in November 2016 the Commission published a Better Regulation Implementation document to provide preliminary guidance to EU members.
For further assistance please contact email@example.com