The PNR directive obliges air carriers to collect a whole host of data and pass it on to the border authorities in advance of all flights. This information includes registration data, seat and flight numbers, along with food preferences, credit card details or IP addresses. PNR passenger information units (PIUs) in the Member States then analyse the information to identify “suspects and anomalous travel patterns”.
On 27 April, the European Parliament and the Council adopted the Directive on the use of passenger name record (PNR) data. Information collected at the booking stage can now be used by police forces and intelligence services to “prevent, detect, investigate and prosecute” terrorist offences or serious crime. For flights from and to the EU, up to 60 individual pieces of data on passengers are collected and stored for five years. These include registration data, seat and flight numbers, along with food preferences, credit card details or IP addresses.
The collection of PNR data not only applies to airlines, but also to travel agencies, tour operators or other service providers who book flights. In the future, the plan is for European PNR data to also be exchanged with third countries or international organisations.
All EU Member States now also store passenger data for inner-European flights
The idea was for information to be processed only on flights from or to third countries. Yet Article 2 of the PNR directive allows the Member States to “voluntarily” apply the directive to flights within the EU. This provision is a farce and is merely intended to pacify the European Parliament which had opposed the directive for years. In a statement issued later, all Member States announced that “considering the current security situation in Europe”, they want to take full advantage of this opportunity to “voluntarily” apply the directive.
This week, the Justice and Home Affairs Council will discuss progress in implementing the PNR directive. At the end of November, the European Commission will present an implementation plan for the directive. The directive must be transposed into national law by 25 May 2018. By then, all EU Member States need to have established a passenger information unit, responsible for processing passenger data provided by the airlines. Other Member States which are affected or believed to have relevant information will also be informed via the network of PIUs. The European policy agency Europol is linked into the network; Article 10 of the PNR directive describes the important role foreseen for the agency in supporting the passenger information units. Several Member States, including Sweden and the Netherlands, already process PNR data and have a passenger information unit. The directive also allows for Member States to coordinate their efforts and establish or nominate a joint PIU.
Hungary is leading a PNR pilot project
In order to allow cross-border processing, the formats of the PNR and API data must be compatible and be supported by the systems of the national PIUs. In this context, Hungary is currently leading an EU project entitled “Pilot Programme for Data Exchange of the Passenger Information Units” (PNRDEP). This project, which is to be completed before the end of the year, involves Bulgaria, Lithuania, Portugal, Romania, Spain and Europol. At that point, decisions on data formats and protocols for the transfer of data will be taken. Similar procedures for the interoperability of European data bases are also being led by the German Federal Criminal Police Office (BKA).
The European Commission has set up an informal PNR working group which supports all Member States in establishing the necessary procedures. The focus is on enhancing “national detection capacities” through the PIUs. They are intended to identify “suspects and anomalous travel patterns” when, for example, noticeable detours are undertaken for flights to and from “high-risk destinations”. Europol is currently developing criteria for such “travel patterns”. No details have so far been provided. It seems likely that, as with the use of API data, no details will be published.
The PNR data is analysed by carrying out profile-based searches in relevant European databases, including the Schengen Information System (SIS II) and the Visa Information System (VIS), along with the Interpol database for stolen or missing travel documents. Europol carries out further queries. This profiling is described in EU documents as “layering of travel information with other sources of intelligence”.