EU police show little interest in processing passenger data

Once called for as an indispensable tool in the fight against terrorism, the implementation of the EU directive on the use of passenger data is slow.

The „Passenger Name Records“ (PNR) package adopted over two years ago should have been transposed into national law by all Member States by 25 May this year. However, a considerable number of governments have not yet reported this to the Commission. This was confirmed by EU Internal Affairs Commissioner Julian King at a hearing in the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE). Previously, the civil rights organisation Statewatch had also reported on this.

According to the Directive, airlines, travel agencies and other operators have to transmit extensive personal data of their customers to the competent authorities before each trip. They are stored there for five years. These approximately 60 individual data fields include information on the itinerary, passengers, stopovers, hotels booked or rental cars. All booking information is processed, including e-mail address, billing address, travel agent responsible, languages of minors on the flight, food preferences or a doctorate.

According to a joint declaration by all Member States, only domestic flights will be exempted from the Directive. The PNR data will be transmitted up to 24 hours before the scheduled time of departure and a second time when the doors of the departing aircraft have finally closed. This will make it possible to find out if a person has not boarded the flight booked.

Member States must adopt passenger data legislation

All information is cross-checked with databases and risk profiles established on the basis of previous experience. Criteria for such a pattern are age, gender, nationality and country of destination. If anomalies are found, the responsible authorities are informed and can then initiate „follow-up measures“, such as the examination, arrest or further observation of the person. The secret services can also be involved.

In order to implement the Directive, the governments of the Member States must enact their own Passenger Data Law. In July, the EU Commission issued warnings to 14 countries, including Austria, France, Greece, the Netherlands, Romania and Spain, due to the slow pace of implementation. However, at least five governments have now made up for this connection. This is what it says in a register of the European Union. However, according to the Security Commissioner, two of the laggards only reported partial implementation.

In France, where the PNR system is already operational, it is said to have led to the detection of 13 people. In Belgium, according to a report, 834 „wanted criminals“ have already been identified. Crime areas included terrorism, drug trafficking, child abduction and theft. The German Federal Ministry of the Interior (BMI) expects „follow-up measures“ in 0.07 percent of passenger data records.

Working group lists usable standards 

Member States should also set up a Passenger Information Unit (PIU). There the PNR data will be cross-checked with other databases. The aim is, for example, to identify wanted offenders, person likely to threaten public safety or those reported missing. In the case of the German Passenger Data Act, the central office is located at the Federal Criminal Police Office (BKA). Unlike many other Member States, however, the Federal Government has not yet officially registered its function. It is therefore unclear to the passenger data centres of the other EU Member States where any information can be reported.

The German Federal Administration Office also chaired a working group set up by the International Air Transport Association (IATA), the umbrella organisation of airlines. One of its tasks was to draw up a list of all usable standards for PNR data. Airlines must select from this list the protocol and format they wish to use and communicate this to the other Member States. Most companies use the commercial transfer protocol „IBM MQ“ from IBM Corporation.

German Federal Criminal Police Office supports latecomers

In order to make it easier for slow Member States to join the PNR system, their competent authorities participated in an informal working group. This group was chaired by the BKA until 1 September. The German Ministry of the Interior mentions as one of the Presidency’s priorities the coordination of a „standard communication channel“ between passenger data centres.

The „Internal Security Fund – Police Orientation“ (ISF Police) provides financial support to Member States in the implementation of EU decisions. According to the EUobserver information service, the Commission has allocated more than 70 million euros for the establishment of Passenger Information Centres. The defaulting Member States also received several million euros each from the Fund. The EU subsidy for the German PNR system, which cost at least 30 million euros, is not known. Nor has the ministry specified the monthly personnel costs and the expenditure for licences.

The official operation of the German Passenger Data Centre is to begin at the end of September. The BKA is already collecting „passenger data for some flight connections“ for test operations. These data originate from airlines operating in Germany, which are „gradually“ connected to the BKA. According to the Ministry of the Interior, however, these personal data would be „immediately anonymised“ and deleted after 72 hours at the latest.

Image: Manchester Airport sky walk, CC-BY 2.0, Terry Whalebone

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.