EU-wide surveillance of air travellers is gathering pace. In the first year, the German BKA manually inspected tens of thousands of passengers after the automated screening. The authorities ordered follow-up measures for 277 passengers. These include arrests, open or discreet checks.
German authorities continue to look for personnel to implement the retention of passenger data. Of the more than 500 posts planned for the new system, around one third are currently occupied. This was written by the German Federal Ministry of the Interior in response to questions on the EU Passenger Name Record (PNR) Directive.
The law passed in 2016 is intended to ensure comprehensive monitoring of air passengers. Airlines, travel agencies and other travel providers must transmit several dozen Passenger Name Records (PNR) to the responsible Passenger Information Unit (PIU) before each international flight. There they are stored and analysed in a Passenger Data Information System. The routinely processed information includes individual data, including name, address, flight connection, seat, meal requests or IP addresses.
Most of the 500 jobs are created at the Federal Administration Office (BVA), which is responsible for receiving and storing the data. Of the 256 staff members, technicians and senior executives who will be employed there, around half are currently employed. The BVA has concluded a contract with the new Federal Information Technology Centre for the storage of data in a computer centre.
Manual inspection at the PIU
The Passenger Data Information System is now connected to 20 airlines, half of which are in test operation. Half a year ago, three companies were initially part of the system, but the data they supplied was only used to test it.
The passenger data now arriving in routine mode are rasterised using a “comparison processing system” of the Federal Criminal Police Office (BKA) with the German INPOL police database and the Schengen Information System. It would also be possible to query Interpol databases, but there is no agreement between the international police organisation and the EU Commission on this yet.
In 94,098 cases, the “comparison processing system” found a hit and informed the German Passenger Information Unit. 41 officials of the BKA, the Federal Police and the Customs Criminal Investigation Office have access to the sensitive personal data via the BKA Transaction Processing System .
According to the German Air Passenger Data Act, the hits found may not be automatically checked against other databases. For this reason, every suspicious person is checked manually at the Passenger Information Unit. Before this, a software called “complex search procedure” searches for duplicate data records or matches.
Almost all hits turn out to be data waste
According to the Ministry’s response, the system produces large amounts of data waste. Of the 94,098 hits, only 277 withstood manual review. The BKA then hands over such “technically positively checked hits” to the “PNR follow-up measures control centre” at the Federal Police. Those affected are then specially checked, questioned or arrested. According to the Schengen Borders Code, checks can also be carried out discreetly.
In the future, the Federal Government expects a considerable increase in expenditure for controls of persons and objects in connection with travel monitoring. A total of 210 positions are planned for the federal police, another 41 for the customs administration. Because the training of the new task forces to be hired takes up to three years, this task is currently being taken over from the existing staff. According to the Ministry of the Interior, this is “at the expense of other tasks”.
Not all Member States implement Directive
As an EU Directive, a law must be enacted in each Member State to implement the PNR system. 24 governments have notified this to the EU Commission, but only 19 of them have started to store and process the data. The national systems must use uniform data formats and protocols which the German Federal Administration Office was involved in defining.
To create uniform standards, the German authority participates in working groups of the European Union and the International Air Transport Association (IATA). They are to advise both the member states and the airlines on the delivery of passenger data. According to an implementation decision of the EU Commission, the companies can choose between a free transfer protocol or a system marketed by the IBM Corporation.
Expansion planned
The German Passenger Data Information System is still under construction. Gradually, all airlines are to be connected, and the authorities involved expect data volumes of 180 million passengers per year. The system is still a long way from achieving this goal. Since the start of “limited effective operation”, the airlines have transmitted around 3.5 million passenger data records to the system. Because this information is processed several times, for example during booking and boarding, the actual number of passengers screened in Germany is currently around 1.2 million.
The implementation of the Passenger Data Directive in the EU member states will result in a day-to-day dragnet investigation. The EU Commission and some Member States are also considering extending the directive to other means of transport, including ferry connections or high-speed trains on certain routes.
Given the scale of this data retention, the number of requests for information from citizens is negligible. To date, 149 personal queries have been received by the BKA, which is responsible for this, regarding the storage of passenger data in the Passenger Data Information System.