An EU-wide Passenger Name Record (PNR) system is being implemented alongside the ETIAS and the EES to further improve security within the European Union.
The PNR was first introduced in 2007 but legislators initially had trouble passing the regulation due to privacy concerns. Issues were resolved using common high standards on data exchanges and privacy throughout all 28 participating EU states.
Several European countries, including the UK, France, and Italy already have their operational data-collection systems. In 2013, the European Commission provided €50 million to 14 European Union countries to fund the new PNR system.
WHY IS PNR COLLECTED?
In the past, PNR data has already helped thwart some terrorist activities. It has also been fundamental in capturing collaborators of terrorist attacks.
Setting up a joint system for European Union police and justice officials to access airline and other travel carriers’ passenger data, covering all trajectories to and from the EU will further help prevent terrorism and other types of crime.
Besides terrorism, other serious crimes that PNR will help prevent include:
- Trafficking in drugs
- Human trafficking
- Trafficking of weapons
- Cybercrime
- Sexual exploitation of children
- Child abduction
- Theft
Aside from PNR, the EU is also working on the development of a travel authorization system with mandatory registration for travelers from over 50 countries —the ETIAS— which will also help fight terrorism in Europe.
PNR AND THE ETIAS TRAVEL AUTHORIZATION FOR EUROPE
The rules adopted on 27 April 2016 by the European Parliament and the Council regulate the use of passenger name record (PNR) data and apply to flights arriving from third countries to the European Union Member States.
The Member States must adopt passenger data legislation and decide whether to also apply these measures to intra-EU flights — that is, flights departing from and arriving in an EU Member State.
Both the ETIAS, and the PNR are being implemented with common goals — the prevention, detection, investigation, and prosecution of terrorist offenses and serious crime.
Similarly, both security systems cross-check all the data collected with databases and the Passenger Name Records are also compared to risk profiles established on the basis of previous experience.
The ETIAS collects data provided by travelers from eligible countries and verifies it before they depart towards the Schengen Area, denying the travel authorization to individuals considered a risk to the EU.
The PNR, on the other hand, gathers data provided by third-country passengers to airlines or other carriers such as trains or buses, and tour operators. The PNR data will be transferred up to 24 hours before the scheduled time of departure.
The PNR data will be transmitted a second time once the doors of the departing carrier have finally closed. This will help authorities know whether a traveler has boarded the flight or train they booked or not.
The PNR and the ETIAS go hand in hand as added layers of security since the ETIAS can deny a third-country national the authorization to enter Europe while the PNR can let authorities know whether the individual has booked and boarded a carrier headed towards the EU.
WHAT KIND OF INFORMATION DOES A PNR CONTAIN?
Passenger Name Record data is collected when a citizen books a trip in the normal course of the tourism and transportation business. This is initially done, for enabling reservations and carrying out the check-in process, this could include details such as:
- Name
- Contact details
- Address
- Travel itinerary including flights, seats, connections, and meal requests
- Travel dates
- Travel agent
- Seat number
- Ticket information
- Payment data (credit or debit card information)
- Baggage information
- Passport details (known as the Advance Passenger Information, or API)
- Age
- Gender
- Nationality
- Country of destination
In practice, travel carriers send PNR data to EU authorities, the data is initially processed for commercial purposes but "Passenger Information Units" (PIUs) are being set up in each EU Member State, where PNR data will be stored.
Should anomalies be found in the data, the competent authorities would be informed so they can initiate follow-up measures, such as the examination, detention or additional observation of the traveler.
PNR data will not be automatically transferred from PIUs. This is in order to comply with European Union data protection legislation.
Security processing of PNR data for crime prevention will be the responsibility of the new units, not travel carriers. The EU Member State Units will only pass the data on to EU authorities in specific cases.
UK Conservative MEP Timothy Kirkhope, the European Parliament's lead negotiator on the PNR issue stated the amount of information gathered per traveler was "much less than, say, when you open a club card account with a local supermarket".
The PNR regulations rule out any processing of data revealing a citizen's:
- Race
- Ethnic origin
- Religion
- Political opinion
- Trade union membership
- Health
- Sexual life
PIUs will be obliged to delete any data that infringes EU anti-discrimination law, should they receive any.
PNR data protection safeguards include:
- Deleting data after 5 years
- Depersonalizing, anonymizing or masking information after 6 months
- Designating a Data Protection Officer as well as an Independent National Supervisory Authority within the PIU
During the five-year period in which PIUs can keep PNRs, investigators in serious criminal cases will be able to "unmask" the data should they need to reveal a suspect's details.
The European Union is actively developing its security systems through the PNR, the EES, and the ETIAS, which is part of the Common EU Intelligence Agency.
