Passenger Name Records and EU Crime Prevention

To increase security inside the European Union, an EU-wide Passenger Name Record (PNR) system is being established alongside the ETIAS and the EES.

The PNR was first proposed in 2007, but lawmakers had difficulty enacting the bill owing to privacy concerns. All 28 participating EU states used common high standards for data exchanges and privacy to resolve issues.

Several European countries, including the United Kingdom, France, and Italy, have operational data-collection systems. The European Commission allocated €50 million to 14 European Union countries in 2013 to fund the new PNR system.

WHY IS PNR COLLECTED?

PNR data has already been used to stop some terrorist actions. It has also been critical in apprehending terrorist attack collaborators.

Setting up a joint system for European Union police and justice officials to access passenger data from airlines and other travel carriers covering all trajectories to and from the EU will aid in the prevention of terrorism and other types of crime.

Aside from terrorism, PNR will aid in the prevention of the following significant crimes:

• Trafficking in drugs
• Human trafficking
• Trafficking of weapons
• Cybercrime
• Sexual exploitation of children
• Child abduction
• Theft

Aside from PNR, the EU is working on the ETIAS, a travel authorization system with mandatory registration for travellers from over 60 countries that will aid in the fight against terrorism in Europe.

PNR AND THE ETIAS TRAVEL AUTHORIZATION FOR EUROPE

The European Parliament and Council enacted guidelines on the use of passenger name record (PNR) data on April 27, 2016, which apply to planes coming from third countries to European Union Member States.

The Member States must approve passenger data laws and determine whether to extend these safeguards to intra-EU flights, that is, flights departing and arriving in an EU Member State.

Both the ETIAS and the PNR are being implemented with the same aims in mind: to prevent, identify, investigate, and prosecute terrorist and severe criminal acts.

Similarly, both security systems cross-check all data acquired with databases, and Passenger Name Records are compared to risk profiles developed based on prior experience.

The ETIAS gathers and validates data submitted by passengers from qualified countries before they embark for the Schengen Area, refusing travel authorisation to people deemed a risk to the EU.

The PNR, on the other hand, collects data from third-country passengers submitted to airlines or other carriers such as railways or buses, as well as tour operators. The PNR information will be transmitted up to 24 hours before the scheduled departure time.

Once the doors of the departing carrier have been closed, the PNR data will be transmitted a second time. This will assist authorities in determining whether or not a traveller has boarded the aircraft or train that they booked.

The PNR and the ETIAS work together as additional levels of security since the ETIAS can prohibit a third-country national entry into Europe while the PNR can inform authorities if the individual has booked and boarded a flight bound for the EU.

WHAT KIND OF INFORMATION DOES A PNR CONTAIN?

When a citizen books a trip in the usual course of the tourist and transportation sector, Passenger Name Record data is acquired. This is done initially in order to enable bookings and carry out the check-in procedure; details such as:

• Name
• Contact details
• Address
• Travel itinerary including flights, seats, connections, and meal requests
• Travel dates
• Travel agent
• Seat number
• Ticket information
• Payment data (credit or debit card information)
• Baggage information
• Passport details (known as the Advance Passenger Information, or API)
• Age
• Gender
• Nationality
• Country of destination

In reality, travel carriers provide PNR data to EU authorities, where it is initially processed for commercial purposes before being kept in “Passenger Information Units” (PIUs) in each EU Member State.

If abnormalities are discovered in the data, the appropriate authorities will be notified so that they can take appropriate action, such as investigation, detention, or continued monitoring of the passenger.

PNR data will not be sent automatically from PIUs. This is done in accordance with European Union data protection regulations.

The new units will be responsible for the security processing of PNR data for crime prevention, not the travel carriers. The data will only be passed on to EU authorities in particular instances by EU Member State Units.

The quantity of information obtained per traveller was “far less than, instance, when you register a club card account with a local supermarket,” according to UK Conservative MEP Timothy Kirkhope, the European Parliament’s principal negotiator on the PNR issue.

The PNR laws prohibit any data processing that reveals a citizen’s:

• Race
• Ethnic origin
• Religion
• Political opinion
• Trade union membership
• Health
• Sexual life

PIUs will be required to erase any data received that violates EU anti-discrimination law.

PNR data protection precautions include the following:

• Deleting data after 5 years
• Depersonalizing, anonymizing or masking information after 6 months
• Designating a Data Protection Officer as well as an Independent National Supervisory Authority within the PIU

Investigators in serious criminal cases will be able to “unmask” the data during the five-year period in which PIUs can keep PNRs if they need to reveal a suspect’s details.

Through the PNR, the EES, and the ETIAS, which is part of the Common EU Intelligence Agency, the European Union is actively developing its security systems.