Passenger Name Record Data to be shared under proposed EU rules

What we say - Article

Contact


Passenger Name Record Data to be shared under proposed EU rules

On the 17 July 2015, the Civil Liberties Committee approved draft EU rules relating to the protection and sharing of Passenger Name Record (PNR) data for passengers travelling on international flights to and from the EU, with a starting point or an end destination outside of the EU. The draft EU rules would therefore not apply to flights within the EU.

The collection and sharing of PNR data assists law enforcement authorities in the fight against serious organised crime and terrorism.

What is PNR data?

PNR data is data that is collected by air carriers during the booking, reservation and check-in procedures. PNR data includes:

  • Travel dates;
  • Travel itinerary;
  • Ticket information;
  • Contact details;
  • Baggage information; and
  • Payment information.

From an analysis of the PNR data, authorities within a Member State would be able to identify information which may assist in the identification of individuals involved in serious organised crime and terrorism.

Impact of collection of PNR data on the UK

Some Member States within the EU (including the UK) already collect data similar to that proposed under the draft EU rules. To this end, those air carriers operating within those countries already collecting such data are likely to be less affected by the introduction of the draft EU rules.

Nevertheless, air carriers should be aware of the intention of these draft EU rules, the purpose of which is to harmonise the rules and regulations across the EU that govern the collection of passenger information data. The introduction of these rules would provide a standardised EU-wide approach to the collection of PNR data, allowing for easier compliance by air carriers.

How would the system work?

The collection of PNR data would only apply to passengers travelling on international flights to and from the EU, with a starting point or an end destination outside the EU. Any air carriers operating on these routes would be expected to ‘push’ the PNR data to the Passenger Information Unit (PIU) for the Member State where the flight arrives or departs. By utilising a push system of PNR data collection, the PIUs of each Member State would not have direct access to the IT system of the air carriers.

The collection and processing of the PNR data would then be completed by the PIU of the Member State within the limits of the safeguards set out within the draft EU rules (as outlined below). The PNR data collected by the PIU would then be used for the prevention, detection, investigation and prosecution of terrorism and serious organised crimes.

All PNR data collected by a PIU would be retained by them for an initial period of 30 days. After the 30 days has elapsed, any information which could serve to identify a passenger would need to be redacted / ‘masked – out’.

Any redacted / ‘masked out’ data would then only be accessible by a select number of PIU staff with appropriate security training and would be retained for:

  • 4 years for data relating to serious organised crime; and
  • 5 years for data relating to terrorism.

After 5 years have passed from the date that the PNR data was collected, the PNR data should then be permanently deleted, unless the data is being used by competent authorities in relation to ongoing investigations and/or prosecutions. At which point, such data would then be protected by the laws of that Member State.

Safeguards

Included within the draft EU rules are a number of safeguards which ensure that any PNR data is dealt with lawfully. The safeguards within the draft EU rules include the following:

  • A Member State’s PIU would be entitled to process PNR data only for limited purposes, such as identifying a passenger who may be involved in a terrorist offence or serious transnational crime;
  • PIUs would have to appoint a data protection officer (similar to those appointed under UK data protection law) to monitor the processing of the PNR data and ensure that the safeguards are met. The data protection officer would also act as a single contact point for passengers with PNR data concerns;
  • Whenever any PNR data is processed by a PIU it would need to be recorded and logged;
  • Whenever PNR data is being collected the passengers must be clearly and accurately informed about the collection of such data and their respective rights; and
  • In the event that PNR data is transferred to a third country strict conditions would need to be in place to govern such a transfer


Alina Nosek, Partner, AviationFor more information on aviation law or related enquiries, contact Alina Nosek, Head of Aviation.

View Alina's profile email Alina now

Published: 30 Jul 2015


Subscribe to all articles and news:
Email: