For several years, throughout European territory, solid progress has been made towards increasing air transport security. On Thursday, September 17, 2020 the Law (1) that regulates the transfer of passenger and crew data from international commercial and private flights to prevent terrorism and serious crimes was published in Spain’s Official State Bulletin (B.O.E. in Spanish).
The Passenger Name Record, which has just taken effect, is a new step forward in air transport security, especially for international flights.
This legislation is inspired by an initiative foreseen in the “Stockholm Program: an open and safe Europe that serves and protects citizens” (May 4, 2012), which urged the Commission to present a proposal on the use of data from the Passenger Name Record (PNR) to prevent, detect, investigate and prosecute terrorism offences and serious crimes.
The road has been long, since the Passenger Name Record Directive – which is part of police and judicial cooperation in crime matters – emerged in December 2009. It went through various negotiations before being approved by a great majority in April 2016 when the Commission and the European Parliament reached an agreement.
During this period, the United Kingdom moved forward to require its use during the 2012 Olympic Games. France’s role is also very important as it pre-empted the PNR Directive by including its project in the country’s military planning law for the years 2014-19. France was a pioneer in the deployment of its Unité Information Passagers (UIP) in operation since 2016.
Now Spain is the country incorporating everything necessary into its legislation to be in tune with the rest of European countries. Among the provisions of this law, some key aspects stand out. For example, the scope of the application includes all international flights – both private and commercial – that have Spain as their origin, destination or point of transit. Furthermore, exceptionally, as an extraordinary measure, data can be requested for domestic flights.
Some information must also be submitted for the crew, corresponding to Advanced Passenger Information (API) data. Likewise, in the case of private flights, this data must be submitted for both passengers and crew members.
While this might seem like a novelty, this type of operation was more or less common in many countries, such as the United States. Voluntary submission of information by airlines became mandatory in many countries from the year 2000. The United States Customs and Border Control website, APIS: Advance Passenger Information System, provides ample information about this system. Therefore, all companies operating flights in the United States or other countries that request this information will have no problem activating the submission of this data to the government once they have configured their systems to do so.
PNR data is created when a reservation is made, with the airline itself, a travel agency or directly by reserving a ticket online. The use of a shared database containing itineraries for passengers or groups of passengers travelling together allows an exchange of reservation information in the case that passengers require flights from various airlines to reach their destination. At the same time, it facilitates simultaneous sales of seats preventing or reducing overbooking.
To that end, IATA and ATA defined standards for the exchange of PNR messages, although there is no industry standard regarding availability and content which is why Spain’s new law also includes the list of data that must be sent to the authorities. The data will be kept for five years. Airlines and reservation companies must transfer the data to the Secretary of State for Security’s Treatment Unit. To maintain data protection rights, six months after reception the data will be made anonymous and full access will only be allowed after approval by the judicial authority.
Among the data to be included there is a detailed list in “Article 5. Chapter 1 Passenger Name Record Data” highlighting: PNR record locator, date of reservation and ticket issuance, expected dates of travel, first and last names, address, contact details (phone number, email), all payment details, including invoice address.
Within the framework of this law, the Passenger Information Unit (UIP) has also been created, and organically integrated into the Intelligence Centre for Counterterrorism and Organised Crime (CITCO), an agency dependent on the Secretariat of State for Security of the Ministry of the Interior. This unit is responsible for collecting PNR data, as well as storing, processing and, where appropriate, transferring PNR data and processing results to the competent authorities. The UIP is also responsible for collaborating through exchange, of both PNR data and the result of its processing, with other EU member states’ Passenger Information Units, Europol and with third countries. Since this law was published on September 17, taking effect two months later, as of November 17, 2020 it must be fully operational.
(1) Organic Law 1/2020, September 16, 2020, on the use of Passenger Name Record.