For a number of years now, Europe as a whole has been making steady progress towards increasing safety in air transport. Last Thursday, 17 September 2020, the Spanish Official State Gazette published the law (1) regulating the transfer of passenger and crew data of international commercial and private flights to prevent terrorism and serious crime.
The Passenger Name Record, which has just entered into force, is a new step in the security of air transport, especially on international flights.
This legislation builds on the initiative foreseen in the «The Stockholm Programme: An open and secure Europe serving and protecting the citizen».», of 4 May 2010, which called on the Commission to submit a proposal on the use of Passenger Name Record (PNR) data to prevent, detect, investigate and prosecute terrorist offences and serious crime.
It has been a long road, since the Passenger Name Record Directive came into being as part of police and judicial cooperation on crime in December 2009. It went through several negotiations until it was approved by a large majority in April 2016 when an agreement was reached between the European Commission and the European Parliament.
During this period, the UK went ahead to require their use during the 2012 Olympic Games. Also very important is the role of France, which pre-empted the PNR Directive by including its project in the country's military planning law for the years 2014 to 2019. France pioneered the deployment of its Unité Information Passagers (UIP), operational since 2016.
Now it is Spain that is incorporating into its legislation everything necessary to be in line with the rest of the European countries. Among the provisions of this law, some key aspects can be highlighted. For example, The scope of application includes all international flights. origin, destination or transit in Spain, both commercial and private. In addition, exceptionally, as an extraordinary measure, data may be requested on domestic flights.
Certain crew information corresponding to the Advance Passenger Information (API) data must also be submitted. In addition, for private flights such data must be sent for both passengers and crew.
This may seem like a novelty was already a more or less common type of management in many countries., such as in the United States. This information submission was voluntary on the part of the companies but became mandatory in some countries in 2000. On the website of the US Customs and Border Service there is a lot of information on this system: APIS: Advance Passenger Information System (APIS).see here)
Therefore, all airlines operating flights to the US or other countries that request this information will have no problem activating the submission of this data to the government once they set up their systems to do so.
This PNR data originates when a booking is made at the airline, travel agency or directly when booking a ticket online. The use of a shared database containing the itinerary of a passenger, or a group of passengers travelling together, allows the exchange of booking information in case passengers require flights from several airlines to reach their destination and at the same time facilitates the simultaneous sale of seats avoiding or reducing overbooking.
To this end, IATA and ATA defined standards for the exchange of PNR messages. although there is no general industry standard for layout and content so this new law published in Spain also includes the list of data to be sent to the authorities.
The data will be retained for 5 years. The companies and booking companies must transfer the data to the Processing Unit of the Secretariat of State for Security. In order to keep the data protection rights after 6 months from receipt, the data will be depersonalised and full access shall only be allowed after approval by the judicial authority.
Among the data to be included there is a detailed list in «Article 5. Chapter I Passenger Name Record Data», highlighting: PNR record locator, Date of booking and ticketing, Expected dates of travel, First and last names, Address and contact details (telephone number, e-mail address), All payment details, including billing address, etc.
Within the framework of this law, it also created the Passenger Information Unit (PIU) which is organically integrated into the Centre for Intelligence against Terrorism and Organised Crime, which is part of the State Secretariat for Security of the Ministry of the Interior.
In addition to collecting PNR data, its tasks shall include storing, processing and, where appropriate, transferring such data or the result of their processing to the competent authorities. In addition to collaboration through the exchange of PNR data and the result of their processing with the Passenger Information Units of other Member States of the European Union, with Europol and with third countries.
Given that this law was published on 17 September, coming into force in two months, it should be fully operational as of 17 November 2020.
(1) Organic Law 1/2020 of 16 September on the use of Passenger Name Record data.
