By BROOKS TIGNER
BRUSSELS – The collection, dissemination and cross-border exchange of aviation passenger name record (PNR) data is crucial for law enforcement authorities to combat terrorism and organised crime across Europe. Rapidly approaching is the deadline for national governments to implement the EU’s PNR directive (2016/681).
While it legally applies only to flights entering or departing from the EU’s territory, there are strong indications it will apply de facto to all intra-EU flights as well. That is an encouraging sign.
Far less encouraging, however, is whether the member states as a group will be ready to push the button on 25 May 2018. Not only are they supposed to have transposed the EU legislation into national law by then, but each is also obliged to create a passenger information unit (PIU), or technical centre, to receive airline PNR data. Very few member states are ready for this, according to industry sources.
In its PNR progress report from December 2017, the European Commission noted that only seven member states are well advanced, 13 in a middling state of preparation and that the balance of seven are lagging far behind. (Denmark is not included since it exercised its opt-out on the legislation.) For the time being, only Germany, Belgium and Hungary have fully transposed the directive.
The more difficult deadline challenge, however, revolves around the PUIs and the directive’s pre-defined set of data formats and protocols from which each member state must choose and require of its territory’s airlines in order to receive PNR data from the latter.
Europe’s airlines have insisted all along that that they need the earliest possible advance notice of the formats and protocols they should use for each member states, and sufficient pre-launch time to work out any related technical, legal and administrative issues.
“We are only two months away from the May deadline, and it takes six months for the airlines to conduct all their testing with a member state. Our concern is that we’ll be asked by all the laggard countries to hook up and start testing, but to do that the PIUs first have to be in place. And most of them aren’t,” one airline industry official told SECURITY EUROPE just prior to in mid-March.
“The risk is that we’ll find ourselves in a situation where we are blamed for not transferring PNR data on 26 May, even though we’ve said all along that we need predictability, sufficient time and advance technical information. This has not been done the right way for the past year and a half,” said the industry official.
Meanwhile, Denmark’s opt-out poses a quandary for the airlines. Similar to the UK, it has its own PNR system and will shadow what the other EU countries do. The quandary puts Denmark and the directive’s provisions about PNR transfers to third countries almost in the same basket. Third-country transfers will take only place on a case-by-case basis and, of course, cannot be tested until the directive is fully implemented.
In the meantime, however, Europe’s airlines are unsure how they should transfer their PNR data to Denmark – as an EU member or a third-country? They have lobbed the issue over to the Commission for clarification, but so far there has been no legal response from the latter.
Interestingly, it will consider expanding the directive’s PNR-transfer scope to include travel agencies and tour operators that engage in travel-related services. It may also widen the scope to include intra-EU flights, though by that time such a decision would merely be a reflection of reality.
The directive allows each member state, as an option, to require all or just selected intra-EU flights to transfer PNR data as well. All the member states have indicated they intend to do that anyway. Thus, it would make sense two years hence for the Commission to simply embed that in an amendment to the directive.