The European Commission last week proposed rules for the use of enhanced passenger information to increase border security.
As Interior Commissioner Ylva Johansson explained during a press conference, travel to and from the Schengen zone – the 26 European countries between which passengers can travel without a visa – involves the obligation to give personal name records (PNR) to border authorities. This is just the minimum information that passengers provide to airlines when booking tickets.
Airlines, she said, are sharing enhanced passenger information in a less formal way – flight details and passenger passport details collected by airlines at check-in. It is made available to the border authorities as a passenger list.
“With this proposal we are making it mandatory to share the extended passenger information for all flights entering and leaving Schengen, but also for intra-Schengen flights, which are the same as those required for the PNR,” explained Johansson. “This will go a long way in preparing border guards’ readiness – what kind of people they expect – but of course also in tracking down key criminals.”
According to Johansson, sharing PNRs alone is not enough to catch criminals, as they often book multiple tickets with airlines at the same time, making it difficult for authorities to know where they are actually traveling to. By adding mandatory, standardized API data, authorities should be able to better determine who is traveling where and when.
Johansson said the proposed rules – which will not apply until 2028 – will be enforced using a central “router” managed by an EU agency called eu-LISA. This agency receives data from departure points and sends it to arrival points without storing it.
“Broadcasting API data through the router will reduce costs for the airline industry and ensure that border guards have [fast and seamless] access… to API data they need to perform in the context of enhanced border controls,” the proposal explained. “This approach will drastically reduce the number of connections to be made and maintained from a member state perspective. In turn, this will reduce the complexity for airlines to maintain links with the relevant border authorities and bring economies of scale.”
eu-LISA must comply with EU data protection obligations and is considered a processor of personal data under EU law. Air carriers and relevant authorities will monitor themselves to ensure they comply with the law.
The router is not expected to be developed before 2026, after which two years will be allowed for adjustment and testing. The projected cost is 45 million euros ($47.6 million) for development and 9 million euros ($9.5 million) for operations from 2029. Member States are expected to spend 27 million euros ($28.6 million) to make existing systems compatible, plus 5 million euros ($5.3 million) per year in operating costs from 2028.
(Member States contribute €8 million (US$8.4 million) annually to the current system under the current multiannual financial framework.)
The revised data-sharing requirement – part of the EU strategy for a security union – aims to harmonize the rules for collecting API data. Previously, PNR records were governed by a separate legal framework – the 2016 PNR Directive.
The rule change is also intended to ensure that the data collected is accurate, complete and of high quality – airlines must use automated data collection methods so that problems with manual data entry can be avoided.
People traveling to, from and within the EU – over a billion passengers annually – will be affected. ®
https://www.theregister.com/2022/12/20/europe_plans_to_standardize_passenger/ Eurozone formalizes passenger data to improve security • The register