Why the EU’s PNR law is problematic in practice

By Hélène Dubos | PNR & Security Border

Jul 08

EU directive 2016/681, which came into effect on 25 May 2018, was designed in response to calls for better information sharing between national police forces and crime-fighting agencies to help prevent serious crime and terrorism. Before the directive was introduced, EU countries were, at best, patchy when it came to detecting terrorists and criminals entering their territory from outside the EU or even from other countries within the bloc.

A crucial part of this information sharing requires airlines to send passenger name records (PNR) to Passenger Information Units (PIU) in the country they are flying to – these are monitored by the authorities to check for suspicious travelers. In theory, this is a smart idea. The trouble is, making it happen in reality has been a serious challenge for both airlines and security forces.

Today, Greece is the only EU country not to have begun the PIU implementation, although legally speaking, some other countries have not yet transposed the directive – these are Finland, the Netherlands, Slovenia and Spain. All other EU members are ready to start or have already started data collection from airlines.

What the PNR directive requires

On a practical level, the directive should work as follows: all airlines generate a PNR whenever a customer books a flight ticket. For any airline ticket booked, the airline is expected to send an electronically defined set of data, called PNR data, to the PIU of the destination country. All PNR information is sent on a per flight basis, in batches, on three separate occasions – 48 hours before departure, at the time of departure and 30 minutes after the gate has been closed, depending on the local state’s rules.

Even before the EU directive was introduced, some countries had begun developing such systems; and, after the 9/11 attacks in the USA, American authorities demanded that airlines share their PNRs with the police. Nevertheless, the 2016/681 directive is by far the largest and most comprehensive such undertaking. In fact, the USA, Canada, Australia and in the future Mexico, have agreed to work with the EU on this project.

Far from easy to implement

The EU’s PNR legislation should certainly be welcomed. However, many EU members have only partially begun their journey to compliance. At the same time, airlines are struggling to respond to the different ways EU countries are implementing the legislation. This makes compliance for airlines especially challenging.

Here are six broad reasons:

1. Problems with PNR data itself

A basic PNR need only contains the passenger’s name and itinerary. This is all that’s needed to functionally get people from A to B. However, the EU now requires that airlines share PNRs that contain 19 separate pieces of information. These include the passenger name and itinerary, but also other information, including luggage (number of bags and weight), nationality, payment method, ticket currency and so on. It’s clear that some of this information could be useful for law enforcement to spot possible threats but collecting and processing that data on time could be challenging for incumbent airlines with standardised processes and systems due mainly to IT constraints. Additionally, when it comes to specific types of flights, such as charter or business jet, it could be simply impossible. Much of the requested data is not part of the information collected at the time of booking (or even after). 

2. Quality problems

Another challenge arises from providing accurate data. Consider the realities of ticket booking. The PNR might be generated after someone books offline (such as through partner airlines, travel agencies or call centres) or online (internet booking sites), or through one of many other intermediaries over which the airline has no influence.

What’s more, PNR data often goes unverified. There will not necessarily be name checks, or any other checks on data provided by the passenger and/or travel agent for the reservation. PNRs also contain both structured and free format text depending on the internal processes of each of the stakeholders. To make matters murkier, business jet airlines or charter airlines and network carriers providing charter flights have methods of recording passenger data and apply processes that make compliance with the regulation difficult to sustain. For instance, the collection of name and passport data only happens at the airport a few hours before the flight for a charter flight and baggage information for business jet flights is not collected. Those compliance challenges oblige those airlines to engage in individual negotiations with each EU state to obtain exemptions.

3. Communication problems

Besides problems collecting the data itself, there are also challenges when it comes to communicating this data between the airline and the member state’s PIU. Airlines have received non-industry standards requests, while other PIUs are not leaving the choice of protocols or formats to the airlines, which really changes how they structure their data files before sending them. All this means that airlines are forced to engage in technology development which results in increased implementation costs.

4. Airline IT resources

Since the introduction of the law, many airlines’ IT resources have been seriously stretched. The PIU’s in different EU countries have been demanding they follow their specific requirements, and this has resulted in bottlenecks and delays as airlines struggle to adapt to the needs of 28 member states. 

5. IT implementation timeframes

Many airlines have also complained about the unrealistic timeframes for compliance with the regulation. Consider the enormous complexity of these projects, with airlines which fly from anywhere in the world into the EU having to securely send sensitive passenger data to 28 different PIUs in different formats. Making this happen in just a couple of years is a huge project.

6. IT costs

Airlines have also complained about the costs involved in implementing PNR programmes. Besides the actual implementation, they must also cover continuous data transmission costs and maintenance.

Compliance is not optional

Despite these challenges, airlines are keenly aware of the need to comply with the regulation. There could be heavy fines for non-compliance, and Poland has already begun penalising airlines who have fallen foul of the law. There is an even bigger risk too – airlines that don’t comply may be completely barred from flying to destination countries.

So what should airlines do? Going it alone can be costly and confusing, so it’s definitely worth working with PNR project experts who will be able to manage IT projects, negotiate implementation plans and obtain exemptions to regulation for some types of carriers, such as charter flights. Airlines can of course also seek advice about PNR strategy from airline associations.

It’s also worth looking to the market for off-the-shelf IT solutions that can help. Conztanz’s EU PNR gateway, for instance, is currently being used by various airlines and the state of Luxembourg for its PNR data collection. While the PNR directive is problematic in practice, it could help law enforcement detect and prevent crime and terrorism. And there are now a growing number of options that make it easier for airlines and member states to comply too.