Passenger data collection regulation : what says the EU PNR directive ?

EU directive 2016/681, which came into effect on 25 May 2018, was designed in response to calls for better information sharing between national police forces and crime-fighting agencies to help prevent serious crime and terrorism. Before the directive was introduced, EU countries were, at best, patchy when it came to detecting terrorists and criminals entering their territory from outside the EU or even from other countries within the bloc.

A crucial part of this information sharing requires airlines to send passenger name records (PNR) to Passenger Information Units (PIU) in the country they are flying to – these are monitored by the authorities to check for suspicious travellers. In theory, this is a smart idea. The trouble is, making it happen in reality has been a serious challenge for both airlines and security forces.

Today, all EU countries have begun the PIU implementation.

What the PNR directive requires

On a practical level, the directive work as follows : for any passenger booked, the airline is expected to send electronically a defined set of data, called PNR data, to the PIU of the origin and destination countries. All PNR information is sent on a per flight basis, in batches, on three separate occasions – 48 hours before departure, 24hours before departure, at the time of departure after the gate has been closed. The format of messages sent depends of the state requirement but is usually expected as shown on the illustration below : PNRGOV for the first two messages and PAXLST for the last message H0.