On 21 June 2022, the European Court of Justice ruled that Passenger Information Units’ (PIUs) use of PNR data must be restricted. This will have far-reaching implications for how carriers send PNR data, and how PIUs process it.

Key takeaways:

  • PIUs will need to restrict how much PNR data they collect and how long they store it for
  • This will require a major change in processes for PIUs and airlines
  • PIUs have made major investments of time and money to comply with the original 2016 PNR Directive
  • Learn about a solution that makes complying with this new judgment significantly easier

The European Union’s PNR Directive is a highly sophisticated piece of legislation aimed at tackling transnational crime and terrorism. The Directive allows EU member states to request that airlines send them passenger name records (PNR) to help with the identification of malicious actors crossing borders.

However, since its introduction in 2016, the Directive has come in for criticism from human rights organizations and privacy campaigners. They have long argued that it conflicts with people’s fundamental rights to privacy. It allows law enforcement to gather vast amounts of data on millions of passengers who are traveling perfectly innocently, and potentially to profile certain types of people.

In June 2022, the European Court of Justice (ECJ) published its judgment (C-817/19) on a case brought by the Ligue des droits humains, a Belgian human rights association, who wanted the Directive to be repealed. The ECJ’s judgment seemed to fall somewhere between the two positions – not canceling the PNR Directive entirely, but curtailing PIUs’ current powers.

This judgment will have important implications for both PIUs and airlines, and will significantly affect their processes. Let’s learn more about the judgment, what it means for the sector, and how PIUs can adapt.

Background to the PNR Directive

The EU’s PNR Directive, (EU) 2016/681, regulates the transfer of data between international transport carriers and EU member states. Most airlines collect ‘Passenger Name Records’ when customers book tickets. This information includes their name, passport number, gender, date of birth, and seat number, and potentially other things like dietary requirements, credit card details and home address.

The PNR Directive requires airlines to send this information to the relevant authorities (a Passenger Information Unit, or PIU) in each member state for flights from or to the EU. States also have the option of requesting airlines to send the data for intra-EU travel too and in practice they all do this. The Directive defined what states could and couldn’t do with the data, and set storage limits for holding the information (of five years).

For further detail, read our article on the PNR Directive.

Privacy concerns about PNR data

Privacy campaigners have long been concerned about the potential for overreach with this directive. Concerns include:

  • For some critics, the Directive implies that mass-surveillance is acceptable, with people’s everyday lives subject to observation by the state.
  • Critics also argue that the Directive is overly trusting, assuming that states will only use the data for the fight against crime and terrorism – but there are few checks to ensure they are limiting themselves to this. One particular concern is the use of ‘profiling’, where certain types of people are identified as suspicious based on their travel patterns, even if they’ve done nothing wrong.
  • The use of automated analysis of data by some states means that there is a risk of false positives.

What did the European Court of Justice say about PNR data collection?

In its 2022 judgment on the case, the ECJ made several recommendations about how the PNR Directive needs to be restricted. These include.

  • Clear link to crime or terrorism needed

The ECJ stated that PIUs can only screen PNR data when there is an “objective link” connecting a passenger on an airplane with terrorist activity or serious crime. 

  • Present and foreseeable threats

PIUs can only analyze PNR data when there is a present or foreseeable threat of a terrorist attack. They cannot simply screen all passengers and flights, ‘just in case’. Rather, they must have a specific reason to believe there’s a danger. 

  • Limited screening

State PIUs can monitor for specific travel patterns, airports or routes, but only if this is justified. For example, if they have reason to believe that criminals are using a specific route to transport trafficking victims, then they can monitor all flights on the route. But they can’t monitor all flights everywhere. 

  • Restricted use of automation

Artificial intelligence should not be used to automatically analyze PNR data to identify potentially ‘risky’ travelers without any human input. 

  • Most PNR data must be deleted after six months

At present, the PNR Directive allows PIUs to hold passenger data for up to five years. But the ECJ’s judgment says it should be limited to six months, unless there is a compelling reason to hold it for longer.

A big change for how PIUs manage PNR data

Over the last seven years, PIUs across Europe have made major investments of time and money into building API-PNR data management systems. To comply with the PNR Directive, they have had to connect their systems with numerous airlines from around the world, manage data flows, deploy software, and train staff to use it.

Complying with this judgment presents multiple challenges:

  • It would require carriers to filter the data they send to the PIU, depending on frequently changing criteria. This would add an enormous burden to the work of airlines.
  • The kinds of routes or individuals that each EU member state is focused on are very different. In some countries the focus is terrorism, in others it is trafficking, or sanctioned individuals. Asking airlines to shift the parameters of what they send to each country is extremely challenging.
  • Most PIUs currently only have a message reception system where API PNR data gets sent to. These systems are unable to filter incoming data, which makes it very hard for PIUs to comply with the judgment.

Related: 5 common data quality problems facing PIUs

Streamlane’s API-PNR gateway: an immediate solution

Our gateway technology provides a simple, direct method to comply with the ECJ’s judgment on PNR data. The platform sits at the interface between airlines and PIUs, and filters what data gets sent to each PIU for each flight.

If the PIU has no reason to collect data from a flight, then Streamlane’s gateway filters out PNR data from the message, and deletes it. But if they do need to collect the data, they can quickly change the parameters in the gateway to collect the information they need. Airlines don’t need to change their processes either – they continue sending PNR data as they currently do, and our gateway does the filtering for them.

By using Streamlane’s technology, PIUs can immediately comply with the ECJ’s judgment without requesting any unfeasible changes from the air transport community, while ensuring flexibility for future changes too. Streamlane’s easy-to-use interface means that operators can change the filters in just a few clicks, and achieve compliance in moments.

To learn more about how Streamlane’s API-PNR gateway can help your Passenger Information Unit to receive the right data, read about our solution, or contact us for a demo today.