EU directive 2016/681, which came into effect on 25 May 2018, was designed in response to calls for better information sharing between national police forces and crime-fighting agencies to help prevent serious crime and terrorism. Before the directive was introduced, EU countries were, at best, patchy when it came to detecting terrorists and criminals entering their territory from outside the EU or even from other countries within the bloc.

A crucial part of this information sharing requires airlines to send passenger name records (PNR) to Passenger Information Units (PIU) in the country they are flying to – these are monitored by the authorities to check for suspicious travellers. In theory, this is a smart idea. The trouble is, making it happen in reality has been a serious challenge for both airlines and security forces.

Today, all EU countries have begun the PIU implementation.

What the PNR directive requires

On a practical level, the directive should work as follows : all airlines generate a PNR whenever a customer books a flight ticket. For any airline ticket booked, the airline is expected to send an electronically defined set of data, called PNR data, to the PIU of the destination country. All PNR information is sent on a per flight basis, in batches, on three separate occasions – 48 hours before departure, 24hours before departure, at the time of departure after the gate has been closed.

API-PNR data transmission requirements

Even before the EU directive was introduced, some countries had begun developing such systems; and, after the 9/11 attacks in the USA, American authorities demanded that airlines share their PNRs with the police. Nevertheless, the 2016/681 directive is by far the largest and most comprehensive such undertaking. In fact, the USA, Canada, Australia and in the future Mexico, have agreed to work with the EU on this project.