API-PNR: an overview of the French system and the challenges faced
By Christophe Hypolite, PNR Mission, France
The European context
European Union (EU) Directive 2016/681 on the use of Passenger Name Record (PNR) data was adopted on 27 April 2016. It requires EU Member States to collect and use both PNR data and Advance Passenger Information (API) “for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.” The Member States have two years to transpose the Directive into their national law, by which time it must be ready for implementation.
The Directive stipulates that a Passenger Information Unit (PIU) responsible for collecting, storing and processing data should be set up in each Member State. According to the text, any hits or positive results must be sent by the PIU to the operational units referred to as “competent authorities.” In addition, the Directive also covers data exchange between PIUs and with EUROPOL, as well as with third countries on a case by case basis.
Moreover, the Directive also stipulates that implementing acts should be drafted and adopted in order to ensure that the International Civil Aviation Organization (ICAO) Guidelines are followed when it comes to the format of the data and the protocols applicable to the transfer of data from the aviation sector.
API data is produced during check-in, and includes all passport or identity card data necessary to identify the passenger or crew member, as well as general information on the flight.
PNR data refers to the records held by airlines for each flight booked by a passenger, and is used by the airline for its own operational purposes. This data makes it possible for all parties in the aviation sector (including travel agencies, air carriers and airport handling agents) to identify each passenger, and to access all information about his/her trip, return flights, any connections, and any special assistance requested on board.
API-PNR France project
Without waiting for the Directive to be adopted, France established a set of national legal measures authorizing the collection, storage and processing of API-PNR data on air passengers and crew. The system was established by the law of 18 December 2013, which created Article L232-7 of the ‘Code de la Sécurité Intérieure’ (internal security code).
Two implementing decrees were adopted in order to get the API-PNR France system up and running: the decree of 26 September 2014, which provides for data processing; and the decree of 22 December 2014, which establishes a PIU. Article L232-7 was then amended, by the law of 28 July 2015, to broaden the scope of data collection to include ‘non-carrier economic operators’ (travel agencies, tour operators) that charter all or part of an aircraft, and by the law of 20 June 2016, to include shipping lines.
France will transpose the Directive into national legislation in 2017 in order to ensure that its national provisions on PNR are fully in line with EU legislation: for example, a data protection officer (DPO) must be appointed at the PIU; and the amount of time that data can be stored before personal information is masked out will be reduced from two years to six months.
The 26 September 2014 decree provides for the collection of data on air passengers and crew on all flights into and out of France, except domestic flights, as of 1 January 2015. The data collection process has been introduced gradually, starting with the four airlines (Air France, Delta Airlines, Etihad Airways and ASL Airlines France) that helped develop the API-PNR France programme, and later expanding to include other airlines from 1 January 2016.
To begin with, only flights to and from countries outside of the EU will be covered (around 55 million passengers per year out of a total of 110 million). Just over 40 airlines are connected to the system as France enters 2017, covering around 70% of all non-EU passengers. In the future, all 250 airlines operating international flights into or out of France (including intra-EU and French overseas territories) will send data on the passengers they are carrying.
The API-PNR system will have a number of search, targeting and sorting functionalities designed to:
- obtain information from the passenger database;
- identify persons representing a risk from pre-tested standard profiles;
- compare passenger data collected with data from national, EU or international databases concerning people who are known or wanted, and stolen or lost documents;
- put one or more people or targets under surveillance for a given period.
For French Customs, analysis of the data makes it possible to identify, rapidly and on a large scale, sensitive or illogical routes, return flights at unduly close intervals in light of the weight of a passenger’s luggage, unusual forms of payment, suspect travel agencies, etc., or a combination of these different criteria.
The API-PNR France project entered a test phase in June 2016: the list of operational units now designated as ‘competent authorities’ was established; and a plan was devised for phasing in the new information technology (IT) system within these units. This is currently being rolled out across all Customs units based at main international airports in France. The system is also becoming increasingly powerful as more and more airlines connect to it.
The French PIU is based near Roissy Charles de Gaulle airport, and is made up of staff from four partner administrations (Interior, Defence, Transport and Customs). It is now up and running, and is open from 07.00 until 19.30, from Monday to Friday. It should be open on weekends and public holidays by May 2017. By the end of 2017, the PIU will be staffed by more than 70 people, ensuring a 24/7 service.
A training plan for staff from the PIU and ‘competent authorities’ has been put in place, and over 100 people have already received training. The training strategy focuses on training trainers so as to increase each unit’s training capacities. The PIU has also been supporting users throughout the current test phase.
The main purposes of processing data are the prevention and detection of acts of terrorism, the offences referred to in Article 695-23 of the Code of Criminal Procedure – participation in a criminal organization, trafficking in human beings, illicit trafficking in arms or drugs, etc. – and acts which violate the fundamental interests of the Nation.
Thanks to the new data collection and analysis system, Customs has brought to light a number of matters linked to attacks on EU financial interests and money laundering, and has also made a number of seizures of cigarettes and tobacco. For the police, positive screening results have led to cases being handed over to the criminal prosecution authorities as well as to the detention of a number of ‘flagged’ individuals. Intelligence services too reported having identified several individuals whose movements were being monitored.
Over and above the results already mentioned, the system has proven its worth to intelligence services in detecting ‘weak signals’ (the term used in the prevention of terrorism to refer to the faint/limited signals given out by an individual that presents a risk), has been of use in investigations and handling evidence, and simplifies investigative procedures (PNR data can be attached to reports and it is no longer necessary to issue a warrant in order to gain access to airline data).
Protecting personal data
Given that, by its very nature, such a system involves giving access to huge amounts of personal data, any PNR system must be used on the basis of a principle of proportionality, meaning that any use of personal data must be commensurate with the specific security objectives set out by law in accordance with personal freedom requirements and personal data protection guarantees.
The French Administration presented its guarantees before the national data protection authority, and was met with approval. The French Administration has undertaken to:
- secure data collection;
- limit its collection of PNR data to the 19 authorized categories;
- limit the storage of data to five years, and mask out data revealing an individual’s identity after two years (to be reduced to six months after the Directive has been transposed);
- set up an automatic data filter to remove and destroy any sensitive data;
- give the ‘competent authorities’ access to the data once it has been checked, and set up a system to track any communication;
- stick to the list of authorized units (and related functions) set down in the December 2014 decree;
- guarantee passengers’ rights to information;
- undergo audits and receive visits from the national data protection authority, and draft a report on the test phase by the end of 2017.
Furthermore, once the EU Directive is transposed into national law, a DPO will be appointed at the French PIU. The DPO will have access to all the data processed by the PIU, and if the officer feels that this is not being done in line with the law, then he/she is responsible for reporting non-compliance to the national data protection authority. Passengers can also contact the DPO, who acts as a single contact point within the PIU for any data protection issues. The DPO will also be informed of any PNR data shared with a third country.
The issue of data quality
From the very beginning of the project, the choice was made to use the complementarity of API and PNR data (i.e. to marry the API data, which is limited in quality, with the PNR data, which is declarative and not verified, but potentially richer in information), and to respect international standards and examples of best practice.
For data produced by departure control systems (API data), a standard computer message (called the PAXLST) was developed to transmit information related to the identity of passengers, usually during the scanning of the machine readable zone (MRZ) of travel documents. The message, which has been used in the airline industry for many years, is quite short and can be sent easily via the carriers’ traditional communication networks.
As for the collection and processing of booking information (PNR data), an internationally standardized message format (called the PNRGOV) allows this data to be sent to governments. Since 2013, France has been participating in the work to develop the PNRGOV standard, led by the WCO, ICAO and the International Air Transport Association (IATA).
While the PNRGOV message structure is now well-established, the standard leaves some room for manoeuvre for those in the aviation sector: the private sector and governments are still in the learning stages. The French API-PNR system, therefore, had to be made more flexible in order to make it possible to accept certain messages.
It should also be noted that PNR data is commercial data which is collected primarily by the industry for the industry. Consequently, only data collected for commercial purposes will be transmitted as stipulated in ICAO document 9944. This explains why the quantity, type and quality of PNR data varies considerably from one airline to the next, and from one passenger to the next.
Yet, ensuring the quality of the data is, of course, essential: the IT data processing system must include all data received in order to (a) filter out any sensitive data, and (b) ensure that risk analysis results are as reliable as possible, thereby enabling unnecessary inspections to be avoided.
This issue was raised by France before the spring 2016 meeting of the PNRGOV Working Group, which brought together government and private sector representatives. The governments represented at the meeting identified the priority issues as being the lack of compliance with industry documentation, and the poor quality of third-party data (from traders, other airlines operating the same flight, etc.). A working group facilitated by the United Kingdom was set up in order to address these issues and come up with medium-term solutions.
Support and capacity building
France advises States that are looking to set up their own API-PNR programme to take part in the discussions of the PNRGOV Working Group, which are held twice a year in spring and autumn, as well as in those held at the WCO during the API-PNR Contact Committee, which meets in autumn.
Two WCO-supported initiatives that came out of the meeting are worth noting: the creation of Guidelines on how to use API-PNR data; and, more recently, the draft Guidance on how to build API-PNR systems.