Faculty of law blogs / UNIVERSITY OF OXFORD

Connecting the Dots? PNR and Air Passenger Surveillance in Europe



Time to read

6 Minutes

Guest post by Rocco Bellanova. Rocco is a Post-Doctoral researcher at the University of Amsterdam (UvA) in the framework of the ERC project FOLLOW: Following the Money From Transaction to Trial, led by Prof. Marieke de Goede. His research focuses on European data-driven security practices and the role played by data protection in their governance. His work sits at the intersection of politics, law and science & technology studies. He has co-edited the book Surveillance, Privacy and Security: Citizens’ Perspectives (Routledge, 2017). This is the third post of Border Criminologies’ themed series ‘Migrant Digitalities and the Politics of Dispersal’, organised by Glenda Garelli and Martina Tazzioli.

Air passenger surveillance works more or less like this. You book a flight. This transaction generates a Passenger Name Record (PNR). Air carriers use this data-set to manage their operations and optimize their business. No matter whether you are a potential threat or not, your data are transferred to a governmental agency. They are run against existing databases or risk profiles. Your PNR may raise a flag, and if you are identified as a suspect you undergo secondary controls. You may be denied boarding or arrested. Most probably nothing happens to you, and you are barely aware of this pre-screening procedure. Meanwhile, all the personal data on the PNR are stored, then anonymized and - several years later - erased. Once in the governmental database, PNR feed advanced algorithmic systems. Acting as yeast, they contribute to refining risk assessment criteria. There is little if any direct intervention by security and border agencies, nor any obligation for passengers to act in a certain way. Rather, a gentle steering of human mobility, achieved through a carefully organized circulation of digital data.

The PNR Directive

By May 25, 2018, the PNR Directive should be implemented across the European Union (EU). It requires all air carriers to transfer to national law enforcement authorities the passenger name records (PNR) of travelers flying between the EU and a third country. These data-sets include a wide range of information: from the name of the passenger and the method of payment used, to frequent flyer numbers and travel itineraries. The PNR Directive also provides for the creation of the recipient authorities, the Passenger Information Units (PIUs). These units will be responsible for storing, processing and exchanging PNR. In their everyday operations, PIUs will also be in charge of protecting personal data; thus guaranteeing the fundamental rights of travelers.

Still image from Passenger Name Record (PNR), a video made available by IATA as part of their Passenger Data Toolkit

PNR security systems are complex and controversial projects. When it was adopted in April 2016, the PNR Directive seemed to bring closure to more than a decade of political conflicts and institutional recalcitrance. Two years later, its implementation remains partial at best. In the words of the Commission, ‘significant disparities remain between Member States’ in the transposition of the European legislation. The debates about how PNR security systems will integrate and respect fundamental rights are re-emerging. In July 2017, the EU Court of Justice delivered its opinion concerning the proposal for a new PNR agreement between the EU and Canada. The Grand Chamber stated that the proposed text of the agreement is ‘incompatible’ with the EU Charter. Among other things, the Court questions the necessity and proportionality of storing and automatically processing PNR after travelers have been cleared for entry at the border. Following from the Court’s opinion, the Article 29 Working Party argues that the Commission should propose a substantial revision of the PNR Directive rules concerning data retention.

Human mobility and data circulation

The PNR Directive introduces a quite unique system for controlling human mobility. According to the European Data Protection Supervisor, this is ‘the first large-scale and indiscriminate collection of personal data in the history of the Union’, and it may affect ‘millions of non-suspect passengers.’ Indeed, PIUs will continuously receive vast amounts of travelers’ data initially collected for a commercial reason. Then, they will analyze this information for a different purpose, i.e. counter-terrorism and organized crime prevention. While the PNR Directive is not, legally speaking, a form of border or immigration controls, some national authorities are bound to use PNR for these purposes. When the ‘security’ processing of a given PNR raises a flag, the PIU analyst will decide whether to suggest frontline officers to carry out secondary controls or not.

It is not surprising that air passenger surveillance has raised manifold legal and political concerns. From a data protection perspective, massive retention and further processing of data are in principle problematic. Still, several European institutions have heralded the PNR Directive as the way forward to reconcile security and fundamental rights. The PNR Directive organizes part of the data circulation through data protection principles such as the erasure of sensitive data, progressive data anonymization and the introduction of oversight mechanisms.

The PNR Directive invites us to widen the academic conversation about the mobility/security nexus. Critical approaches to security have already engaged with (European) data-driven measures, and discussed at length the political effects of creating a social order based on pre-emption. Surveillance Studies scholars have unraveled the politics of social sorting underpinning many of these technological systems highlighting the potential for discrimination and the shift towards a regime where people’s movements are constrained in advance or at a distance.

Digitalization and algorithms produce and require the organization of another mobility—that of data. This is particularly evident in the case of PNR. For instance, the creation of an automated system for transferring data from reservation systems to national authorities required the development of an ad hoc messaging standard. The format now endorsed by several countries and companies, PNRGOV, has been developed by a private-public working group led by the International Air Transport Association (IATA). So far, critical literature has paid less attention to these efforts of disciplining data circulation.

Still image from Passenger Name Record (PNR), a video made available by IATA as part of their Passenger Data Toolkit

Big data security in practice

The ambition to surveil air passengers through their PNR is an instance of big data security. Big data can be understood as a knowledge practice resting on the belief that we can know more about the world we inhabit if we let the data speak. The introduction of big data security has already attracted scholarly attention, inviting us to retrace its development as historically situated and fairly complex socio-technical assemblages. To let data speak requires the technical ability to handle data from various sources, the adequate computing infrastructure to process them and the expertise to make sense of them. Furthermore, data protection legislation obliges authorities to clarify and justify for what purposes they process data. In other words, data protection requires to decide about what data are expected to speak.

Big data security seems to address the often-invoked need of connecting the dots. Suspect profiles would eventually emerge out of data points parsed across (too) many databases. This form of knowledge production tends to be at odds with criminal justice rationales and the principles of due process. Surely, PNR data can and will be accessed and processed upon demand of judicial authorities. But the PNR Directive conceptualizes other uses of data for law enforcement. The meaning of a given data-set may become evident only at a later stage, when new patterns or relations emerge, or when further information is included in the system. From this “epistemic” perspective, no complete deletion of PNR should be hurried. Besides, data are essential to the training of the machines and the analysts tasked with recognizing and connecting the dots.

The implementation of the PNR Directive highlights the challenges of big data security in practice. Despite political momentum and consequent funding, the set-up of the EU PNR scheme remains slow. Some countries have already established PIUs, but many still lack the legislation needed to start the processing operations. Other member states are lagging further behind. Overall, the Commission notes that the system to exchange PNR among PIUs and forward them to Europol is still not in place. This slow process is surprising when compared to the discourse of urgency accompanying the political negotiation of many large-scale IT systems. Yet, it reminds us that the control of human mobility increasingly presupposes the capacity to muster data (infrastructure), data analytics and appropriate legal tools. The dilemmas faced at this stage and the choices made during implementation are not only of technical or juridical nature, but ultimately of political salience.

Beyond Europe

The surveillance of air passengers is becoming a global security practice. A few countries have already developed comprehensive security systems that rely on the processing of PNR, notably the United States, Canada, Australia and the UK. In December 2017, the United Nations Security Council adopted Resolution 2396, in which it ‘[d]ecides that Member States shall develop the capability to collect, process and analyse […] passenger name record (PNR) data and to ensure PNR data is used by and shared with all their competent national authorities […] detecting and investigating terrorist offenses and related travel.’ From this viewpoint, the on-going implementation of the PNR Directive may have effects at a global scale. In particular, two facets of this process deserve attention. How will the protection of fundamental rights be translated into the everyday processing and retention of PNR? And, how will the knowledge practices of big data security be reconciled within criminal justice systems?

Any comments about this post? Get in touch with us! Send us an email, or post a comment here or on Facebook. You can also tweet us.


How to cite this blog post (Harvard style) 

Bellanova, R. (2018) Connecting the Dots? PNR and Air Passenger Surveillance in Europe. Available at: https://www.law.ox.ac.uk/research-subject-groups/centre-criminology/centreborder-criminologies/blog/2018/05/connecting-dots (Accessed [date]).

With the support of