ALMOST a year ago, on 4 May 2016, Directive (EU) 2016/681 of 27 April 2016 was published in the Official Gazette of the European Union (here below referred to as the “Directive”), which contained provisions on the use of passenger name record (PNR) data for purposes of prevention, verification, investigation and criminal prosecution of crimes of terrorism and other serious crimes.
The data recorded in the PNR (Passenger Name Record) is the information provided by passengers and collected by airlines during the booking of flights and check-in procedures, such as: trip data, itineraries, information associated with the ticket, address and particulars, information associated with the method of payment. The scope of application is for “extra-E.U.” flights and for scheduled and unscheduled air services operated by an aerial carrier coming from a third country to land in the territory of a member state or departing from a member state to land in a third country, including in both cases flights with layovers in the territory of member states or third countries (see art. 3 no. 2 of the Directive).
Moreover, the Directive leaves open the possibility that each member state can apply it to “intra-E.U.” flights, as well (in general considered to be those so-called selected “intra- E.U.” flights, as described in art. 2 no. 3 of the Directive), and to scheduled or unscheduled air services operated by an aerial carrier coming from the territory of a member state and to land in the territory of one or more other member states, without any layover in the territory of a third country (see art. 3 no. 3 of the Directive). However, this extension to include “intra-E.U.” (or selected “intra-E.U.”) flights can come only by notification to the European Commission in writing, such notification being modifiable or revocable at any time.
The airlines collect and already process the data present in the PNRs for their passengers for the execution of the transportation contract. The Directive states that the PNR data collected in this manner could additionally be processed only for the prevention, verification, investigation and criminal prosecution of crimes of terrorism and other serious crimes; therefore each member state must designate its own “Passenger Information Units” (PIUs) to collect the PNR data transferred by the airlines.
The Directive, furthermore, aims to regulate the transfer of said data from the airlines to the member states, as well as from the competent authorities, without requiring the airlines to provide supplementary data, nor requiring passengers to provide more data than what they have already provided.
This data must be retained for a period of five years, but six months after their transfer to the PIU, they will be rendered anonymous through the masking of some items, such as name, address and contact information, therefore data that could serve to directly identify the passenger.
The PIU will be responsible for the collection, retention and processing of the PNR data, as well as transferring them to the competent authorities and exchanging them with Passenger
Information Units in other member states and with Europol. The PIU must also appoint a chief of data protection who is responsible for monitoring the processing of PNR data and applying the pertinent guarantees; access to the entire series of PNR data, which allows the direct identification of the passenger, should be granted only under very strict and limited conditions after the initial period of retention; all processing of PNR data must be recorded and documented; the member states must forbid processing of PNR data that reveals the racial or ethnic origin, political opinions, religion or philosophical convictions, union membership, state of health, life or sexual orientation of the person concerned.
E.U. countries can furthermore decide to proceed with the collection and processing of PNR data from economic operators other than airlines, such as travel agencies and tour operators, which provide flight booking services in the same manner. Once published in the Official Gazette of the E.U., the member states have a period of two years to recognise the Directive in their national legislation, in other words, by 25 May 2018.
Concerning the recognition of the Directive, on 3 March 2017, the Council of Ministers, on the proposal of Paolo Gentiloni, approved a draft law that authorises the government to recognise the European Directives and execute the other acts of the European Union (“European Delegation Law of 2016”), including the Directive itself. The text of this draft law, before its definitive approval by the Council of Ministers, will be transmitted to the Permanent Conference for Relations between the State, the Regions and the Autonomous Provinces of Trento and Bolzano, convoked in the European session, for the issuance of its required opinion.
Moreover, the provisions of the Directive were already anticipated at the national level with the approval of the automatic system for the collection of passenger lists, known as the Border Control System Italia (B.C.S.); this complies with what is set forth by D.Lgs no. 144/2007 (implemented by Directive EC no. 2004/82), as well as the provision in D.M. no. 302/2010.
In particular, the previously mentioned D.Lgs no. 144/2007 introduced the requirement for airlines to communicate the data associated with persons travelling into the Schengen area from third countries considered “at risk” and indicated in a special list, the airlines being required to arrange for all the measures and technical computer procedures in preparation for the subsequent transmission of the data, according to what is set forth in the regulation cited above. However, even before being recognised, the Directive has received harsh criticism from particularly authoritative sources. In fact, Giovanni Buttarelli, in his capacity as the European Data Protection Supervisor, emphasised the risks to the privacy of millions of passengers who are European citizens (and others) with the indiscriminate application of the rules contained in the Directive itself. Not even after the most recent terrorist attacks, the Data Protection Supervisor insisted, would there be reason and proof to justify the creation of a database that is unprecedented in Europe given that the application of the Directive would imply indiscriminate collection of data on all the passenger traffic coming into or out of airports located in the territory of the member states.
Maurizio Corain & Caterina Papalia