The term Passenger Name Records, or ‘passenger data’ appears periodically in the media, not infrequently to scare people about their data being collected. Although this article will only deal with issues relating to air passenger data, there are also cases of data being collected and transferred on passengers using other means of public transport – for example, trains[1] .
1. What is PNR
In the Polish legal system, the issue of PNR is covered by the Act of 9 May 2018 on the Processing of Passenger Name Record Data[2] (hereinafter the “PNR Act”). Pursuant to Article 2(1) of the PNR Act, PNR data are data relating to a passenger’s flight, including personal data, which are processed in connection with the conduct of business by air carriers for the purpose of booking or carrying out a flight in the context of air carriage, subject to transmission by the air carrier to the PIE, i.e. the National Unit for I nformation on Passengers.
What data are collected? Article 4 of the PNR Act sets out the full catalogue of data that must be collected and then transmitted by the air carrier organising the PNR flight to the PIE. These include:
1) PNR identification code;
2) the date on which the PNR flight was booked or ticketed;
3) date of intended flight;
4) name of passenger;
5) address, telephone number and e-mail address of the passenger;
6) ticket payment information, including payment card number, cash payment information, information found on the invoice or other proof of payment for the ticket and information contained in the transfer order: bank account numbers of the sender and the recipient, the names of the sender and the recipient, the amount and the currency of the transfer, the date and time of the transfer and its title;
7) the passenger’s route;
8) information on loyalty programmes;
9) name, telephone number, e-mail address and address of the travel agency or travel agency;
10) data on the passenger’s travel status including:
- confirmations of booking stages,
- state of check-in,
- information on whether the passenger appeared in person at that check-in counter or purchased a ticket at the check-in counter without prior reservation;
11) information on:
- split PNR data, including rebooking information for more than one person as regards the indication of a new flight direction for at least one of them, or
- split PNR, including information on the change of a reservation made for more than one person as regards the indication of a new flight direction for all the persons concerned;
12) information concerning a minor travelling unaccompanied in an aircraft, including:
- the minor’s name, gender, age and languages spoken,
- the name of the minor’s guardian at the time of the launch, his/her address, telephone number, e-mail address, type and number of identity document and the nature of the bond between him/her and the minor,
- the name of the minor’s guardian at the time of landing, his/her address, telephone number, e-mail address, type and number of identity document and the nature of the relationship between him/her and the minor,
- the name of the air carrier representative present on departure and arrival;
13) ticket number, date of issue and whether issued one-way, and information on the automatically calculated fare used to determine the ticket price;
14) the aircraft seat number and other information concerning that seat;
15) information on joint call handling;
16) information on the number, type and weight of baggage;
17) the number and names of other passengers as listed in the PNR for the reservation made;
18) information concerning the passenger’s flight, provided by the air carrier prior to travel, including:
- type, number, country of issue and expiry date of the identity document,
- citizenship,
- name,
- gender,
- date of birth,
- name of airline, PNR flight number and date and time of take-off and landing of the aircraft,
- name of the airport at which take-off and landing have taken place
– hereinafter referred to as ‘API data’;
19) changes to the PNR data contained in the categories referred to in points 1 to 18.
An air carrier that organises a PNR flight, i.e. a flight that crosses a national border and takes off or lands on the territory of the Republic of Poland, shall transmit PNR data concerning the passengers of that flight to the PIE from among the categories of PNR data it collects in the course of its activities for the purpose of booking or carrying out air transport. No fee may be charged to state authorities for the collection and transfer of data. The PNR Act also sets deadlines for the transfer of data – this is between 48 and 24 hours before the scheduled start of the PNR flight and immediately after the completion of check-in and boarding of passengers, when they can no longer leave the aircraft before take-off and other passengers cannot board. However, in the event of an imminent and actual threat of crime or offence, the competent authority authorised to process PNR data may request the PIE to transmit PNR data from the air carrier within timescales other than those set out above. The competent authority may make the request orally and then promptly confirm it in writing in paper or electronic form.
2. Who receives the PNR
As already indicated above, the authority that receives PNR data is the PIE, or Passenger Information Unit. In Poland, the function of the PIE is performed by an organisational unit of the Border Guard created by the Commander-in-Chief of the Border Guard.
In addition to the PIE, competent authorities, a closed catalogue of which is set out in Article 36 of the PNR Act, are entitled to receive PNR data upon request:
1) General Inspector of Financial Information;
2) Chief of Police;
3) Commander-in-Chief of the Border Guard;
4) Commander-in-Chief of the Military Police;
4a) Commander of the State Protection Service;
5) National Prosecutor;
6) Head of the Internal Security Agency;
7) Head of the Intelligence Agency;
8) Head of the Central Anti-Corruption Bureau;
9) Head of the National Fiscal Administration;
10) Head of the Military Counterintelligence Service;
11) Head of the Military Intelligence Service.
3. What are the uses of PNR – Purposes of processing
The PNR Act clearly defines for what purpose PNR data may be used, with the aim of preventing possible breaches. It is worth emphasising that so-called ‘sensitive data’, i.e. data revealing a person’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status, sexual life or sexual orientation, may not be collected in the context of PNR.
So what is the purpose of the processing? It is to prevent, detect, combat and prosecute the perpetrators of the following categories of crime:
1) offences of a terrorist nature;
2) criminal or fiscal offences :
- participation in an organised group or association with the aim of committing offences or fiscal offences,
- human trafficking,
- against sexual freedom or morality to the detriment of a minor,
- the illicit manufacture, processing, smuggling or trafficking of narcotic drugs, precursors, substitutes or psychotropic substances,
- illicit trafficking in arms, ammunition or explosives,
- bribery and paid patronage,
- fraud, including fraud against the financial interests of the European Union,
- introducing into financial transactions property of illegal or undisclosed origin, counterfeiting and dealing in counterfeit money or other means of payment,
- against the protection of data collected, stored, processed or transmitted in a computer system,
- against the environment, including illegal trade in endangered animal and plant species,
- to assist in the illegal crossing of a State border or stay,
- murder, causing grievous bodily harm,
- illegal trade in human organs and tissues,
- unlawful deprivation of liberty of a person, abduction of a person for ransom, taking or holding of a hostage,
- robbery by means of a firearm or threat thereof, extortion by means of a firearm or threat thereof,
- illicit trafficking in cultural goods,
- counterfeiting and trade in counterfeit products,
- forgery and the circulation of forged documents,
- illicit traffic in hormones or similar substances,
- illegal trade in radioactive materials,
- rape,
- falling within the jurisdiction of the International Criminal Court,
- hijacking of a ship or aircraft,
- sabotage,
- circulation of stolen motor vehicles,
- industrial espionage
– of which the upper limit of the statutory threat is at least 3 years’ imprisonment.
With the establishment of the PNR system, national law enforcement authorities in the Schengen States have their duties facilitated by allowing the earlier identification of persons not previously suspected of having links to crime or terrorism, before a detailed analysis of the data reveals that they have such links[3] . As part of law enforcement activities, PRN data can be used to assess passengers prior to arrival or departure, to develop flight risk criteria for suspected criminals, and in the course of pre-trial or court proceedings against them.
4. Deletion of data
In order to further limit possible breaches of personal data, the storage of PNR data has been subject to appropriate limitations[4] . PIEs are not allowed to store data indefinitely; after five years they must be permanently deleted. Permanent erasure is understood to be an operation on the data that involves an action that makes it impossible to recover the data from computer memory or the cloud.
In addition to the obligation to delete PNR data, PIEs are also required to anonymise the data six months after receipt, which means that the following information will become invisible to data processors:
1) the name(s) of the passenger as well as the number and names of other passengers listed in the PNR for the reservation made;
2) address, telephone number and e-mail address of the passenger;
3) payment information including payment card number, cash payment information, information on the invoice or other proof of payment for the ticket and the following information contained in the transfer order: bank account numbers of the sender and the recipient, the sender’s and the recipient’s names and surnames, the amount and the currency of the transfer, the date and time of the transfer and its title;
4) information on loyalty programmes;
5) information concerning a minor travelling unaccompanied in an aircraft, including:
- name(s), sex, age, languages spoken by the minor,
- the name(s) of the minor’s guardian at the time of the launch, his/her address, telephone number, e-mail address, type and number of identity document and the nature of the bond between him/her and the minor,
- the name(s) of the minor’s guardian at the time of the landing of that craft, his/her address, telephone number, e-mail address, type and number of identity document and the nature of the bond between him/her and the minor,
- the name(s) of the air carrier’s representative present on departure and arrival;
- API data.
Disclosure of PNR data that has been anonymised is possible only after obtaining the consent of the court conducting the proceedings, the prosecutor conducting or supervising the pre-trial proceedings, the district prosecutor – in the case of operational and recognition activities. At the same time, the use of PNR data after anonymisation is limited only to situations in which it is necessary for the purpose of detecting and combating, preventing and prosecuting terrorist offences and other crimes or fiscal offences, as well as entities competent in these matters.
5. Non-transmission of PNR data
As indicated, the transfer of PNR data is an obligation for air carriers organising PNR flights. But what if this obligation is not fulfilled? The PNR Act, in Chapter 8, contains a number of provisions on administrative fines that may be imposed on carriers. According to section 64 of the PNR Act, an air carrier that:
- fails to transmit PNR data to the PIE in a timely manner shall be subject to an administrative fine of PLN 20,000,
- shall not transfer to the PIE all elements of the PNR data categories referred to in Article 10(1)(4) which he was obliged to transfer pursuant to Article 5(1), collected for the purpose of making a reservation or performing a PNR flight, and which he was obliged to transfer pursuant to Article 5(1), shall be subject to an administrative fine of PLN 12 000
– for each PNR flight in which such a breach occurred.
Additional penalties are imposed on air carriers that do not comply with the specified PNR data formats, the method of transmission by electronic means – in the amount of PLN 16,000 per PNR flight.
Any administrative penalty as defined above may be reduced by the administration if the infringement has been remedied by the carrier within the time limit specified in section 65 of the PNR Act.
Administrative penalties shall not be imposed on a carrier which has failed to fulfil its statutory obligations as a result of force majeure, failure of the PRN CIS , i.e. the IT system in which the PIE processes PNR data or the results of their processing, or failure on the part of the air carrier through no fault of the air carrier, provided that the PIE is informed of the failure before the deadline for the transfer of PNR data.
6. PNR and API
PNR data is not the only air passenger data that is collected and transferred. In accordance with Article 4(18) (as discussed above in section 1 of this article), API data is also collected as part of PRN data.
API data differ from PNR data both in terms of their scope (API data have a narrower scope), the purpose of the processing, the legal basis, and the basis set out in international law.
The PNR Act was introduced into the Polish legal system through the transposition of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of Passenger Name Record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime[5] . The basis for the collection and processing of API data is Articles 202a, 202b, 202c and 202d of the Act of 3 July 2002. – Aviation Law[6] , while at international level these provisions are set out in Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data[7] , as well as Annex 9 to the Convention on International Civil Aviation[8] .
The purpose of the processing is also different – according to the PNR Act, the purpose of processing PNR data is to prevent, detect, combat and prosecute the perpetrators of the following categories of terrorist offences and certain criminal offences or fiscal offences, while the purpose of Council Directive 2004/82/EC is to combat illegal immigration and improve border controls through the advance transmission of passenger data by carriers to the competent national authorities.
7. Summary
The collection and processing of air passenger data is a valuable tool that can actually translate into an increased level of security on the territory of EU Member States. At the same time, through the use of restrictions to define the purposes of the processing and obligations to anonymise and erase data – the possibility of processing violations is reduced.
M.O.
[1] Cf. Information on the Ombudsman’s intervention on the collection of data on train passengers going to a protest: https://bip.brpo.gov.pl/pl/content/rpo-interweniuje-w-pkp-intercity-w-sprawie-zbierania-danych-o-pasazerach-protest-przedsiebiorcow (accessed 14.10.2023).
[2] i.e. Dz. U. of 2022, item 1441
[3] https://www.consilium.europa.eu/pl/policies/fight-against-terrorism/passenger-name-record/
[4] Sections 32-33 of the PNR Act
[5] OJ. EU. L. 2016. No. 119, p. 132
[6] i.e. Dz. U. of 2023, item 2110
[7] OJ. EU. L. of 2004. No. 261, p. 24
[8] Published in the Official Journal of the President of the Civil Aviation Authority: https://ulc.gov.pl/_download/prawo/prawo_miedzynarodowe/konwencje/Za%C5%82._9_ICAO.pdf.
