The European Union’s highest court issued a ruling in June that significantly curtails the use of Passenger Name Record (PNR) data in protecting air travel and border security. PNR is passenger information that airlines must provide to government authorities before each plane flies. The high court’s decision specifically limits how European Union member states examine, archive, and share PNR among themselves, but it will also have a negative impact outside of Europe. PNR opponents in Europe have successfully used the courts to restrict what foreign countries can do with the passenger records of EU citizens. Their efforts are targeting PNR cooperation with the United States, which collects, examines, and archives passenger records in advancing safe air travel and border security.
At stake is not only the U.S.-EU PNR agreement, but well-established procedures for monitoring passenger records to counter terrorism and serious criminal activity that are used by border security officials in most advanced countries. European NGO activists and politicians have resorted to the courts to restrict PNR use for travel security in the name of protecting the data privacy of EU citizens. Given the heft of Europe in international travel, these EU limitations will cause serious setbacks in the established standards for global PNR use.
What PNR Contains and Why It Is Important
When travelers book a flight, they create a PNR reservation code in a computer system, widely used in the airline industry, that contains the passenger’s complete personal identity information, travel dates, contact details, itinerary, seat number, flight meal preferences, baggage, and means of payment, including credit card information. Practically all travelers today who make their own flight arrangements fill out a version of these data sets when they book an online ticket.
Airlines are required by law in Europe, the U.S., and many other countries to transmit PNR to security authorities before takeoff (including in some cases domestic flights). Having this information on incoming travelers available for analysis and screening before they even reach immigration control is a significant security tool. Archiving these records provides a treasure chest of travel history highly valuable in connecting the dots in the fight against terrorist and criminal movement. Currently, border officials around the world systematically collect and examine PNR in this way.
European Court Ruling Limits PNR and Harms Counter-Terrorism Efforts
In a June 21 decision, Europe’s highest court (known as the Court of Justice of the European Union — CJEU) placed significant limitations on the European Union’s PNR law, called a “directive”. The plaintiffs advocated an absolutist position on data privacy, trying to overturn the established concept that individuals traveling on public transport carriers, often across international frontiers, rightly have a lesser privacy expectation than when undertaking other digital activities. Most reasonable observers distinguish the data-privacy expectation in creating a PNR record to undertake air travel from, say, making an online purchase at home.
The CJEU split the difference, but in the process imposed severe limitations on PNR use that cripple its security value. In a long and complicated opinion, the court ruled that the current use of PNR by border-security authorities infringed upon the EU Charter rights to a “private life”, of data privacy and free movement. The CJEU’s decision not to completely strike down the PNR directive, while a step in the right direction, was in fact, in light of the new restrictions the court decreed, only a token recognition of the long-established lesser privacy expectation. Above all, the court failed to appreciate the indispensable role that long-term PNR archiving plays in the fight against international terrorism and serious crime.
The Court Shortsightedly Ends Five-Year Archiving of PNR
In the EU, member states manage PNR through special security offices, often adjuncts of national police or border guards, known as “Passenger Information Units” (PIUs). One overarching aspect of the CJEU’s decision is to restrict PIUs to focusing only on immediate, confirmed threats, curtailing the ability of security authorities to retain records for future analysis.
In the court’s words, PIUs must be limited to combating terrorist offenses and serious crime threats that are shown to be “genuine and present or foreseeable.” Other post-travel evaluation of passenger records, in the court’s narrow view, runs into the activity of “state surveillance” even though such security research is supervised by independent “data protection” ombudsman officers in all PIUs.
Thus, the CJEU ruled that PIUs could not archive PNR for longer than six months, ending the legal authority authorized in most EU member states to retain data for up to five years. Only in cases in which security officials are thwarting or pursuing an actual terrorist or criminal suspect can they hold passenger records for longer time.
Using PNR Is More Than Matching a Name to a Watchlist
In its quest to protect data privacy and thwart state surveillance, the court failed to appreciate that effectively harnessing PNR is much more than simply matching a traveler’s name to a suspect watchlist at the time of travel. Security officials draw on other law enforcement sources and intelligence to identify suspects, and the ability to consult archived passenger records plays an indispensable supporting role in connecting law enforcement dots through reconstructing movement, often uncovering links to unknown networks and co-conspirators years after the original travel.
Reports on successful U.S. counter-terrorist operations, made public years ago, have revealed this crucial function of archived PNR. Sometimes highly significant but unsung contributions come from examining past records to simply confirm that a suspect has not traveled.
Yet, the CJEU was unmoved by such history, even as the court’s written opinion acknowledged the PNR directive was rooted in hard lessons learned from
“the terrorist attacks in the United States in 2001, the aborted terrorist attack in August 2006 aimed at blowing up a number of aircraft on their way from the United Kingdom to the United States, and the attempted terrorist attack on board a flight from Amsterdam to Detroit in December 2009 [that] showed the ability of terrorists to mount attacks, targeting international flights, in any country” and that “most terrorist activities are transnational in character and involve international travel, inter alia to training camps outside the [European Union]”. [See paragraph 155.]
Even with the presence of data protection ombudsmen and other safeguards to ensure that rogue PIU officials do not abuse passenger records, the court invented its own new sense of “proportionality”, and thus imposed new limits on PIU authority to share PNR with law enforcement and intelligence for surveilling persons of concern. Sharing is restricted to active cases of wanted terrorists and criminals.
The Court Curtails PNR Screening of Intra-EU Air Travel
The court also forbade PIUs from routinely screening all intra-EU flights, incredibly deeming such security reviews as unwarranted restrictions on travel within the Schengen zone. PIUs can only screen flights within the EU on routes where officials have previously identified active terrorist or criminal threats. Forbidding routine screening on all intra-EU air travel is another serious setback for member states like France, Germany, and the Netherlands, which are major destination and transit countries for many European flights.
The Court Fears Targeting Models Can Be Discriminatory
Not surprisingly, the court in particular bashed algorithmic models and “artificial technology” employed by some PIUs to automatically identify potentially suspect passengers. The CJEU was understandably concerned that the application of such technologies could unfairly discriminate against some travelers (e.g., Muslims) and that such practices contribute to bringing about many “false positives” that trigger unwarranted scrutiny of innocent passengers. Such practices, however, could have been limited without upending the vital need for long-term data storage and review.
In short, as the court has ruled in adjudicating other PNR matters (as we will see), the CJEU has shortsightedly restricted the use of passenger records to immediate threats that help respond to a match on a watchlist or what is — in American parlance — an emerging probable-cause situation. In the name of extreme data-privacy protection, the CJEU has foolishly turned a blind eye to the role that PNR plays in fostering long-term and strategic assistance to security services in foiling terrorists and serious criminals.
To give the CJEU’s decision better context and understand the havoc it will cause in international border screening, let’s briefly take stock of how PNR became a basic travel-security tool in the United States and Europe, analyze the European political opposition to using passenger records, and examine some options for the U.S. in light of what Brussels is doing.
PNR Is a Vital Tool for U.S. Border-Security Screening
As a post-9/11 security enhancement, Washington began requiring airlines by law to provide PNR and passenger manifests to U.S. Customs and Border Protection (CBP) before their flights landed or departed. CBP established its much-respected “National Targeting Center” in 2001 and the agency became a trailblazer in collecting, retaining, and analyzing PNR.
NTC pioneered how best to harness PNR and airline passenger manifests to screen travelers, making passenger records the vital ingredient of information fed into CBP’s “Automated Targeting System” (ATS) that vets all travelers (and cargo) coming into and departing the country. Today, ATS analytical results are screened against law enforcement and intelligence databases to identify which travelers merit additional scrutiny, making the system a U.S. government touchstone in vetting for terrorists and criminals.
Passenger records are also a basic building block in managing the Electronic System for Travel Authorization (ESTA) that CBP began implementing in 2008. ESTA requires foreign passengers to apply online, before traveling, for an electronic permission to enter the U.S., making possible the Visa Waiver Program (VWP). Airline carriers do not board VWP foreign travelers without confirmation of an ESTA authorization. ESTA has become the bedrock for all visa-free travel into the country with currently some 40 governments enrolled in VWP, enabling millions of foreigners to enter the U.S. each year. Under current U.S. regulations, foreign governments incapable of managing and analyzing PNR cannot qualify for or keep their VWP status.
U.S. Diplomacy Advanced Global PNR Use
Washington also quietly and effectively promoted widespread use of PNR with all our key security allies. The “Five-Eye” allies — U.S., Canada, the UK, Australia, New Zealand — were all pioneering partners in developing and expanding the examination of passenger records to foil terrorists and criminals. Beyond the Five Eyes, the U.S. has advised partner governments in many countries just beginning to develop border screening tools, with CBP offering foreign governments a version of the ATS targeting system, with technical support, to collect and archive PNR data for many years, so as to maximize the value of targeting tools and other algorithms.
U.S. diplomacy also successfully engaged and won support from multilateral organizations like the International Civil Aviation Organization (ICAO) and the International Air Transport Association (IATA) on the crucial role PNR could play in enhancing security in air travel. Even the United Nations Office of Counter-Terrorism (UNOCT), often skeptical of security initiatives sourced back to Washington, joined up in making PNR a crucial screening tool in the global battle against terrorism.
EU Commission Supports PNR Against Terrorism, but Opponents Undermine It
Leaders in the European Commission, the EU’s executive branch in Brussels, also joined up in support of the PNR strategy and welcomed the U.S. experience to help guide EU member states in developing their national capacity to counter terrorist threats. In 2016, in response to vicious terrorist attacks in Europe, the EU approved the PNR directive that required all member states to establish PIUs and compel airlines to provide PNR. Since member states must codify EU directives into their national law, after several years most had managed to put in place effective PIUs backed up with PNR statutes.
Many PIUs closely modeled the NTC, and they often received technical support and advice from CBP officials. PIUs not only collected PNR on all inbound airline travel originating from outside the Schengen zone, but many also screened intra-EU air flights. While operational practices varied considerably, some PIUs developed and applied targeting algorithms. Most also archived passenger records for five years and shared suspect information with national agencies and foreign partners such as the U.S.
At the same time, however, in the name of data-privacy protection, resistance to PNR grew in the European Parliament, with many NGOs and activists specifically targeting this issue. While PNR was not exactly a household word in Europe, it became a cause célèbre for many data-privacy activists. Their opposition was also fueled by a heavy dose of Euro-skepticism vis-à-vis all security measures associated with the U.S. Interestingly, these European activists have not, so far, been able to mobilize many political allies in the United States to join them in their PNR fight.
Brussels Is All About Data Privacy — Not a Good Political Environment for PNR
An extreme data-privacy zeitgeist has dominated Brussels for many years. One huge political outcome of that debate was the enactment of the General Data Protection Regulation (GDPR), the flagship EU regulation that is remaking how, in the digital age, governments and the private sector manage personal data they collect on individuals. Pushing back against widespread digital business practices that hoover up and market such digital information, GDPR proponents say the regulation was designed to give EU citizens control of their personal data — or standing to go to sympathetic courts to sue for such control.
GDPR has brought about major transatlantic bones of contention between Washington and Brussels, overturning the EU-U.S. Privacy Shield Framework as the transatlantic legal mechanism used for the daily transfer of massive amounts of digital personal data from the EU to the United States. PNR is only a small subset of this very large hornet’s nest that involves U.S. digital giants such as Google, Amazon, Apple, and Facebook, but awareness of the larger political climate helps American border-security advocates understand the context of the struggle over passenger records.
Limits on the U.S.-EU PNR Agreement
One result of the data-privacy political fury in Brussels was that the U.S.-EU PNR agreement, first concluded in 2004, was forced through a series of tweaks, refinements, and challenges raised by the Europeans. Chipping away at the CBP model, the Commission insisted that the U.S. government accept limits on how EU citizen passenger records were archived and shared with other security agencies. For the most part, Washington grudgingly accommodated EU demands, most importantly agreeing to a five-year data-retention standard (after a five-year period, records would then be deep archived for 10 more years in a “masked” or “depersonalized” status, making access not routine but still possible).
The CJEU Emasculates the Canada-EU PNR Agreement
The complicated transatlantic diplomatic dance began to get completely out of step after the CJEU ruled in 2017 on the draft Canada-EU PNR agreement, which was closely modeled on the U.S. accord. American officials were floored when they learned the EU high court ordered that Ottawa security authorities must delete all passenger records after EU citizens departed Canadian territory. According to the court, Canadian officials could only retain passenger records that were linked to actual terrorist or criminal suspects. The court also placed unworkable limitations on how Canadian authorities could share the PNR records of EU citizens with other security services.
Since the stunning Canada decision, Commission authorities have walked a tightrope for several years between outspoken critics in the European Parliament, on the one hand, and DHS officials on the other, who insisted the U.S. agreement would not be renegotiated. In dealing with Washington, Commission officials always argued their lawyers did their best to defend PNR before the CJEU, but the court was simply not receptive to the security point of view. American experts, who were never party to any of the litigation, were often skeptical, but in fairness to the Commission it is unlikely that any U.S. arguments would have swayed the CJEU.
In any event, Commission officials, after having lost both the Canada litigation in 2017 and now the June 21 decision, will inevitably contend they must renegotiate the U.S. agreement, which they have already formally conceded is not “in line” with the CJEU Canada decision. EU authorities have long stressed to their U.S. counterparts that a CJEU ruling is the equivalent for them of a U.S. Supreme Court decision that they must respect.
EU Limitations Poised to Challenge the PNR Global Standard
The CJEU decision on June 21 further undermines all international PNR agreements the European Commission has in place or was negotiating. No matter how Washington and Brussels maneuver through this latest round of PNR tension, it would appear going forward that the Europeans hold the stronger cards.
First, the Biden administration has little incentive to escalate this technical dispute with Brussels as it has other political fish to fry with the Europeans, and open-border advocates in DHS leadership and the White House will not be energized by this complex issue. They will not want to further upset transatlantic air travel, gradually returning to normal after the disastrous Covid pandemic, with another major crisis. This is particularly true since all the CJEU rulings cleverly still permit airlines to transmit PNR — as required by U.S. law — because the court imposes all its limitations on how authorities use those records.
Second, under the existing U.S.-EU agreement both sides monitor technical compliance by the other. Thus, Commission officials regularly travel to Washington to oversee how the passenger records of EU citizens are used and archived by CBP and shared with other U.S. and third-country authorities. This monitoring standard is part of all Brussels PNR agreements, meaning that it will give the Commission extra leverage when negotiating with current or potential PNR partners, such as Canada, Japan, the U.K., Australia, and Mexico, which must accept the CJEU limitations or obtain no agreement at all.
Recognizing the PNR Deadlock
The U.S.-inspired PNR global vetting system has helped keep us safe, and it will be regrettable to see its effectiveness cut back on the EU’s data-privacy chopping block. Presumably, CBP can undertake technical adjustments, such as segregating the passenger records of EU citizens in a different database from the agency’s holdings of all other foreign nationals. However, such measures are costly and reduce the easy interoperability of all databases.
CBP could also engineer a pre-travel system requesting privacy waivers from EU citizen travelers, or some kind of individual electronic authorization, to allow collecting and archiving their PNR. Such a move is not only legally and technically complicated, but will encourage other non-EU nationals, including American citizens, to ask for similar waiver rights. Such a U.S. pivot would also be an accommodation of the data-privacy absolutists in Brussels and set a new legal framework with regard to all passenger records collected in all public transportation. It should be noted that PNR is also collected on cruise ships, as well as some public rail and bus carriers.
No matter what, PNR will continue to be a global border-security pillar because it provides officials vital data before a flight departs, and its electronic format, widely used in the airline industry, produces uniform data sets that facilitate analysis, sharing, and storage. At the same time, however, this continuing deadlock with Brussels is also a moment to recognize PNR limitations. Most sophisticated terrorists and criminals have — simply based on widespread public information — long understood their passenger records can be turned against them and exercise caution as a result. Except for a few valuable data sets — such as credit card records — PNR is very similar to information government officials can gather directly during a visa or ESTA application, or immigration control interview. Information collected directly by U.S. government officials is effectively outside the purview of the CJEU.
Collect Biometrics in a New “Enhanced” ESTA
One good option available to Washington is to enhance the information directly collected in the ESTA pre-authorization process, which could easily be accomplished by expanding the electronic questionnaire applicants must answer. A more fundamental enhancement would be to collect biometrics on ESTA applicants, a move that would overcome many of the limitations imposed on PNR storage because even the most determined data-privacy über alles extremists know they have no recourse over data that travelers voluntarily provide to the U.S. government.
Photos and fingerprints for ESTA applicants could be gathered at the existing off-site locations (known as “Offsite Facilitation Centers”) U.S. embassies and consulates run to collect photos and fingerprints on visa applicants before their interviews. The new costs to do this for ESTA travelers would be paid by the applicants themselves. Since ESTA is not a visa, the biometric enhancement remains consistent with visa-free travel to the U.S. currently in place for most EU member states.
This enhancement would also give new impetus for DHS to finish implementation of exit controls so that CBP can gather its own data and biometrics directly on foreign travelers who depart the U.S. (instead of relying on PNR or passenger manifests for exit data) and make possible the immediate electronic linkage of all entry-exit records. With time, the power of these entry-exit records archived in modern biometric databases would greatly exceed the security currently provided through PNR, in view of the coming EU limitations. Ironically, this step is also where the Europeans themselves are headed as Frontex is putting in place a biometric entry-exist biometric record collection system for the Schengen zone.
Only a Terrorist Calamity Will Change the Brussels Data-Privacy Mindset
Arguably, the CJEU’s ruling on June 21 does not represent what average Europeans actually think about PNR, travel security, and personal data privacy, but instead is a reflection of the activists advancing their extreme agenda before a sympathetic judiciary. While EU citizens greatly value unfettered travel within the Schengen zone, it is debatable just how much they in fact object to their PNR being analyzed and archived to keep everyone safe during air travel. Unfortunately, the current dominant data-privacy mentality in the EU will not easily change. Only another horrific terrorist event related to air travel, tragically, would begin to bring about a fresh rebalancing in Brussels.