Blog

Analysis of Passenger Data

ACT OF 25 DECEMBER 2016 on the processing of passenger name records (Belgian Official Journal 25 January 2017) (PNR Act)

The Belgian ‘PNR Act’ (Passenger Name Record) requires carriers and tour operators in the various transport sectors (air, rail, road and maritime transport) to forward the data on their passengers to a central database – ‘the passenger name record database’ – so it can be analysed in the context of terrorism, violent radicalisation and other forms of serious crime such as fraud, people smuggling and the illegal trade in drugs and arms. The intent is to compare the collected data with pre-determined criteria to identify new trends and phenomena, and to determine which passengers could endanger our public order.

PIU
There are still many hurdles to clear before Belgium can effectively start with the analyses. First, a ‘Passenger Information Unit’ or PIU must be established within FPS Home Affairs.

This unit will collect, store and process the data that is transmitted by the carriers and tour operators. In other words, it is here that the data is analysed and stored in the ‘Passenger Name Record Database’. Crucial to this is the cooperation with the PIUs of other EU Member States, with Europol and with third countries, with a focus on the exchange of passenger data as well as the results of its processing.

It will soon become clear who exactly will work in the department. A Royal Decree will soon regulate its composition and functioning. In any case, a ‘senior civil servant’ will lead the unit. He or she will be assisted by a ‘support department’. In addition to its ‘own staff’, the PIU will include staff seconded from the federal police, customs, state security and the Directorate General for Intelligence and Security.

Moreover, over time the unit itself must also appoint an official in charge of data protection. This person will among other things supervise the processing of the data and privacy protection

Protocol agreement
In addition to setting up the PIU, a number of steps will also be taken with respect to tools. This includes not only the development of the ‘Passenger Name Record Database’. Further shape must also be given to the analysis software and analysis methods. The national security authorities, for example, must yet approve ‘a secure and encrypted communications and information system for automatically sending positive matches’, as the legislation formally describes it.

Moreover, the departments in question and the PIU have yet to conclude a protocol agreement containing the rules relating to the transfer of the data (exchange, maximum time limits for processing, method of communicating a positive ‘match’, etc.) and the technical security and access rules (minimum quality standards for the processed data, protection against destruction, permissions for accessing the data and profiles, rules for storage, destruction deadlines, technological protection measures).

In short, a lot of things still must take place before the PNR project can effectively be implemented. The PNR Act does already contain a number of basic principles. Thus it is already clear what data will need to be processed. The carriers and tour operators will provide the PIU with the data on persons travelling from, to and transiting through, Belgium. This concerns the reservation information (date of reservation, travel dates, personal information, payment information, full travel itinerary, flight numbers, baggage information, number of travellers, etc.) as well as the data on the check-in and boarding status (type of travel document, country of issue, expiration date, transport company/tour operator, date of departure and arrival, seat number, etc.).

In other words, the law aims to obtain a detailed picture of travellers to and through Belgium in order to gain an insight into the presence of persons for whom an alert has been issued and persons who meet the risk profiles. The passenger data may not relate to the racial or ethnic origin of a person, his or her religious or philosophical convictions, political views, union membership, state of health, sex life or sexual orientation. If the PIU receives such information, it will be immediately destroyed.

Goal
The Belgian PNR Act makes possible the analysis and storage of passenger data for the following purposes:

–     To detect and prosecute crime and terrorist offences;
–     To perform tasks for the intelligence services for the detection, analysis and processing of information about activities that may threaten the State’s fundamental interests;
–     To prevent serious breaches of public security such as violent radicalisation; and
–     To improve controls on persons at external borders, among others in the context of illegal immigration.

The passenger data is stored in the database for a maximum of 5 years (from its registration). Afterwards, it is destroyed. However, it will already be depersonalised after 6 months (from registration). This means that the data from which the identity of the person concerned could be inferred, is protected. The processing results are kept only as long as needed to inform the relevant departments.

Carriers and tour operators in turn are required to destroy all the data they transmit within 24 hours.

Illegal immigration
In a separate chapter, the Act goes into more detail on the processing of passenger data by the police responsible for border control and the Immigration Service. The intention here is for the passenger data to be passed on in order to obtain insight into who leaves the territory when, to improve border controls, and to combat illegal immigration.

Many restrictions apply. Thus, immediately after its registration, the passenger data is passed on to the relevant police and the Immigration Service. They store the data in a temporary file and destroy it within 24 hours after forwarding. If the data is needed later, the police and the Immigration Service must submit a specific request to the PIU.

Penalties
Carriers and tour operators risk severe penalties if they do not fulfil their reporting obligations. The law provides for a maximum fine of 50,000 euro per infringement. In the case of a repeat infringement within 2 years, this amount increases to 75,000 euro.

Detecting infringements is a task of the senior civil servant of the PIU. The Minister of Home Affairs decides whether or not to impose a penalty.

The law also includes penalties for members of the PIU that do not fulfil their obligation of confidentiality or intentionally withhold information that prevents certain goals from being achieved.

Measures against terrorism
The processing of passenger data is one of the 18 priority government measures against terror announced just after the Paris attacks. The measure also meets Belgium’s requirements at European level. The Act transposes 3 EU Directives into national law:
–      EU Directive 2016/681 on the use of PNR data in the fight against terror;
–      EU Directive 2004/82 on the obligation of carriers to communicate passenger data; and
–      EU Directive 2010/65 on reporting formalities for ships arriving in and/or departing from European ports.

Belgium for that matter is slightly more stringent than the European regulations on a number of points.

For further information and comment, please contact Arthur Flieger (flieger@fliegerlaw.com, +32 3 238 77 66)

© 2017 A. Flieger – This publication is defined to provide accurate and authoritative information in regard to the subject matter covered. It is transmitted with the understanding that the publisher is not engaged in rendering legal, or any other professional services. If legal advice or other expert assistance is required, professional services should be sought. You can always contact A. Flieger at flieger@fliegerlaw.com.