Those who have seen the last season of Game of Thrones will recall that Westeros was destroyed and its inhabitants tragically killed by a fire-breathing dragon and its malevolent rider, Daenerys Targaryen. Daenerys had used unusual travel patterns through Essos – from Pentos via Vaes Dothrak and Qarth to Meeren – in order to remain undetected en route to her final destination.
If the Lords of the Seven Kingdoms had been aware of this traveller and her intentions, perhaps she could have been stopped en route before Westeros was destroyed.
One individual did know in advance of this potential catastrophe. Bran Stark knew the rider of that dragon and was aware of her intentions. However, this information was not shared with the other kingdoms, and there was no communication system to receive this information in advance of the arrival of this ill-intentioned traveller. Just imagine how different the eighth season would have been if modern aviation security systems had been in use!
Why do we need passenger data in advance?
Although dragons and sorcery may play a role in popular fantasy shows, we face real-life security challenges in the interconnected world we live in. The number of passengers travelling by air is predicted to almost double in the next 20 years – from 4.3 billion today to an estimated 8.2 billion passengers annually by 2037.
What is the OSCE?
With 57 participating States in North America, Europe and Asia, the OSCE – the Organization for Security and Co-operation in Europe – is the world’s largest regional security organization. The OSCE works for stability, peace and democracy for more than a billion people, through political dialogue about shared values and through practical work that aims to make a lasting difference.
With its Institutions, expert units and network of field operations, the OSCE addresses issues that have an impact on our common security, including arms control, terrorism, good governance, energy security, human trafficking, democratization, media freedom and national minorities.
Our dedicated Travel Document Security Programme conducts capacity-building to support States in implementing their UN Security Council commitments to collect API and PNR. To date, the OSCE has worked with 13 countries in South-Eastern Europe, Central Asia, and Eastern Europe, to draft roadmaps, amend legislation, establish passenger information units, gain connectivity with airlines, procure passenger data systems, and ultimately to use and analyse the data.
Increased numbers will mean increased pressure on border security officials who are already stretched to a breaking point, and as the numbers increase, so do the risks. The world has become more interconnected, but so have organized criminal networks. Border security has traditionally been the sole responsibility of nation-states. Cross-border illicit trafficking, financing, and smuggling have become easier with the rise of globalization, and with the ease of travel between countries. Our ability to receive and share additional information about these travellers must increase to meet the elevated risks.
Even more concerning is the evolution of terrorist groups in globally active and interconnected networks. According to the UN, an estimated 40,000 foreign terrorist fighters from more than 110 countries may have travelled to join terrorist groups in the Syrian Arab Republic and Iraq. Following the territorial defeat of the Islamic State of Iraq and the Levant (ISIL), many terrorists are returning home or relocating to safe havens or other troubled parts of the world, representing a major threat to international peace and security.
The UN Security Council recognized the threat and adopted Resolution 2178 in 2014 which mandates all States to collect Advance Passenger Information (API). This was supplemented by Resolution 2396 in 2017 which requires States to collect Passenger Name Record (PNR) data. Member States are required to develop the capability to collect, process and analyze this information, and to ensure that such data is used by and shared with all their competent national authorities, with full respect for human rights and fundamental freedoms.
How can States establish passenger data systems?
Since 2016 the OSCE has been assisting States in establishing systems for collecting both API and PNR data. The aim of this article is to outline three key good practices for States that we have encountered in our work to date. In order to make these good practices more memorable, we have broken them down in a user-friendly ABC guide to establishing a passenger data system.
A = AIRLINES
Let’s start with A. Airlines are the ones with the data, whether it is the API received at check-in, or PNR data received at booking. Now that governments are required to collect this data from airlines, it is a good practice to treat airlines like partners in the implementation process. The airlines that are operating in your State are likely to be already supplying API and/or PNR to your neighbours or the other States they fly to, so they might have good practices that are useful.
In our capacity-building experience, there are three important steps when dealing with airlines:
- Firstly, an airline consultation group should be notified of your State’s plans to start collecting passenger data. In most States there already is a channel or committee for communicating with airlines (at least at the airport level) – this can be utilized or expanded for the purposes of implementing an API or PNR programme. Once the group is established and notified of your country’s plans, it is a good practice to keep the airlines informed of progress, deadlines, and other relevant issues.
- That brings us to the second step – a technical implementation guide. This is a user manual for airlines
that contains all the operational/legal/technical issues that airlines need to be aware of in order for
them to transmit passenger data to your State. Some countries have very helpfully published their
implementation guides online so that airlines can more easily access them, thereby also allowing other
countries to see how best to draft such documents. The OSCE can also support countries in drafting
- The third step is not really a step, but rather a suggested approach – that is to remain flexible. Once the implementation guide has been drafted and sent to airlines, they will need time to implement it, and given that we may be dealing with multiple airlines, on a variety of routes, using different airports in your country – there will likely be connectivity or transmission difficulties. Therefore, we recommend continuing the partnership approach throughout the process as your country progresses in collecting passenger data from more and more flights.
- We in the OSCE work closely with IATA and ICAO to help States engage with airlines, to form consultation groups and to draft these implementation guides.
B = BINDING
B stands for Binding – meaning legally binding. Although we advocate partnerships with the airlines, in order to acquire passenger data from them, you will need legislation that makes it compulsory for airlines to transmit the data. Without it, the airlines will be in contravention of data privacy legislation in their country of origin, especially if they are European carriers), and your State will not be in line with international standards as set out in ICAO Annex 9.
Therefore a national legal framework for collecting passenger data will be required. In the OSCE, we provide
legislative assistance and advice to ensure national legislation has the following elements:
- Why – the purpose of collecting the data should be made clear. Generally, API is collected for
immigration and border control, while PNR is collected for law enforcement and countering terrorism/organized crime. The purpose of a State’s data collection should be made clear in the law.
- What – what data is required. API and PNR are different; therefore it is necessary to state clearly
that you require API and/or PNR. Some legislation also lists the data elements to be included. It is recommended that if a country includes the data elements that this is not an exclusive list, since some airline’s messaging formats include additional data formatting, and occasionally ICAO/IATA update the formats.
- Who – the legislation should make clear which agency will be collecting the data and which agencies will be making use of it. This part of the law should also include a provision for regulating access to the data so that queries are recorded for audit purposes.
- When and how – The law should include provisions on when the data should be transferred: for batch API
after check-in is best, while for iAPI and PNR it can be transmitted upon receipt. The law should also make clear that the data needs to be transmitted electronically using a secure channel (email/hard copies are insufficient).
- How long – provisions should be included on how long the data should be stored for. The EU has strict Directives on both API and PNR, and if the recipient State has flights from multiple European airlines, it is advisable that the State adheres to these data storage provisions.
- What if – For any law to be enforceable in the event of noncompliance, penalties must be prescribed. These penalties should describe the financial sanctions that will be utilized in the cases of airline non-compliance.
C = COLLABORATION
C is for collaboration – meaning collaboration among agencies within your State. A passenger data system can be a great way to improve internal co-operation. It could also potentially expose some major problems. In some countries we have worked in, there are disagreements regarding which agency should be responsible for the data collection and analysis. There are instances where these disagreements have continued, resulting in the State developing and operating separate passenger data systems. This means the airlines have to send the data to multiple locations, and worse still, the State itself wastes time, money and effort developing the same system twice!
So we in the OSCE are helping States to follow the recommended practice of establishing a so-called ‘single window’ agency. This agency would be a single port-of-call for collecting the passenger data. Some States operate on the basis that one agency collects the data and then distributes it to other relevant agencies.
A best practice is to establish a passenger information unit. This would take the form of a single department or unit that brings together the different agencies in one room to look at and analyze the data. This model significantly increases information sharing and collaboration among the relevant law enforcement agencies in your State, while also ensuring that you avoid duplication of effort and a waste of valuable resources in developing multiple systems.
The OSCE has been supporting States in creating inter-agency working groups for establishing a passenger data system and then identifying agencies to form part of a potential passenger information unit.
That, in a nutshell, is our ABC guide of good practices and lessons learned based on our support to 13 countries in developing passenger data systems. A is for Airlines – treat them as partners. B is for Binding legislation that makes clear the What, the Why, the Who, the When, the How, and the What if. C is for Collaboration among your various borders, customs, intelligence and law enforcement agencies.
Although the Game of Thrones series may have ended, our work to support States to develop Advance Passenger Information and Passenger Name Record systems is just beginning.
About the authors
Armin Dervoz is a Project Assistant who serves with the OSCE Travel Document Security Programme
Simon Deignan co-wrote this article in his former capacity as the Programme Manager, OSCE Travel Document Security Programme. He now serves as a Programme Management Officer in the UN Office of Counter-Terrorism, specifically as part of the UN Countering Terrorist Travel Programme.