Data Demands: Europe May Forbid PNR Access

A simmering row between the United States and the European Union over U.S. access to passenger data has come to a boil. The European Commission is threatening to end the temporary ruling it introduced in February that allowed U.S. Customs officials to view the passenger name records of all travelers flying to the United States. Although PNR access breaches deeply enshrined European laws on data privacy, the Commission permitted it with the hope that the United States would address numerous concerns regarding storage and usage of the information. With those expectations not met, Europe is threatening to pull the plug on U.S. access, which could lead to European airlines being heavily fined or even forbidden entry into U.S. airspace if a compromise is not found.

Last week, the European Parliament's Committee on Citizens' Rights and Freedoms exemplified the increasingly hard-line attitude being taken across the Atlantic when it delivered a strongly worded report to the Commission. The report recommended that unless the U.S. government fulfills demands regarding the treatment of data by Dec. 1, then the Commission should forbid E.U. airlines to pass on any more PNRs. According to the report, U.S. demands are "excessive and under all circumstances out of proportion."

In addition to the ethical concerns over privacy, airlines and travel management companies also are protesting about the practical and financial difficulties raised by a related matter: the forthcoming extension of the Advance Passenger Information System. APIS requires airlines to transmit information about passengers to U.S. immigration within 15 minutes of departure. At present, the only details collected are those that can be found on a passport, such as name, date of birth and passport number. However, by the end of the year APIS is to be extended to include several additional details, such as where the passenger intends to stay while visiting the United States.

The extension has drawn protests from airlines, which claim the new demands present a logistical nightmare. British Airways said it is likely to take two minutes to collect the information from each passenger at checkin. Assuming a jumbo jet-load of 450 passengers is being checked in at 10 desks, that would add 90 minutes to each line. BA, which flies 5.4 million people each year to the United States on 275 weekly departures, said it may have to scrap some flights as a result.

Airlines and travel management companies are preparing procedures to help passengers supply APIS data before departure, most likely at time of booking or on carrier Web sites. Their preparations have not been helped by the United States failing to issue instructions on the practicalities of the APIS extension. What is clear, however, is that the increased bureaucracy will inevitably add cost. Asa Hutchinson, DHS undersecretary for border and transportation security, has ruled out a financial contribution from the U.S. government, saying airlines must contribute to making air travel safer.

Ultimately, that cost is likely to be passed on to the end user. "Most travel management companies charge their clients on the basis of how much it costs to service them. If it takes longer to complete bookings because of the need to record APIS information, the inevitable consequence is that fees will have to rise," warned Toby Joseph, TQ3 Travel Solutions COO, in a recently issued briefing paper.

Reaction from all sides of the travel management industry in Europe—whether client, travel agent or airline—to the U.S. passenger data strategy has been unanimously critical. Although there is general understanding of the wish to tighten security following 9/11, many question whether that is a justification for the indiscriminate collection of passenger data.

"The E.U. is still unhappy about it, and our customers are concerned," said Bernard Harrop, European director of industry affairs for American Express, who also keeps watch on data issues for the Association of Corporate Travel Executives in Europe. "Like the JetBlue case, they are worried about the ethical side: what happens to information, where it is stored and lack of control over it. What is more, they cannot see the point of the changes to APIS, especially making people say where they are going to stay. A terrorist can simply say he is going to stay at the Hilton and then head somewhere else."

Tom Stone, chairman of the Institute of Travel Management in the U.K. & Ireland, said his members also are perturbed. "The whole travel industry is united in believing there is no rationale for this," he said. "Mention terrorism and it seems there is carte blanche for the U.S. administration to take any action it likes," he said.

Mike Platt, managing director of BTI UK, believes business travelers may go so far as to avoid flying the increasingly unfriendly skies above the United States.

"The United States is asking passengers for details that I don't think it needs to know," he told a client conference last month. "Some passengers may say, 'Why do they need that? I'm not going.' "

The unhappiness over U.S. data demands falls into four main areas. The first is application. The U.S. Bureau of Customs and Border Protection has made some concessions over plans to share information with other government agencies but remains firm on plans to use it for tracking criminals and terrorists.

Next is the scope of the data. There are usually 39 elements in a PNR and many are regarded as inviolably private, such as payment details, dietary preferences (possibly revealing a passenger's religion) and medical information. Critics said access should be limited to certain fields only. The other two main complaints are lack of redress for European passengers with an independent ombudsman if their information is mishandled or mis-applied and the length of time the data will be stored. The United States has said it will keep records six to seven years. "Our clients think data should be destroyed after the flight is finished," Harrop said.

Having made some concessions over electronic access by other agencies and agreeing to a finite storage period, the U.S. government already has moved in some way to accommodate European objections. In a search for a compromise, the Association of European Airlines has backed a proposal by the Austrian Data Protection Agency that a PNR data bank should be established under E.U. control. The information would be filtered and foreign governments given controlled access. The general consensus among E.U. data protection agencies is that a "push" process, involving the release of a cut-down PNR to U.S. authorities is the only way the crisis can be resolved.

Meanwhile, another contentious project involving the U.S. government has been deferred for one year. As of Oct. 1, passengers from the 27 countries where the United States operates a visa waiver system were only going to be permitted entry if they had a machine-readable passport. Without such a passport, they were going to have to obtain a visa, a process that now requires a face-to-face interview at a U.S. embassy or consulate. With many citizens of the visa waiver countries not having machine-readable passports (an estimated 200,000 in the United Kingdom and up to half of all French passport-holders), the travel industry predicted chaotic scenes at airports. The United States relented in the last week of September, and the new rule has been deferred to Oct. 26, 2004.